<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Immutable kBlog: thoughts on data integrity &#187; Privacy</title>
	<atom:link href="http://www.kinamik.com/blog/tag/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.kinamik.com/blog</link>
	<description>thoughts on security, data integrity, GRC and other security-related issues.</description>
	<lastBuildDate>Mon, 19 Apr 2010 09:18:45 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Lex Nokia, or how employee&#8217;s right for privacy evolves</title>
		<link>http://www.kinamik.com/blog/lex-nokia-or-how-employees-right-for-privacy-evolves/</link>
		<comments>http://www.kinamik.com/blog/lex-nokia-or-how-employees-right-for-privacy-evolves/#comments</comments>
		<pubDate>Mon, 09 Mar 2009 09:04:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[e-mail]]></category>
		<category><![CDATA[Nokia]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=51</guid>
		<description><![CDATA[Last week the Finnish parliament approved a controversial law that allows employers to monitor their employees&#8217; emails. This law, named &#8220;Lex Nokia&#8221; (Latin for &#8220;Nokia&#8217;s law&#8221;), was strongly supported by Finnish employers&#8217; organizations; the name relates to Nokia because a respected Finnish newspaper reported some weeks ago that Nokia was threatening [...]]]></description>
			<content:encoded><![CDATA[<p>Last week the Finnish parliament approved a <a href="http://www.forbes.com/feeds/ap/2009/03/04/ap6124938.html" target="_blank">controversial law</a> that allows employers to monitor their employees&#8217; emails. This law, named &#8220;Lex Nokia&#8221; (Latin for &#8220;Nokia&#8217;s law&#8221;), was strongly supported by Finnish employers&#8217; organizations; the name relates to Nokia because a respected Finnish newspaper reported some weeks ago that Nokia was threatening to leave the country if the law was not approved. The news was, of course, echoed <a href="http://ca.news.yahoo.com/s/afp/090201/business/finland_politics_rights_telecom_equip_company_nokia" target="_blank">around the Internet</a>. Nokia has denied these accusations.</p>
<p>The law does not actually allow employers to open their workers&#8217; emails and read their communications. It does give them the right to track those emails, by retaining the associated metadata: recipients, senders, and the time at which each email was read or sent. Employers can also check whether emails carry attachments, and data related to those attachments. This law has, of course, generated a great deal of discussion among civil rights groups, employers&#8217; organizations and Finnish society.</p>
<p>What we find interesting is the way this is evolving. It seems to be becoming an undeniable fact that businesses need to defend themselves from corporate espionage. But there is also the fact that allowing employers to inspect some information about their workers&#8217; email may open the door to abuse. Whether being allowed to do it necessarily leads to abuse of this law is a matter of debate. The important issue here is that it will certainly plant a doubt in each worker&#8217;s mind: is my boss checking my emails? So the key element is the ability to prove, unquestionably, whether or not emails have been checked. And this is where the <a href="http://www.kinamik.com/index.php/How-it-works.html" target="_blank">Kinamik Secure Audit Vault</a> can be the final piece of the solution.</p>
<p>Of course, these accesses to workers&#8217; emails must be audited. But auditing alone is not sufficient, since audit data can easily be altered, especially by users with high privileges. By collecting, centralizing and securing this audit information with the Kinamik Secure Audit Vault, employers not only gain efficiency and lower their auditing and compliance costs; they can also provide something harder to quantify but no less important: their employees&#8217; trust. Being able to prove, beyond any doubt, that the audit records showing who did what have not been changed will certainly give peace of mind to every single person in an organization. Knowing that an always-on, tamper-evident monitoring system like this is in place should definitely be the standard best practice whenever an organization wants to exercise its right to check its workers&#8217; emails.</p>
<p>One last note: I have been asked many times in the past why any workers&#8217; organization would accept a system like this being deployed in their organization, since they feel they will be constantly watched. Well, the reasons given above are exactly why: this kind of system is not an accusatory system; it is a protective system, one that allows the guilty to be proven guilty and the innocent to be confident that their innocence will be unquestionably shown.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/lex-nokia-or-how-employees-right-for-privacy-evolves/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spy Scandal at Deutsche Bahn // The Wall of Shame</title>
		<link>http://www.kinamik.com/blog/spy-scandal-at-deutsche-bahn-the-wall-of-shame/</link>
		<comments>http://www.kinamik.com/blog/spy-scandal-at-deutsche-bahn-the-wall-of-shame/#comments</comments>
		<pubDate>Wed, 18 Feb 2009 17:12:40 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Wall of Shame]]></category>
		<category><![CDATA[Deutsche Bahn]]></category>
		<category><![CDATA[spying]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=40</guid>
		<description><![CDATA[Does the end justify the means? Der Spiegel reports a story in which Deutsche Bahn, the German state-owned rail service, is watching a new scandal grow, with the risk of implicating its top managers.
The German rail company is accused of spying on almost all of its 227,000 employees for almost a decade. As part [...]]]></description>
			<content:encoded><![CDATA[<p>Does the end justify the means? <a href="http://www.spiegel.de/international/germany/0,1518,607206,00.html" target="_blank">Der Spiegel reports a story</a> in which Deutsche Bahn, the German state-owned rail service, is watching a new scandal grow, with the risk of implicating its top managers.</p>
<p>The German rail company is accused of spying on almost all of its 227,000 employees for almost a decade. As part of a campaign to root out internal corruption (a very positive cause indeed), the spying operation consisted of comparing the &#8220;master data&#8221; (i.e. personal details) of over 170,000 employees with information on around 80,000 external suppliers, in order to reveal irregularities that might indicate internal corruption. These investigations and comparisons were carried out at least three times (in 2002, 2003 and 2005).</p>
<p>It is now under investigation whether privacy laws have been broken. But even if Deutsche Bahn&#8217;s actions were legal, privacy is an extremely sensitive matter in Germany because of its Nazi and Communist past. Surprisingly enough, this is not the first such spying case: there was <a href="http://www.spiegel.de/international/business/0,1518,555363,00.html" target="_blank">Deutsche Telekom</a> in 2008 and <a href="http://www.spiegel.de/international/germany/0,1518,548625,00.html" target="_blank">Lidl grocery stores</a> in 2007.</p>
<p>Also under investigation is how aware its top managers (including Deutsche Bahn&#8217;s CEO, Hartmut Mehdorn) were of these proceedings.</p>
<p>Once again, we are witnessing privacy and employee surveillance issues arise. Any organization has the right to safeguard its name, its intellectual property, and even its trade and business secrets. But doing so correctly and trampling on its employees&#8217; privacy are two different matters. Proper systems should be put in place to audit each and every action taken within an organization, even by the most privileged users. Such systems (like the <a href="http://www.kinamik.com/index.php/How-it-works.html" target="_blank">Kinamik Secure Audit Vault</a>) would act as a deterrent to any misuse that might occur, and accountability and full responsibility would be established. They would protect both the organization and its employees: the organization would be protected because employees would think twice before doing anything inappropriate or illegal, knowing that each and every action is recorded and archived. And employees would be protected because the audited actions would also include actions such as those allegedly carried out by Deutsche Bahn; any employee representative (e.g. a union leader) could then run integrity reports and analysis on the audit trails to check for improper actions, and be sure that those reports can be unquestionably trusted.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/spy-scandal-at-deutsche-bahn-the-wall-of-shame/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>So you think only your wife knows your bank password, right?</title>
		<link>http://www.kinamik.com/blog/you-think-only-your-wife-knows-your-bank-password/</link>
		<comments>http://www.kinamik.com/blog/you-think-only-your-wife-knows-your-bank-password/#comments</comments>
		<pubDate>Thu, 04 Sep 2008 10:05:32 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Lloyds TSB]]></category>
		<category><![CDATA[password]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=15</guid>
		<description><![CDATA[It is common nowadays for banks to offer various value-added services to their customers. Banking by phone or over the Internet is an everyday practice that obviously requires some kind of authentication; this is commonly addressed by using, at a minimum, some kind of password.
So if you go through life certain that your [...]]]></description>
			<content:encoded><![CDATA[<p>It is common nowadays for banks to offer various value-added services to their customers. Banking by phone or over the Internet is an everyday practice that obviously requires some kind of authentication; this is commonly addressed by using, at a minimum, some kind of password.</p>
<p>So if you go through life certain that your bank passwords are safe and that nobody can access that delicate piece of information&#8230; think again. As Bruce Schneier reports <a href="http://www.schneier.com/blog/archives/2008/08/a_british_bank.html" target="_blank">in his blog</a>, this <a href="http://news.bbc.co.uk/2/hi/uk_news/england/hereford/worcs/7585098.stm" target="_blank">funny story</a> has a worrying side to it.</p>
<p>To summarize the story, Steve Jetley, a Lloyds TSB bank customer, decided to set his bank password to &#8220;Lloyds is pants&#8221;, only to find later that his password had been changed to &#8220;no it&#8217;s not&#8221; by a bank employee without Mr. Jetley&#8217;s knowledge. The story gets worse: after noticing the change, he tried to set it back to his original password, or to a similar one such as &#8220;Barclays is better&#8221;, and was refused on the grounds that it was &#8220;too long&#8221; (Barclays is a competitor of Lloyds). Even the password &#8220;censorship&#8221; wasn&#8217;t allowed.</p>
<p>Mr. Jetley received a full apology from the bank, and the employee (I don&#8217;t know whether the one who changed the password in the first place or the one who refused to accept the new ones) was dismissed.</p>
<p>Leaving aside the comical side of this story, what I find worrying about this case is that banks are keeping their customers&#8217; passwords in plain, unencrypted form in their databases. Why would an employee be able to see any client&#8217;s password? Or, going further, why would an employee ever need to see any client&#8217;s password? So for me there are two important issues:</p>
<p>1) confidentiality: it makes me wonder how many of the important passwords I have (banking, payment platforms, etc.) are still stored unencrypted, and</p>
<p>2) accountability: why would an employee see a client&#8217;s password?</p>
<p>I guess the reason is that people (IT managers, system administrators, or even ordinary employees) access data for a plain and simple reason: because they can. If proper audit trail systems were put in place, if there were any kind of system that could serve as a &#8220;surveillance camera&#8221; and irrefutably prove every access to and modification of data, there would be an automatic deterrent to this kind of behavior. People would not be sniffing around information they shouldn&#8217;t be looking at if they knew that all their actions were being audited, that those audit trails could not be tampered with, and that consequently they can, and probably would, be held accountable for their actions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/you-think-only-your-wife-knows-your-bank-password/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
