
Private messages at work can be read by EU employers - antouank
http://www.bbc.com/news/technology-35301148
======
p4wnc6
I know everyone is going to shoot this idea down with a million reasons why,
but even so:

why are these laws never symmetric?

Why can't employees also access things possessed and used by the employer,
like, say, HR personnel files, or executive emails, so that employees can
verify the company is not committing fraud, engaging in discriminatory
practices, etc.?

There's such an emphasis on what the company has a right to do to protect
itself that we almost don't even think about how company actions, which could
be damaging to and unapproved by the employee, go on unchecked all the time.

I assume the answer is just "might makes right" and the employer is the one
with capital available for legal and political manipulation. But what's so
surprising to me is that _we rarely even talk about it_ even in an era with so
much overt and publicly hated corporate corruption.

~~~
paulddraper
It's a question of ownership. Property rights and such.

If the company owns the infrastructure, the subscription, the accounts,
whatever, they can decide what to do with it.

In contrast, an employer can't, say, search your car without your consent.

~~~
nommm-nommm
Plenty of employers can and will search your belongings/vehicles you bring on
their premises. Think the NSA or prison workers, for example. Or even bank
employees. Anyone who works in a secure facility (think civilian employees who
work on a military base) is subject to search as well.

~~~
paulddraper
Again, property rights. If you choose to park on their property, they can
search, just as the TSA searches people who enter airports.

(There are some more rules, since this is a case where property rights conflict,
so generally they have to notify about the situation upfront.)

------
vertex-four
The trick here, as my understanding of the law goes, is that (a) the company
had a policy that work computers are to be used for work only, AND (b) that
the account in question was being used for both personal and professional
contacts.

In general, your workplace can (assuming that you have agreed to this in
policy) ensure that you're using your computer for approved uses, and it can
access all work-related information on the computer. You do have (limited)
privacy over anything personal on the computer, but they're welcome to
discipline or fire you just for its existence, and in some cases they may
access it if they have reasonable belief that they have to.

This ruling clarifies that if your personal information is mixed in with
professional information, the company may access it, as little as necessary
(the word you'll come across lots is "proportionate"), as part of an internal
investigation or similar. This has been spelled out by at least the British
Government for a while now; nothing has changed.

EDIT: On a side note, anyone else notice how the article names the ex-employee
and not the employer?

~~~
jasonkostempski
Do they even need a policy? If someone is on my computer and my network I
assume I have the right to access any of the stuff on it.

~~~
voxic11
Do you apply this to everything? If someone is using your bathroom do you
believe you have an ethical and legal right to surreptitiously observe
everything they do in there?

~~~
Double_Cast
In the computer case, the reason surveillance is a good idea is so the owner
can prevent misuse. Misuse is likely, as any computer with an internet browser
may tempt a user with a wide variety of possibilities for misuse.

In the restroom case, an owner often can safely assume that the user's
activities will be restricted to a quite limited range of behaviors. However,
if I had reason to believe that the user might be performing some illicit
activity in the restroom (e.g. arson), I might feel surveillance is warranted.

The difference comes down to the disparate levels of suspicion.

~~~
lostlogin
The employer presumably didn't think he was using their computer for arson.
Would you be more comfortable letting a stranger into your premises to use
your bathroom or letting them use your internet connection?

~~~
fixermark
The bathroom.

I haven't put NEARLY enough effort into securing the accessible services on my
LAN against unauthorized access. There's a practical upper limit on how much
undetected damage someone could do in my bathroom (without a crowbar or a
wrench) that is significantly exceeded by how much undetected damage they
could do on my network.

------
6stringmerc
> _And they added that Mr Barbulescu had had prior warning that the company
> could check his messages._

...and there's the part where I'm not surprised this fellow lost his lawsuit.

Honestly, if I come to a railroad crossing and the gate/arm is down and red
lights are blinking, and I go onto the tracks anyway, I think I kind of sort
of lose the ability to win a lawsuit against the railroad company for hitting
my car.

~~~
adam12
What if the company said that they were going to assault him if he was to use
private messaging? Does that make it alright because they warned him?

~~~
ddalex
This isn't a contract dispute - this is a human rights dispute.

Assault is probably against Romania's laws. As such, any policy or contract
specifying assault is illegal.

Invasion of privacy in the workplace is allowed under law; this law was
challenged in the ECHR - and the challenge failed, so the law stays. So it is
legal to put this in any contracts in the EU, since the judgement sets precedent
across the EU.

~~~
Coding_Cat
> So it is legal to put this in any contracts in the EU, since the judgement sets
> precedent across the EU.

Nitpicky, but I believe it says that any European country _can_ have laws
which allow this but they are not _required_ to allow it. E.g. the Belgian
Gov't might still pass a law which says companies are not allowed to do this.

------
panglott
"His employer had discovered that he was using Yahoo Messenger for personal
contacts, as well as professional ones.

Because it believed it was accessing a work account, the judges said, the firm
had not erred.

The man, named Bogdan Barbulescu, ...argued that his right to a private life
had been breached when his employer had read a log of messages on a Yahoo
Messenger account he had set up for work, as well as that from a second
personal one.

Mr Barbulescu's employer had banned its staff from sending personal messages
at work.

To check his account, the judges said, it had been necessary for his employer
to access his records."

It sounds like a stupid policy, but all the company did was access a Yahoo
account that he had set up as a work account and saw that he had also been
using it for personal communications.

~~~
brazzledazzle
It's possible the usernames were similar but the profile and log directories
have a very clear separation between accounts that any IT person would be able
to see. This sounds more like a justification after the fact.

~~~
debacle
If the file is on your work PC it belongs to your employer. It's a sticky
situation but that's how it is.

~~~
Nadya
Which is why I use an external thumb drive with portable software and save any
personal files to the thumb drive. It may hit their network but nothing is
stored on their computers. Which gives plausible deniability - and I do not
think they can legally search the thumb drive.

Not that I'm paranoid about my current employer (extremely relaxed culture)
but it is something I do out of habit.

~~~
totalgeek
They may have the right to search your thumb drive if they believe you are
downloading company data that may help the competition or cost revenue.

~~~
debacle
They have the same right to search your thumb drive as they have to search
your house, which is none.

------
rogeryu
All real personal stuff is done on my smartphone. I use 4G only at work, no
work wifi. I do not open personal mail at the work computer. No Facebook,
except sometimes on the phone. The only thing I do is reading and posting here
and at several other websites.

I have no idea if my employer knows about this, but I haven't had any remarks
about it and I have been doing this for years now. Reading articles on this
website and elsewhere (like Slashdot) is a distraction I need on a regular
basis. And we don't have a policy like this, so I guess this doesn't apply to me.

~~~
pc86
Honestly a 4G-only, no-guest-wifi policy is the safest from a privacy
perspective.

The downside being that it's possible someone sees you three times in one day
and you happen to be on your phone two or three of those times.

------
thomnottom
Wait, he was using a work account on a company-owned device? I don't see how
that can be called a "private message" at all.

~~~
oblio
Judging from what many Romanian people I know do, he was probably using Yahoo
Messenger to talk to his colleagues and his friends at the same time (some of
whom might have been friends and colleagues at the same time).

Most likely from his personal YM! account.

The real problem was using YM! for work conversations. But if the company
involved did not have its own internal messaging setup... it's an easy mistake
to make.

~~~
ddalex
This was a work account, set up at the request of the employer, and managed by
such. Using a work account for private stuff should set some expectations
regarding privacy rights.

------
zeveb
The owner of a computing device has ultimate rights to the device. If your
employer owns your computer, he has every right to inspect his device and
ensure that you are not misusing it. He has every right not to permit you to
connect a personal computing device to his network, and he has every right to
inspect the packets you send on his network. This ought to be uncontroversial.

It should be taught in school: Don't use your work accounts for personal
stuff, and don't use your personal accounts for work stuff (I'd go even
further and say don't have just one personal account for everything).

~~~
forgotpwtomain
What a load of BS. I don't see how my agreement to their policy should provide
them with immunity to what would otherwise be criminal. E.g. that it's
criminal to steal from my employer should not mean that if they suspect an
employee is stealing from them they can without repercussion steal back.

Likewise they may have certain legal rights if an employee violates their
computer-usage policy -- but that shouldn't give them the right to violate the
CFAA.

Checking whether an employee is "completing their professional tasks" and reading
their private correspondence are very different things. How is this any
different (aside from prefixing the word computer) than if you had personal
letters on your desk and a manager confiscated them from you (and read them)
in order to "confirm" that you were "completing their professional
tasks"?

~~~
CPLX
> that shouldn't give them the right to violate the CFAA

The key issue here is the definition of authorized access. If you create a
contract with your employer whereby they give you money and you authorize them
to access your digital communications (via an explicit policy) then their
access is not unauthorized.

~~~
forgotpwtomain
> The key issue here is the definition of authorized access. If you create a
> contract with your employer whereby they give you money and you authorize
> them to access your digital communications (via an explicit policy) then
> their access is not unauthorized.

Yes, for example the corporate Gmail terms of use explicitly state that your
employer has rights to any communications contained therein.

But I would be extremely surprised if someone logging into their personal
Gmail account at work would constitute a 'right' for an employer to access
that account (and potentially look through years of personal correspondence)
to verify that they were "completing their professional task" - essentially
access without authorization (at least in the pre-internet days where these
would have been physical letters) would have equated to theft of personal
property.

------
josh_carterPDX
At this point, if you don't understand that company equipment is to be used
for company business only, then you're clearly not using your best judgement.
Whether or not there's a policy, it should be implied that the equipment a
company gives you belongs to them. You wouldn't take a company vehicle to a
party or to the bar? Ok, maybe you would, but SMH. The point is that company
equipment should be used to that purpose. If you use it for any other purpose
you should expect that it's going to be scrutinized. If you don't want someone
reading your emails or messages on a company computer, then use something else
like a tablet or your phone to conduct personal business. I find the amount of
conversation here about this so confusing.

~~~
hamburglar
Exactly. My tendency is to try to keep my personal use of company computers to
a reasonable level and conservative scope, because while I know my company is
going to be reasonable about it and most likely leave me alone, I fully
recognize that it's their computer and me using it for personal things exposes
those things to their scrutiny if they have reason, or even if they _suspect_
they have reason. Frankly, I'd be a little surprised if none of my employers
have ever perused my browsing habits while investigating something (example: I
once had an officemate get fired for sucking up all the office bandwidth by
running a public porn server from his desktop -- that was a super dumb move,
and I really wouldn't hold it against anyone investigating the problem to take
a general survey of our web traffic habits in the course of chasing that
down).

~~~
josh_carterPDX
Definitely. This is especially important for companies that are public or are
planning to go public. Knuckleheads exist everywhere and they can be a
liability if not kept in check.

------
mhurron
Keep your personal information off your work devices.

~~~
angdis
I hear this as "blanket advice" all the time, but very rarely is there a
discussion about what is reasonable to expect from a "normal" employer who
isn't draconian or looking to find an excuse to fire someone.

~~~
Spooky23
Actually, the chill employer is the most dangerous.

Even if your employer is fine with personal use, courts will rule that it's
all in scope during a discovery phase. I've been involved in litigation
scenarios where people's personal email ended up being sifted through by the
other litigant because opposing counsel convinced the judge that business was
being conducted there, and there was evidence of frequent access on a
corporate device.

All of your protections from a legal point of view are really defined by
custody and scope of control. Data stored on your device in your home is the
most protected. Data stored on your employer's PC or file server on your
employer premises is the least protected.

~~~
angdis
OK, but what about email read/composed on my personal gmail account using a
work computer? When you say "personal email" do you mean @company.com email--
or do you mean _any_ personal email as long as it is read/composed on a
company machine?

Is it safe to assume that the only way that that (or any https content) can be
captured is by keylogging or some kind of desktop capture?

~~~
bri3d
> Is it safe to assume that the only way that that (or any https content) can
> be captured is by keylogging or some kind of desktop capture?

No, plenty of corporate firewalls provide HTTPS MITM by installing their own
root certificate and making client machines trust it. HTTPS certificate
pinning as it's implemented in most browsers specifically allows this behavior
by not checking pinned certificates if the root certificate is in the
computer's private keystore (vs. system keystore) because it's assumed the
private keystore is full of only certificates the user or machine owner
_wants_ to always trust.

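bri3d's comment above explains why a TLS-inspecting proxy's certificate passes browser pinning once the proxy's root is installed locally. The Go program below is an added illustration for this thread, not code from the comment or from any browser: it constructs a public root, a corporate proxy root and leaf certificates for a made-up host entirely offline, then applies that pinning rule; the names, the host and the exact rule are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a self-signed root (parent == nil) or a server leaf for host cn signed by parent.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // the SAN a browser matches against the URL host
	}
	if parent == nil { parent, pkey = t, key } // self-signed: the root is its own parent
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value browser pinning compares.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
const (
	PinOK, PinFail, ChainInvalid = "pin ok", "pin mismatch", "chain invalid"
	PinBypassed                  = "pin skipped: chain ends in a locally-added root"
)
// checkPin mirrors the rule in the comment above: a chain that ends in a locally-added root is exempt from the pin.
func checkPin(leaf *x509.Certificate, public, local []*x509.Certificate, pin [32]byte) string {
	pool := x509.NewCertPool()
	for _, r := range append(public, local...) { pool.AddCert(r) }
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: pool})
	if err != nil { return ChainInvalid }
	root := chains[0][len(chains[0])-1] // the trust anchor this chain was built to
	for _, r := range local {
		if r.Equal(root) { return PinBypassed }
	}
	if spkiPin(leaf) != pin { return PinFail }
	return PinOK
}
// Scenarios builds constructed certificates offline (no real CA involved) and returns each verdict.
func Scenarios() map[string]string {
	const host = "mail.example.com"
	pubRoot, pubKey := mkCert("Public Root CA (constructed)", true, nil, nil, 1)
	corpRoot, corpKey := mkCert("Corporate Proxy Root (constructed)", true, nil, nil, 2)
	genuine, _ := mkCert(host, false, pubRoot, pubKey, 3)   // the real server's certificate
	proxied, _ := mkCert(host, false, corpRoot, corpKey, 4) // what an inspecting proxy would mint
	pin, public := spkiPin(genuine), []*x509.Certificate{pubRoot}
	return map[string]string{
		"genuine":                   checkPin(genuine, public, nil, pin),
		"proxy, root not installed": checkPin(proxied, public, nil, pin),
		"proxy, root installed":     checkPin(proxied, public, []*x509.Certificate{corpRoot}, pin),
	}
}
func main() {
	for name, v := range Scenarios() { fmt.Printf("%-27s %s\n", name+":", v) }
}
```

The same check run against a real connection's chain is a cheap way for a user to tell whether their traffic is being inspected: if the chain terminates in a root that is not in the public bundle, an interception proxy sits in the path.
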
------
djhworld
The key in this case was the guy was using a Yahoo account that was designated
for work purposes to message his brother.

What the ruling DOESN'T mean is employers cannot say, demand access to your
personal gmail account. However they can reprimand you for visiting gmail.com
or whatever for periods of time more than what they deem acceptable.

------
yAnonymous
That's a very specific case and it seems the main problem was that he sent
private messages from a monitored work account.

If you send private messages over your company's Twitter account, you can
expect to be fired, too.

------
RankingMember
What kind of awful company would be expending resources doing this?

~~~
unethical_ban
Every company with a competent information security department.

Protip: Never, ever, use company resources (laptops and workstations,
potentially even cell phones) for your personal communications. They likely
are MITM with their own root CA and can see what you're doing.

Reason: It's their device on their network, and it has access to company data.
Get a cell phone with a good data plan.

~~~
thieving_magpie
Of course they can, doesn't mean they should. For instance, if they're trying
to attract talented employees that's a great way to put them off.

~~~
unethical_ban
Depends on the industry. If a bank doesn't do this, then it's much easier for
an employee to send out PII dumps. If your "Github for farmers" startup isn't
worried about code commits to the cloud, then no biggie.

~~~
thieving_magpie
You're right. I had blinders on there about the populace of HN.

------
alistairSH
tl;dr - European Court of Human Rights (ECHR) says employers can read private
messages/mail sent (via non-corporate providers) on company time.

While I understand the employer's desire to ensure employees are working, does
this open up personal cell phone conversations to monitoring as well?

~~~
bnegreve
_> Because it believed it was accessing a work account, the judges said, the
firm had not erred._

I think this is relevant, at my workplace which is in EU, sysadmins are
allowed to access anything that is not explicitly marked as personal.

I've always assumed that this is some kind of EU regulation, but I don't know.
Does anybody here know?

~~~
m_t
This is the case in France, and you're even allowed to use work equipment for
personal things as long as it is done in a reasonable amount.

For instance, reading news articles on your work computer browser, browsing
your personal facebook account, either during a break or for a few minutes a
day, will be seen as reasonable. On the other hand, if you spend 6hrs out of 8
doing personal stuff, the employer can use this against you.

I also assumed this kind of usage would be protected by a court like the
European Court of Human Rights, but I was wrong.

------
Evolved
Hasn't the safe advice been that whatever you do on company resources (except
time) can be monitored/investigated by the company? Isn't it generally bad
practice to handle personal business on a work phone/work laptop/work desktop
anyway due to the assumption that your activities can be legally monitored by
your company?

Understandably, if you send a message/make a personal phone call on
company time to your doctor or spouse regarding some issue then that shouldn't
be grounds for the company to investigate just because you were on their time,
and my reasoning for this is that even when you're off the clock, you can
still be disciplined for activities that may portray the company in a bad
light (getting into a bar fight after work, for example), so it's assumed that
you're never really off work.

Either way, if I were him I wouldn't have assumed I could have used company
hardware to send personal messages yet still have an expectation of privacy.

------
mynewtb
The employer thought they were reading the _professional work account's_
messages.

------
iamleppert
If there is that much distrust in your employee or employees, you should just
fire them.

------
Zenst
If it is upon employer equipment and time, then it is reasonable for the
employer to expect it to be work related. In this case the chap blurred those
lines, and even using a personal account for work related stuff is going to
violate any respectable data policies a company may have and indeed many a
work contract alone.

The headline does make it sound a bit off when you read the article, and it is
not the best choice, as when you read it the case is not as clear cut as the
headline portrays.

Still, never mix business with pleasure is the moral on this one, not a
mass panic that my private emails can be demanded by HR.

------
ChrisRazzzz
Question is whether Slack falls under this... if people use Slack at the office
on multiple channels, then you could consider it a private message on a work
computer.

------
known
ECHR should have considered
https://en.wikipedia.org/wiki/Information_asymmetry

------
JTon
So I have a personal device (dual sim) with a personal sim and work sim
inserted. I have subscribed to my IT security policies. Any idea what my
exposure is? My gut says they'll treat my device like their own.

~~~
Spooky23
Where I have worked, if you're under investigation or subject to retention
we'll seize your device. If you refuse, you'll get canned or sued.

------
gerty
The title is subtly misleading. This ruling applies not only in the EU
countries but also in member countries of the Council of Europe. That is EU,
EEA, Balkans, Russia, Turkey and a few more.

------
czl
Can employer capture your passwords and use them to access your cloud
accounts? Gmail? Facebook? Etc?

------
finid
Work is not where you want to send private messages that are not work-related
from.

Keep that simple rule in mind and you'll save yourself a lot of heartache.

------
walshemj
This is a dangerous precedent to set; normally invasive monitoring of workers is
only used for investigating serious offenses.

------
philippeback
I am my own boss, yeah

------
mizchief2
Encryption.

~~~
kinghajj
Yep. Very first thing I do when setting up a work machine is enable full-disk
encryption, both to protect company assets from theft, and protect any
sensitive material from prying coworkers/management.

~~~
teddyh
Same here. It amazes me that this is not more common.

~~~
p4wnc6
I wonder if doing this, just the action of choosing to encrypt, would be held
up as sufficient grounds for the company to investigate your activity, or even
possibly regarded immediately as criminal or potentially criminal. I can see a
lot of companies coming up with extremely irrational policies that say that
any attempt to encrypt anything is inherently not allowed.

~~~
teddyh
What? I don’t just encrypt my desktop, I encrypt _all the servers_ too, for
the same reason.

------
stensonb
"Not if you do it correctly", say mathematicians.

------
stensonb
"Not if you're doing it correctly", say mathematicians.

------
ivanhoe
Maybe it's legal, but after learning all this would you still apply for a job
there?

~~~
antihero
If finding work is tough and you needed to pay rent and eat, like in the real
world, then all this "you agree to their policy" stuff is frankly sinister.
Basically unless you're lucky enough to be desirable enough to the diminishing
amount of companies that don't treat their employees like cattle, you have to
basically suck up having your privacy shat on.

~~~
ivanhoe
Absolutely, but we're not talking about the unskilled workforce; this guy is an
engineer. And even if work is hard to find and you have to take it, you
probably will be actively looking for a better job very quickly. So ultimately
a company that is enforcing such strict and hostile rules is going to lose all
the best people very quickly (because they will be first to get a better
job)... and that's bad for business, and at the same time I doubt that it
improves performance significantly, so it's a pretty stupid strategy IMHO...

