Yeah, Your IT Guy Is Probably Reading Your Email

from the just-because-you're-paranoid,-it-doesn't-mean-they're-not-out-to-get-you dept

You probably suspected it, but there’s a decent chance that someone in your IT department may be snooping on at least someone in your company — and they don’t seem to mind admitting it. It’s not overwhelming, but about one in three IT folks admits to snooping using admin passwords to access information they’re not supposed to look at. Given that there are probably plenty who won’t admit it, there’s a pretty good chance that the actual percentages are higher.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yeah, Your IT Guy Is Probably Reading Your Email”

Subscribe: RSS Leave a comment
Ben says:

I’d like to point out a few things.

1. The “survey” wasn’t even close to scientific. It was performed at an information security conference in London, and at least part of the survey was multiple-choice. However, we know nothing else. Who was considered a “senior IT professional”? What was asked? Were those being surveyed offered something to complete the survey? Unfortunately, no survey data is available.

2. If you’re given a list of company assets you’re most likely to steal if you’re facing being fired, and you have to choose three to finish the survey, that certainly doesn’t suggest that you would actually steal any of the things listed.

3. Chances are that a survey conducted at an information security conference is going to be biased towards information security workers. Is it reasonable to extrapolate those results to all IT workers?

4. Check the source. This survey was conducted by a company that just happens to sell digital vault and password management applications. Further, this article is based on a company press release. While the results of this survey might in fact be accurate it’s hard to overlook the bias that this company faces when conducting it, especially when no real data about how it was conducted is made available.

Kevin says:

Re: Re:

When a single crazed IT admin can take done your entire company overnight you have a really big problem.

How about when a single crazed electrician can take down your entire production line? Or when a single crazed accountant can take down your finances? Or when a single crazed security manager can lock down your entire facility? And so on…

One thing to keep in mind is that in the United States, the corporate email system is considered a corporate asset and you have no expectation of privacy there. Most companies do have policies that say that they’re allowed to read your email if they want to. Why should you be surprised if they exercise that right?

Many companies use software tools or appliances that scan email not just for viruses and spam, but also for certain sensitive keywords to try to prevent leaking of confidential information. Do you think that people don’t perform some degree of manual review of those systems?

Liquid says:

Re: Re: Re:

Very good point Kevin. Most of that is going to be done by your security professionals not the IT Admin if there is a security person on staff. The fact that they are using just plain old IT Admin is a farce as well. They do not give a precise definition as to what “IT Admin” is. There are many levels of IT Admin. Just like with the company that I work for I am a local admin, because I am desktop support so that gives me full rights to do what ever I need to do on a local machine and basic to intermediate server work. There are tiers of admins, and that all boils down to what kind of permissions they have and what type of an account they are running in AD (Active Directory).

The point that you stated “Most companies do have policies that say that they’re allowed to read your email if they want to.” is 100% correct. The normal “User” doesn’t understand that once they walk through those doors in the morning to the time they walk out those doors that everything thing they do on their companies network is logged, and can be reviewed by anyone in the IT Dept.

There are a lot of network admins that run network analyzers on their own networks to get an idea of what kind of traffic is being passed through their networks, what kind of traffic loads are being put on the network, and so on and so forth. If your company has a policy of no streaming video or audio over they network and they happen to run a network analyzer when you open that video that your friend sent you they will know about it. I don’t know how many times that I have personally run a network analyzer my self and caught people surfing adult oriented materials.

There are a lot of things out there that the normal every day user does not know about when it comes to their companies IT Dept. Whether or not they are clueless to the fact that when they use company property that its not theirs at all and the company can do what ever they want with it with policies in place. Or you have the user(s) that know, and have read their Acceptable Use policy(s). Know that they could be monitored at any time on the network by the security team, or anyone that has the ability to look at what needs to be looked, or has been asked to look at in the IT Dept. What it basically boils down to is if a company thinks you’re doing something wrong and could possibly jeopardize the security of the network they have MANY eyes to watch what your doing.

Chris Buechler (user link) says:

you're throwing an entire profession under the bus...

…without any basis for doing so. The summary here is partially misleading and partially flat out wrong given the facts of the survey.

First, “your IT guy is probably…” isn’t accurate. The 1 in 3 was actually “they or one of their colleagues”, not solely them personally.

Next look at the source of the survey – a “maker of password file security management software.” Far from a neutral party, in fact one that has a vested interest in creating or overstating this problem. The articles here typically do a great job at pointing out blatant conflicts of interest, but in this case you apparently prefer to throw system administrators under the bus on the basis of information provided by a company with a clear agenda.

Does it happen? Absolutely. That frequently? Well how frequently is it really? 1 in 3 say “they or their colleagues”, well that could be 2 of 100 people that 1 in 3 know of. I don’t believe it’s anywhere near one in 3 doing it, and I suspect the percentage is in the single digits. I’m sure it’s no different from any other profession where access to private information is available – see the recent Clinton and Obama passport information unauthorized access for just one example.

I wouldn’t think about it and if I caught anyone under me doing it, it’s likely they wouldn’t have a job much longer.

JBB says:

Not me!

Bah. Okay, it’s true, I’ve looked at people’s email. When they’ve asked me to fix a problem with their mailbox, when they’ve asked me to look into a problem with mail delivery, or when we were investigating a significant threat to the operation of our server. Do those count as reading your email?

And even then, we tried to grep (pattern-match) only the needed information from the mailbox. If I grab only one line from a user’s mailbox — and that is the line that matches — does that count as reading your email?

Are you even sure that the study said we were looking at things we were “not supposed to”?

Frankly, I don’t want to know what you weirdos have in your inbox. It’s probably disgusting at best, and illegal at worst (which would put me in a situation I don’t want to be in — reporting it.) I’ve got my own email to read (and I hate having to read that!) so why would I read yours too?

Anyway. Take a small amount of comfort that SOME of us have morals and scruples (and policies) we actually adhere to.

Anonymous Coward says:

Re: Not me!


I have the hardest time convincing people that emails/files are just little packages that we have to make sure are ‘shipped’ to the right place, and are ‘stored’ in the right place. There are times where they are not where they are supposed to be, and we have to find out why.

I couldn’t care less about what’s in the package. I just care that it started at the right place, traveled the right path, and ended up at the right place.

Flyfish says:

Having been an admin for well over 20 years let me tell you that the temptation isn’t nearly as great as you’d think. Having been forced to wade through more than one person’s email as a result of HR investigation/disciplinary action was enough for me. You’re all pretty boring and your email is safe from me and every admin I’ve ever worked with. We have too much to do to be bothered wading through email looking for purity test results.

Bigdogpete (profile) says:

Re: Re:

I agree who cares. I have tools that alert me when you do something wrong and other than that I could care less if you email your girlfriend or boyfriend. I have enough problems without wading through your email. Investigations are a pain, but someone always is looking for a way around the system. Guess what it isn’t your’s, you don’t own the computer or network you are using at work. So make my life easier and don’t be stupid when you go to work.

Steve R. (profile) says:

Your Local PC Repair Storefront

Actually this points to a “bigger” issue, which fortunately does not seem to have yet “hit the fan”.

Last year the PCs in our house were fried by a lightening strike, we took our PCs in to get repaired. The PCs, of course, has a lot of private data on them that the repair folks would have had access to.

Doctors and Lawyers have a have a fiduciary duty to protect their clients and (in most cases) can’t be forced to disclose personal information about their clients. Seems like the time is right for a similar code of conduct for PC repair persons.

Fortunately, from the absence of any horror stories in the media, that your local PC repair shop is quite ethical.

Jake says:

Re: Your Local PC Repair Storefront

A good point, but I’d only endorse the idea if said fiduciary duty included similar exemptions for evidence of criminal activity; if I stumble across a vast library of child pornography on the hard drive I’m backing up prior to an OS reinstall, I’d kind of like to have the right to call the cops.

some old guy says:

Incorrect everything.

No, the IT guy isnt reading *my* email. He’s reading his own company’s email, and the company has every right to have him read it. If he wants to read *my* email, then he has to perform a man in the middle attack on my SSL certs. Why anyone would expect privacy on their work email accounts astounds me. Why anyone would even use a company email account for private uses…

CaySal says:

I have been in IT for 13 years and out of say 40 IT guys and gals that I have known – only one ever snooped around in someone’s email and he was discovered and fired. If you are worth your salt as IT person you don’t have the time for it, and if you are worth your salt as a human you have an ethical reason not to do it. Besides users are boring, why would we want to read their email?

Overcast says:

Was an email admin for years.

Don’t ever consider your email private.

only one ever snooped around in someone’s email and he was discovered and fired.

*key* – has been discovered. Suspect any that are ‘undiscovered’? 🙂

Sometimes… the business will direct you to read other’s emails. That’s happened to me more than once.

Joseph Durnal (user link) says:

Who has that kind of time

I’ve been running, designing, implementing, fixing e-mail systems for 10+ years now. I’ve been directed by management to search for e-mails, but other than that I’ve never sat down to randomly read random e-mails from random employees.

Seriously, if someone in your IT department has that kind of time, you should replace them with someone who will work a little harder.

Joseph Durnal

Andy says:

Best comment in the thread. . .

As a sysadmin myself I have to say the best comment I’ve yet read in this thread was where another sysad sort said

“Frankly, I don’t want to know what you weirdos have in your inbox. It’s probably disgusting at best, and illegal at worst”

Darn right. If I am reading your e-mail it’s because I’m debugging something. And I’d really rather not read it at all if I can avoid it. I know it belongs to the company, but it still feels like an invasion of privacy and a massive waste of time.


myrandomstuff says:

huh....i read email?

There are several comments I agree with here. Why did TechDirt post this eye grabbing title? How many accountants or building service managers that read this site? Primarily this is an IT based readership.Why did they post the results of a survey that they did not explain? Ok yes I am messaging engineer. When tasked by HR, legal and compliance; I do discovery. Yes it disgusts me that there is nothing, “darker than the hearts of men.” I hate knowing I am looking at someone’s communications looking for something wrong. I have to say that with all the free email addresses in the world why people want to send non-work email back and forth via corporate methods is still beyond me. Being the email/blackberry admin, I usually find out someone is fired before they do simply because I have to turn off their blackberry and email before they are told. Thanks to everyone for the comments, I don’t feel so guilty with my job.

link says:

Hostpital emails

When I worked IT at hospital X, the guys there read email on a daily basis. However this was email that was flagged by the filters as suspicious. They shared a couple of the crazy ones. There were some people that I didn’t want to know certain things about.
The reason the email was read was for a couple of reasons, to make sure that employees were doing their jobs and not sitting around sending pornographic emails and so the hospital would not get sued over illegal activity.
So if you just send normal business or standard casual emails your email will never get read.

Jack-Jack (user link) says:


Anyone think that we are given this access to read the emails because.. IT’s OUR JOB. YES we read YOUR email. (As if we have time to sit around and do that… we actually have software that scans your email for non-work-related-phrases.) Why would you want to send a non-work-related email from work when so many other “mom-n-pop” sites have FREE email accounts? Give me a break people… work is for working. If it was supposed to be fun, we wouldn’t get paid. Stop the QQ.

iToast (user link) says:

Words from an Admin.

I’m an admin. I work on many exchange servers and send mail servers amongst my countless other tasks. Let’s address this logically.

1. That computer, your login, your documents and your messaging data DON’T (read DO NOT) belong to you. You may have one and your eight year old my use one, but the machine on your desk belongs to the corporation and you relinquish your privacy when you hit “OK” at the log in warning. Oh, you didn’t read it where it say we can audit your box for any reason? Well, a thousand pardons maybe you should take 5 minutes out of youtube time and put it towards reading the log in warning. Kay great.

2. If I read your messages I do so lamenting the fact I have to search through your messages trying to find something because it detracts from my ability to do anything else, like read Techdirt.

3. I make a conscious effort NOT to pay attention to the contents unless they match my criteria for the search. I don’t care that your aunt fanny thinks sending an e-card to your work is neat I really don’t and thus don’t read it. The less I know about you as an individual the better, because then I have to develop a degree of care for your digital well being. Sorry, but I don’t.

4. Where did you learn that work was a good place to get email defining personal matters anyways?

Take the example of Susi Humantrafficker. She illegally smuggles people around the globe and works for the corporation who’s network I maintain. If I know more about you and find out that instead of using your address you used I now could get called to the stand as a witness to testify against you should your little operation get noticed by the Feds. Sorry Susi, but I just don’t understand your disregard for common sense which is why I will, despite my laziness, skip going to the gym and testify to have you summarily sentenced.

Think of it this way you wouldn’t have your personal mail delivered to work, so why your electronic mail? But, then again I don’t place a lot of faith in modern computer users.

This ends my ridiculous diatribe thanks for reading.


I’m cynical and jaded. Don’t try to disagree, because if you do I’ll just remind you that you’re wrong. Thanks again.

Rose M. Welch says:


My husband, an IT guy, does not have the time to snoop around for his own curiosity. If your IT guy does, then your company needs to rethink how much and why you have your IT for the amount of time that you do.

I’ve heard of IT being told to look for certain things during median downtime, such as who is surfing the net, who’s taking care of personal business and e-mail on company time, etc. but not looking just to look.

I’d consider the source on this one…

PaulT (profile) says:

I don’t tend to snoop intentionally (though I have been known to casually browse through video/music folders while waiting for an update to install). However, generally speaking it’s impossible to not come across sensitive information occasionally. Especially if people don’t password protect any directories (as most people don’t), or if they need you to go through their email to work out why they can’t open a message or attachment (usually user error to begin with).

@#4: What’s your solution then? Lock IT guys out of systems? (Good luck getting that vital fix applied)?

@#19: You should probably take your PC somewhere you trust then. Doctors and lawyers take professional oaths to protect their clients and are paid handsomely for it. Your local Best Buy will have a dude working for slightly over minimum wage so he can afford beer at the weekend, so won’t care (slight exaggeration, but still..). Find someone more professional, and they will act accordingly.

Stylus says:

I don't really care what is in your email

As stated by others, we don’t really care what is in your email.

I have worked for doctors and lawyers that required me to sign paperwork that I will protect the privicy of their data. I will gladly sign the paperwork, and re-assure you that I don’t really care what is in the data, only that the data is working for you and safe when it hits the fan.

Some people imagine that all IT people are like the original BOFH. Although that series is funny as hell it is not reality.

…anyways the real interesting stuff is usually in word documents filed under employee reviews…JK

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...