This doesn't sound right - 3rd-Party "Deduction Management Firm"

notverypunny

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.

No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.

Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.

Their lack of knowledge is not your problem :angry_face_with_horns:

scottalanmiller

@notverypunny said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.

No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.

Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.

Their lack of knowledge is not your problem :angry_face_with_horns:

Exactly. They made a VERY specific technical request. Not your place to question that since it isn't a security concern since they will get the binary dump only.

WrCombs

@notverypunny said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.

No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.

Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.

Their lack of knowledge is not your problem :angry_face_with_horns:

Wasn't there a movie that said :
"you can't fix stupid, no matter how big a hammer you use."

Seems fitting.

Dashrender

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.

No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.

Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.

exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.

scottalanmiller

@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.

No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.

Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.

exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.

Right, and those people present a security concern.

And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing to allow unintended recipients read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials.... whoa baby would I be concerned.

scottalanmiller

If you are going to do this, I would make sure that every employee and customer clearly understands that their private communications will be turned over to a third party. California has allowed employers to read employee emails when properly notified before hand. But that's way different than sharing with a third party, you'll need a really good employee handbook signed off by everyone before doing this.

wrx7m

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.

No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.

Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.

exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.

Right, and those people present a security concern.

And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing to allow unintended recipients read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials.... whoa baby would I be concerned.

Do you have anything to reference for the legal issue? I mean, I am not a lawyer and don't want to be, but if I know it isn't legal, I will certainly not do it and explain why.

scottalanmiller

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.

No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.

Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.

exactly - like management who see ads in airports and come back and demand that you install some cisco BS or other.

Right, and those people present a security concern.

And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing to allow unintended recipients read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials.... whoa baby would I be concerned.

Do you have anything to reference for the legal issue? I mean, I am not a lawyer and don't want to be, but if I know it isn't legal, I will certainly not do it and explain why.

Not directly because this is so dangerous and so risky that it would never come up. But basically this third party is requesting access normally limited to requiring a court order.

https://www.employees-lawyer.com/can-my-boss-read-my-e-mail/

Unfortunately, the law on e-mail surveillance is not well-settled. The federal Electronic Communications Privacy Act of 1986 (ECPA) prohibits the unauthorized access to electronic communications.[7] The phrase “electronic communication” includes the transfer of any writing or data, but it does not include oral communications.[8] Several courts have found that the ECPA covers e-mail messages.[9] People that violate the ECPA could be subject to fines or prison time.[10]

The problem for employees, however, is the definition of “without authorization” under the ECPA. If an employee checks their e-mail from a work computer, have they authorized their employer to access it as well? The phrase “without authorization” is not clearly defined.

There is, however, at least some argument that an employer is not authorized to access employees’ personal e-mail accounts. So, even if the employee accesses their personal e-mail from a work computer, this would not seem to create an implied authorization for the employer to snoop in their e-mail further.

This argument is significantly diminished by the use of employer-issued e-mail accounts. Because the ultimate ownership of the domain and the e-mail account itself remains with the employer, it is likely that the employer can authorize itself to access the e-mail account.

scottalanmiller

@wrx7m basically here are the issues that I see:

1. Assuming that there are strong policies in place in regards to the employer being allowed to read the employee's email as a given starting point, that doesn't cover the situation here. That's "normally legal" if handled properly, but risky enough to generally be advisable to avoid. Even if the employee legally can do nothing, it can damage the company's reputation. And that's best case, worst case it goes to court and the company can't prove that it had the right to do it.
2. The request is to capture all traffic, not just email. Maybe we want to ignore this, but the request is for this and would risk crossing into "social engineering" grounds by trying to convince you to do so. This would include bank transactions and all kinds of things. Claiming that they are just incompetent might work, but not likely. Bottom line, they are asking for the keys to absolutely everything, using email as an excuse to breach the firewall / network security.
3. Even if we ignore #2, the request is for all email, regardless of sender or recipient, or system. This means that not just proper business transactions with clients, but also the CEO talking to the company lawyer, the HR team discussing employee issues, and other matters of HR, legal, or attorney / client privilege or possibly SEC trading (if you are public) are exposed to a third party without anyone's permission or knowledge (presumably.) Even telling people that this could happen appears to mean nothing.
4. We have to assume that the Harvest company has no legal framework around it making it have to do any due diligence to protect the confidentiality of the emails that it receives. Honestly it sounds like a scam business, but even if it isn't, this seems like a huge problem to know that they have major security gaps in their understanding and let them have data of unlimited sensitivity.

Sharing specifically targeted client / sales conversations, once the sales team is made aware, and the emails are verified by some process seems fine. Everyone knows what the contents are ahead of time. But anything that does a "grab all" from the network or the email system would be grabbing data of unknown origin and destination and purpose.

It would be super, duper hard to defend in court if an employee's private conversation with HR, a boss, a doctor, a bank, a family member, etc. was intentionally shared with a third party how that would be legal as it serves no business purpose.

Kelly

It hasn't gone into effect, but as of 1/1/20 you will be operating under this law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

wrx7m

@Kelly said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

It hasn't gone into effect, but as of 1/1/20 you will be operating under this law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

Thanks. At this point, it is only companies that this request would apply to.