http://news.cnet.com/news/0-1007-202-2924978.html
Web-based email services offer employees little privacy
By Rachel Konrad and Sam Ames
Staff Writers, CNET News.com
October 3, 2000, 1:30 p.m. PT
URL: http://news.cnet.com/news/0-1007-200-2924978.html
Everyone knows the boss can read all of the email you send and receive
through your corporate account.
Unfortunately, security experts say many employees would be surprised to
know that Web-based email services also offer little
privacy. Messages sent via a Yahoo or Hotmail account, or through instant
messaging products, such as ICQ or America Online's
Instant Messenger (AIM), are just as accessible to nosy employers.
"The information is essentially being sent back and forth via text along a
wire. Anyone along that wire, inside or outside of your
company, has the ability to intercept, read and change the text," said David
Kennedy, director of research services for ICSA.net in
Reston, Va. "Is it technically possible? Yes, and it's fairly easy to do."
Such alternative email programs--which boast downloads numbering well into
the millions--have become immensely popular in the
workplace, partly because employees believe the messages are less accessible
than the company account. The reality is that
employers can easily intercept such email traffic, with just slightly more
effort than it takes to sift through chatter sent with an
employer-supported product such as Microsoft Outlook.
Representatives for Yahoo, Microsoft's Hotmail division and AOL would not
provide specific information on the security of their
products. They each said, however, they rarely receive security complaints
from users.
Yahoo, meanwhile, is currently running banner ads that boast, "Only you can
see your Yahoo mail." A company spokesman would
not comment on whether the ad may create a false sense of security or on
assertions from competitors offering secure email
services that Yahoo mail is easily accessible to employers.
Yahoo mail and similar products are susceptible to "sniffer" programs that
are readily available for download--and their popularity is
on the rise. When planted in a computer that is connected to a network,
sniffers behave like hidden recorders, capturing email and
URLs of Web sites that subscribers have surfed and all passwords required to
operate the computer or access sites.
Carnivore, the FBI's controversial online surveillance technology, is one of
the best known sniffers, used ostensibly to monitor the
email of people under investigation.
Keystroke monitoring is an even more extreme surveillance tool that enables
employers to read every key employees push--from the
URLs of Web sites to email and instant messages, including deletions or
changes they make in the process.
Some programs, including the Silent Watch software that tracks employee
computer use, retail for as little as $39.99. As many as
35 percent of all corporations already have these systems installed,
according to Internet surveillance company Websense.
It's impossible to say how many companies actually use surveillance software
as a routine business process. One technology chief
said zealous use of keystroke monitoring would provide so much data that any
normal corporate network would become overloaded
and crash moments after installation.
Still, experts say, it's important for companies to have access to sniffers
and other software--even if they only use it to nab the most
egregiously unproductive recipe-trading gabbers or porn-surfing harassers.
Under surveillance
Many companies admit to having a surveillance arsenal at their disposal,
even if they only snoop in rare instances. Technology
companies that are especially sensitive to corporate espionage are
particularly unapologetic about their ability to pry into personal
email accounts during employees' working hours.
"From a policy standpoint, anything that's an Intel asset inside the company
belongs to the company. That includes the network,"
said Intel spokesman Chuck Mulloy. "The information that moves over that
network is not treated as private."
But the increasing popularity of corporate surveillance doesn't necessarily
mean that employers are categorically clamping down on the use of
noncorporate email accounts and instant messenger services.
David Nocifora, chief financial officer at executive recruitment firm
Christian & Timbers, acknowledges that he can read the email of the
company's 270 employees in North America and Europe. That doesn't
necessarily mean he does so. He cuts slack to people who put in long hours
and use their computers for personal business.
"People spend a lot of time here," Nocifora said, "and have a personal life
to conduct."
In fact, companies may want to think twice about clamping down on
employees' use of personal email or ICQ banter while at work. In addition
to obvious recruitment and retention problems for employers perceived as
jack-booted cyber sheriffs, legal experts say companies should encourage
the use of personal accounts to limit the company's liability.
Companies have a responsibility to keep harassment of any kind out of the
workplace. A company might have an easier time proving
that it did not contribute to an unhealthy working environment if an
employee sent sexist jokes or racist commentary through his
personal email address instead of the corporate email address, said attorney
James Butler.
"Email is like company letterhead," said Butler, co-chairman of Internet and
New Technologies Practice Group of Atlanta-based law
firm Arnall Golden & Gregory. "Would you want your employees to pass
inappropriate messages on company stationery? To that
extent, I'd almost encourage the use of personal email."
Thanks to a slew of new products, it's becoming easier for employees to send
personal email privately--perhaps alleviating
employers' liability as well as employees' security risks.
Yahoo announced in August that it would partner with Dallas-based encryption
company ZixIt to let its email account holders use
data scrambling to protect the privacy of their messages. The companies did
not disclose a start date for the service, which will let
Yahoo Mail users send messages through ZixIt's SecureDelivery.com site. The
scrambled messages will only be readable by the
sender and recipient, even if the message is intercepted en route.
Bellevue, Wash.-based AbsoluteFuture.com also has an encrypted email service
called "SafeMessage," described as a "direct
messaging" service that transmits messages from party to party without the
use of a central server. Traditional email always passes
through mail servers, leaving a copy that can be subpoenaed, read or
otherwise accessed by unauthorized readers.
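The two technical claims in this piece, that a webmail message on the wire is readable by anyone along the path, and that an end-to-end encrypted message stays unreadable even when intercepted or stored on a server, can be shown side by side in a few dozen lines. The Go program below is an added example written for this edit; it is not code from CNET or from Yahoo, ZixIt, AbsoluteFuture or Hush, and it assumes a hypothetical webmail form (`/compose`, fields `to`, `subject`, `body`), a constructed HTTP POST, and a hybrid RSA-OAEP plus AES-256-GCM scheme that stands in for whatever those services actually used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample of a webmail "send" crossing the network over plain HTTP
// (hypothetical path and field names).
const PlaintextWire = "POST /compose HTTP/1.0\r\nHost: webmail.example\r\n\r\n" +
	"to=recruiter%40rival.example&subject=Resume&body=Please+find+my+CV+attached"

// OnPathView is what anyone on the network path (proxy, tap, sniffer) sees:
// the request body after the blank line ending the headers, nothing to decode.
func OnPathView(wire string) string {
	if i := strings.Index(wire, "\r\n\r\n"); i >= 0 {
		return wire[i+4:]
	}
	return ""
}

// Envelope is an end-to-end encrypted message: only the recipient's private
// key opens it, and any change made in transit is detected on opening.
type Envelope struct {
	WrappedKey []byte // per-message AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// NewRecipient creates the recipient's key pair (2048-bit RSA).
func NewRecipient() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body for recipient: a fresh AES-256-GCM key per message,
// wrapped with RSA-OAEP (SHA-256) so that only the recipient can unwrap it.
func Seal(recipient *rsa.PublicKey, body []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// Open recovers the body; it fails with the wrong private key or if the
// wrapped key, nonce or ciphertext were altered on the way.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// WireForm is the sealed message sent through the same unencrypted webmail
// POST: the addressing stays visible, the body is opaque to wire and server.
func WireForm(env *Envelope) string {
	b64 := base64.StdEncoding.EncodeToString
	return "POST /compose HTTP/1.0\r\nHost: webmail.example\r\n\r\n" +
		"to=recruiter%40rival.example&key=" + b64(env.WrappedKey) +
		"&nonce=" + b64(env.Nonce) + "&body=" + b64(env.Ciphertext)
}

// Tamper flips one ciphertext byte in a copy of env: someone on the wire
// "changing the text".
func Tamper(env *Envelope) *Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return &Envelope{WrappedKey: env.WrappedKey, Nonce: env.Nonce, Ciphertext: ct}
}

func main() {
	priv, _ := NewRecipient()
	env, _ := Seal(&priv.PublicKey, []byte("Please find my CV attached"))
	fmt.Println("plain HTTP:", OnPathView(PlaintextWire))
	fmt.Println("sealed:    ", OnPathView(WireForm(env)))
	body, _ := Open(priv, env)
	_, tamperErr := Open(priv, Tamper(env))
	fmt.Printf("recipient reads %q; tampered copy rejected: %v\n", body, tamperErr != nil)
}
```

Running it prints the resume text in clear for the plain-HTTP case and base64 noise for the sealed case, then shows the recipient recovering the body while the altered copy is rejected, which is the "intercept, read and change" scenario from the ICSA quote defeated on all three counts. Two caveats the article leaves implicit: the recipient address and the fact that a message was sent remain visible (end-to-end encryption protects content, not metadata), and the scheme only helps if the sender holds the recipient's genuine public key and the sender's own machine is clean; the keystroke monitoring described earlier captures the text before it is ever encrypted.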
The code ahead
Such products are catching on with job-hunting employees who are loath to
use the company email address to send resumes to
prospective employers--and those who are just fond of chatting via instant
messages. Corporations are also using the services to
send and receive email and messages more securely, both inside the company
and to potential clients, suppliers, partners and
potential acquisition targets.
According to Forrester Research, 1.5 billion email messages will be sent
each day in the United States in 2002.
Provo, Utah-based software developer Novell said the genesis for its free
"Instant Me" secure messaging system came as a direct
result of possible security risks associated with AOL's popular Instant
Messenger.
John Gailey, Novell vice president of product management for Instant Me,
said AOL executives approached Novell because they had
received requests from AIM users for more security.
"We had a lot of businesses coming to us saying, 'Our employees are using
more and more instant messaging out on the free
services,' and they were getting concerned about manageability--support and
security aspects of their employees conducting
business across the public network," Gailey said. "AOL actually came to us;
they had been hearing the same requests from
businesses for secure features. They had identified that perhaps they needed
a business partner to target this community."
Hush Communications is another leader in the private email field. The
Dublin, Ireland-based company has customers in 222
countries and houses its source code and intellectual property in Anguilla,
a Caribbean nation home to many cryptographic
developers.
The flagship product is HushMail, a free, 1,024-bit encrypted, Web-based
email service that doesn't require subscribers to download
additional security software or do anything more than other Web-based email
services require.
Hush spokeswoman Genevieve Van Cleve said Web-based email and messaging
services should incorporate encryption by default.
Free services from Yahoo, AOL, Hotmail and others simply don't offer
necessary protection to employers sending company secrets
or employees wary of spying bosses, she said.
"Strong encryption is a necessary design feature of online products," Van
Cleve wrote in an encrypted email. "If consumers and
businesses are going to adopt the Internet as a preferred medium for
communication and commerce, they're going to have to have
confidence in the security of the products they use. Our technology beats
the pants off of both the big and small players in this
market, hands down."