Ethical And Privacy Concerns With Mail Admins

Hello all,

I run a mail server for an extremely limited number of users and have just
recently been considering what would be a concise explanation of just what
I can and cannot do with regard to monitoring those who use my server.
(Perhaps for inclusion in an 'acceptable use' page on a site or similar.)

It is those who are NOT supposed to be using my server that I'm most
interested in. Even though most of my log checking is done with
specific searches for 'ruleset' and 'relaying denied's, I'm still going to
see who others are emailing from time to time, and I feel guilty when this
happens. This may seem silly to some of you, but that's me.

I'm finding this difficult to explain properly so bear with me please.

In my view, it stands to reason that if someone is going to connect an
email server (or any server for that matter) to a network of any kind,
then that person is going to want to be able to control and monitor it's
usage, so to avoid security breaches, deal with abuse complaints and so on
and so forth.

Included in that 'control' is the ability (in theory) to read other user's
email, or at least see who is mailing who.

In any company/ISP, there has always got to be someone who will have the
required privileges to 'see all'. What stops them from abusing this
privilege ? I'm thinking legal and employee policies would go some way to
doing this.

But what of a small site admin or operator, who doesn't have a wordy
company policy that applies to them ? Or one that doesn't necessarily have
the reputation of a large and maybe very successful company to keep intact ?

How could such an admin or operator put their user's minds at rest ?

For what it's worth, I personally regard myself as an honest individual,
perhaps too honest sometimes, but how the hell can I convince others of
this if they don't know me personally ?

Thanks for your time all.

NoSleep.

Re: Ethical And Privacy Concerns With Mail Admins

NoSleep wrote:
> Hello all,
>
> I run a mail server for an extremely limited number of users and have just
> recently been considering what would be a concise explanation of just what
> I can and cannot do with regard to monitoring those who use my server.
> (Perhaps for inclusion in an 'acceptable use' page on a site or similar.)
>
> It is those who are NOT supposed to be using my server that I'm most
> interested in. Even though most of my log checking is done with
> specific searches for 'ruleset' and 'relaying denied's, I'm still going to
> see who others are emailing from time to time, and I feel guilty when this
> happens. This may seem silly to some of you, but that's me.
>
> I'm finding this difficult to explain properly so bear with me please.
>
> In my view, it stands to reason that if someone is going to connect an
> email server (or any server for that matter) to a network of any kind,
> then that person is going to want to be able to control and monitor it's
> usage, so to avoid security breaches, deal with abuse complaints and so on
> and so forth.
>
> Included in that 'control' is the ability (in theory) to read other user's
> email, or at least see who is mailing who.

I'm not a lawyer, however the comments I'm making here are based on my
own understanding of U.S. law in this regard, and many years of experience.

You have the ability as a superuser to eavesdrop on your clients.
However you also have the ethical, moral and in many cases legal
responsibility in your position as a superuser or administrator of a
service to maintain the privacy and confidentiality of those
communications as well, with a few exceptions, regardless of the content
of those communications.

Some exceptions that I can think of off hand are:
1) You inadvertently happen across some text during the normal course of
maintenance that you otherwise would not have seen. You still have the
responsibility to maintain the privacy of your client in this case
Unless what you happened across is a clear violation of the law. In that
case you have the ethical responsibility to report the violation to the
proper authorities.

2) A person submits a complaint to you through an abuse desk, about a
client on your site. This can give you very limited authority to deal
with that one situation. ie: gather enough proof to substantiate the
claim, or not. In this case you would open a trouble ticket, deal with
the situation as appropriate, then close the ticket. Once the trouble
ticket is closed, you do not have the right to go in and re-examine it
if such re-examination would potentially violate the privacy of your client.

3) If in the coarse of monitoring your system, you discover that you
have an unauthorized use of your system, then you are well within your
rights to deal with that situation. It helps cover your butt if you
state in your terms of service that any unauthorized use or activity
that is discovered will be dealt with as appropriate.

>
> In any company/ISP, there has always got to be someone who will have the
> required privileges to 'see all'. What stops them from abusing this
> privilege ? I'm thinking legal and employee policies would go some way to
> doing this.

Nothing stops you short of your own sense of ethics. However if you get
caught eavesdropping on someone else's private communications without
their full knowledge and consent you can get into serious trouble with
the law, even if you own the hardware though which or on which the
communications take place.

>
> But what of a small site admin or operator, who doesn't have a wordy
> company policy that applies to them ? Or one that doesn't necessarily have
> the reputation of a large and maybe very successful company to keep intact ?
>
> How could such an admin or operator put their user's minds at rest ?

Have a clearly stated "Terms of Service" policy and stick to it. In that
policy (or contract) you can make certain exceptions for yourself as
an administrator, which in theory your clients know about when they
consent to make use of your service.

>
> For what it's worth, I personally regard myself as an honest individual,
> perhaps too honest sometimes, but how the hell can I convince others of
> this if they don't know me personally ?

By offering a policy and abiding by it to the letter. The old saying
comes to mind, "A man is only as good as his Word". Don't give your
word if you can't or have no intention of keeping it. If you give your
word, then break it, there is nothing more to trust. Only a fool would
continue to trust a person who breaks their word even once.

By becoming an administrator of a system, you are asking your clients to
place their trust in you. Most know full well what you could do with
that superuser access if you choose to abuse that trust. Enough said.

>
> Thanks for your time all.
>
> NoSleep.
>

I suspect the following will answer most of your questions if you are in
the United States. Otherwise check the law in your country regarding
interception of private communications.

The following link is to
"The Electronic Communications Privacy Act of 1986" - U.S. law.
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sup_01_ 18_10_I_20_119.html

Garen

Re: Ethical And Privacy Concerns With Mail Admins

On Mon, 23 Jan 2006 16:22:02 -0700, Garen Erdoisa wrote :

> NoSleep wrote:
>>
>> I run a mail server for an extremely limited number of users and have
>> just recently been considering what would be a concise explanation of
>> just what I can and cannot do with regard to monitoring those who use
>> my server. (Perhaps for inclusion in an 'acceptable use' page on a site
>> or similar.)

[snip]


> I'm not a lawyer, however the comments I'm making here are based on my
> own understanding of U.S. law in this regard, and many years of
> experience.

[snip]

> Nothing stops you short of your own sense of ethics. However if you get
> caught eavesdropping on someone else's private communications without
> their full knowledge and consent you can get into serious trouble with
> the law, even if you own the hardware though which or on which the
> communications take place.
>
>
[snip]


> Have a clearly stated "Terms of Service" policy and stick to it. In that
> policy (or contract) you can make certain exceptions for yourself as
> an administrator, which in theory your clients know about when they
> consent to make use of your service.

[snip]


> By becoming an administrator of a system, you are asking your clients to
> place their trust in you. Most know full well what you could do with
> that superuser access if you choose to abuse that trust. Enough said.

Thank you very much for your detailed post. Even though I'm in the UK, the
link you included makes for very interesting reading. That last point you
made has reminded me that I need to give my users a bit more credit. They
doubtlessly get the 'big picture' even if they don't know (or care)
exactly how things are done.

I shall refer back to your post from time to time as a kind of 'reality
check'.

The use of my email server is free to those who need it at the moment, but
I am considering a major upgrade. This will cost me considerably more per
month to run, so I may charge a low fee for using it.

I was of the impression that if people have to pay for something, they can
often feel more reassured about their use of that something, maybe because
they then expect a certain amount of professionalism and service once
money has changed hands. Plus they know they have laws on their side to
demand refunds etc if a service doesn't deliver what it claims to deliver.

Thanks again for your time and the detailed information.

NoSleep.

Re: Ethical And Privacy Concerns With Mail Admins

NoSleep wrote:

> I run a mail server for an extremely limited number of users and have just
> recently been considering what would be a concise explanation of just what
> I can and cannot do with regard to monitoring those who use my server.
> (Perhaps for inclusion in an 'acceptable use' page on a site or similar.)

In Finland, where I live and work, such monitoring is legally restricted.
For one of the most relevant and, concerning your question, detailed acts in
question, please see
.

Thor

--
http://www.anta.net/OH2GDF

Re: Ethical And Privacy Concerns With Mail Admins

On Wed, 25 Jan 2006 05:43:42 +0200, Thor Kottelin wrote :

> In Finland, where I live and work, such monitoring is legally restricted.
> For one of the most relevant and, concerning your question, detailed acts in
> question, please see
> .

Thanks Thor. I've downloaded that now.

I'm actually pleased that all these restrictions exist. I'm going to look
up some UK-specific laws and combine them with the information I've read
in this thread to offer a kind of 'summary' for a page I will publish,
with links included of course for exact 'letter of the law' references. It
may take some time though.

Thanks again.

NoSleep.