Re: Proposal to revise ISOC's mission statement

From: Christian Huitema <huitema@xxxxxxxxxxx>
Date: Tuesday, November 7, 2017 at 4:46 PM
To: Lee Howard <lee@xxxxxxxxxx>, james woodyatt <jhw@xxxxxxxxxx>
Cc: IETF Discussion Mailing List <ietf@xxxxxxxx>
Subject: Re: Proposal to revise ISOC's mission statement



On 11/7/2017 11:06 AM, Lee Howard wrote:
 (Responding to James Woodyatt)
Those are dissimilar with respect to the issue of consent. It’s one thing to use surveillance technologies in the role of legal guardian for dependents without capacity for consent, and it’s an entirely different thing to use a contract of adhesion to coerce subordinates into “consenting” to give up their rights to intimate privacy.

You have no right to “intimate privacy” at work on your company-owned computer on the company network on company time.

Lee, you are making here a legal statement, "you have no right". As a matter of fact, that statement depends on which laws apply in the place of business. I understand that most US courts will consider that employers have a right to monitor employees' communications, although there are gray areas when employers allow private use of corporate email. But then, German courts will take the opposite view.

The opinion of the European Court of Human Rights, as reported here by the NYT (https://www.nytimes.com/2017/09/05/business/european-court-employers-workers-email.html), is rather nuanced. The very high level summary of that opinion is that expectations should be set clearly, so that employees understand what is monitored and what is not. The opinion also states that enterprises should be reasonable, and limit their monitoring to work relevant issues.

Thanks for that link; that article was interesting and illuminating. The nuance is that in affected jurisdictions, employers must disclose the extent to which they might inspect employees’ communication. That seems like a reasonable constraint (although one that would have been better articulated before the fact, rather than inferring the requirement). 

I think rights, though, are not just a legal matter, but a philosophical one. And when examining rights, it’s always interesting to examine the inverse, and look at who is compelled to safeguard those rights.



Bottom line, the situation is much more nuanced than "you have no right". Although of course I always advise my friends to not conduct private conversations using corporate email, and use their own personal account instead.

That’s prudent advice. Even if they weren’t permitted to produce your email in court, trusting that your employer isn’t monitoring your activity is asking for trouble. Firewalls can’t tell the difference between mSexChange and MSExchange (real example), and employee can do many things short of legal action.

Practical example: I was firewall administrator at a previous employer. So when they asked about employee activity, and I did some analysis, I could say, “This person is spending 4-6 hours a day on Local University site, and this person spends 40 minutes around lunch time on porn sites.” Rumor was (though I was not privy to personnel records) that the first person had been billing that time to clients, and was fired for fraud. Second person’s activity suddenly stopped appearing in logs a couple weeks later. 
Even if the employer didn’t have the ability to produce those logs in court, management might have suddenly been a lot more visible with those employees.


Lee



-- Christian Huitema
