Re: [squid-users] A Logging question

From: Joe Cooper <joe@dont-contact.us>
Date: Fri, 10 Aug 2001 11:51:58 -0500

Bill Delphenich wrote:

> Joe Cooper wrote:
>
>
>>Squid isn't designed with this purpose in mind.
>>
>>Legally and morally, you'd be on very shaky ground implementing it even
>>if it were. In fact, it has recently been found by a circuit court to
>>be an invasion of employees' privacy to monitor internet usage at
>>anywhere near that level
>>
>
> The default logs in squid already record all the information regarding which
> workstation went to which web site when, etc. The only thing I am asking
> about is web-based e-mail.

Yes. And web-based email is legally protected just like company mail.
Sorry, but that's what the courts just found a couple of weeks ago. Be
thankful it wasn't your company that was the 'vs.' in this case.

What sites employees visit on the web is entirely different than the
contents of private email, and the courts have been very clear on this
point. I didn't make the rules, I'm just telling you what they are. I
follow this stuff because some of my clients are monitoring internet
usage to various degrees, and I try to look out for their interests. I
offered up my advice to you, as well, trying to prevent you from running
into serious legal troubles. You asked advice, I gave it. No charge,
so don't look a gift horse in the mouth, eh?

>>(in other words: email--even company provided
>>email--is considered private and cannot be viewed without a warrant or
>>probable cause). This is only in the US, of course...but I expect
>>privacy laws are equally strict or will become so shortly elsewhere in
>>the world. You /might/ be able to get away with it if you required all
>>employees to sign an agreement that all mail sent from the office would
>>be logged and monitored.
>>
>
> The mail I am referring to here isn't official office e-mail. We run a mail
> server and have company policies, etc for all that already. I am talking
> about somebody's personal e-mail account that can be accessed from any web
> browser in the world, including PCs in the office that don't even have
> e-mail installed on them.

Yep. And it's protected.

Email is legally protected private correspondence. To make the analogy
that has been made in court: If an employee mailed a traditional postal
letter by dropping it into the post box on the company premises, they
would have every expectation that the mail would not be opened and read
by the security staff at the company. There are ways around this
restriction (strict and very carefully worded employment agreements),
but even this is fraught with the danger of lawsuits.

>>Sorry to be so cynical here, but I think you're getting a bit carried
>>away with technology.
>>
>
> Obviously you don't work in a field where your work is proprietary, highly
> competitive, often secret and almost entirely contained on CAD files. And
> equally obviously you haven't found out yet you can have people within your
> company who rip you off. My congratulations. I hope you stay that lucky.

Nope. I work in a field where nothing is secret or proprietary (open
source software development). Nonetheless, I understand your
concerns...my father is an engineer in the oil and gas industry here in
Texas, so I'm aware of the potential problems.

> We have a client who recently caught employees from a foreign (hostile)
> country mailing company secrets back to their home country just this way. These
> employees were deported, but it didn't help the company's stock any.

And neither will invasion of employee privacy or the following lawsuit.
I'm sorry to be the bearer of 'bad' news Bill but the law is not
undefined here. You will be breaking the law if you read employee email
using your proxy. It's not me imposing this rule on you...it is the US
court system.

The current state of law in this area:

You can legally monitor what sites your employees visit (as long as they
are made aware of this monitoring).

You can block employees from visiting any site you choose.

You can block email from being sent from your local email servers to
certain domains (or limit them to specific domains), although this is
probably going to be the source of a lawsuit at some future date.

But you cannot read employee email without their explicit permission.
(Get it in writing! And prepare for lawsuits anyway.)

> This crap happens and somebody in the company is expected to have at least a
> glimmer of a clue what is going on. In my company this somebody is me.

I've mentioned your options. But I'll clarify.

If you need PCs that are not equipped with email clients to not be able
to send mail (for example via hotmail) then Squid /can/ help you in a
completely legal fashion. Just block access to all public webmail
services. This won't prevent a determined thief from mailing things via
a non-public webmail server (I have a webmail client running for myself
when I'm travelling, for example...it's not difficult to set one up if
you have a server to put it on). You could also limit the size of
attachments that can be sent--preventing complete drawings from being
sent. In fact, Squid provides a nice friendly directive just for this:
"request_body_max_size". Set this to something small (like 5k or 10k)
and at the very least, someone will have to break the file into 100
pieces to get it through the proxy. This doesn't make it impossible for
someone to send out such a mail, or make it legal for you to read it,
but it does make it a lot more difficult and your "spy" will have to
have a lot more knowledge than an ordinary thief has to circumvent it.

Beware however, there are a hundred other ways to bypass this without
using webmail. You're focusing on one tiny little facet of a complicated
problem. And the real key is to hire honest people and/or require NDAs.

Just to point out that monitoring webmail is a fruitless pursuit, here
are some other ways a user could send files out over the network:

SSL Tunneling VPN

Running a POST enabled webserver outside your network and sending the
file via POST (possibly encrypted)

SSH

FTP

RSH

Encrypted webmail using some non-public webmail server, or over an SSL
link. Squid doesn't crack open an SSL request and so you would never
see the contents.

Even if your firewall blocks all but proxied web requests, you're still
fighting an impossibly uphill battle, and there is no easy way to
prevent the two methods above that would work even through such a
restrictive firewall.

Sorry, but you're focusing on a tiny little thing to the exclusion of
all others, and missing the whole picture by a mile. You cannot control
your employees' every action, and there is no technological way to
control every packet that leaves your network. You can either unplug
your users from the internet entirely, or accept the risk of employees
having such access. Violating their privacy (as defined by US law) will
not help you here.

Good luck, Bill.
                                    --
                       Joe Cooper <joe@swelltech.com>
                   Affordable Web Caching Proxy Appliances
                          http://www.swelltech.com
Received on Fri Aug 10 2001 - 10:45:25 MDT
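
Added example, not part of the original message or the Squid project's own documentation: a squid.conf fragment for the two controls described above, refusing public webmail by destination domain and capping request bodies with request_body_max_size. The ACL names, the client range and the ".webmail.example" domain are assumptions made for illustration; ".hotmail.com" is the service named in the message.

```conf
# squid.conf fragment (added example; ACL names, client range and the
# .webmail.example domain are assumptions, not values from the message)

# Public webmail services to refuse. A leading dot matches the domain and
# all of its subdomains. dstdomain is also checked against the host in a
# CONNECT request, so the block applies to HTTPS by host name even though
# Squid never sees the content of the tunnel.
acl public_webmail dstdomain .hotmail.com .webmail.example

# Constructed internal client range; replace with the real network.
acl localnet src 192.168.0.0/16

# http_access rules are evaluated top to bottom and the first match wins,
# so the deny has to appear before the rule that lets local clients out.
http_access deny public_webmail
http_access allow localnet
http_access deny all

# Before: a value of 0 imposes no limit on PUT/POST bodies.
# request_body_max_size 0 KB

# After: cap request bodies at the "5k or 10k" size suggested in the
# message. The limit applies to every request through the proxy, so
# legitimate form posts and uploads larger than this are rejected too.
# It does not apply to data inside a CONNECT (SSL) tunnel, which Squid
# relays without seeing the request body.
request_body_max_size 10 KB
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` applies it to the running proxy.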