
The company I work for has set up a committee to draft a security policy involving, among other things, e-mail. Since I'm responsible for our networking and e-mail, I'm part of this group. Unfortunately, I'm outnumbered by legal, auditing and HR types who, basically, want to have access to everything.

I am aware that there's a line of thinking which holds that what you do or say on company time, using company equipment is the company's business. I do not subscribe to this line of thinking, and believe that employees expect a "zone of privacy" in which their telephone calls will not be listened to and their e-mail will not be read or monitored. I am also aware that recent court cases have not supported this "zone of privacy" and have pretty much held that the employer can do whatever it wants with e-mail.

What I want out of this process is to keep myself and my staff out of this business. As a practical matter, I'm sure the company could bring in a hired gun to do whatever they want; since our e-mail system does not easily support strong crypto, it's all there for the taking.

In an ideal world, the rest of the group would agree with me and say "Yup, we have no business reading e-mail." Since that's not likely, I'm looking for examples of "privacy-friendly" corporate policies that I can put on the table in our meetings, and end up with a minority report.

-gk-