Interesting People mailing list archives
OMB on email privacy
From: David Farber <farber () central cis upenn edu>
Date: Wed, 18 May 1994 14:29:53 -0500
From: kadie () eff org (Carl M. Kadie) Subject: [OBM] Guidelines for government-employee email privacy/monitoring Date: 12 May 1994 21:22:55 -0400 An excerpt from:
ftp://ftp.eff.org/pub/EFF/Policy/Access_govt_info/federal_email_policy_omb.repo rt>
========================================================= Report of the Electronic Mail Task Force Prepared for the Office of Management and Budget, Office of Information and Regulatory Affairs April 1, 1994 [...] Monitoring e-mail E-mail technology makes it possible for Federal agencies to monitor the communications that flow through their e-mail utilities. Some monitoring may be necessary for system management, trouble shooting, capacity planning and similar purposes. Additional monitoring, concentrating on the parties involved and what information is communicated, may be appropriate to manage records, to protect privacy and confidentiality, in the interests of national security, for law enforcement, and for other legitimate purposes. However, such monitoring of actual communications and communicators may impinge on the Constitutional rights of freedom of speech (1st Amendment), against unreasonable search and seizure (4th Amendment), and against self-incrimination (5th amendment), as well as on the right to privacy, specifically as set forth in both the Privacy Act and the ECPA. However, the agency may wish to access or monitor an employee's mail when the employee's official duties are carried out through the use of e-mail, as a basis for evaluating the quantity, quality, or efficiency of the employee's work. Access to an employee's electronic mail by an employer is a potentially contentious area that should be directly addressed. Choices range from treating all electronic mail as accessible at any time, to limiting access to particular circumstances when such access is necessary. An agency should first decide for what purpose(s) it wishes to conduct monitoring and determine that all such purposes are legitimate. Legitimate purposes for monitoring or accessing individuals' e-mail include: To conduct system management, trouble-shooting, maintenance, or capacity planning, to correct addressing problems, or for similar reasons related to performance or availability of the system. In such cases, to the extent possible, the content of messages should not be accessed. If it is necessary to access contents, then those who actually gain access to e-mail messages should be careful to protect privacy and confidentiality. To maintain security of the system. To carryout records management responsibilities. To conduct authorized law enforcement surveillance or investigations, including tracking unauthorized access to a system. To conduct business during a business crisis if an employee is absent when information is required. In such a case, the agency should notify the employee affected that such access was obtained when the employee returns. To conduct business during a prolonged absence of an employee, when information in the employee's e-mail is required. In such a case, the agency should notify the employee affected that such access was obtained when the employee returns. For purposes of national security. When an agency decides to monitor the contents of e-mail messages or the identities of the parties communicating, the agency should specifically identify the purpose(s) of such monitoring, ensure that the purpose(s) are legitimate, and establish and implement controls and constraints that prevent the misuse of monitoring. An agency which monitors e-mail should do so in the least intrusive way possible to acquire the required information. Usage statistics, for example, may only require the date and time stamps of messages, rather than the sender and recipients' names. System maintenance on a mailbox may only require gathering header information, rather than the entire contents of messages. Intrusive monitoring may have a "chilling effect" on usage of the system. Similar considerations apply to access to e-mail by employer in employee's absence. In all cases, it is important to notify individuals subject to monitoring in advance what the rules are. Individuals subject to monitoring must be notified in advance of the following: the authority to conduct monitoring, the circumstances under which monitoring would be applicable, the particular type of monitoring which will be used, the kind of information which will be collected during the monitoring, the uses to which the information collected may be put, the potential effect on the individual of the monitoring, and the effect on the individual of refusing to participate in such monitoring. Employees should be notified when they are hired, or when they are given access to e-mail, of any monitoring programs in effect. In addition, they should be notified in advance before any new monitoring program. Business partners should be notified about monitoring when the partnership is established or in advance of any new monitoring program. Agencies should also conisder whether, and how, to notify any other correspondents of their employees. In addition, individuals must be granted due process rights to access and amend Privacy Act records created as a result of monitoring, or when an adverse action is initiated as a result of monitoring. [...] ======================== end of excerpt ========================= - Carl -- Carl Kadie -- I do not represent EFF; this is just me. =Email: kadie () eff org, kadie () cs uiuc edu = =URL: <http://www.eff.org/CAF/>, <ftp://ftp.cs.uiuc.edu/pub/kadie/> = -- Stanton McCandlish * mech () eff org * Electronic Frontier Found. OnlineActivist "In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich Partners, two-thirds said it was more important to protect the privacy of phone calls than to preserve the ability of police to conduct wiretaps. When informed about the Clipper Chip, 80% said they opposed it." - Philip Elmer-Dewitt, "Who Should Keep the Keys", TIME, Mar. 14 1994
Current thread:
- OMB on email privacy David Farber (May 18)