IT managers are woefully ignorant of the rising tide of internet laws that threaten to swamp their companies.
The result is high-profile email cases which have already landed the likes of Demon and Norwich Union in hot water. The law has yet to catch up with the unusual nature of email compared with traditional forms of communication - and the confusion is set to worsen as email proliferates.
According to the latest research from International Data Corporation (IDC), by 2000 over two billion business email messages will be sent daily by 80 million US workers. Currently, UK courts are reacting to email related incidents on a case by case basis and there have been too few of these to give anyone an accurate picture.
Email case law has been thin on the ground, but there have been two high-profile UK cases where companies have fallen foul of failing to protect employees or customers from nasty emails or electronic posts. The first was Western Provident and Norwich Union, and more recently there has been Dr Laurence Godfrey versus Demon Internet.
Norwich Union Insurance agreed to pay Western Provident Association £450,000 in damages and costs in settlement of an action arising out of defamatory remarks made by employees on the company's internal email system. The Demon Internet case is still in the appeals process but is based on a defamatory email that it is alleged Demon failed to take steps to remove from its servers. (see vnunet.com 11 June)
Demon was very sensitive about its image after Godfrey chased it into court. (see vnunet.com 3 June)
A government department's network manager, who asked not to be named, typifies the confusion experienced by many IT professionals.
"We own anything that passes through our network," he said. "If it is written on our PC, transmitted on our network and stored on our servers, it belongs to us."
Under his policy he was able to justify opening any email that an employee sent. Unfortunately, he was incorrect and was on shaky ground with the current Data Protection Act, which prevents employers opening and reading email without their employees' permission.
Code of practice
The waters will be further muddied next March when the Data Protection Registrar, Elizabeth France, starts to enforce a new code of practice in relation to email and data communications. A draft of these codes of practice has yet to be released, but legal experts expect them to be considerably tougher.
Data protection compliance manager, Helena Sims, said that the new code of practice would force employers to tell employees if they are monitored, as well as why and, if information is processed, what is being done with it.
But according to Tarlo Lyons solicitor George Gardiner, other legislation and cases are making matters even more confusing.
"Under race relations and equal opportunities statutes employers have a clear duty to protect their employees from malicious and harmful emails. At some point, they are going to have to open emails to do that," Gardiner said.
The government is also preparing to update the laws on wiretapping. Currently telcos have to provide facilities to enable the police, using a magistrate's warrant, to listen to telephone conversations. The plan is to extend this to cover any network.
"The new law is targeted at ISPs, but the way it is worded means that the police can apply it to any company," Gardiner said.
Practically this means that companies will have to monitor email and be able to intercept any post on their networks just in case the police show up with a warrant.
Gardiner said this will mean that many IT managers will have to set up a huge database where the millions of emails can be stored in case they are required during a police investigation. This will cause many problems for companies that have small networks and those that have global networks.
"Those with small networks will find these demands overwhelming, as the overheads of establishing these sorts of systems would be huge," he warned.
Large companies with global networks could find that such systems breach data protection legislation in countries like the United States. "A British company with a global network in the United States could suddenly find itself in court because it has breached their data protection legislation in a bid to comply with British laws," Gardiner said.
Other email complications arise where network managers are obliged by law to protect data from hackers. Email messages are the ideal medium for computer viruses. Last March, the Melissa virus infected well over 100,000 computers by email, and companies such as Lucent Technologies and Lockheed-Martin were forced to temporarily shut down their systems.
Because the new breed of virus sends itself to thousands of contacts contained in a user's address distribution list, there is a possibility that companies might be sued by everyone on the list, and by the data protection registrar, for failing to protect data.
Some companies are turning to new technology as a way of protecting themselves from harm. A new generation of network security products is tying together anti-virus software as well as providing policy-based control.
A UK supplier of secure messaging software wants to help companies manage the flow of email to protect and filter business data. Nexor recently launched its Interceptor software, which operates as a gatekeeper, checking the content of incoming and outgoing email.
The product examines an email message and its attachments to identify the context. After identifying the main ideas in any piece of text, the system determines how the message should be categorised and who should see it, then routes it accordingly.
WorldTalk's email surveillance program is designed to tell corporate clients what's happening with their email. "To find out how secure you are and whether or not you need security," is the way WorldTalk founder Simon Khalaf put it.
A WorldTalk team sets up a computer to intercept every email a company sends out over the Internet and analyses it for content using search software that looks for evidence of noncompliance, harassment or whatever else the company asks it to find.
But such products need to be used with care. Their advantage is that they cannot be claimed to breach anyone's privacy because the software cannot misuse the information in the same way a human can. But they cannot provide total security. It is difficult for software to monitor for words that constitute harassment. For example, the phrase ‘take care when you go home tonight’ does not contain a threatening word.
It is also possible that emails that should be passed into the network would be bounced because the machine identified what it thought were obscene words. An example was software designed to protect children from adult web pages that would not allow people to visit the Scunthorpe City Council web page.
If bouncing all email is not an option, then the software would have to send it to a manager for checking and then they move into a legal grey area.
Like any powerful tool, email can be hazardous to the user. And as the Microsoft antitrust trial illustrates, email can furnish plaintiffs with potentially incriminating information. Last year during the antitrust suit, Microsoft executives had to defend not just against the government, but their own emails.
One thing the Microsoft trial has already accomplished is to focus the attention of the corporate world on email its employees send. The videotaped image of Bill Gates squirming in his seat during testimony seemingly contradicted by his own company's email redefined the term email faster than hitting the send button.
What is the solution to the problem? Gartner Group analyst Jim Browning recommends that all companies have a written email policy.
The policy should state clearly what constitutes proper and improper use of email and the consequences of sending inappropriate messages. "Some companies allow some degree of personal use of email," Browning said.
He added that the email policy is the place to make that clear as well. "Be sure to advise employees that their email is subject to monitoring."
This statement should be signed as a condition of their employment and then they cannot make any comebacks under the Data Protection Act. Along with a policy for use, a company should establish a policy for email retention: how long messages are saved before network managers automatically delete them.
All this would make it possible to install the latest monitoring software that would appease anything the government's Interception of Communications Act will bring up. Then at least network managers can get a bit of sleep without having to worry too much about the perils of email.