Email privacy
hygiene practices at Work.
LEARN ALL ABOUT EMAIL
Lawyer-proof Your Email
Don't ever put anything in an e-mail that you wouldn't want to read on the jumbotron at Times SquareDavid Shipley and Will Schwalbe, authors of Send: The Essential Guide to Email for Office and Home, offer tips on foiling prosecutors.1. Remember that every message is part of a searchable record. Don't type anything in email that you wouldn't say in front of a crowd (or the IT guy — who's probably reading everything anyway).
2. Don't email if you don't have to. When in doubt, initiate face-to-face dialogs ( shudder). Avoid fishy phrases like "Let's talk about that thing later." Prosecutors are great at lending meaning to ambiguity.
3. Change subject lines as topics change. Sometimes a legal dragnet will pull every file with a certain word in the subject line and enter it into the court record... even if you've moved on to gossiping about a coworker's hygiene.
4. Fear the software. Search programs can sniff out edits in forwarded messages, changes in writing style, even terms that suggest confusion or guilt, like "can't sleep," "high blood pressure," and "bewildered."
5. Cover your tracks when sending attachments. Some documents store info on who created them and what revisions were made. Save files in Text Only format or set up Word so it doesn't preserve metadata.
6. Avoid questions like "Do you really think this is a good idea?" The appearance of doubt can be used against you later. If you have to ask whether an item should be reviewed by legal, then it probably should.
Meebo "a website for instant messaging from absolutely anywhere."
There are several ways to intercept web emails.
Emails are sent in clear text, and are not secure. Someone with a network sniffer could easily pick up
contents of an email. There are even wireless network sniffers that can detect emails and credit card
transactions outside of buildings (in parking lots).
Other ways to intercept emails can be done by the staff running the email server. ISPs sometimes are
ordered/subpoenaed to provide emails of clients, and your emails can also be monitored (read) by anyone on
the
IT staff with root access.
Be aware that web emails are inherently insecure, and should never be used to transmit credit card, social
security number, or other information that is confidential. Some email systems, such as Lotus Notes, may
seem
more secure, but one should always be careful with email as it can be seen by outside parties without your
knowledge or consent.
Guidelines expand types of electronic info you'll need for discovery Companies that do not keep close tabs on PDAs, instant message conversations and other forms of electronic data may soon be in for a nasty surprise, should they find themselves in court. As of Dec, 1, 2006, new guidelines, called the Federal Rules of Civil Procedure, go into effect. The rules, set by the U.S. Supreme Court, expand the types of electronically stored information that companies could be required to produce in a lawsuit.
EMAIL SECURITY TLS/SSL
TLS for SMTP is very
similar to the way TLS/SSL works for web browsing, except that SMTP only supports TLS, and not SSL when
sending mail toother servers(SM supports SSL for clients though). For example, i domainA.com wants to send
mail to domainB.com, assuming that bot servers are correctly configured to support TLS, the mail server for
domainA.com will connect to domainB' s server and issue the STARTTLS command. This will begin TLS
negotiation, domainB's will negotiate a cipher suite and send its public key to domainA, domainA will
respond with a key for use with the agreed upon symmetric cipher.
There is a bit more to TLS
than that, but thats the basics in a nutshell. Now to answer your question, if the recipients server
supports
TLS, provided that you have correctly setup TLS on your server for port 25, any mail that your client sends
to
that recipient will be encrypted when sent over the wire. In a nutshell, SSL requires the remote host to
support SSL, otherwise it will drop the connection, on the other hand, TLS can be "stepped up" to
via the STARTTLS command. The sending server determines whether the receiving server can support TLS via the
HELO response of that server.
Jan 3, 2007 Google Vulnerability A Sign Of Web 2.0 Weakness
A design flaw discovered earlier this week in Web-based Google applications spotlights a troublesome
security
trend for IT departments: what to do about protecting internal systems and data as workers access Web-based
e-mail and collaborative applications using their employer's
PCs.Google's problem, first reported by the Googlified Web site and since patched by Google, resulted
from
the way Google software stored information in a JavaScript file on the company's servers. Prior to the
patch, an attacker could overwrite the JavaScript Object Notation, or JSON, that Google used to send
information from its servers to a user's client device and gain access to all of the contact information
stored in a user's Gmail account, as long as that user was logged on to any Google application. This is
known as a "cross-site request forgery." JSON is what makes it possible for a Web mail application
to, among
other things, fill in the "To:" field in an e-mail from a user's address book after the user
has
typed in just a few characters. Google acknowledged that, over the New Year's weekend, it was notified
of
a vulnerability related to the use of JSON objects that affected several of the company's products.
"These objects, if abused, can expose information unintentionally," Google information security
manager Heather Adkins said in a statement. The company claims that it corrected the problem within 24 hours
of being notified. "Google fixed the problem very quickly, which tells you how serious this was,"
says Gary McGraw, chief technology officer of Cigital, a provider of Web application security services. This
latest Google vulnerability is "a bellwether of things to come as people get more serious about SOA and
Web 2.0 capabilities, which are based on JavaScript and extensive client-side, browser-based
functionality."
While most security experts agree that guarding Web applications, a notorious security soft spot today, is
crucial for the overall well-being of systems and data, they debate whether security vulnerabilities
in consumer-focused Web apps are a great threat to business IT systems.
Employees use Web mail instant messaging, and social networking sites such as MySpace and Facebook and other
Web-based services from their work computers, and IT managers have little control over how securely those
Web
applications are written. Yankee Group senior analyst Andrew Jaquith says that it's what we don't
know
about Web applications that make them so dangerous. "Because they aren't fully understood,
they're going to attract a lot of attention from hackers," he says, adding that this should concern
IT managers because "consumer-grade applications are increasingly becoming de facto parts of corporate
IT
infrastructures."
This means employees may be mixing IT work with pleasure in their cubicles, potentially adding
work-related information to the vast repositories managed by Web mail systems. For example,
whenever a user can't remember a password for a given Web site, they'll typically have that password
mailed to a Web mail account because they can access that account from any computer with an Internet
connection. If these passwords are for work-related sites, Web mail security becomes a problem.
"Web mail accounts give you access to everything," says Jeremiah
Grossman, founder and CTO of WhiteHat Security, a maker of Web application security assessment
software.
Grossman, who also worked at Yahoo as its security officer, notes that cross-site request forgeries
can be used for more than poaching information from Web mail accounts. "An attacker can gain
access to any account the user is logged on to," he says. "This includes Web mail address books
and even bank accounts." Under another scenario, a Web mail user's ID and password could
be stolen and then used by the attacker to send bogus messages to the victim's co-workers. "All the
attacker has to do is send a Web mail saying 'I'm working from home today; use my Web mail
account'," McGraw says. This trick could divert all sorts of business-related information to a Web
mail account. Yet other security experts see Web mail as more of a danger for users purposely or
inadvertently
leaking data out of their employers' IT environments, rather than as an attack vector for malware.
"Applications that your employees are going to use that are not under the control of your IT department
are definitely a security concern," says 451 Group senior analyst Nick Selby. But, "if an attacker
is using malware, that's already being addressed by checking endpoints and isolating infected end
points," he adds.
While it's unrealistic for IT managers to stop the use of Web applications, they should be aware of the
potential threats to their IT systems and data.
2006
Your personal computer activities at work are part of your business' records. These records can be revealed in a lawsuit. Sending an e-mail to a friend created a business record.
Worker Liabilities EXIST when using email, IM, web services from work. Your company has
rules about storing your communication. "39 percent of U.S. workers incorrectly believe a message sent
from their personal e-mail account on a work computer remains a personal record. And two-thirds of all
workers
did not understand that personal instant messages to friends could become business records." ~ WeComply
Report
More than half of those under 55 did not understand that sending an e-mail to a friend created a business
record, compared with 39 percent of those over 55, the report says. The findings take on particular
significance given NEW RULES for disclosing electronically stored information during lawsuits. The report
said
those changes to the Federal Rules of Civil Procedure, which took effect December 1, 2006
make it more likely that inappropriate e-mails, Web searches, IMs and other electronically stored data will
surface in pretrial discovery. A 2005 study by the American Management Association and the ePolicy Institute
found that about 75 percent of U.S. companies monitor workers' Web site connections. Fifty-five percent
of
companies retain and review e-mail messages, and 36 percent track content, keystrokes and time spent at the
keyboard.
E-mail has a lengthy afterlife
1998
http://www.phillynews.com/inquirer/98/Feb/12/tech.life/EMAI12.htm
FACTS:
"There is no such thing" as e-mail privacy, said Atkinson. Encrypting e-mail messages may only
add
a sense of false security, say privacy experts. Determined e-mail pilferers, hackers and legal authorities
can
eventually crack most common encryption codes, and if not, courts can compel the writers of encrypted e-mail
to hand over the "keys" to encryption software, just as they would have to turn over the keys to a
safe whose contents were under subpoena, they say.
E-mails -- were easily obtained under search warrants issued to prosecutors. E-mail has a secret disk life,
not only on the desktop computer, but potentially on each of the computers it visits on the Internet.
"The bottom line," said Atkinson, "is, if you want to keep it private, don't do it via
the
Internet." Even deleted files can remain on a computer's hard drive for years, because a deleted
computer file isn't really erased until the computer needs the disk space. It may then record something
new over the deleted item. In the meantime, experts can retrieve the ghost files at will. Two-year-old
electronic messages were gotten from the hard disks of computers used by Capano and Fahey months after they
were sent.
Privacy experts say the public needs constant reminders that e-mail, now used by millions for personal and
business correspondence, is potentially as private as an I-95 billboard. E-mail increasingly figures
in everything from divorce proceedings to murder investigations.
FEDS
Federal law enforcement agencies now monitor e-mail in 17 percent of their investigations that involve some kind of technical surveillance, according to government figures compiled by James Atkinson, a computer security expert in Gloucester, Mass.
"Whole computers are being taken. We saw even with Monica Lewinsky, they subpoenaed her computer, her hard drive, and her discs," Rafaat Tass, head of the Global Internet Liberty Campaign for the American Civil Liberties Union, said in a reference to the probe of President Clinton's alleged affair with a White House intern.
WORK PLACE
Businesses have almost carte blanche to review electronic mail sent and received by employees on company computers. A survey by the corporate-backed American Management Association said that 14.9 percent of businesses had engaged in storing and reviewing employee e-mail in 1997, and that 10.9 percent of companies did so for all employees.
In the first federal court case on workplace e-mail privacy -- or lack thereof -- the U.S. District
Court in Philadelphia ruled in January 1996 that there is no "reasonable expectation of privacy in
e-mail communications" between an employee and his supervisor. In that case, a Montgomery
County man had been fired over the contents of an electronic message that among other things talked of
company
managers and plans to "kill the backstabbing bastards."
Based on that ruling, "employers are . . . free to read employees' e-mail,
even if it's not job-related and even if they promise their employees they won't do
it,"
said Lewis Maltby, director of the ACLU's Workplace Rights Task Force.
As a safeguard, said Smith, "be very careful [ with e-mail ] at work and don't use it for any
sensitive conversations if you don't want it to come back and haunt you." He said employees ought
to
urge management to state a policy on e-mail privacy.
If he hadn't known it before, Harvard law professor Lawrence Lessig learned that lesson
last week when a U.S. Court of Appeals temporarily halted his work as a special master in the Department of
Justice's antitrust case against Microsoft. Microsoft had objected to Lessig's role, pointing
out
that Lessig wrote in an e-mail last June that he had "sold my soul" and installed Microsoft
software on his computer, only to find it may have "screwed up" his files.
SUGGESTIONS:
1) Avoid participating in online discussion forums.
Google Groups archive of newsgroup discussions contains messages dating as far back as 1979. the best way to
protect yourself from leaving a search-engine trace is to assume a fake identity.
2) Don't post your regular e-mail address use instead, a throwaway address, or, list your real account, written out in in longhand: example ("JaneDoe at somewhere dot-com" instead of "janedoe@somewhere.com.")
3) Don't put your personal information on your company's site.
4) At home, you should check with their Internet service providers to know when and how e-mail files are backed up and what policies exist for their disclosure and protection.