George Kuzmowycz wrote:

: The company I work for has set up a committee to draft a security
: policy involving, among other things, e-mail. Since I'm responsible
: for our networking and e-mail, I'm part of this group. Unfortunately,
: I'm outnumbered by legal, auditing and HR types who, basically, want
: to have access to everything.

First, figure out what *your* objective is. You can't achieve e-mail privacy by implementing some idealized policy that says "Our company won't snoop into e-mail." It is the obligation of corporate functionaries to act in the corporation's best interest, and if that includes violating the privacy policy (as opposed to civil or criminal statutes) then it's going to happen. If you write it into one policy, they'll just find a different one that they can apply to override it. As you pointed out, the courts agree with this interpretation.

Let us focus on what we *can* fix. You can make things better if you write the policy to reduce the risk of abuse. Nip this nonsense about "access to everything" in the bud. For example, the policy could provide oversight by requiring approvals from affected people (the victim's manager if not the actual victim). Then, access is granted to the victim's files and not to all the files. Even if auditors want to do "random audit" of e-mail, they don't really need "access to everything" to achieve it. They can randomly select messages somehow and only get readable copies after the messages are selected.

You'd probably find lots of support for a more measured policy like this. For example, mail from the CEO or the head of the Audit department shouldn't be an open book just because Joe Blow from Audit is "auditing e-mail today."

Also, your policymakers might think about the issues raised by the recent skit, "FBI Files on Republicans Stored in the Democratic White House." If they demand unlimited access to e-mail files, they might be held responsible for making use of information contained therein simply because they *could* have read them.

Rick.
smith@sctc.com
secure computing corporation