Web-based email services offer employees little privacy

Employees might be alarmed to learn that companies can track Web-based email and instant messages sent from work. Is your privacy being compromised?

Everyone knows the boss can read all of the email you send and receive through your corporate account.

Unfortunately, security experts say many employees would be surprised to learn that Web-based email services offer little more privacy. Messages sent via a Yahoo or Hotmail account, or through instant messaging products such as ICQ or America Online's Instant Messenger (AIM), travel over the same corporate network and are just as accessible to nosy employers.

"The information is essentially being sent back and forth along a wire. Anyone along that wire, inside or outside of your company, has the ability to intercept, read and change the text," said David Kennedy, director of research services for ICSA.net in Reston, Va. "Is it technically possible? Yes, and it's fairly easy to do."

Such alternative email programs--which boast downloads numbering well into the millions--have become immensely popular in the workplace, partly because employees believe the messages are less accessible than those on the company account. The reality is that employers can easily intercept such traffic, which crosses the corporate network unencrypted, with only slightly more effort than it takes to sift through chatter sent with an employer-supported product such as Microsoft Outlook.

Representatives for Yahoo, Microsoft's Hotmail division and AOL would not provide specific information on the security of their products. They each said, however, they rarely receive security complaints from users.

Yahoo, meanwhile, is currently running banner ads that boast, "Only you can see your Yahoo mail." A company spokesman would not comment on whether the ad may create a false sense of security or on assertions from competitors offering secure email services that Yahoo mail is easily accessible to employers.

Yahoo mail and similar products are susceptible to "sniffer" programs, which are readily available for download and growing in popularity. Installed on a computer attached to the same network segment, a sniffer behaves like a hidden recorder: it copies every packet that passes, including the text of email and instant messages, the URLs of Web sites visited, and any password sent in the clear, such as a POP3 or Web login. Anything that travels unencrypted is exposed; what a sniffer cannot read is traffic that was encrypted before it left the sender's machine.
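To make the sniffer's view concrete, here is an added example (not code from the article or from any product it names) that builds a small pcap capture from constructed packets and then parses it the way a sniffer would. The hosts, the webmail site, the user name, the password and the message are invented; the capture shows a webmail compose form posted over plain HTTP and a POP3 login, both of which a sniffer harvests verbatim.

```python
"""Minimal packet sniffer over a constructed pcap capture.

Added example: the capture below is built inline from synthetic packets
(hosts, names and messages are invented), so nothing here is real traffic.
It shows what a sniffer on the office network sees when webmail and POP3
travel in the clear: the recipient, the message body and the password.
"""
import struct
from urllib.parse import parse_qs


def _tcp_packet(src, sport, dst, dport, payload):
    """Build one Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_capture(frames):
    """Wrap frames in a classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


_FORM = b"to=recruiter%40example.org&body=Attached+is+my+resume"   # invented
SAMPLE_CAPTURE = build_capture([                            # constructed, not real
    _tcp_packet("10.0.0.5", 40001, "192.0.2.10", 80,
                b"POST /compose HTTP/1.0\r\nHost: webmail.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: %d\r\n\r\n" % len(_FORM) + _FORM),
    _tcp_packet("10.0.0.5", 40002, "192.0.2.20", 110, b"USER alice\r\n"),
    _tcp_packet("10.0.0.5", 40002, "192.0.2.20", 110, b"PASS hunter2\r\n"),
])


def tcp_payloads(capture):
    """Yield (src, sport, dst, dport, payload) for every TCP segment in a pcap."""
    magic, = struct.unpack_from("<I", capture, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(capture):
        _, _, incl_len, _ = struct.unpack_from("<IIII", capture, off)
        frame = capture[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                     # not IPv4
            continue
        ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]
        if ip[9] != 6:                                      # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]


def extract_secrets(capture):
    """Return what a sniffer harvests: webmail form fields and POP3 credentials."""
    findings = []
    for src, sport, dst, dport, payload in tcp_payloads(capture):
        if dport == 80 and payload.startswith(b"POST "):
            _, _, body = payload.partition(b"\r\n\r\n")
            form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
            findings.append(("webmail", src, dst, form))
        elif dport == 110 and payload[:5] in (b"USER ", b"PASS "):
            findings.append(("pop3", src, dst, payload.decode().strip()))
    return findings


if __name__ == "__main__":
    for finding in extract_secrets(SAMPLE_CAPTURE):
        print(finding)
```

Point the same parser at a real capture from a shared hub or a switch span port and the only thing that changes is the input; the extraction logic is the whole of what a commodity sniffer has to do when the traffic is unencrypted.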

Carnivore, the FBI's controversial online surveillance technology, is one of the best known sniffers, used ostensibly to monitor the email of people under investigation.

Keystroke monitoring is an even more extreme surveillance tool that enables employers to read every key employees push--from the URLs of Web sites to email and instant messages, including deletions or changes they make in the process.

Some programs, including the Silent Watch software that tracks employee computer use, retail for as little as $39.99. As many as 35 percent of all corporations already have these systems installed, according to Internet surveillance company Websense.

It's impossible to say how many companies actually use surveillance software as a routine business process. One technology chief said zealous use of keystroke monitoring would provide so much data that any normal corporate network would become overloaded and crash moments after installation.

Still, experts say, it's important for companies to have access to sniffers and other software--even if they only use it to nab the most egregiously unproductive recipe-trading gabbers or porn-surfing harassers.

Under surveillance
Many companies admit to having a surveillance arsenal at their disposal, even if they only snoop in rare instances. Technology companies that are especially sensitive to corporate espionage are particularly unapologetic about their ability to pry into personal email accounts during employees' working hours.

"From a policy standpoint, anything that's an Intel asset inside the company belongs to the company. That includes the network," said Intel spokesman Chuck Mulloy. "The information that moves over that network is not treated as private."

But the increasing popularity of corporate surveillance doesn't necessarily mean that employers are categorically clamping down on the use of noncorporate email accounts and instant messenger services.

Gartner analyst Richard De Lotto says an unclear privacy policy could possibly become a public relations nightmare for companies.

David Nocifora, chief financial officer at executive recruitment firm Christian & Timbers, acknowledges that he can read the email of the company's 270 employees in North America and Europe. That doesn't necessarily mean he does so. He cuts slack to people who put in long hours and use their computers for personal business.

"People spend a lot of time here," Nocifora said, "and have a personal life to conduct."

In fact, companies may want to think twice about clamping down on employees' use of personal email or ICQ banter while at work. In addition to obvious recruitment and retention problems for employers perceived as jack-booted cyber sheriffs, legal experts say companies should encourage the use of personal accounts to limit the company's liability.

Companies have a responsibility to keep harassment of any kind out of the workplace. A company might have an easier time proving that it did not contribute to an unhealthy working environment if an employee sent sexist jokes or racist commentary through his personal email address instead of the corporate email address, said attorney James Butler.

"Email is like company letterhead," said Butler, co-chairman of Internet and New Technologies Practice Group of Atlanta-based law firm Arnall Golden & Gregory. "Would you want your employees to pass inappropriate messages on company stationery? To that extent, I'd almost encourage the use of personal email."

Thanks to a slew of new products, it's becoming easier for employees to send personal email privately--perhaps alleviating employers' liability as well as employees' security risks. One caveat: encryption protects a message on the wire and on intermediate servers, not on the employee's own machine, where keystroke monitoring captures the text before it is ever scrambled.

Yahoo announced in August that it would partner with Dallas-based encryption company ZixIt to let its email account holders encrypt their messages to protect their privacy. The companies did not disclose a start date for the service, which will let Yahoo Mail users send messages through ZixIt's SecureDelivery.com site. The encrypted messages will be readable only by the sender and recipient, even if a message is intercepted en route.

Bellevue, Wash.-based AbsoluteFuture.com also has an encrypted email service called "SafeMessage," described as a "direct messaging" service that transmits messages from party to party without the use of a central server. Traditional email always passes through mail servers, leaving a copy that can be subpoenaed, read or otherwise accessed by unauthorized readers.
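The claim above, and Kennedy's earlier point that anyone on the wire can "intercept, read and change the text", can be checked with a small added example. This is not the ZixIt, SafeMessage or HushMail code; it is a toy encrypt-then-MAC scheme assembled from Python's standard library (HMAC-SHA256 used as a counter-mode keystream, plus an HMAC tag) standing in for whatever those products use. It assumes the sender and recipient already share a secret key established out of band, and the key and message are invented. The sniffer in the middle sees opaque bytes, and a change to those bytes is caught by the recipient.

```python
"""End-to-end encryption as seen from the wire.

Added example, not the ZixIt, SafeMessage or HushMail code: a toy
encrypt-then-MAC scheme built from the standard library (HMAC-SHA256 as a
counter-mode keystream plus an HMAC tag) that stands in for whatever the
products use. It assumes sender and recipient already share a secret key,
established out of band; the key and the message are invented.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive independent encryption and authentication keys from the shared secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """PRF-in-counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_message(key, plaintext):
    """Sender side: nonce || ciphertext || tag. Only a holder of `key` can read or forge it."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_message(key, blob):
    """Recipient side: verify the tag first, then strip the keystream."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message altered in transit or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def sniffer_view(blob):
    """What an interceptor on the wire learns: the size and opaque bytes, not the text."""
    return {"bytes_on_wire": len(blob), "hex": blob.hex()}


def tamper(blob, index):
    """Interceptor flips one bit of the message in transit."""
    altered = bytearray(blob)
    altered[index] ^= 0x01
    return bytes(altered)


def is_rejected(key, blob):
    """True when the recipient refuses `blob` (altered bytes or the wrong key)."""
    try:
        decrypt_message(key, blob)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"shared secret agreed out of band"          # invented
    wire = encrypt_message(key, b"Attached is my resume")
    print(sniffer_view(wire))                             # opaque bytes only
    print(decrypt_message(key, wire))                     # recipient reads it
    print(is_rejected(key, tamper(wire, NONCE_LEN + 3)))  # True: change detected
    print(is_rejected(b"employer's guess", wire))         # True: wrong key
```

The tag is what turns Kennedy's "change the text" into a detected failure rather than a silently altered message, and the fresh nonce keeps two identical messages from producing identical bytes on the wire. Note what the scheme does not do: it says nothing about how the two parties got the shared key, and it cannot stop a keystroke monitor on the sender's PC from reading the text before it is encrypted.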

The code ahead
Such products are catching on with job-hunting employees who are loath to use the company email address to send resumes to prospective employers--and those who are just fond of chatting via instant messages. Corporations are also using the services to send and receive email and messages more securely, both inside the company and to potential clients, suppliers, partners and potential acquisition targets.

According to Forrester Research, 1.5 billion email messages will be sent each day in the United States in 2002.

Provo, Utah-based software developer Novell said its free "Instant Me" secure messaging system was a direct response to the security risks associated with AOL's popular Instant Messenger.

John Gailey, Novell vice president of product management for Instant Me, said AOL executives approached Novell because they had received requests from AIM users for more security.

"We had a lot of businesses coming to us saying, 'Our employees are using more and more instant messaging out on the free services,' and they were getting concerned about manageability--support and security aspects of their employees conducting business across the public network," Gailey said. "AOL actually came to us; they had been hearing the same requests from businesses for secure features. They had identified that perhaps they needed a business partner to target this community."

Hush Communications is another leader in the private email field. The Dublin, Ireland-based company has customers in 222 countries and houses its source code and intellectual property in Anguilla, a Caribbean nation home to many cryptographic developers.

The flagship product is HushMail, a free, 1,024-bit encrypted, Web-based email service that doesn't require subscribers to download additional security software or do anything more than other Web-based email services require.

Hush spokeswoman Genevieve Van Cleve said Web-based email and messaging services should incorporate encryption by default. Free services from Yahoo, AOL, Hotmail and others simply don't offer necessary protection to employers sending company secrets or employees wary of spying bosses, she said.

"Strong encryption is a necessary design feature of online products," Van Cleve wrote in an encrypted email. "If consumers and businesses are going to adopt the Internet as a preferred medium for communication and commerce, they're going to have to have confidence in the security of the products they use. Our technology beats the pants off of both the big and small players in this market, hands down."