Bloxx provides means of filtering personal emails

A new email filtering appliance claims to be able to separate business email from personal email, quarantining personal messages until after working hours.

Most acceptable usage policies allow employees some personal use of their computers, provided it is "reasonable." That usually means a few visits to non-work-related websites and some email exchanges with friends and family. As long as that activity does not get in the way of work, it is generally tolerated. But what is "reasonable" usage, and how can an enterprise enforce it?

With the Web, it is fairly easy to control activity. For instance, most companies block any access to certain website categories -- such as gambling or porn -- and give limited access to others, such as online supermarkets, at certain times of the day. But controlling email is much more difficult. Most email filters will block spam and malware, and allow all other messages to flow into the user's inbox, regardless of whether they are work-related.

Bloxx Ltd., a Scottish company that until now specialised in URL filtering, claims to have created a solution in the form of an email filter that goes one step beyond normal spam filtering; it distinguishes business and personal email and sifts out non-work-related messages.

"What we are providing is a means to create rules around what email you allow into the business, and also when you deliver it," said Eamonn Doyle, Bloxx CEO. "You can create work-focused zones of the day when you are not being pestered with subscriber stuff or auction updates from eBay."

The Bloxx email filtering appliance incorporates spam filter software supplied by Mail-Filters Inc. and ClamAV, an open source antivirus engine, with Sophos plc antivirus as an optional extra. The product costs £2,200 for a network of up to 100 PCs.

What sets it apart from other mail management systems, said Doyle, is the True-View technology, which Bloxx also uses in its URL filtering appliances. True-View analyses the source address and content of email messages, along with any embedded links, and, on the basis of what it finds, assigns emails to one of approximately 50 categories, such as business, sports, shopping or news.

According to policy, the system will then decide whether to deliver the message immediately, block it, or quarantine it and deliver it later, for instance at lunchtime or after office hours.

Monitoring of employee computers can be a delicate subject because it can cause bad feelings and even accusations of invasion of privacy. It is also covered by a range of laws, including the Data Protection Act, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000.

But according to Rosemary Jay, a lawyer with Pinsent Mason LLP, employers are within their rights to do it. "They can do it under the Lawful Business Practice Regulations as long as they have proper policies and notices to support it and do not do it in an obtrusive manner," she said, adding, "but that may be hard to do."

Doyle said some councils, NHS Trusts and private companies have already begun trials of the system without objections. "We initially thought the unions might object to it, but they had the opposite reaction. With a rule-based engine, it ensures everyone is treated uniformly," he said.

Andrew Kellett, an analyst with research company Ovum Ltd., said the product could provide a useful extra layer of control in email management. "It seems like a useful thing to do and it gives [Bloxx] a useful differentiator," he said. "Everybody claims the 90-odd percent rate for trapping spam, and you tend to take these things for granted now. Therefore another layer of protection gives more confidence without too much extra overhead."
