Yeah, Your IT Guy Is Probably Reading Your Email
from the just-because-you're-paranoid,-it-doesn't-mean-they're-not-out-to-get-you dept
You probably suspected it, but there's a decent chance that someone in your IT department may be snooping on at least someone in your company -- and they don't seem to mind admitting it. It's not overwhelming, but about one in three IT folks admits to snooping using admin passwords to access information they're not supposed to look at. Given that there are probably plenty who won't admit it, there's a pretty good chance that the actual percentages are higher.
Reader Comments
I'd post but...
[ link to this | view in chronology ]
1. The "survey" wasn't even close to scientific. It was performed at an information security conference in London, and at least part of the survey was multiple-choice. However, we know nothing else. Who was considered a "senior IT professional"? What was asked? Were those being surveyed offered something to complete the survey? Unfortunately, no survey data is available.
2. If you're given a list of company assets you're most likely to steal if you're facing being fired, and you have to choose three to finish the survey, that certainly doesn't suggest that you would actually steal any of the things listed.
3. Chances are that a survey conducted at an information security conference is going to be biased towards information security workers. Is it reasonable to extrapolate those results to all IT workers?
4. Check the source. This survey was conducted by a company that just happens to sell digital vault and password management applications. Further, this article is based on a company press release. While the results of this survey might in fact be accurate it's hard to overlook the bias that this company faces when conducting it, especially when no real data about how it was conducted is made available.
[ link to this | view in chronology ]
When a single crazed IT admin can take down your entire company overnight you have a really big problem.
[ link to this | view in chronology ]
Re:
How about when a single crazed electrician can take down your entire production line? Or when a single crazed accountant can take down your finances? Or when a single crazed security manager can lock down your entire facility? And so on...
One thing to keep in mind is that in the United States, the corporate email system is considered a corporate asset and you have no expectation of privacy there. Most companies do have policies that say that they're allowed to read your email if they want to. Why should you be surprised if they exercise that right?
Many companies use software tools or appliances that scan email not just for viruses and spam, but also for certain sensitive keywords to try to prevent leaking of confidential information. Do you think that people don't perform some degree of manual review of those systems?
[ link to this | view in chronology ]
Re: Re:
The point that you stated "Most companies do have policies that say that they're allowed to read your email if they want to." is 100% correct. The normal "User" doesn't understand that once they walk through those doors in the morning to the time they walk out those doors that everything they do on their company's network is logged, and can be reviewed by anyone in the IT Dept.
There are a lot of network admins that run network analyzers on their own networks to get an idea of what kind of traffic is being passed through their networks, what kind of traffic loads are being put on the network, and so on and so forth. If your company has a policy of no streaming video or audio over the network and they happen to run a network analyzer when you open that video that your friend sent you they will know about it. I don't know how many times that I have personally run a network analyzer myself and caught people surfing adult oriented materials.
There are a lot of things out there that the normal every day user does not know about when it comes to their company's IT Dept. Whether or not they are clueless to the fact that when they use company property that it's not theirs at all and the company can do whatever they want with it with policies in place. Or you have the user(s) that know, and have read their Acceptable Use policy(s). Know that they could be monitored at any time on the network by the security team, or anyone that has the ability to look at what needs to be looked, or has been asked to look at in the IT Dept. What it basically boils down to is if a company thinks you're doing something wrong and could possibly jeopardize the security of the network they have MANY eyes to watch what you're doing.
[ link to this | view in chronology ]
RE: Your IT Guy ...
[ link to this | view in chronology ]
Re: RE: Your IT Guy ...
[ link to this | view in chronology ]
you're throwing an entire profession under the bus...
First, "your IT guy is probably..." isn't accurate. The 1 in 3 was actually "they or one of their colleagues", not solely them personally.
Next look at the source of the survey - a "maker of password file security management software." Far from a neutral party, in fact one that has a vested interest in creating or overstating this problem. The articles here typically do a great job at pointing out blatant conflicts of interest, but in this case you apparently prefer to throw system administrators under the bus on the basis of information provided by a company with a clear agenda.
Does it happen? Absolutely. That frequently? Well how frequently is it really? 1 in 3 say "they or their colleagues", well that could be 2 of 100 people that 1 in 3 know of. I don't believe it's anywhere near one in 3 doing it, and I suspect the percentage is in the single digits. I'm sure it's no different from any other profession where access to private information is available - see the recent Clinton and Obama passport information unauthorized access for just one example.
I wouldn't think about it and if I caught anyone under me doing it, it's likely they wouldn't have a job much longer.
[ link to this | view in chronology ]
If it can happen it will. Especially small business.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Not me!
And even then, we tried to grep (pattern-match) only the needed information from the mailbox. If I grab only one line from a user's mailbox -- and that is the line that matches user@foo.bar.com -- does that count as reading your email?
Are you even sure that the study said we were looking at things we were "not supposed to"?
Frankly, I don't want to know what you weirdos have in your inbox. It's probably disgusting at best, and illegal at worst (which would put me in a situation I don't want to be in -- reporting it.) I've got my own email to read (and I hate having to read that!) so why would I read yours too?
Anyway. Take a small amount of comfort that SOME of us have morals and scruples (and policies) we actually adhere to.
[ link to this | view in chronology ]
Re: Not me!
I have the hardest time convincing people that emails/files are just little packages that we have to make sure are 'shipped' to the right place, and are 'stored' in the right place. There are times where they are not where they are supposed to be, and we have to find out why.
I couldn't care less about what's in the package. I just care that it started at the right place, traveled the right path, and ended up at the right place.
[ link to this | view in chronology ]
Of course.
If you don't want other people to see your email, encrypt it. There are free (GPG) and cheap (S/MIME and PGP) systems to encrypt email. All you have to do is install and use it.
[ link to this | view in chronology ]
I knew it!
Wellesley
http://www.my-island-jamaica.com
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
@ flyfish... Agreed
[ link to this | view in chronology ]
As an IT Professional all I can say is...
[ link to this | view in chronology ]
Your Local PC Repair Storefront
Last year the PCs in our house were fried by a lightning strike, and we took our PCs in to get repaired. The PCs, of course, had a lot of private data on them that the repair folks would have had access to.
Doctors and Lawyers have a fiduciary duty to protect their clients and (in most cases) can't be forced to disclose personal information about their clients. Seems like the time is right for a similar code of conduct for PC repair persons.
Fortunately, from the absence of any horror stories in the media, that your local PC repair shop is quite ethical.
[ link to this | view in chronology ]
Re: Your Local PC Repair Storefront
[ link to this | view in chronology ]
Re: Your Local PC Repair Storefront
[ link to this | view in chronology ]
Incorrect everything.
[ link to this | view in chronology ]
Re: Incorrect everything.
[ link to this | view in chronology ]
Don't ever consider your email private.
only one ever snooped around in someone's email and he was discovered and fired.
*key* - has been discovered. Suspect any that are 'undiscovered'? :)
Sometimes... the business will direct you to read others' emails. That's happened to me more than once.
[ link to this | view in chronology ]
Da!
[ link to this | view in chronology ]
Who has that kind of time
Seriously, if someone in your IT department has that kind of time, you should replace them with someone who will work a little harder.
Joseph Durnal
[ link to this | view in chronology ]
Best comment in the thread. . .
"Frankly, I don't want to know what you weirdos have in your inbox. It's probably disgusting at best, and illegal at worst"
Darn right. If I am reading your e-mail it's because I'm debugging something. And I'd really rather not read it at all if I can avoid it. I know it belongs to the company, but it still feels like an invasion of privacy and a massive waste of time.
-andy
[ link to this | view in chronology ]
huh....i read email?
[ link to this | view in chronology ]
Hospital emails
The reason the email was read was for a couple of reasons, to make sure that employees were doing their jobs and not sitting around sending pornographic emails and so the hospital would not get sued over illegal activity.
So if you just send normal business or standard casual emails your email will never get read.
[ link to this | view in chronology ]
huh?
[ link to this | view in chronology ]
Is this only company/corporate email or...
[ link to this | view in chronology ]
Yeah, right.
[ link to this | view in chronology ]
they read my mail
[ link to this | view in chronology ]
Words from an Admin.
1. That computer, your login, your documents and your messaging data DON'T (read DO NOT) belong to you. You may have one and your eight year old may use one, but the machine on your desk belongs to the corporation and you relinquish your privacy when you hit "OK" at the log in warning. Oh, you didn't read it where it says we can audit your box for any reason? Well, a thousand pardons maybe you should take 5 minutes out of youtube time and put it towards reading the log in warning. Kay great.
2. If I read your messages I do so lamenting the fact I have to search through your messages trying to find something because it detracts from my ability to do anything else, like read Techdirt.
3. I make a conscious effort NOT to pay attention to the contents unless they match my criteria for the search. I don't care that your aunt fanny thinks sending an e-card to your work is neat I really don't and thus don't read it. The less I know about you as an individual the better, because then I have to develop a degree of care for your digital well being. Sorry, but I don't.
4. Where did you learn that work was a good place to get email defining personal matters anyways?
Take the example of Susi Humantrafficker. She illegally smuggles people around the globe and works for the corporation whose network I maintain. If I know more about you and find out that instead of using your babiesovernight@aol.com address you used susih@techcorp.com I now could get called to the stand as a witness to testify against you should your little operation get noticed by the Feds. Sorry Susi, but I just don't understand your disregard for common sense which is why I will, despite my laziness, skip going to the gym and testify to have you summarily sentenced.
Think of it this way you wouldn't have your personal mail delivered to work, so why your electronic mail? But, then again I don't place a lot of faith in modern computer users.
This ends my ridiculous diatribe thanks for reading.
P.S.
I'm cynical and jaded. Don't try to disagree, because if you do I'll just remind you that you're wrong. Thanks again.
[ link to this | view in chronology ]
*sigh*
I've heard of IT being told to look for certain things during median downtime, such as who is surfing the net, who's taking care of personal business and e-mail on company time, etc. but not looking just to look.
I'd consider the source on this one...
[ link to this | view in chronology ]
@#4: What's your solution then? Lock IT guys out of systems? (Good luck getting that vital fix applied)?
@#19: You should probably take your PC somewhere you trust then. Doctors and lawyers take professional oaths to protect their clients and are paid handsomely for it. Your local Best Buy will have a dude working for slightly over minimum wage so he can afford beer at the weekend, so won't care (slight exaggeration, but still..). Find someone more professional, and they will act accordingly.
[ link to this | view in chronology ]
I don't really care what is in your email
I have worked for doctors and lawyers that required me to sign paperwork that I will protect the privacy of their data. I will gladly sign the paperwork, and re-assure you that I don't really care what is in the data, only that the data is working for you and safe when it hits the fan.
Some people imagine that all IT people are like the original BOFH. Although that series is funny as hell it is not reality.
...anyways the real interesting stuff is usually in word documents filed under employee reviews...JK
[ link to this | view in chronology ]