
On Fri, 2 Aug 1996 ichudov@algebra.com wrote:
> George Kuzmowycz wrote:
> > In an ideal world, the rest of the group would agree with me and say "Yup, we have no business reading e-mail." Since that's not likely, I'm looking for examples of "privacy-friendly" corporate policies that I can put on the table in our meetings, and end up with a minority report.
> Maybe it is only me, but I recommend "privacy-fascist" policy. This way employees will at least know to keep their own business out of computers that will be monitored by the company anyways.
I think you need to take the "fascist" approach, at least officially. I would hope that, unofficially, you don't monitor, eavesdrop, etc., unless a problem requires you to (such as receiving email from another site reporting that attacks originating from your systems have been detected). If you don't take the "fascist" approach, you are granting employees a "reasonable expectation of privacy", which you cannot, in truth, provide (without spending a lot of additional money). Once you've put your company in this position, you've set it up for an employee to have their "privacy" violated, so you've increased the company's risk. The benefits of running a "privacy friendly" corporate system just don't outweigh the costs and risks.

If somebody wants to read alt.sex.whatever-floats-their-boat, I really don't care, but I don't want to be in the position of ensuring their privacy while doing so on corporate equipment; they can get their own 'net account and play at home. I prefer to put out an official "fascist sysadmin's system use policy", and then leave users to themselves, as long as I don't get any complaints of illegal activity that could land my company in hot water. What you publish as a use policy and what you actively enforce do not have to be the same. Just my $.02.