According to a new survey by Forrester Research, 41% of large companies (those having at least 20,000 employees) either read or analyze the contents of outbound e-mail.  They’re either paying other employees to read them or presumably using any number of commercially available software programs to analyze them. 

44% of the companies surveyed investigated a confidential data breach involving e-mail in the past year, while 26% said they fired an employee for violating the company’s e-mail policy.  Companies also expressed concern over employees leaking information on message boards, blogs, and other electronic media.

Quite frankly, I’m surprised only 41% of large companies are doing this (although it depends on the industry).  I would have expected it to have been much higher given the daily parade of data and privacy breaches in the news.  After all, it’s large companies that have the financial and human resources to implement widescale e-mail monitoring systems.  Smaller companies may be in a much different situation.

Of course, many employers find it distasteful to engage in this type of monitoring.  It can, if not handled properly, be destructive to employee morale and have lasting effects.  Nevertheless—for better or worse—many employees are slowly coming to grips with their employers’ monitoring efforts.  It’s just becoming a fact of life. 

But the truth is, I’ve had clients whose employees have e-mailed confidential and sensitive company data.  Some workers do it without thinking about it, while others are far more malevolent in their intentions.  This is especially the case when employees leave their companies on bad or poor terms.  So it’s a very real problem for employers that has very real consequences.  Thus, like it or not, monitoring will only continue to increase. 

Bottom Line:  Be careful.  You don’t have any right to privacy when you’re at work.  So don’t think that anything you send—whether to a spouse, boyfriend, girlfriend, doctor, stockbroker, or anyone else—is private.  Even if you have to send it and it can’t wait until you get home, an employer is within its rights to read your e-mail, no matter how private the subject matter.  Of course, what it does with that information is another matter.

     In yet another invasion of privacy couched in the rhetoric of “but the consumer will benefit!” comes this story from the Washington Post.  Apparently, a small but growing number of ISPs are monitoring their users’ every click and keystroke.  The ISPs then harvest the data to determine a user’s interests and preferences and provide it to advertisers who make highly targeted pitches to the user.  I can see the pitch now:  “We’ve noticed that you’ve typed in the word “hemorrhoids” 12 times, searched Google 3 times, and visited 9 sites.  Here’s a coupon to try Preparation H for free.  It will stop the itch!”

      This monitoring is known as “deep-packet inspection” and it divides every aspect of a user’s data into packets that an ISP can analyze for content.   First, as a general matter, whenever I see anything with the words “deep” and “inspection” in a title, I get somewhat concerned without even having to read any further (similar to how the FBI first named its now infamous packet-sniffing software ”Carnivore,” but later changed it to the more benign-sounding “DCS1000″).  From a more substantive perspective, however, it represents a considerable escalation of an ISP’s ability to monitor its users.  Barring any legislative or regulatory action, it won’t be long until all ISPs engage in this practice.  According to the article, only 100,000 users are affected at the moment.

     As usual, the ISPs gain their users’ consent by burying the monitoring in their lengthy customer service agreements.  According to the article, one ISP—Knology—has a 27 page agreement and only makes vague reference to the system.  Few people actually have the time and energy to read them, and those that do will not necessarily understand them anyway.  The lawyers that draft them are not exactly known for their clarity, especially when it comes to a controversial subject such as this.  In fact, according to one Knology executive, there’s no violation of privacy at all.

     The article is silent as to how long an ISP actually retains all of this information, but presumably can retain it indefinitely.  And even if it doesn’t, once the information is disclosed and sold to advertisers, copies of it could continue to reside in cyberspace even if the ISP purges its records.  The article is also silent as to how such information could easily be disclosed to law enforcement or to parties involved in civil litigation.  So the march towards “zero privacy” continues. <sigh>