Preventing Email and Internet Abuse

Alan Fraser
A survey by the law firm Theodore Goddard showed that less than 60% of UK companies have policies on Internet use, and only a third include these in induction for new staff, and the situation with electronic mail is even worse. This is a potential minefield - without guidance, staff regard access to the Internet as a “perk” and email as completely informal, and they behave accordingly, not only wasting company time, but also laying themselves and their companies open to legal consequences, not only civil but criminal. Current legislation is not helpful, as it emphasises staff's privacy and "human rights" over a company's rights to ensure that its employees do not break its disciplinary rules or the law. The Freedom of Information Act, which became law in January 2005, makes having an email management policy critical. Companies that do not draw up and implement carefully-worded policies can be exposed to the risk of expensive and damaging litigation.
Whilst Jana I.S.S. Limited cannot give legal advice, we have good experience of drawing up Internet and email policies that can then be passed to your legal department or company lawyers before implementation. We can also assist in materials or presentations for staff awareness training.
Email Problems
A company where I did some regular security consulting added me to their internal email system. My name was the first of the Frasers. While I was there I received several messages intended for Fiona Fraser, who was next to me in their address book, and also for Heather Fraser and Iain Fraser as well (at least one of which had been marked “Confidential”). It therefore seems reasonable to assume that Fiona Fraser and Heather Fraser, who were also next to one another in the address list, sometimes got each other’s emails. I read in “Newsweek” recently of a case in the United States where a male employer sent a graphically worded, sexually explicit, email message to a female colleague. The company was using content monitoring technology on the electronic mail servers and the message was picked up. Both employees were interviewed, when it transpired that they were in a relationship. The woman insisted she would not have been offended by the message, but the man was still given a written warning to go in his personnel file. He was suing the company because he claimed they infringed his privacy by intercepting and reading a private message.
But what would have happened if this man had misdirected the message to a woman with a similar name? My Fraser example above shows this to be quite likely. The recipient would have been greatly distressed and would have almost certainly sued the company. There was once a joke list going round with “25 Reasons Why Beer Is Better Than Women!”. Some women responded appropriately in kind with “25 Reasons Why Shopping Is Better Than Men!” and “25 Reasons Why Chocolate Is Better Than Men!”. However, in the USA women workers receiving this list sued their companies on the grounds that they were sexually harassed by it, and won seven-figure damages! If something which most people here in the UK would regard as fairly innocuous is deemed so offensive, imagine how offensive the message described in “Newsweek” would be thought if it went astray!
In one UK case I dealt with, a man was dismissed for emailing a pornographic picture he’d downloaded from the Internet to a woman contact in another company. She complained to her manager, her company complained to his company, and he was sacked for breaching both their Internet and email codes of conduct. The man and woman must have previously established a bantering relationship via email that led him (mistakenly) to believe she wouldn’t be offended. The lesson is obvious - even if they think their recipient won’t be offended, staff should already know that by sending such a message they are committing a breach of their company's Acceptable Use of Electronic Mail policy and should never under any circumstances send such material! Also, where emails containing “dirty jokes” have been allowed to circulate in a company without management action, courts in the USA have judged this as proof that a culture of sexual discrimination exists.
In the UK a woman worked in an office where staff with everyone’s agreement allowed each other access to their email mailboxes to cover for absences. She made the mistake of using the firm’s email system to ask a friend to get her some cannabis, although she took the precaution of deleting the message from her sent messages file. After she’d gone home her boss needed to access her mailbox and spotted the friend’s reply to the request for “weed” in the inbox, with the original message attached. She was suspended from work while the incident was investigated, and eventually admitted gross misconduct. Because she was a good worker she escaped with a written warning, but she chose to leave the job soon afterwards, only to find this incident mentioned in her reference. Like the man in the “Newsweek” incident, she considers herself unfairly treated. With clear guidelines banning the use of email for illegal activities, she would have realised beforehand that sending such an email from her work PC would be not only against the company's code of conduct, but a bad idea.
The very speed of email is also its biggest drawback. Messages are composed and sent quickly, so sometimes they are sloppily worded and can be misinterpreted. Enough thought does not go into the words; bad temper isn’t given enough time to cool off, and a heated exchange is started instead of things being calmed down. Companies must therefore in their email policy tell employees about these risks and advise them always to be prudent in what they write in emails, both internally and externally. Another danger is that messages thought informal by their senders have been construed as setting up binding contracts or used as evidence of breach of contract. Off-the-cuff email advice about product suitability in a specific circumstance led to a big damages claim when it was proved to be wrong - the sender did not obtain sufficient information about the customer’s intended use of the product before making a judgement. Another instance is where employees of one UK company made disparaging comments about a competitor in emails to prospective customers. One recipient forwarded the message to the competitor, who sued and won £450,000 in damages. I strongly recommend that email messages to external parties should always include a disclaimer (which can be added automatically by most email systems) stating that the opinions expressed are those of the sender alone, and not those of the company. A good general rule is: don't put anything in an email that you wouldn't put in a typed and signed letter. (In the days when letters were dictated and typed by secretaries, the secretaries often used their common sense to defuse many angry letters. Also, re-reading a letter before signing it sometimes made you realise the message could be worded much more positively.)
Another risk is the passing of confidential information from the company to outside. The press misreported as "hacking" a case in British Telecom when ex-directory telephone numbers were posted to a web site. In fact a temporary employee who had access to the information had emailed the list to an external contact. Internet mail makes it very easy for people to email such confidential information or company secrets out of the company. It’s far safer than photocopying documents and taking them out in a briefcase! Content monitoring of outgoing mail can limit the risk by, for example, blocking the email addresses of competitors or intercepting messages sent to them for review.
Bad publicity was caused for a Japanese-owned bank by newspaper reports about one of their workers who was an anti-capitalist activist, passing information to other activists helping to organise the summit protests in the City of London from their head office in London. In messages sent from inside the bank he boasted of his skills as a computer hacker and threatened to attack corporate web sites. These activists are very computer-literate, so it is not surprising that one was working inside a bank as a “saboteur”. This is a very good example of the type of message that should be intercepted and action taken.
As stated already, a company's email policy should also ban joke messages - they're usually harmless, but not always, they can sometimes be virus-infected, and they always waste people's time and take up network traffic capacity. If in the Beer example above the company had banned joke messages in its email policy and had evidence of having punished offenders, it could have claimed in court that it had taken all reasonable steps to prevent such an occurrence, and was therefore not a party to the offence. Virus hoaxes are also a great nuisance because they clog up email systems and waste so much Help Desk time. This is even more galling because they can be so easily recognised - staff should know what to look for, even if they receive such a message from a usually trusted source. Because of traffic problems, possible virus-infection and breach of copyright, I recommend banning executable files of all sizes from the email system - there are better ways of distributing them than email (such as via the intranet using html or ftp). In addition to warning employees about inadvertent spreading of viruses, the deliberate spreading of virus warnings must be explicitly banned. This also applies to chain letters - a recent example is one purporting to show the picture of a Western girl orphaned by the South East Asian tsunami. This message asks recipients to forward the message to everyone they know, in the hope that the girl can be identified. All it actually does is clog up mail servers - if she is a real victim (which I doubt) there are procedures in place that will identify the girl eventually.
Another email problem that can affect staff is "phishing" - emails that purport to be from online services companies and banks asking the recipient to "verify their account details". They are usually directed to a fake web-site that counterfeits the genuine web-site, but on one occasion were directed to a pop-up window on the real web-site, thus providing assurance that the action was legitimate. It isn't - the objective is to obtain the user's sign-on details and then milk their account. Real online financial service providers never send emails in this way.
Preserving Confidentiality
Unlike post sent through the Royal Mail, email can be seen or, even worse, modified by any number of individuals as it makes its way to its destination. There is, for example, a program called Altivore freely available on the Internet that is able to read anyone's email. It has the ability to scavenge the Web for emails and allow anyone to read them.
What most email authors don't realise is that reading another's email is comparatively easy. When you send an email, it is very much like writing a note on a postcard. The odds are that no-one will bother to look at it, but if they do, anyone can see exactly what is written there. However, your postcard is usually written in ink - an email is like a postcard written in pencil, so it's easy to make unnoticeable changes. Also, postcards are not given highest priority by the mail services and frequently get misdirected or lost forever!
There are ways to prevent this, of course. The only problem is that traditionally, the method has been cumbersome at best and totally unworkable at worst. Encryption is the answer to personal privacy and surveys show most people would be willing to use encryption if it were simple and easy to use. Fortunately, easy solutions are now available.
Having used email encryption very successfully for some time now, I recommend it strongly to all clients for confidential emails and attached files. It is very easy to introduce Digital IDs from VeriSign (for example) into an email system like Microsoft Exchange, and also into Outlook on client PCs. The same applies to using Pretty Good Privacy (PGP) to encrypt attached files, which is good for external contacts. These products also provide digitally signed mail, proving the authorship and integrity of a message, which is essential if it is to be accepted legally. You must use at least 128-bit encryption. The password protection provided by programs such as WinZip and Microsoft Office can be easily broken by hackers. If you need more information on this, please contact us. We also keep information on countries where using encryption is forbidden or restricted.
Another problem that affects the legality of emails is proof-of-posting/proof-of-delivery. There are services available that allow you to track critical emails. This is useful for important legal and other communications. One of these services is Postminder.
Reducing the Threat of Litigation
A company has to take firm action if they wish to minimise the risks of litigation arising from employees’ misuse of the email system, such as threatening or harassing other employees (or third parties). The company must first spell out clearly to their employees in a well distributed and promoted Acceptable Use of Electronic Mail policy, exactly what is and what is not allowed to be written in an email message. In this way they can rightly claim that they are not an accomplice to any sexual harassment or other offence that may occur, and have taken all reasonable steps to prevent it. The man in the “Newsweek” example should have been completely aware that he was committing a disciplinary offence by using such language in any message on the company’s email system, whomever it was intended for. The woman in the cannabis example should have been completely aware that she was breaking her company's Acceptable Use Policy by using their email system to undertake an illegal activity.
The next step is to install content monitoring on the mail hubs, to ensure that if such messages are written in contravention of company policy, they can be picked up and prevented from reaching their intended recipient(s). This is something I strongly recommend to clients, in spite of their worries about infringement of the privacy of their employees. Everyone agrees that snooping is bad, so make sure employees are informed that the intention is not to snoop. Monitoring is taking place both quantitatively to measure and plan network traffic, and qualitatively to prevent security breaches - no breach of employees’ privacy is intended (no-one sits reading people’s emails), and messages which adhere to the usage rules will never be picked up. If you monitor the mail hubs, and also incoming and outgoing mail, known viruses, hoaxes and confidentiality breaches can be picked up.
With a content monitoring system the administrator can specify words that are not permitted in any email message and prevent messages containing them from being sent. This would mean that the writer in the first example given above would have had to modify his language, and would not have been able to send such an explicitly worded message. This has the advantage of course that no monitoring has actually taken place, and therefore the issue of breach of privacy does not arise. This can of course be taken too far - it’s reported (probably apocryphally) that when one “censoring” system was introduced to clean up email, “Saturday” was changed to “Sa****ay”, “scraps” to “s****s”, and “Essex” to “Es***”! I personally found that an email message with a technical query about a Matshita DVD-ROM drive was persistently refused by a server with the message "Unacceptable use of expletives!" until I changed the name of the drive to Mat****a!
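The "Es***" and "s****s" mangling above comes from a filter that matches prohibited terms as plain substrings. The following is an added example (not code from the original page or from any product it mentions) that reproduces that behaviour beside a whole-word filter, using a constructed two-term blocklist and constructed sample messages; a real deployment would carry the company's own list.

```python
import re

# Constructed blocklist for this demonstration only; a real policy would use
# the company's own list of prohibited terms.
BLOCKED_TERMS = ["crap", "sex"]


def naive_hits(body: str) -> list[str]:
    """Plain substring matching: flags 'scraps' and 'Essex' as well as real hits."""
    lowered = body.lower()
    return [term for term in BLOCKED_TERMS if term in lowered]


def naive_mask(body: str) -> str:
    """Replace every substring match with asterisks, which is how a crude
    filter turns 'Essex' into 'Es***' and 'scraps' into 's****s'."""
    for term in BLOCKED_TERMS:
        body = re.sub(re.escape(term), lambda m: "*" * len(m.group()),
                      body, flags=re.IGNORECASE)
    return body


def word_hits(body: str) -> list[str]:
    """Whole-word matching: a term only counts when it stands on its own, so
    place names and product names that merely contain it are left alone."""
    hits = []
    for term in BLOCKED_TERMS:
        pattern = r"\b" + re.escape(term) + r"\b"
        if re.search(pattern, body, re.IGNORECASE):
            hits.append(term)
    return hits


def screen_message(body: str) -> dict:
    """Policy decision for one outbound message. Matching is whole-word, and
    the refusal names the term so the sender can see what was objected to
    (the bare "Unacceptable use of expletives!" message gave no such hint)."""
    hits = word_hits(body)
    if hits:
        return {"action": "refuse", "reason": "prohibited term: " + ", ".join(hits)}
    return {"action": "send", "reason": ""}


if __name__ == "__main__":
    # Constructed sample messages: two false positives and one genuine hit.
    for text in ["Sales figures for the Essex branch",
                 "Please bin the scraps from the test run",
                 "This product is crap"]:
        print(f"{text!r}: naive={naive_hits(text)} word={word_hits(text)}"
              f" -> {screen_message(text)['action']}")
```

Whole-word matching removes the Essex-type false positive but is still only a word list; the policy and disciplinary process the article describes remain the real control.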
It's also important to implement measures at your mail gateway to prevent what is known as "SMTP relaying". Senders of junk email or "spam" frequently disguise their identities by "bouncing" their messages off a legitimate mail server. This means the messages can then appear as if they come from you. In some cases companies have been sued by spam victims even though they were totally innocent, especially where the spam was offensive, as it frequently is. You can avoid this risk by having your IT department set up your external mail gateway to prevent SMTP relaying.
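The rule a gateway enforces to stop relaying is short: accept inbound mail for your own domains from anywhere, accept outbound mail only from your own network or an authenticated user, and refuse everything else. The following added example (not code from the original page or from any mail product) implements that decision over constructed sample sessions; the domain, address range and IP addresses are assumptions for the demonstration.

```python
import ipaddress

# Constructed values for this demonstration; a real gateway would carry the
# company's own domains and address ranges.
LOCAL_DOMAINS = {"example.co.uk"}                        # mail we accept for delivery
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # the company's own network

ACCEPT_LOCAL = "accept: recipient is a local domain"
ACCEPT_INTERNAL = "accept: client is on the internal network"
ACCEPT_AUTH = "accept: client authenticated"
REJECT_RELAY = "reject: relay access denied"
REJECT_BAD_RCPT = "reject: malformed recipient"


def relay_decision(client_ip: str, authenticated: bool, recipient: str) -> tuple[bool, str]:
    """Decide whether to accept one envelope recipient (RCPT TO) from a client.

    The three accept paths are the whole anti-relay rule: inbound mail for our
    own domains from anywhere, and outbound mail only from our own network or
    an authenticated user. Anything else is a third party trying to bounce
    mail off this server and is refused.
    """
    parts = recipient.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, REJECT_BAD_RCPT
    if parts[1].lower() in LOCAL_DOMAINS:
        return True, ACCEPT_LOCAL
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, REJECT_RELAY      # unparseable client address: never relay
    if any(addr in net for net in INTERNAL_NETS):
        return True, ACCEPT_INTERNAL
    if authenticated:
        return True, ACCEPT_AUTH
    return False, REJECT_RELAY


def audit(transactions) -> int:
    """Run the rule over (client_ip, authenticated, recipient) tuples and return
    the number of refused relay attempts, the figure an administrator watches
    after closing a formerly open relay."""
    refused = 0
    for client_ip, authed, rcpt in transactions:
        ok, reason = relay_decision(client_ip, authed, rcpt)
        print(f"{client_ip:>14} auth={authed!s:<5} {rcpt:<24} {reason}")
        if not ok and reason == REJECT_RELAY:
            refused += 1
    return refused


# Constructed sample: inbound mail, internal outbound, an authenticated remote
# worker, and an outside host trying to use this server as a relay.
SAMPLE_TRANSACTIONS = [
    ("203.0.113.5", False, "alice@example.co.uk"),
    ("192.0.2.10", False, "partner@example.net"),
    ("203.0.113.77", True, "partner@example.net"),
    ("198.51.100.9", False, "victim@example.org"),
]

if __name__ == "__main__":
    print("refused relay attempts:", audit(SAMPLE_TRANSACTIONS))
```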
Old Emails are Dangerous!
Archived emails have been instrumental in the USA in costing companies immense sums of money. Because of the informality and frankness of emails, lawyers acting against companies have found email archives to be a treasure trove of incriminating evidence. For this reason it is now crucial for companies both to advise employees to be prudent in what they write in emails, even if intended for internal use only, and also to be very careful to delete old messages after at most three months. Email administrators must also delete old messages from email servers and backups regularly. This cannot be regarded by a court as deliberately destroying evidence, something which cannot be condoned, if it is part of a documented policy to remove all old messages for housekeeping purposes, and not just specific ones that may prove helpful to litigants. In December 2004 the UK Cabinet Office instructed civil servants to delete "unimportant" emails more than three months old, and to print out and archive "important" emails (which is of course the exact advice I was giving here for three years before that).
It is critical to get all employees to understand and observe my basic rule of email from above: don't put anything in an email that you wouldn't put in a typed and signed letter! I also recommend as above that all important emails should be digitally signed, and all confidential emails should be encrypted - the technology to do so is easy to use, and easy to implement. Emails relating to contract and legal issues should of course not be deleted after three months, they have to be kept for statutory retention periods. It is important to make sure that all such messages are transferred out of the email system into properly controlled archives that are part of the company's backup and restore system, and that users know how to do this. In that way all other non-critical emails can safely be deleted.
Preventing Internet Misuse
Use of the Internet is another area where there must be a clear acceptable use policy, especially banning access to pornographic and racist sites. Again, staff must have been clearly and provably told what is and what is not acceptable. People have successfully claimed unfair dismissal on the grounds they weren’t officially told that downloading pornography from the Internet was forbidden, even though common sense should have told them that their company would not find such behaviour acceptable. Statistics gathered from one company's Internet firewall showed the most popular Internet site visited by their staff was Playboy’s! (Another was Disney’s.) Dynamic allocation of IP numbers means that it’s not usually straightforward to identify an individual Internet user anyway. Use firewall logs to review regularly all the most popular sites visited, and block any that are inappropriate at the firewall - employees soon get the message. My own experience is that looking at news, sports results and stock quotes usually wastes more work time than looking at inappropriate sites, anyway. It's also important to have measures in place to block spyware, which can be present on even the most innocuous sites - the banner adverts often carry it.
Personal use of emails and the Internet has to be accepted - it's like making phone calls, or reading the paper in breaks. Also, personal relationships with externals can develop into business relationships. However, staff should be told that excessive personal use or use for private business activities is not allowed. An employee of a Cheshire management consultancy was sacked from her job for doing 150 searches for a holiday during work hours. An employment tribunal upheld her dismissal.
There are also differences in national culture which must be taken into account. The USA and UK are most extreme on gender-related issues, but my experience is that mainland Europeans regard this as much less of an issue, whereas they take privacy legislation much more seriously. Also, to my surprise, pornography is not deemed offensive in some European countries. I know of a case where an employee used his company PC to download pornographic images from morning to night, so much so that his activities prevented other staff from accessing the Internet. He was eventually prevented from doing so by blocking the web-sites he accessed, but he was not disciplined because "pornography is part of the country's culture"!
At the end of the day, it’s a management issue (why didn't his manager notice that the porno fan wasn't doing any actual work?). Managers must oversee their staff's use of the Internet and email, and keep things under control. Whatever staff do should enhance their carrying out of their duties, and personal use should not detract from that.
Recommendations
You must do everything you can to make sure that if abuse does take place, the company can prove in court or to a tribunal it did everything reasonable to create an environment in which abuse was clearly defined and not tolerated, and that any parties who are involved in such abuse did so in full knowledge that their actions were against company policy.
Draw up a clearly-worded policy on the dangers and what is acceptable and unacceptable use of the email system and the Internet and promote this to all managers and employees: on the intranet, booklets given to all staff (full/part-time, permanent/temporary, contractors), part of induction process, etc. Make staff sign to say they've read and understood the policy, and agree to abide by its conditions. Contraventions of the policy must not be ignored - they must always lead to disciplinary action.
Monitor all use of email and Internet access for content - make sure this is formally notified to all staff and well-publicised, and allow staff un-monitored email and Internet access if required by law. Block inward viruses and known hoaxes/chain letters. Prevent sensitive information leaving the company.
Put measures in place to restrict spam and spyware.
Add a disclaimer to all outbound email messages limiting your liability. Digitally sign all important email messages, such as those dealing with contracts or personnel issues. Your rules must state that such messages that are not digitally-signed are not legally valid.
Encrypt all confidential messages and attachments, especially those sent outside the company.
Transfer all contract and legal related messages out of email into secure storage - delete all emails from personal folders after three months for space management purposes.
Jana I.S.S. can help you draw up such a policy and also impartially give you contacts with suppliers of suitable products. We also have experience of working with secure email products, for digitally-signed and encrypted mail messages and attachments. It's much easier to use than you think.
More information on email policies can also be found at www.email-policy.com.
The advice given on this and other pages is for general information only, as a starting point for ideas rather than solutions to specific problems. Jana Information Systems Services Limited will not accept legal liability for any consequences for any individual or company of following any advice on this page except as part of a legally-binding contract between this company and a customer, with appropriate professional liability insurance in place.

© Jana Information Systems Services Limited, 2006