The Butt Ugly Weblog

Breaking privacy

Finland has one of the strongest legislations concerning employee privacy. Now there have been requests from corporations that it should be broken. Not much, but just enough so that they would have the right to read who is sending email to whom (but not the contents of the message). The reason stated is that the corporations need to supervise their email traffic to cut down on industrial espionage.

The whole thing puzzles me. Many people have pointed out that most spies would just smuggle the data out on a USB memory card, or use the photocopier. You cannot stop that without instigating physical searches at doors. Also, it could not possibly be extended to free web-based email accounts, so that would not have much effect that way either.

On the other hand, corporations do already have the right to view the addressee of your regular mail - because the address is stamped on the back of the envelope. They can install a camera in your office, but they can't pinpoint it at you. They can read your email if you're disabled or on vacation (and they have good reason to believe that it's important for the company). It's questionable whether spam filtering is allowed: On the other hand, it's totally automatic, and untouched by human hands (so no "reading" of email occurs). On the other hand, someone could take spam filtering software (like spamassassin, and train it to recognize possible information leaks - or private emails. Not possible? Perhaps not now, but certainly feasible in the close future. Some companies have already blocked web mails, encrypted hard drives, and disabled USB ports, leaving email as the only feasible way to share secrets. Is it a surprise that they want to control that channel, too?

One argument is that the new law would only harmonize the different message bearers: the ability to read sender and recipient from email is the same as phone bill with phone numbers itemized, or looking at the sender and recipient information of regular mail. Currently, email is the bastion you can't touch, no matter how much you would like to do it.

The problems, of course, arrive when you realize the potential of mass-scanning of email - something which you could not do with regular mail. If it were possible to scan the header data of email from and to the entire corporation, you could very quickly determine who talks to whom. This could then be used to profile the employees, and that data then used to determine things like loyalty, potential risk, and so on. Internally, within the company, it could be used to determine possibly useful things like "which unit talks most to HR", or "in which site there are most health problems".

One of the things that the new law proposal might give a tool for is the notion of accidental leaks. Sometimes people send files or other things for which they have no right for. They might do this because they need to get their job done regardless of the means, or they're just thoughtless. But that is hard to determine without actually peeking into the contents of the message.

There is certainly a slipperly slope here, and one needs to consider carefully before trying to climb it down. Would the law be used for evil? Corporations profiling their employees to get rid of unsuitable material? Perhaps - but other laws will make that difficult. Will slips happen, and companies getting too greedy? Inevitably. Does it reduce employee's privacy? In some cases, yes. Is it against the Finnish Constitution? Well...

I know I am supposed, as a privacy advocate, to condemn this to the lowest point of Hell. But for some reason I find it rather hard. The reasons quoted for this proposal are too simplistic; too unrealistic. I also find it rather incredulous that corporations would have more power than the police to monitor email - but on the other hand, it is their email, and corporations have both a right and a duty to protect their assets. If you make an invention on company time, using company tools, performing company duties, then it's the company's idea, too. So says the law.

So far, I've found the discussion (and I am basing this writing on whatever I could find from the media archives and blogs - I was not able to find the original paper; nobody links to it and I gave up trying to navigate through governmental web pages (who's the moron designing those anyway?)) a rather hard-to-follow strawman argumentation. Without clear knowledge of what exactly is being suggested I find myself unable to form a good opinion on this.

It's just a bit too complicated.