Enterprise IM Spurs Privacy Concerns
November 18, 2002

It's been a good few weeks for vendors of enterprise messaging solutions.

Two of the space's more established firms, FaceTime Communications and IMlogic, are in deals with two of the largest public IM providers, America Online and Microsoft's MSN, to develop or provide support for business gateways that manage company IM usage.

The impetus comes in large part from companies in the financial services and, to a lesser extent, healthcare industries, which are feeling pressure to apply the same rules governing phone and e-mail communications to IM, in addition to working to protect their own trade secrets. Typically, features in enterprise gateways include provisions to track and archive IM conversations, to audit past conversations, and to alert managers to suspicious keywords used during a chat session.

On the strength of the market's potential, FaceTime last week secured an additional investment from old and new backers, including Bank of America. At the same time, IMlogic entered into a partnership with Asynchrony to bundle their products into a secure IM offering compliant with Securities and Exchange Commission and Health Insurance Portability and Accountability Act requirements. In recent weeks, it has also lined up partnerships with Reuters, KVS, and IBM.

As a result, the drive by enterprises to exert some form of tracking and control over the use of instant messaging using proxies -- like the Enterprise AIM Gateway from America Online -- naturally has important implications for employees' workplace privacy.

Most importantly, employees may not even be aware that their instant message conversations could be "tapped" by their company. For one thing, Microsoft's MSN Messenger Connect product (which requires that the licensing enterprise also install either FaceTime's or IMlogic's software) is compatible with the current version of its IM client.

That means a company won't have to inform its workers that they'll need to upgrade to a new piece of software to enable the tracking features -- instead, those features will be active from the moment the software is installed at the server level.

Similarly, the Enterprise AIM Gateway will require at least one upgrade from the current version of its client, but the version used by companies in-house will be no different from the version used on the AIM public network (and in many cases, AIM automatically reminds users to upgrade to new versions as they arrive).

Already, privacy advocates are speaking up about the issue. Last week, the Electronic Privacy Information Center sent a letter to America Online Chairman and Chief Executive Jonathan Miller, asking him to hold off on shipping the Enterprise AIM Gateway until its privacy ramifications could be explored.

"Instant messaging, led by AIM, has been a revolutionary communication service that has been broadly embraced by millions of users around the world," wrote EPIC Executive Director Marc Rotenberg. "Instant messaging captures the spirit and possibilities of the Internet by building relationships and communities in a unique fashion, but it depends upon the expectation of privacy that the service has created.

"The AIM Gateway service threatens to radically transform privacy expectations for instant messaging users," he continued. "The service poses a particular threat to employees whose well-established expectation of privacy in the workplace could be extinguished."

Expectations of Privacy

But whatever expectations of electronic privacy employees have could be unfounded, say other legal experts.

Few specific rules apply in the world of electronic workplace surveillance. In Connecticut, a law prohibits companies from searching employees' e-mail without first giving notice.

But the existence of such a statute is the exception, rather than the rule. Instead, in the absence of state or federal laws on electronic communications, most courts are likely to take their cues from existing rules on wiretapping and other forms of telephone monitoring. As a result, the rulings are less likely to view instant messaging as anything other than a variation on telephone usage, where employees have few reasons to expect total privacy.

In California, a statute forbids companies from monitoring personal phone calls. However, that likely doesn't apply when companies tell their employees not to make such calls at all from the workplace.

Federal law, meanwhile, allows unannounced monitoring of business-related calls. Title III, the colloquial name for the U.S. law prohibiting unauthorized wiretaps and the interception of electronic communications, doesn't apply in several key instances. In 1986, Congress amended Title III to include electronic communications, with the caveat that the additions contain the same sort of exceptions that allow employers to monitor telephone conversations.

One such case is when a business provides phones or other communications services to employees. In a 1996 case that could have bearing on future instant messaging litigation, an employee sued in federal court for invasion of privacy after his employer, Pillsbury Co., intercepted inappropriate e-mails from his computer and fired him. The court found that the employee, Michael Smyth, had been mistaken in assuming that he had privacy, even though Pillsbury had assured employees that it wouldn't view their e-mails.

Instead, the court ruled that Smyth forfeited his right to privacy by voluntarily communicating his message over the company's computer systems.

"Once [Smyth] communicated ... over an e-mail system which was apparently utilized by the entire company, any reasonable expectation of privacy was lost," wrote judge Charles Weiner in the decision.

In addition to the concept of "implied consent," federal law also is likely to allow telephone monitoring when one of the two speaking parties has given consent to the monitoring -- which under Title III could even include implied consent, by dint of being informed (in employee manuals or contracts, for instance) that monitoring might occur.

Additionally, businesses have some further leeway out of obligation to protect their business interests. For instance, Smyth v. Pillsbury Co. also found that Pillsbury's concern over halting inappropriate communications through its e-mail system outweighed any expectations of privacy that Smyth might have had.

"The rule of thumb is there's no reasonable expectation of privacy on a computer at the office ... period," said Mark Grossman, an attorney in the Tech Law group at Becker & Poliakoff. "Some of the case law is incredibly outrageous. Even though there was a computer-use policy which purported to give some level of privacy, there are cases in which there was a ruling that said it's the boss's computer, so the boss can look. Businesses are free to review any files on their computers they want."

There are a growing number of reasons that companies would apply e-mail- and telephone-monitoring rules to instant messaging, even though some -- like EPIC's Rotenberg -- equate the medium with idle "water-cooler chat."

For one thing, there are issues of national security that could encourage employers to probe workers' activity. The year-old USA PATRIOT Act requires, among other things, that businesses implement programs to detect and thwart terrorism-related schemes -- for financial firms, this includes money laundering and financing terrorism.

There are also perennial concerns revolving around sexual harassment litigation, which could prompt companies to call employees to task for behavior regardless of the communication channel -- no matter how mundane the medium might seem to the offending employee.

"With Title 7 and the whole anti-harassment movement, there is very, very little of anything I can think of that somehow, at some point, hasn't been drawn into a 'hostile environment' argument," said the HR executive. "There are numerous cases where women sued an employer because of 'water-cooler chat.' They felt that the company condoned a hostile environment because guys on their break were allowed to make comments ... or made comments that were overheard. So companies are very reluctant to consider anything in the workplace free."
As a result, there's little reason to expect the courts will treat instant messaging as any different than the telephone with regard to workplace rights. Additionally, that means companies don't necessarily have an obligation to warn employees that they track IM communications.

"Most companies have some sort of statement or policy that says, 'hey, this is just used for business purposes only.' Instant messaging would fall under that policy," said a human resources executive at a major international company. "There's no requirement that says you have to do anything differently or make an announcement. There really is no right of privacy with any sort of system that you're using at work."

However, the executive, who spoke on condition of anonymity, said companies are likely to inform employees about monitoring policy, or changes to the policy, in an effort to maintain morale.

"Most companies, in my experience, are good guys and will say to employees that there's a chance you will be monitored," she said. "Most firms have [notifications] during orientation ... they have employees write it down, or it's in their handbooks, or they have people sign and agree to abide by company e-mail policy."

Already, several major firms that have taken steps to regulate instant message communications have done so only after warning their employees.

"We sent firm-wide e-mails out, and told people that IM is going to be archived and reviewed, and everyone knows that their e-mails were subject to that as well," said Pamela Housley, director of compliance at investment banking house Thomas Weisel Partners, which last year implemented FaceTime's IM Auditor for tracking instant messaging activity.

"Our sales people use it a lot, when they speak with clients and get ideas and give them ideas and color-in a situation," Housley said. "We decided that eventually, the regulators were going to deem [it] correspondence ... so we decided that IM would need to be retained and archived, and this basically allows us to do that."

Grossman added that while companies typically win most monitoring-related cases even when they have a privacy policy to the contrary, he advises clients that it's still safer to play it safe -- and inform employees before monitoring begins.

"Depending on which side I view it from, I still end up giving conservative advice," he said. "If you're an employer, you should communicate the level of privacy expectation an employee should have, vis-a-vis IM use and computing. I think it's a good idea. On the [employee] side, just assume you don't have any privacy.

"Theoretically, the employer can do whatever they want with the computer, but I don't think that's a good idea," he added. "I suggest they all stay from that middle ground."

Costs and Realities

There are also signs that companies aren't quite ready to implement and enforce 24/7 instant messaging surveillance. For one thing, there are the explicit costs associated with setting up -- and enforcing -- such a system.

"This software is very expensive, and you need someone to look at it every day, and who has the power of the organization to say we're going to do something," said the HR executive. "Also ... are you going to fire your top investment banker [for violating company policy]? ... It's Clinton's 'Don't Ask, Don't Tell' policy. A lot of businesses in America follow that."

"You turn a blind eye to it unless it gets out of hand, it gets inappropriate, or it gets too much -- like there is an employee stealing from the company by stealing time. But if you have an occasional message, it's good for morale to allow that."

A Bay Area technology firm, meanwhile, confirmed that its IT staff even encourages employees to believe that they're subject to monitoring, when, in fact, the business doesn't even employ tracking software at all.

"It's something we haven't budgeted for, and it's unlikely that we are going to pursue [monitoring IM] anytime soon," said a spokesperson for the company. "Monitoring isn't mission-critical ... We're just operating under the assumption that everyone will assume that we're monitoring all forms of their communications."

Some also feel that among firms for which IM-tracking is not a regulatory requirement, employers' disinclination to use IM-tracking software might not strictly be limited to the current economic downturn.

"I don't think that when people have bigger budgets, that it'll go into policing software," said the HR executive. "Employers have become sensitized to messaging, and there are bigger fish to fry -- there's other things to hang people up by the heels about."