Yeah, Your IT Guy Is Probably Reading Your Email

from the just-because-you're-paranoid,-it-doesn't-mean-they're-not-out-to-get-you dept

Wed, Jun 25th 2008 12:24am — Mike Masnick

You probably suspected it, but there's a decent chance that someone in your IT department may be snooping on at least someone in your company -- and they don't seem to mind admitting it. It's not overwhelming, but about one in three IT folks admits to snooping using admin passwords to access information they're not supposed to look at. Given that there are probably plenty who won't admit it, there's a pretty good chance that the actual percentages are higher.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: abuse, admins, email, it

43 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

JAck, 25 Jun 2008 @ 1:18am

I'd post but...
It will probably be read by some one so I wont!
[ link to this | view in chronology ]
Lindsay, 25 Jun 2008 @ 1:26am

I always try to make sure I leave something juicy in it for my IT guys to read. I figure I might as well make their day worthwhile. I know -I'd- be reading my ex-manager's e-mails, given the chance.
[ link to this | view in chronology ]
Ben, 25 Jun 2008 @ 1:28am

I'd like to point out a few things.

1. The "survey" wasn't even close to scientific. It was performed at an information security conference in London, and at least part of the survey was multiple-choice. However, we know nothing else. Who was considered a "senior IT professional"? What was asked? Were those being surveyed offered something to complete the survey? Unfortunately, no survey data is available.

2. If you're given a list of company assets you're most likely to steal if you're facing being fired, and you have to choose three to finish the survey, that certainly doesn't suggest that you would actually steal any of the things listed.

3. Chances are that a survey conducted at an information security conference is going to be biased towards information security workers. Is it reasonable to extrapolate those results to all IT workers?

4. Check the source. This survey was conducted by a company that just happens to sell digital vault and password management applications. Further, this article is based on a company press release. While the results of this survey might in fact be accurate it's hard to overlook the bias that this company faces when conducting it, especially when no real data about how it was conducted is made available.
[ link to this | view in chronology ]
Anonymous Coward, 25 Jun 2008 @ 1:33am

I'm always amazed at the power IT admins have within an organisation, and how companies don't notice this.
When a single crazed IT admin can take done your entire company overnight you have a really big problem.
[ link to this | view in chronology ]
- Kevin, 25 Jun 2008 @ 3:55am
  
  Re:
  When a single crazed IT admin can take done your entire company overnight you have a really big problem.
  
  How about when a single crazed electrician can take down your entire production line? Or when a single crazed accountant can take down your finances? Or when a single crazed security manager can lock down your entire facility? And so on...
  
  One thing to keep in mind is that in the United States, the corporate email system is considered a corporate asset and you have no expectation of privacy there. Most companies do have policies that say that they're allowed to read your email if they want to. Why should you be surprised if they exercise that right?
  
  Many companies use software tools or appliances that scan email not just for viruses and spam, but also for certain sensitive keywords to try to prevent leaking of confidential information. Do you think that people don't perform some degree of manual review of those systems?
  [ link to this | view in chronology ]
  - Liquid, 25 Jun 2008 @ 4:42am
    
    Re: Re:
    Very good point Kevin. Most of that is going to be done by your security professionals not the IT Admin if there is a security person on staff. The fact that they are using just plain old IT Admin is a farce as well. They do not give a precise definition as to what "IT Admin" is. There are many levels of IT Admin. Just like with the company that I work for I am a local admin, because I am desktop support so that gives me full rights to do what ever I need to do on a local machine and basic to intermediate server work. There are tiers of admins, and that all boils down to what kind of permissions they have and what type of an account they are running in AD (Active Directory).
    
    The point that you stated "Most companies do have policies that say that they're allowed to read your email if they want to." is 100% correct. The normal "User" doesn't understand that once they walk through those doors in the morning to the time they walk out those doors that everything thing they do on their companies network is logged, and can be reviewed by anyone in the IT Dept.
    
    There are a lot of network admins that run network analyzers on their own networks to get an idea of what kind of traffic is being passed through their networks, what kind of traffic loads are being put on the network, and so on and so forth. If your company has a policy of no streaming video or audio over they network and they happen to run a network analyzer when you open that video that your friend sent you they will know about it. I don't know how many times that I have personally run a network analyzer my self and caught people surfing adult oriented materials.
    
    There are a lot of things out there that the normal every day user does not know about when it comes to their companies IT Dept. Whether or not they are clueless to the fact that when they use company property that its not theirs at all and the company can do what ever they want with it with policies in place. Or you have the user(s) that know, and have read their Acceptable Use policy(s). Know that they could be monitored at any time on the network by the security team, or anyone that has the ability to look at what needs to be looked, or has been asked to look at in the IT Dept. What it basically boils down to is if a company thinks you're doing something wrong and could possibly jeopardize the security of the network they have MANY eyes to watch what your doing.
    [ link to this | view in chronology ]
Shemnon, 25 Jun 2008 @ 2:22am

RE: Your IT Guy ...
What is shocking to me is that it is so surprising to people that this happens! Of course it does! the whole point of admin accounts is to have access to everything. Don't be shocked when they get bored and start poking around...
[ link to this | view in chronology ]
- me, 25 Jun 2008 @ 9:13am
  
  Re: RE: Your IT Guy ...
  One more reason why you stay on the good side of certain folks, IT, HR, the cleaning crew (They can see your garbage), and the like.
  [ link to this | view in chronology ]
Chris Buechler, 25 Jun 2008 @ 2:23am

you're throwing an entire profession under the bus...
...without any basis for doing so. The summary here is partially misleading and partially flat out wrong given the facts of the survey.

First, "your IT guy is probably..." isn't accurate. The 1 in 3 was actually "they or one of their colleagues", not solely them personally.

Next look at the source of the survey - a "maker of password file security management software." Far from a neutral party, in fact one that has a vested interest in creating or overstating this problem. The articles here typically do a great job at pointing out blatant conflicts of interest, but in this case you apparently prefer to throw system administrators under the bus on the basis of information provided by a company with a clear agenda.

Does it happen? Absolutely. That frequently? Well how frequently is it really? 1 in 3 say "they or their colleagues", well that could be 2 of 100 people that 1 in 3 know of. I don't believe it's anywhere near one in 3 doing it, and I suspect the percentage is in the single digits. I'm sure it's no different from any other profession where access to private information is available - see the recent Clinton and Obama passport information unauthorized access for just one example.

I wouldn't think about it and if I caught anyone under me doing it, it's likely they wouldn't have a job much longer.
[ link to this | view in chronology ]
Crazy Coyote, 25 Jun 2008 @ 2:53am

This forum would be a more scientific pol.
If it can happen it will. Especially small buisness.
[ link to this | view in chronology ]
- Liquid, 25 Jun 2008 @ 4:46am
  
  Re:
  You will find that 99-100% of all your major corporations do this heavily. You probably wont see this as much in small businesses for the most part, because they have a smaller IT Dept. and they wont have time to. There is a possibility that it could and most likely will happen.
  [ link to this | view in chronology ]
Frogpond, 25 Jun 2008 @ 2:53am

It's nice to know that someone is actually reading my emails.
[ link to this | view in chronology ]
JBB, 25 Jun 2008 @ 3:28am

Not me!
Bah. Okay, it's true, I've looked at people's email. When they've asked me to fix a problem with their mailbox, when they've asked me to look into a problem with mail delivery, or when we were investigating a significant threat to the operation of our server. Do those count as reading your email?

And even then, we tried to grep (pattern-match) only the needed information from the mailbox. If I grab only one line from a user's mailbox -- and that is the line that matches user@foo.bar.com -- does that count as reading your email?

Are you even sure that the study said we were looking at things we were "not supposed to"?

Frankly, I don't want to know what you weirdos have in your inbox. It's probably disgusting at best, and illegal at worst (which would put me in a situation I don't want to be in -- reporting it.) I've got my own email to read (and I hate having to read that!) so why would I read yours too?

Anyway. Take a small amount of comfort that SOME of us have morals and scruples (and policies) we actually adhere to.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Jun 2008 @ 5:15am
  
  Re: Not me!
  AMEN!
  
  I have the hardest time convincing people that emails/files are just little packages that we have to make sure are 'shipped' to the right place, and are 'stored' in the right place. There are times where they are not where they are supposed to be, and we have to find out why.
  
  I couldn't care less about what's in the package. I just care that it started at the right place, traveled the right path, and ended up at the right place.
  [ link to this | view in chronology ]
- Bill Royds, 26 Jun 2008 @ 2:16pm
  
  Of course.
  Email has the same security as a postcard. Do postal sorters ever look at postcards?
  
  If you don't want other people to see you email, encrypt it. There are free (GPG) and cheap (S/MIME and PGP) systems to encrypt email. All you have to do is install and use it.
  [ link to this | view in chronology ]
Wellesley, 25 Jun 2008 @ 4:08am

I knew it!
...but then again, it is very tempting if you have that power. I am not sure that if I had that autonomy I would not have done so either, even a few times, although no harm intended. Regards
Wellesley
http://www.my-island-jamaica.com
[ link to this | view in chronology ]
Flyfish, 25 Jun 2008 @ 4:53am

Having been an admin for well over 20 years let me tell you that the temptation isn't nearly as great as you'd think. Having been forced to wade through more than one person's email as a result of HR investigation/disciplinary action was enough for me. You're all pretty boring and your email is safe from me and every admin I've ever worked with. We have too much to do to be bothered wading through email looking for purity test results.
[ link to this | view in chronology ]
- firefly77dreamer, 25 Jun 2008 @ 5:16am
  
  Re:
  I totally agree with you. First of all, it is ethically and morally wrong to read someone's "mail"... unless there exists a suspicion of wrong doing; secondly, who has the time?
  [ link to this | view in chronology ]
- Bigdogpete, 25 Jun 2008 @ 5:37am
  
  Re:
  I agree who cares. I have tools that alert me when you do something wrong and other than that I could care less if you email your girlfriend or boyfriend. I have enough problems without wading through your email. Investigations are a pain, but someone always is looking for a way around the system. Guess what it isn't your's, you don't own the computer or network you are using at work. So make my life easier and don't be stupid when you go to work.
  [ link to this | view in chronology ]
- BillGod, 25 Jun 2008 @ 6:20am
  
  @ flyfish... Agreed
  I WISH I had time to sift through sensitive crap. Most IT guys I know including myself don't have enough time to dig through a bunch of crap to find juicy info. In fact I really don't care enough to even look. I would much rather surf the web if I do have any free time.
  [ link to this | view in chronology ]
Skippy T. Mut, 25 Jun 2008 @ 5:19am

As an IT Professional all I can say is...
DUH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[ link to this | view in chronology ]
Steve R. (profile), 25 Jun 2008 @ 5:50am

Your Local PC Repair Storefront
Actually this points to a "bigger" issue, which fortunately does not seem to have yet "hit the fan".

Last year the PCs in our house were fried by a lightening strike, we took our PCs in to get repaired. The PCs, of course, has a lot of private data on them that the repair folks would have had access to.

Doctors and Lawyers have a have a fiduciary duty to protect their clients and (in most cases) can't be forced to disclose personal information about their clients. Seems like the time is right for a similar code of conduct for PC repair persons.

Fortunately, from the absence of any horror stories in the media, that your local PC repair shop is quite ethical.
[ link to this | view in chronology ]
- Jake, 25 Jun 2008 @ 8:51am
  
  Re: Your Local PC Repair Storefront
  A good point, but I'd only endorse the idea if said fiduciary duty included similar exemptions for evidence of criminal activity; if I stumble across a vast library of child pornography on the hard drive I'm backing up prior to an OS reinstall, I'd kind of like to have the right to call the cops.
  [ link to this | view in chronology ]
- me, 25 Jun 2008 @ 9:20am
  
  Re: Your Local PC Repair Storefront
  Or the user is too dumb to know, your presumption is quite naive.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Jun 2008 @ 5:56am

IT staff dont have time to read boing work emails. If they do you are over staffed!!!!
[ link to this | view in chronology ]
some old guy, 25 Jun 2008 @ 6:01am

Incorrect everything.
No, the IT guy isnt reading *my* email. He's reading his own company's email, and the company has every right to have him read it. If he wants to read *my* email, then he has to perform a man in the middle attack on my SSL certs. Why anyone would expect privacy on their work email accounts astounds me. Why anyone would even use a company email account for private uses...
[ link to this | view in chronology ]
- Ummmm, 25 Jun 2008 @ 7:02am
  
  Re: Incorrect everything.
  If you go through a proxy with a cache he is reading your mail. At least I do.
  [ link to this | view in chronology ]
CaySal, 25 Jun 2008 @ 6:27am

I have been in IT for 13 years and out of say 40 IT guys and gals that I have known - only one ever snooped around in someone's email and he was discovered and fired. If you are worth your salt as IT person you don't have the time for it, and if you are worth your salt as a human you have an ethical reason not to do it. Besides users are boring, why would we want to read their email?
[ link to this | view in chronology ]
Overcast, 25 Jun 2008 @ 6:47am

Was an email admin for years.

Don't ever consider your email private.

only one ever snooped around in someone's email and he was discovered and fired.

*key* - has been discovered. Suspect any that are 'undiscovered'? :)

Sometimes... the business will direct you to read other's emails. That's happened to me more than once.
[ link to this | view in chronology ]
RedHanded, 25 Jun 2008 @ 6:56am

Tell us something we don't already know. If you don't want the world to see it, don't put it in writing...

Da!
[ link to this | view in chronology ]
Joseph Durnal, 25 Jun 2008 @ 7:00am

Who has that kind of time
I've been running, designing, implementing, fixing e-mail systems for 10+ years now. I've been directed by management to search for e-mails, but other than that I've never sat down to randomly read random e-mails from random employees.

Seriously, if someone in your IT department has that kind of time, you should replace them with someone who will work a little harder.

Joseph Durnal
[ link to this | view in chronology ]
Andy, 25 Jun 2008 @ 7:03am

Best comment in the thread. . .
As a sysadmin myself I have to say the best comment I've yet read in this thread was where another sysad sort said

"Frankly, I don't want to know what you weirdos have in your inbox. It's probably disgusting at best, and illegal at worst"

Darn right. If I am reading your e-mail it's because I'm debugging something. And I'd really rather not read it at all if I can avoid it. I know it belongs to the company, but it still feels like an invasion of privacy and a massive waste of time.

-andy
[ link to this | view in chronology ]
myrandomstuff, 25 Jun 2008 @ 7:29am

huh....i read email?
There are several comments I agree with here. Why did TechDirt post this eye grabbing title? How many accountants or building service managers that read this site? Primarily this is an IT based readership.Why did they post the results of a survey that they did not explain? Ok yes I am messaging engineer. When tasked by HR, legal and compliance; I do discovery. Yes it disgusts me that there is nothing, "darker than the hearts of men." I hate knowing I am looking at someone's communications looking for something wrong. I have to say that with all the free email addresses in the world why people want to send non-work email back and forth via corporate methods is still beyond me. Being the email/blackberry admin, I usually find out someone is fired before they do simply because I have to turn off their blackberry and email before they are told. Thanks to everyone for the comments, I don't feel so guilty with my job.
[ link to this | view in chronology ]
link, 25 Jun 2008 @ 8:18am

Hostpital emails
When I worked IT at hospital X, the guys there read email on a daily basis. However this was email that was flagged by the filters as suspicious. They shared a couple of the crazy ones. There were some people that I didn't want to know certain things about.
The reason the email was read was for a couple of reasons, to make sure that employees were doing their jobs and not sitting around sending pornographic emails and so the hospital would not get sued over illegal activity.
So if you just send normal business or standard casual emails your email will never get read.
[ link to this | view in chronology ]
Jack-Jack, 25 Jun 2008 @ 8:54am

huh?
Anyone think that we are given this access to read the emails because.. IT's OUR JOB. YES we read YOUR email. (As if we have time to sit around and do that... we actually have software that scans your email for non-work-related-phrases.) Why would you want to send a non-work-related email from work when so many other "mom-n-pop" sites have FREE email accounts? Give me a break people... work is for working. If it was supposed to be fun, we wouldn't get paid. Stop the QQ.
[ link to this | view in chronology ]
AJ, 25 Jun 2008 @ 9:35am

Is this only company/corporate email or...
...is it more than that? Means do they check just the company email or can also check Gmail etc.
[ link to this | view in chronology ]
Mohican Elf, 25 Jun 2008 @ 11:05am

Yeah, right.
Ah, so may pictures of kittens and sappy religious messages, so little time!
[ link to this | view in chronology ]
Solid, 25 Jun 2008 @ 11:17am

I work as IT support for a company and I can say that I have never looked through other peoples emails. I usually don't have the time anyway. Plus i don't even really care about what you have to say on your email.
[ link to this | view in chronology ]
mike allen, 25 Jun 2008 @ 1:14pm

they read my mail
they fired but then i do all the IT stuff so id have to fire myself.
[ link to this | view in chronology ]
iToast, 25 Jun 2008 @ 6:16pm

Words from an Admin.
I'm an admin. I work on many exchange servers and send mail servers amongst my countless other tasks. Let's address this logically.

1. That computer, your login, your documents and your messaging data DON'T (read DO NOT) belong to you. You may have one and your eight year old my use one, but the machine on your desk belongs to the corporation and you relinquish your privacy when you hit "OK" at the log in warning. Oh, you didn't read it where it say we can audit your box for any reason? Well, a thousand pardons maybe you should take 5 minutes out of youtube time and put it towards reading the log in warning. Kay great.

2. If I read your messages I do so lamenting the fact I have to search through your messages trying to find something because it detracts from my ability to do anything else, like read Techdirt.

3. I make a conscious effort NOT to pay attention to the contents unless they match my criteria for the search. I don't care that your aunt fanny thinks sending an e-card to your work is neat I really don't and thus don't read it. The less I know about you as an individual the better, because then I have to develop a degree of care for your digital well being. Sorry, but I don't.

4. Where did you learn that work was a good place to get email defining personal matters anyways?

Take the example of Susi Humantrafficker. She illegally smuggles people around the globe and works for the corporation who's network I maintain. If I know more about you and find out that instead of using your babiesovernight@aol.com address you used susih@techcorp.com I now could get called to the stand as a witness to testify against you should your little operation get noticed by the Feds. Sorry Susi, but I just don't understand your disregard for common sense which is why I will, despite my laziness, skip going to the gym and testify to have you summarily sentenced.

Think of it this way you wouldn't have your personal mail delivered to work, so why your electronic mail? But, then again I don't place a lot of faith in modern computer users.

This ends my ridiculous diatribe thanks for reading.

P.S.

I'm cynical and jaded. Don't try to disagree, because if you do I'll just remind you that you're wrong. Thanks again.
[ link to this | view in chronology ]
Rose M. Welch, 25 Jun 2008 @ 6:44pm

*sigh*
My husband, an IT guy, does not have the time to snoop around for his own curiosity. If your IT guy does, then your company needs to rethink how much and why you have your IT for the amount of time that you do.

I've heard of IT being told to look for certain things during median downtime, such as who is surfing the net, who's taking care of personal business and e-mail on company time, etc. but not looking just to look.

I'd consider the source on this one...
[ link to this | view in chronology ]
PaulT (profile), 26 Jun 2008 @ 12:55am

I don't tend to snoop intentionally (though I have been known to casually browse through video/music folders while waiting for an update to install). However, generally speaking it's impossible to not come across sensitive information occasionally. Especially if people don't password protect any directories (as most people don't), or if they need you to go through their email to work out why they can't open a message or attachment (usually user error to begin with).

@#4: What's your solution then? Lock IT guys out of systems? (Good luck getting that vital fix applied)?

@#19: You should probably take your PC somewhere you trust then. Doctors and lawyers take professional oaths to protect their clients and are paid handsomely for it. Your local Best Buy will have a dude working for slightly over minimum wage so he can afford beer at the weekend, so won't care (slight exaggeration, but still..). Find someone more professional, and they will act accordingly.
[ link to this | view in chronology ]
Stylus, 27 Jun 2008 @ 10:14am

I don't really care what is in your email
As stated by others, we don't really care what is in your email.

I have worked for doctors and lawyers that required me to sign paperwork that I will protect the privicy of their data. I will gladly sign the paperwork, and re-assure you that I don't really care what is in the data, only that the data is working for you and safe when it hits the fan.

Some people imagine that all IT people are like the original BOFH. Although that series is funny as hell it is not reality.

...anyways the real interesting stuff is usually in word documents filed under employee reviews...JK
[ link to this | view in chronology ]