Today on CBC Search Engine, there was discussion about companies that read employee e-mail, why companies read e-mail and the fact that many have a manual process for accomplishing this task. The company that was interviewed by Search Engine was Proofpoint. They make several automated solutions to accomplish monitoring e-mail. One of the comments made was that they can monitor e-mails via Hyper Text Transfer Protocol (HTTP) or web based e-mail, such as Gmail, Hotmail or other type of web based mail services. This is all true and very possible.
What I find amusing is there are so many simple ways to smuggle out information from a company that monitoring e-mail seems to be a waste of time and money. One could copy the information to a laptop and download it to a computer at home. Copy the information to a USB key, CD or DVD and take it home. One could print the information out on paper (since most companies don’t monitor what is printed). None of these methods require expensive, or complicated technology. If I wanted to get information out of the office and I even suspected that e-mail, IM or transmissions were being monitored these ways are the simplest and least to arouse suspicion. Unless a company plans to manually search you and your belongings every time you enter or exit the building including checks of laptops, USB keys, and other media investment in technology to monitor e-mail I don’t see the point.
Proofpoint stated that it is often used to watch for employees spending too much time on personal versus work related issues. I suppose this is a valid use, but personally I don’t manage that way and I doubt I would ever work for a company that did manage that way. If people are getting their work done then I’m not going to worry if they send personal e-mail, surf the web or decide to take an extra 10 minutes at lunch. I believe it is important that you can trust your employees and they feel a sense of responsibility towards their work. If this is missing then the company has bigger issues that monitoring e-mail or other flows of information will not solve.
The other concern I have with all this “monitoring” going on is that it will increase the adoption rate of encryption and other stealth technologies . Governments, businesses, and law enforcement wanting to monitor people’s e-mail, web surfing, files shared and download will force software and developers to add encryption and other forms of covert data transmission into the software more quickly. Most E-Mail servers for example have encryption (TLS) support now. As encryption becomes more available in e-mail clients and set to be the default mode of communication the encryption will be transparent to the user. Encryption is something that law enforcement is running into more and more. It hampers their investigations. This is bad when you are actually trying to catch the bad people distributing drugs or child pornography. I picture an Internet where all communication is encrypted or obfuscated in different ways to avoid “monitoring.” What will we do then? Probably have discussions about key escrow,outlawing encryption, and other silly conversations we have had in the past and never worked.
