One in three IT staff snoops on colleagues

No, I don't worry about it. Our company explicitly reserves the right to inspect email and PCs if employee behavior warrants it (for example if employees are believed to be operating a personal business from work or downloading porn, etc.), so I don't have any real presumption of privacy.

After all, they own the entire infrastructure, so it's all theirs anyway. I just use their equipment.

I view email as a postcard anyway. Clear text emails are visible to anyone along the way if they have access to the servers or routers.

(I've been on the 'net since long before "the web", so perhaps my expectations are different from most.)

p.s.
Very much enjoy your columns, Helena!

I'm not worried at all, I always assume my employer has checked, is checking or will check my personal business at work. After all, it is their property! Fortunately we have a relaxed work environment where surfing the net is not prohibited as long as we get our work done.

From the moment I clock in til the instant I clock out, I am operating as an agent of the company.
What I do during work hours is absolutely the company's business, every email I write is company property. I could care less if IT guys are snooping, as long as they don't reveal my personal info to other employees (or anyone else for that matter) who don't have a need to know such things, which is against company rules. Our guys wouldn't do that.

I agree. When I use company time and computer hardware, I should be working. When using their equipment, what I write in emails belongs to the company. They also have a right to know what sites I visit when I go online on their time and with their equipment.

I keep a secure personal computer at home for personal stuff like online banking, credit card orders etc.

Though I don't worry about such things, at least where I'm concerned, it's interesting that this article just came out today, one day after a friend's boyfriend of four years broke up with him because of e-mails he found in my friend's Hotmail account. They both work at a bank, and my friend's now ex works in their IT department. The jealous sort and suspicious of what my friend might be getting up to, he recorded his keystrokes on his work computer, which gave him all he needed to be able to log into my friend's Hotmail account and read through his mail. Though the e-mails were seemingly innocuous, it stands to reason that anyone who will go to these lengths, risking their very jobs (and even prison!) in the process, isn't exactly stable to begin with, so those harmless e-mails were taken to be indicative of the worst, and he called it quits with my friend as a result.

So, needless to say, IT snooping can have serious ramifications even outside the job.

One in Three IT professionals? I find this extremely hard to believe. First off, one in three IT professionals do NOT have access to passwords or any sensitive data. So, which of ALL THE IT professionals are included. Is it just database administrators, network security, information security, programmers, managers, operations.... Let's not scare executives until we understand the entire field that is being discussed.

At Wal-Mart you have to worry about everything....they monitor everything

True professionals in this business have nothing to fear.

Funny that you mention "executives"...............

In my experiences, they are the least knowledgable of any in this field.

Plain and simple. If you have a fear of being snooped on at work then do your personal online business at home where it belongs. The company that you work for provides you with the equipment and internet access so you can do your job. It is not provided for you to email or text your honey, make you the next online stock trader millionaire, or feed your need for strange porn.

We have never implemented a policy limiting use of the Internet, we have always assumed our employees were smart enough to work, and look around online.

However we do have a policy that reserves the right to inspect, monitor, view employee E-mails, communications, txt messages on company phones, and anything else used in their job. Any software made on the job or for a job belongs to our company.

And the 2 years since I have been the IT Manager i have only had to do one investigation.

Coming from the System Administrator's side, I would like to say that I personally (and hopefully others as well), hold myself to a higher standard. The Lopsa System Administrator Code of Ethics (you'll have to google it, I can't post links here) is posted outside of my door, and I firmly believe in it.

In the past I have had people say to me "Oh, you consult for banks? Can you see how much money I have?" (which I could), or "Can you read my e-mail?" (which I could), and I tell them "I *could*, but I don't. To me, it's just data. My job is to make sure that it's protected and backed up, and that it's correct."

Now, granted, in the course of my job, there are times where I have to get into forensics. If you are surfing porn on my (notice how we admins take personal ownership in our networks) network, then guaranteed I will find it.

This is also something that I do not take lightly, however. Keeping in mind that when I go into that "mode" of investigation, I'm fully aware that my findings will most likely have an impact on that person's future employment, and depending on what they've been doing, their basic freedoms (jail). It's a job that I don't care to do; I'd rather think that everyone was behaving on the network and not looking at naughty bits while at work. I make sure that my findings are accurate, and that my report is complete before submitting it to HR / Executives / Etc.

I have to continually remind myself that I didn't hold a gun to that person's head and tell them to look at porn at work. I must be professional and objective.

I was, frankly, shocked to see the headline that said that fully 1/3 of the administrators out there are abusing their power. Shocked, and disappointed, that people don't take the position seriously, and are giving the rest of us a bad name.

What I *have* noticed (and would be an interesting study) is how many sysadmins are kind of "full of themselves". I can't tell you the number of people I work with who say "Gee, you're the computer guy? Every place else I ever worked they were unseen and aloof..."

If you're not focusing in your internal customers (the other employees using your network), then how can you best fill their needs for getting their jobs done?

Thank you for letting me rant... hopefully folks realize that there's still ethically sound admins out there.

You know, in reading Pat from NJ's post, (s)he makes a very good point.

Only a small percentage of "IT Professionals" should have Administrative access. Obviously, in my previous posting, I spoke as an administrator with administrative access.

I have consulted at places where they freely handed out the administrator password (or had it taped to the front of the monitor). (Shudder)

I was so proud of one of the banks I consult for, because when an external company came in to do security testing (including security testing), they said to one of the people there "OK, I just need the administrator password to get started with the testing" and the person replied "I don't *think* so... I will log you on to the administrator account, and stand here while you use it."

I was so proud. :)

Perhaps the headline should have read 1 in 3 Administrators, or 1 in 3 with Administrative access, but certainly not "1 in 3 professionals"... They do need to clarify that statement.

I mean, remember, 94% of all statistics are made up. (including that one) hehe

--Greg

It just goes to show that even the folks with the keys to the kingdom need to be watched/audited. Who is ensuring that the people with the power to use unmonitored authority are trusted, but verified?

Skip email, what other sense of implied privacy do most of us expect from the work place?

I do not expect that what I use my work machine for is private (business specific) information, however I do have a job to perform that requires some level of privacy (within the company) and if I am in the process of auditing, or reviewing or testing and then reporting on IT, do I stand a fighting chance when my hard work can be intercepted and effectively discredited before even presented to the Board of a company?

For example(1): I prepare a report for the board that states that the IT group has not established appropriate measures to mitigate a risk, say 'risk a'. I have done my homework, I have clearly determined that IT has not prepared for 'risk a' and that the expectancy of 'risk a' in a year is likely to happen in this year.

Information leaks out, 'risk a' is inserted into the 3 year plan, appears on desk tops everywhere, etc.
YOU are thinking, good result from IT covert channels, however the real result is that 'risk a' is minimized for the board, I look like a fool for touting something that is ALREADY being addressed and 'risk a' is lost in the budgeting process because it did not get the attention of the Board.

The value of my job is slighted - axed maybe, and the IT admin with the keys to the kingdom gets a raise for being ahead of my role.

Where and when do you think 'risk a' will get the attention it really requires?

Example(2): Marketing and Trading in some companies makes friends with IT and provide iPhone for information, innocent right?

Example(3): Anyone remember the 7 Billion dollar guy in France, to much IT information tied to business processes.

Example (4): COME ON IN THE WATER IS FINE - ADD SOME OF YOUR OWN PET PEVES ((RANT ON))!!!!

I view the internet email system as being similar to the US Mail system and emails should be private. That doesn't condone sending them on company equipment or using company time to send them, it just means that the same privacy laws that apply to the US Mail system should also apply to email. If a company sees you using their system for sending private employee email during work time on their equipment and they discipline you for it, you deserve the discipline, but that should not give the company carte blanche to read or share the contents of the email.

Being realistic, I know that anyone with the correct software and passwords can hack into anyone else's account and read their email. Being idealistic, that should be illegal. It would be the same as you mailing a letter via US Mail to your mother through the company US Mail slot, the company catching it, and opening your letter to prove you sent a personal letter through their US Mail system. The message is still private, the act of using the company mail system infrastructure to send the message is the breech of company rules/trust. Maybe the answer is for companies to provide separate and secure access to the internet as an employee benefit for use during lunch hours and off hours.

I like the wrap-up comment Merlin!

While it is an inarguable point that one has little or nothing in the way of a 'Reasonable Expectation of Privacy' when using an Employer's computing/network resources, as those resources aren't owned by the employee, but the organization that employs them -- from a Managerial perspective, I've seen much of what I would classify as egregious abuse of the use of surveillance software (Corporate-Grade, not just a mere consumer-grade keystroke logger, but something which could be and was deployed across every workstation which authenticated to the Domain Controller, with even new machines joined to the Domain having 'pushed' onto their machines, as this entire framework was put into place without even the knowledge of any of the IT staff, barring those at the very top, and neither the Network Admins nor the techs who formatted/deployed new workstations were told of it (and none were aware of its existence) -- to say nothing of the employees themselves, who were entirely unaware of its existence.

While this was done under the aegis of "Protecting Intellectual Property and enforcing Information Security" of the organization, as no other adequate measures were taken towards that end -- including lack of proper Antivirus/Anti-Malware protection -- as the 'Non-Technical' staff (e.g., CSRs, secretaries, Middle Managers, etcetera) had machines which were invariably infected by spyware and/or viruses with some regularity, while those in charge of monitoring the centralized repository of the data gathered from all the workstations in the company spent countless hours poring over the personal chats, browsing habits, and inter-office gossip which is inherent in virtually all organizations of a certain size, it became clear that neither security nor the protection of Intellectual Property had anything to do with what was being done; when it was suggested to those in charge that a logon banner notifying employees they were subject to monitoring while using company resources would put the company in a more legally defensible position, that was dismissed, instead turning to making inquiries as to how to configure a particular keyword-trigger feature so that if any employee said something derogatory about person(s) XYZ (with the triggers configured, by pure coincidence, so that XYZ = Those doing the monitoring) it would record data more closely, and notify them of it immediately, as well. That they were clearly engaging in nothing short of a type of voyeurism became undeniable, as things progressed to the point where not only no attempts made to inform the employees they were the subject of constant monitoring, it came to the point where those few of us who were aware of the monitoring were expressly *forbidden* to disclose to any other employees that they were being actively monitored, even going so far as to threaten termination as a consequence of disclosure(!), which clearly demonstrated the true motivations of those involved, as trivial as those were -- being nosy and voyeuristic -- with protection of Intellectual Property and security not even being a plausible 'front' for the behavior of those in charge of things. As, during my time there, not a single monitored employee was terminated for 'inappropriate' use of company resources, and being in the office with a 'Watchman' who, while I was meeting with them, proceeded to idly scroll through different employee Hotmail and Yahoo accounts, with no clear purpose or reason for doing so but to simply "read someone else's mail", there was no room left for charitable interpretation of their actions.

While the above is an extreme example, it both denies and affirms certain points, namely:

A) That those in a position of power can perpetrate greater abuses, owing to their greater position of power, and
B) That abuse of power, including invasion of the privacy of others, is by no means the sole purview of Information Technology staff.

While one study does not a proof make, I suspect if one were to expand the scope, one would find that out of *any* given segment of those within the 'privileged' ranks of the managerial or IT sectors, one third of them (to give a figure) are probably prone to abuse what they can abuse, regardless of what their profession may be. So, instead of "One out of three IT staff", perhaps "One out of three people in a position where they have the privilege/access/information" will abuse it.

What I would like to make clear is that, while not disagreeing with this article, or the study findings, I think it is inaccurate to depict IT professionals/staff as being prone to pry and/or abuse their privileges, meanwhile not addressing that there is just as much, if not more, abuse of access and invasion of privacy from those to whom the IT professionals report to, that being, in its own way, far worse, as it generally evolves from being initially Covert, to finally becoming Formalized and made into Standard Procedure, by which time, nobody realizes they should have protested it long before it became that way.

My point is not to defend those who blatantly abuse company resources, or to be an apologist for any of those who have abused Admin-Level access: having been in charge of everything from medium- to Enterprise-sized Information Systems and Infrastructure for Corporations and other organizations, I think it deplorable that anyone would abuse the Administrative privileges entrusted to them, as from the perspective of the individual and organization alike, we *should* be able to trust those who Administrate to and otherwise tend our email, our Personally Identifiable Information in an HR or Accounting Database, etcetera, as being an Administrator of *anything* which others use, be it a mail server or a Database, is a serious responsibility, and a position of Trust. To betray that trust is extremely unethical, period.

Professionally and personally, I can say I have never violated that trust, as I hold it inviolate: even when I am in a position to tend to other people's email, I DO NOT read it -- I recall a time in the mid-1990's during the course of fixing a corrupted (MBOX format) mailbox -- and I did it without actually reading the contents of the emails themselves, only looking for delimiters. In systems I've designed, I am as diligent as possible to ensure the Principle of Least Privilege is in effect everywhere it possibly can be, as anything less would be a disservice to those for whom I am doing the work, and/or their users, as well.

In counterpoint to the above, I think it only fair to say that virtually all of us in any number of industries have seen what a reasonable person would perceive as "abuse" of an organization's Computing/Networking resources: one only needs to occasionally read the Washington Post to catch mentions of those employed by the Federal Government being caught (say) downloading pornography over a long period of time, or making arrangements for Prostitutes using the Government's resources/facilities; some of what's been publicized just in the last year or two has been scandalous enough that some of them might even serve reasonably well as a counterpoint to the aforementioned abuse from the Managerial standpoint, with these being from that of the employee.

In summary, Physicians and Attorneys are bound by certain Oaths prior to being eligible to practice their chosen vocations; they are expected to adhere to a standard of Ethics in their respective positions, and during their careers, they can and may be subjected to peer or peer-appointed group review(s) if the question of Ethics violation comes forward. Is it such a strange notion that, perhaps those more "Senior" in the IT field, and/or who are entrusted with the Administration, securing, and/or monitoring of Information Systems, have the same Duty to honor the privacy of those whose information we have been entrusted with?

While I cannot see a revamp or sudden AMA/Bar-like association sweeping the entire field of IT professionals, complete with people lining up to take an Oath to uphold a basic standard of Ethics, is that in and of itself really such a bad idea...?

The last post was dead on. I agree that members of the IT industry should create a simple ethics creed and stand by it. We are employed to protect networks and their data. Not hired to packet sniff, looking through other users emails, or violate the users privacy. We are hired to assist the user so that their job is made easier and less stressful. However, the only time we have a right to violate privacy is when we are performing and investigation of a user if they should violate the Terms of Use/Policy of a company, which makes sense. Just doing it because you can is a blatant disregard for morals and the user's trust. A code of ethics for the IT industry would do us some good because it would hold the dishonest IT people accountable.

I don't worry about it... cause I AM the one that does the snooping :)
When I wear my "I READ YOUR EMAIL" T-Shirt people don't think twice. People should know and I have always let people know: All network activity is monitored. Those that abuse company policy are the ones that get busted. Normally I'm very lenient and overlook stuff, and to be real honest... I don't have the time to waste reading people's SPAM and stupid Forwarded chain letters.

What many don't understand is that we are paid to be suspicious. If there is any breach of security or protocol the first person that will be questioned is the Systems Administrator. For those that work in healthcare know how strict HIPAA guidlines are and we need to comply to make sure that patient, sensitive or company information doesn't get leaked out. What's the easiest way? EMAIL. So.... We're just doing our jobs.

Merlin said: "I view the internet email system as being similar to the US Mail system and emails should be private."

That is a common mistake. Everyone *SHOULD* view the e-mail system like sending post cards.

With snail-mail, if a letter is mis-delivered to your mailbox, you can write "Not at this address" and put it back in the mailbox, without ever reading the contents or opening the envelope.

However, if a postcard gets mis-delivered, there it is for everyone to see. Including the mail carrier, the sorter, your neighbor, whoever, because it is NOT sealed.

Same with e-mail. If it gets mis-delivered, it's like a postcard. Only with secure mail (stuff like Secure Pipe and Voltage and others) where the recipient has a "key" to open the e-mail is it like a letter.

I will also agree with USA Infidel by saying this: I've been on the Internet since 1984; I've run online systems, bulletin boards, chat systems, and mail servers for years and years. I don't *care* what people send in their e-mail, and I only look at work if there's an allegation and I'm part of the investigation.

I don't care who does what to whom, where the next party is, whatever. To me, it's all data; and frankly, after so many years, there's nothing that I haven't seen or heard already. lol

Two great points made already:

-Chris from MN is dead on, you have been fully disclosed to up front that you are on a "company network". With that being said, if you knowingly commit actions that would be considered obscene or send sensitive personal data you are doing so knowing the material could be read or seen by a coworker.

-Several have commented that it should be 1 in 3 admins, not 1 in 3 IT professionals. Totally correct. An Exchange Admin is more likely to see your email than a DBA or PM. A network engineer is more likely to see you web surfing inappropriately then the IT director.

Bottom line, employee access is like my son's computer and internet access at home: Until he buys his own computer and own internet access at 18 he can do what ever he wants, until then, I am watching him and his internet activities/communications like a hawk so he doesnt hurt himself or my family. Just like an employer watches their employee's to make sure they don't hurt themselves or the company.

Finally an article about this! And while Chris may claim that an employer has a right to view e-mails and employee personal business in the workplace, it opens up a new arena as well. For instance, is the IP Department sitting reading personal employee e-mail as though they are judges on "American Idol", and then disseminating that information? Do they pick, choose and pass judgment on internet uses by employees in the workplace based on personal content and take revenge on those who don't put out or don't access their personal e-mail in the workplace? Do they access passwords of personal accounts and read e-mails of employees when they are in the privacy of their own home? There are many questions that need to be asked and answered when it comes to the IP Department. Most companies hire them because they don't want to deal with the intricacies of technology, and rarely oversee whether is IT is usurping its authority and violating Constitutional rights to privacy where there is no question there is an expectation of privacy. In essence, IT Departments in most cases are answerable to no one which is not really a good thing. Good article. We need more articles in this particular area.

AMERICA has become a third world country. Everywhere you look another freedom is being taken from us. You can blame it on 9-11, but we were getting the"short shaft" before then.
Now anyone can tap ypur phone snoop into your personal life, or steal all your money on a phony stock deal, walk away free as a bird. Pretty soon everyone not rich wil be living like dogs and showing papers just like RUSSIA. Some my be lucky, and die in a stupid WAR for some reason that is ,in fact, another LIE.

America is now a third world country. More freedoms are taken away every day, privacy is a joke. The average man is being taken on a BIG ride of lies, stolen funds , that cann't be recovered, and gas that cost as much as a diamond. Police, bosses at work, FBI,CIA, and any number of other people we don't even know, know ALL about us. Welcome to Russia or any of the African nations. "Who's watching the WATCHERS?"