There's a very popular piece of software being used by businesses to monitor productivity of their employees called Investigator.
Playing solitaire at work? Think again...
"Employers use this to find out what's happening in their business," said Richard Eaton, the Kennewick-based developer of Investigator, a software sleuth that nets employees who use their computers to slack off or sneak around -- and more -- on company time.
Stealthy software programs like Eaton's enable employers to watch every tap of their employees' keyboard -- including deletions never stored or used in the final version.
Memos typed, e-mail sent, proposals drafted and Web sites visited -- all can be viewed by bosses without the employees' knowledge.
Investigator software users pooh-pooh their Orwellian powers and lavish praise on a program they say tightens security and helps eliminate workplace slouches and cheaters.
But privacy advocates worry about the fuzzy laws still surrounding the workplace computer.
"Employees often think they have privacy rights, when in fact they have very little," said Jeff Mathias, an Iowa attorney and employment law producer with the Seattle-based Prairielaw.com, a legal issues Web site.
Essentially, this software not only monitors what programs you open and when, but individual keystrokes (even backspaced) and personal emails opened. This means that your boss could have the password to your personal email address, without your knowledge and without you signing anything upon beginning employment empowering him/her to do so.
Of course, you shouldn't be checking your email at work anyway, but I can see how the possibility for abuse of this program is there. Say your boss is not utilizing this company-supplied program to further the company's interests, but to blackmail employees.
In my opinion, companies should acquire consent to acquire this data for more reasons than legality (the Washington Privacy Act has been superseded by precedent allowing this sort of spying, and computers for some odd reason aren't covered by it). If employees knew they were monitored (but not to what extent), it would likely end problems before they began. The article mentions that maybe it would be a better idea to use the software to monitor overall productivity, and not to keep track of every individual keystroke and action a given employee makes. I agree with this. Employees who spent the entire workday instant messaging and playing solitaire would still be canned, but without the mess of your boss knowing how to screw up your life by faking an affair for your wife to find.
What do you think?
Well, reading someone else's email is identity fraud, or something, so the right of privacy does extend to the content of what you're doing. Does that make any sense?
don't log on to sites such as personal email or your bank account while at work
problem solved
I'd imagine content would be covered to a degree. Stealing someone's identity is illegal regardless of the circumstances.
However it's the company's machines and web access you are using. They have every right to track the traffic that goes in and out of their servers.
Suppose you're on your lunch break, never signed any technology agreement and have no idea you're being monitored.
I'm smart enough not to do something like that, but what about the average Joe Schmoe who checks his email on his break to keep in touch with his grandkids?
So I'd say it could be limited to knowledge of IP's.
However, keystroke loggers also present a related issue. While they allow you to see if an employee is stealing company data, they make it possible for one employee to steal another employee's identity. While it's understandable that a company would want to discourage excessive, frivolous, or irresponsible personal use of the Internet, I don't think it's realistic to expect that your employees will never check personal email or a personal banking site at work, particularly during lunch breaks. People can't just put their entire personal lives on hold for eight hours a day or more.
If that data is logged, then other employees will have access to it. The company then has a responsibility to handle that data responsibly. If your IT is outsourced, or if your internal access policies or security procedures are poorly defined, then you've got a major problem. A company should treat their own employees' information at least as securely as they treat their customers'.
the "no true scotch man" fallacy.
You have no rights on a work network. We tell all our users this. Technically anything you do here is the property of our company and you do not own it.
We aren't nazis over enforcing rules, and cracking down on slacking. But don't think we don't own everything you do and aren't allowed to monitor.
And think about it this way, if they say dl'd child porn, we'd be responsible.
Basically.
It's not spyware if you're monitoring your own hardware.
That last part is an ethical issue to me, however, not yet a legal one.
I think the company needs to be legally compelled to inform employees that this is what they're doing, because I think even a technologically savvy employee assumes a certain degree of privacy (and rightfully so) while using a computer at work.
How it usually seems to happen is that either the employer/manager develops an unrelated issue with the employee and seeks to gather evidence or reasons to justify action - in which case internet/email use is a good place to start; or either through a system like OP linked or say through a casual/regular check they find something that worries them.
Right. In general, most people know that when they see the little lock icon close on their browser or see "https" instead of "http," that means their session is encrypted, and they generally think of that as being protected from snooping. I would call that a "reasonable expectation of privacy," even if the law does not necessarily recognize it as such. Most ordinary users do not encounter or even really think about keystroke loggers in their day-to-day computer use.
Consequently, I would say that logging Internet traffic (through a web filter like Smartfilter or Untangle) is an understandable amount of snooping, while anything that circumvents SSL, like a keystroke logger, is exceptional and would require an exceptional amount of disclosure except in very extreme circumstances.
My two most successful methods of getting rid of it were pointing out that this would give anyone user/pass access to anyone else's account, completely in violation of the computer usage agreement (since I can't track what user did what, access to that means I could sniff someone's password, log in as them, and surf porn to get them fired. No Go.), or by quite loudly installing the software on every manager and C*O's PC first and calling them any time they even sort of hit a non explicitly company website. Nothing kills stupid IT policy like hard line enforcing it on the people who made it.
edit: I'm fine with pulling DNS/Web access logs, but my usual lecture first is that I can crack down every unauthorized use of a computer ever, and if your employee doesn't want to work, he'll just bounce a ball around his cube. The issue isn't net access, it's either the employee or the working conditions.
every job I've used a computer at had a piece of paper as part of the hiring process that I was required to read and sign off on, explaining that computer and internet use would be monitored
I agree this should be mandatory at any job with computer use involved
it will help employees be less stupid on work computers though I guess
Paging Dr. Foucault.
He is way too busy having anonymous sex in the bathroom to respond to the page.
Isn't it? It's pretty much what I presumed when I signed a similar agreement.
See, I can understand that this would be a reasonable assumption as things stand. But it shouldn't be - there's a population that doesn't even realise that this is possible, and I'm not sure what circumstances would require this sort of technology. Could someone present an argument for this?
One of the first things I learned in college during my IT related classes is that if you click yes to a user agreement concerning using a computer, the organization or person that issued that agreement can do whatever the hell they want with the information they might gather from you using that PC.
Now, there's a difference between can and will. You'd be shocked how many companies make a user agreement like that and never really use the tools at their disposal. That being said, the college I went to actively monitored college-owned PCs, and would record everything, from passwords, to websites visited, to your email, if you were stupid enough to log on while using a wired computer.
Now computers connecting wirelessly, those are free and clear apparently. They either never quite got down how to track who did what, or never bothered.
As for an example, it doesn't really matter. Companies do it because they can, and because they want to know if someone is slacking off. Yes, data-mining to figure out if someone was typing IM's would be tough. Booting up a program that could just look at what they're looking at in real-time is not however.
If you do want an example, consider that some of these tools can be used by computer forensic investigators to ruin the day of someone who's doing something illegal.
These are subject to the same problems - expectation of privacy. Otherwise, reading packets allows some of the same things to be done on unsecured connections.
From a technical standpoint, a wired connection can be traced just as easily as a wireless one - again, I suspect this is just a matter of who controls the machine.
Well, no, actually, it does matter. Because justification is important in determining whether this is an ability that should be held by companies.
Not needed. This is sort of the point of warrants, etc.
Absolutely, this. Using software to obtain other people's passwords should be illegal no matter whether the entity doing the obtaining is giving you money or not.
The way employers are worshipped and indulged in here creeps me right the fuck out. It's not pleasant to observe what a total lack of adequate labour laws does to a working population.
A well written agreement will usually provide enough leeway for an organization in court so that it won't be overturned, unless some really egregious crap is going on. So the point is moot either way.
A well written agreement can also waive expectation of privacy. For example, if you boot up a company computer, and it brings up a user agreement that states that your actions will be monitored, and states what you can and cannot do with that computer and you agree to it, or you get a pop-up that warns you about monitoring, by definition (In most states, I do believe there are some exceptions.) you no longer have an expectation of privacy while using that computer. This is a big thing with most companies, since if they monitor employees who have an expectation of privacy they could end up in some nasty lawsuits should the employee find out about it.
In regards to my college, it's more likely an issue that most students use laptops that connect wirelessly, and that there's a fair number of people pushing for wireless laptops to not be restricted or monitored on campus.
As for justification, see what I wrote above. If they warn you ahead of time, legally, unless they abuse their ability to monitor you (IE take passwords/personal details that could harm the employee needlessly and act on this information in a way that is not legal, nor pertains to the company in question.), they are well within their rights to do so.
As for a computer forensics related investigation, not all investigations are done at the criminal level. There is such a thing as a corporate investigator. The only thing is that at that particular "level", you have to worry about the silver platter doctrine, in regards to criminal activity. So yes, this software could be used in certain situations, if there was not an expectation of privacy in the first place.
It's not a matter of ethics, but rather a matter of results. If you go and say that companies can no longer monitor their employees, you leave the companies open to all sorts of terrible things, most of them criminal in nature.
Of course, this doesn't always stop the smarter people, who find ways of getting around using computers and other systems that can be traced. I once heard a great story about a guy who stole money in cash form and stuffed it in his furniture to keep anyone from finding it, and a sixty year old woman who was looking for a new set of living room furniture.
I'm not really worshipping employers, just stating what the law is.
There's a very good reason why companies can get away with this. The opposite, no monitoring, or limited monitoring, creates all sorts of issues for the company in regards to catching people trying to screw the company in question over, be they a disgruntled employee, or just a greedy arse.
That being said, there is generally an expectation that an organization doesn't abuse the ability to waive expectations of privacy, and I can't imagine a rational judge looking too favorably on an organization that did abuse that privilege if they did something illegal, regardless of what agreements were in place, like, were I to use an extreme example, take, and use personal credit card information from an employee without their permission or knowledge.
Edit: Setting aside the company thing, there's also the issue of who is handling the data. You aren't going to be seeing Joe Moneybucks, the CEO of the company, looking at URL logs, or remote desktopping into an employee's computer. It's either going to be the IT staff, or a corporate investigator, most likely with a computer forensics background. In both cases they will be employees of the company in some capacity. The former is susceptible to abusing their position, yes, but for the latter, it would be akin to career suicide to do that. If whoever is wanting an investigation done is smart, they'll hand it off to a professional too, meaning it goes to the latter instead of the former.
Computer forensics investigators have to maintain a spotless reputation in court, never mind maintain an unbiased view of the events that occur while on the stand. If they can't do that then the evidence that they collect can be thrown out by even a half-decent lawyer. They basically have to be saints, unbiased saints, that are just doing their job, nothing more, nothing less. Using personal information for their own gain could really come back to bite them in their ass. If not resulting in jail-time, it'd make getting hired to do their job near impossible, since any lawyer could just trot out the time that forensics investigator stole Phil from Accounting's personal information and used it for his own benefit to discredit the investigator in court.
In general, this is true (I used to work for a company with a large data forensics division). This also presents an inherent limitation: you're not going to pay a computer forensics professional $80k a year or more to comb through keystroke logs of admins making $30k a year just because you're afraid your employees are wasting time. That's a ton of data and simply doesn't make economic sense, which is why keystroke loggers are usually (as they should be) restricted to situations where an employee might be engaging in directly destructive, fraudulent, or otherwise illegal practices.
That said, I have encountered a few smaller businesses who have used these tools without fully understanding what they're getting into. So while most businesses, particularly larger businesses, are going to have high-level career IT security or data forensics professionals managing surveillance tools, some other businesses might just throw the job to their part-time right-out-of-cert-school IT geek (or, worse, their outsourced sysadmin).
It's possible my perspective is slightly skewed. I work in the financial services industry, and it tends to be taken pretty much as a given that whatever I do must be recorded and auditable.
Phone calls I make, faxes I send, emails I send, files that pass through my hands (even if I immediately hand them off to someone else), I'm supposed to note in files if I discuss them with someone else in anything other than general terms, etc.
The regulatory environment is such that generally, if it's possible to record it, it will be.