Re: Ethical And Privacy Concerns With Mail Admins



NoSleep wrote:
Hello all,

I run a mail server for an extremely limited number of users and have just
recently been considering what would be a concise explanation of just what
I can and cannot do with regard to monitoring those who use my server.
(Perhaps for inclusion in an 'acceptable use' page on a site or similar.)

It is those who are NOT supposed to be using my server that I'm most
interested in. Even though most of my log checking is done with
specific searches for 'ruleset' and 'relaying denied's, I'm still going to
see who others are emailing from time to time, and I feel guilty when this
happens. This may seem silly to some of you, but that's me.

I'm finding this difficult to explain properly so bear with me please.

In my view, it stands to reason that if someone is going to connect an
email server (or any server for that matter) to a network of any kind,
then that person is going to want to be able to control and monitor its
usage, so to avoid security breaches, deal with abuse complaints and so on
and so forth.

Included in that 'control' is the ability (in theory) to read other users'
email, or at least see who is mailing who.

I'm not a lawyer, however the comments I'm making here are based on my own understanding of U.S. law in this regard, and many years of experience.


You have the ability as a superuser to eavesdrop on your clients. However you also have the ethical, moral and in many cases legal responsibility in your position as a superuser or administrator of a service to maintain the privacy and confidentiality of those communications as well, with a few exceptions, regardless of the content of those communications.

Some exceptions that I can think of off hand are:
1) You inadvertently happen across some text during the normal course of maintenance that you otherwise would not have seen. You still have the responsibility to maintain the privacy of your client in this case unless what you happened across is a clear violation of the law. In that case you have the ethical responsibility to report the violation to the proper authorities.


2) A person submits a complaint to you through an abuse desk, about a client on your site. This can give you very limited authority to deal with that one situation, i.e.: gather enough proof to substantiate the claim, or not. In this case you would open a trouble ticket, deal with the situation as appropriate, then close the ticket. Once the trouble ticket is closed, you do not have the right to go in and re-examine it if such re-examination would potentially violate the privacy of your client.

3) If in the course of monitoring your system, you discover that you have an unauthorized use of your system, then you are well within your rights to deal with that situation. It helps cover your *** if you state in your terms of service that any unauthorized use or activity that is discovered will be dealt with as appropriate.


In any company/ISP, there has always got to be someone who will have the required privileges to 'see all'. What stops them from abusing this privilege? I'm thinking legal and employee policies would go some way to doing this.

Nothing stops you short of your own sense of ethics. However if you get caught eavesdropping on someone else's private communications without their full knowledge and consent you can get into serious trouble with the law, even if you own the hardware through which or on which the communications take place.



But what of a small site admin or operator, who doesn't have a wordy company policy that applies to them? Or one that doesn't necessarily have the reputation of a large and maybe very successful company to keep intact?

How could such an admin or operator put their users' minds at rest?

Have a clearly stated "Terms of Service" policy and stick to it. In that policy (or contract) you can make certain exceptions for yourself as an administrator, which in theory your clients know about when they consent to make use of your service.



For what it's worth, I personally regard myself as an honest individual, perhaps too honest sometimes, but how the hell can I convince others of this if they don't know me personally?

By offering a policy and abiding by it to the letter. The old saying comes to mind, "A man is only as good as his Word". Don't give your word if you can't or have no intention of keeping it. If you give your word, then break it, there is nothing more to trust. Only a fool would continue to trust a person who breaks their word even once.


By becoming an administrator of a system, you are asking your clients to place their trust in you. Most know full well what you could do with that superuser access if you choose to abuse that trust. Enough said.


Thanks for your time all.

NoSleep.


I suspect the following will answer most of your questions if you are in the United States. Otherwise check the law in your country regarding interception of private communications.


The following link is to
"The Electronic Communications Privacy Act of 1986" - U.S. law.
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sup_01_18_10_I_20_119.html

Garen