Bill Thompson 

Every click you make

Most people now use the internet in the office as they would an office telephone. But, writes Bill Thompson, the easy access days are over
  
  


We have all done it. At the end of a particularly irritating meeting we send off an email to our close friends at the office telling them exactly what we think of the new manager's dress sense, nasal hair growth and corporate vision. Or we come across a particularly juicy photograph of two people locked in an embrace, one of whom just happens to look like the new photocopier engineer, and email a copy to one or two select colleagues.

It is part of the net culture in many offices. But, as 40 people fired from mobile phone company Orange in September for exchanging 'inappropriate' material over the internal email system found out, it can also get you into a lot of trouble.

It has always been possible to monitor staff email. Now, regulations which came into force on October 24 permit your employer to read your email and monitor which websites you have been visiting. And they can use that information against you.

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations, drawn up by the Department of Trade and Industry under the Regulation of Investigatory Powers (RIP) Act, mean that employers can also listen in to and record phone calls, check who you are calling on your mobile phone and search the hard drive of your laptop, if these items are provided through work. And they can do all of this without asking or telling you they are doing it, if they think you are committing a crime or doing something 'unauthorised', like sending personal emails or booking your holiday online.

According to e-minister Patricia Hewitt, the new rules must "strike the right balance between protecting the privacy of individuals and enabling industry and business to get the maximum benefit from new communications technology". They have been welcomed by employers' organisations such as the Confederation of British Industry, which believes that routine monitoring of email is both normal and acceptable.

But for trades unions or civil liberties organisations, the main concern is the imbalance between the rights of employers and those being monitored. "We have been calling for the regulation of surveillance for some time now," said John Wadham, director of human rights group Liberty, "but these regulations do not go far enough to protect people's privacy."

Yaman Akdeniz, director of online civil liberties pressure group Cyber-Rights and Cyber-Liberties, calls the regulations "very vague" and fears "anything is justified under them". Caspar Bowden, director of the Foundation for Internet Policy Research, says: "The DTI has given bullying bosses carte blanche to pry and exploit knowledge of the private lives of employees."

But there is a general acceptance that some degree of monitoring of email and web use is legitimate. If an employee is on holiday, ill, on a delayed train or away at a conference, it is important that email is dealt with and working documents can be accessed. In these cases, says Akdeniz, employers should be obliged to tell staff what they are doing, since "whatever policy they use it should be open and transparent to the employees". Wadham wants employees to ensure that "everyone knows that their communications are going to be under surveillance and under what circumstances".

The new regulations state clearly that only "communications relevant to the system controller's business" can be monitored and recorded. Yet people may send and receive emails which reveal office affairs or health problems, and these could be being read by managers and systems administrators.

One solution is for staff to be told that personal use of the system is not allowed, although this would be hard to enforce. Wadham believes workers should be provided with guaranteed privacy in some areas, perhaps through a separate personal email account for non-work matters. Employers could also agree not to restrict staff use of web-based email, limiting their interest to communications from work email addresses.

Even with an agreed policy, there are still problems when monitoring is secret, perhaps because an employee is suspected of criminal activity or breaking their contract. It is also highly likely that monitoring will uncover personal information which is not relevant to the job.

Nigel Wildish, an expert in IT law at London law firm Field Fisher Waterhouse, thinks "the issue is to what extent an employer can intercept or block employee email that is not to do with the business". He cites the need to stop viruses or block obscene material as legitimate.

Journalists are worried because many have confidential sources who use email from their workplaces. Milverton Wallace, organiser of the annual NetMedia conference for online journalists, has arranged a seminar on legal ways around the regulations. He says: "Unless we can find ways of guaranteeing that our communications with sources are really confidential, we will not be able to expose wrongdoing or investigate government or business effectively."

The new regulations do not address the issue of how an employer uses the information obtained. If personal data is being read then the Data Protection Act (DPA) comes into force. This requires that personal data should be obtained legally and used fairly - a provision absent from RIPA.

The Data Protection Registrar has just published a draft code of conduct on the use of personal data in employer/employee relationships which deals with monitoring email. It accepts that "not all monitoring necessarily falls within the scope of the Act", but argues that "systems that involve the interception of personal electronic communications such as email will almost certainly be covered". Employers would have to ensure "monitoring operates in such a way that it does not intrude unnecessarily on employees' privacy or autonomy".

Phil Jones, assistant commissioner in the registrar's office, says this could mean an employer who acquires personal information by surveillance under the RIPA regulations could still be prosecuted by the DPR. "We are saying that when there is going to be any form of monitoring of email or phone calls then the fair thing to do is to be open with individuals. There should be clear policies", he says.

Rod Armitage, head of legal affairs at the Confederation of British Industry, has criticised the draft code for not acknowledging the needs of employers. "It has failed to recognise the context in which business email systems work," he says. However, Jones feels that the possible conflict has been rather overstated. "The code is a draft that covers lots of employee and personnel issues", he said, "and interception is a minor part." But he admits that "we may see legal challenges to how interception is carried out, although not to the fact of doing it".

Wildish says that "the RIPA powers are wider and more helpful to employers than the Data Protection Registrar's code of practice", and he is critical of the DTI and the DPR for "not talking together before they launched this".

Article 8 of the European Convention on Human Rights, which became part of UK law on October 1, guarantees respect for private life, while Article 10 gives a right to freedom of expression. Judges are now bound to consider all legislation within the context of this act. This means that intrusive, excessive or unreasonable surveillance could be illegal, despite the RIPA regulations.

Wildish says: "it is difficult to see how the Human Rights Act will be interpreted. For one thing, companies have human rights too, including the right not to have viruses infect systems". When employers do not clearly state their policies, employees will be forced to act on the basis that their email is being read and their web visits logged.

The only hope for those concerned for civil liberties comes from Nigel Wildish, who points out that "an employer needs a system that complies with all three acts, so the one most favourable to employees will determine how much employers can intercept". At present that means that the Data Protection Registrar's draft code of conduct offers the best way of stopping snooping employers. We can therefore expect to see intensive lobbying of the Registrar before the code is finalised in January, as employers attempt to make it easier to monitor their staff.

What employees can do
Perhaps the most useful thing you can do is to try to make your employers issue guidelines on how and why they will monitor email and internet use. If they refuse, assume the worst - they are reading everything.

There are limits to how secure you can make yourself when using a work computer on a work network, simply because whoever owns the hardware and internet connection controls almost everything. They can read cached web pages, look at your mail boxes, log messages at the server, tap into the physical network, grab all data passing through the router or firewall and even log every key press and mouse click you make.

Use your own mobile phone at work for personal calls (assuming your desk is not wired for sound) and your own laptop for all personal files or emails. You could even bring a laptop and modem into work and dial up your own ISP - although you may get into trouble for making 'personal' calls.

The latest handheld computers or top of the range mobile phones will let you surf the web and send email - and you don't have to limit yourself to the low-tech Wap services.

If this is not possible, stop using work computers for private email or Web surfing. Find the local cybercafe and head there at lunchtimes instead of having a sandwich at your desk.

If you really have to be online for your friends while you are at work, think carefully about what you are doing.

Web-based email services such as HotMail may seem secure because your messages are stored on their computers and sent over their connections, but the web pages you are looking at still have to come into (and go out of) your work network and this means they can be monitored. Since you are using the work computer and internet connection, this is even allowed under RIPA.

You can get secure web email - Hushmail.com offers the best-known service and the British campaigning group Cyber Rights and Cyber Liberties has just set up its own Hushmail service at www.cyber-rights.net. This will give you private email, although the fact that you are using an encrypted mail service may attract attention.

So you also need to use Anonymiser to hide the web pages you are visiting from any curious systems administrator.

Unfortunately, if your employers have installed keystroke logging software, not even this will help, as they will still be able to find out what you are typing.

And if MI5 or the police want to monitor your activities in cyberspace, you stand very little chance of keeping things from them unless you invest significant time and effort in it.

Posting hand-written letters may be your only option.

See also...

For the DTI's Lawful Business Practice Regulations
www.dti.gov.uk/cii

For secure web-based email
www.cyber-rights.net
www.liberty-human-rights.org.uk
www.cbi.org.uk
www.anonymiser.com
http://freenet.sourceforge.net

For online privacy advice
www.hmso.gov.uk/acts/acts1998/19980042.htm

For the Human Rights Act
www.ffwlaw.com

For Orange sackings story
Orange sacks staff for net porn - reported at www.zdnet.co.uk/news/2000/34/ns-17649.html

Living with the RIP Act, a journalist's guide to surviving cyber regulation, is on November 16 in London. See msw@net-media.co.uk

Data Protection Registrar's draft guidance at http://wood.ccta.gov.uk/dpr/dpdoc.nsf

 
