Due to recent regulations and various legal decisions many companies have interpreted rightly or wrongly that they can be legally held liable if their systems were utilized for illegal purposes that resulted in harm to a specific individual or group of individuals. Their fear is as with many areas of law, ignorance is not necessarily a valid legal argument. Most companies are not implementing these technologies to validate that their systems are utilized only for company business (although some certainly are doing so for this purpose) but instead are implementing this technology to mitigate security risk$. By showing that they are monitoring for this activity they hope to show that they are taking appropriate steps to assure their systems are not used improperly. These efforts have accelerated with the implementation of SOX as the executives themselves are finding they can be held liable individually for the security of their systems. The use of systems for illegal actions is seen as a security issue and this technology as a viable and appropriate response to mitigate the associated risk$.

Personally I do not expect privacy when utilizing company equipment for personal business. I instead appreciate the fact that my organization understands that a limited utilization of company resources for personal business is normal and thank them for allowing me to do so. If I require a level of privacy I utilize my own equipment at my own costs.

Now as for the security issues this might raise one can only hope that the network team has put in place the proper security precautions to safeguard the information discovered. Not to protect the privacy of the individual, although that should be a consideration, but instead to safeguard the assets of the company that could be compromised if information such as passwords were left vulnerable.
Finally this definitely should be discussed with the network team as I saw nothing in the discussion indicating such a discussion had already taken place. What if it wasn't the network team that attempted the installation?

John Stone
Consulting Manager
Symantec Security Services
(541) 335-5641

"Forensic Computer Service, Inc." <sales@private>
Sent by: owner-crime@private
04/30/2004 12:58 PM
To "Rob Magee" <robmagee100@private>, <crime@private>
cc
Subject RE: CRIME Surreptitious software

First let me state that I am not an attorney, so this should not be taken as legal advice.

In the business arena my experience has been it is lawful to install whatever one wants on equipment providing the company owns it, with the only acceptable provision being that it may not invade personal privacy. Video cameras, for example, can be installed to monitor employees but are not permissible in bathrooms, or other places where people have a "reasonable expectation of privacy". Some companies/organizations explicitly state in their policy manuals that such monitoring/recording may be done by the company.

I'm sure there are those that will disagree with me that in Missouri we monitored (in another life of mine) and recorded, without any previous warning, calls made by the sales department. Our counsel approved this because no employee has any reasonable expectation of privacy while using a phone system and phone lines owned by the company.

From your Email I see you are with a government agency. I would hope they have published policies on installing and using spyware on employees, but I certainly don't know what's permissible and what's not in Federal, State and local government operations.

While I personally find what you said they did below offensive, in the private business world I see this a lot and it's based on the premise that the employee is using a company owned computer to perform his/her job functions on company time and getting paid for it.
I would consider taking the facts and the hard evidence, up the chain-of-command (in writing of course) and either it will be stopped and someone gets in trouble, or, you will get told it's policy. Either way you force the issue to get resolved not just for your benefit but for everyone else who works there.

Regards,
G. Chatten
FCS

-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private]On Behalf Of Rob Magee
Sent: Friday, April 30, 2004 1:36 PM
To: crime@private
Subject: CRIME Surreptitious software

Yesterday, the network team botched a silent install of Resource Monitor (resourcemonitor.com) on my computer when I logged in. I noticed it when I had to reboot after the install conflicted with MS's handwriting and speech module for Office and crashed. This software is aimed at monitoring staff application use, but goes a step further by adding screenshot capture and keylogging.

My question is, is it legal to have silently installed keylogging software, even though that feature may not be enabled? My understanding is that keylogging is the digital equivalent of wiretapping, but I need some clarification.

Thanks all. You can respond to me at:

Rob Magee
Outreach Helpdesk Team
Oregon Department of Education
(503) 378-3600 ext. 4495
robmagee100@private <mailto:robmagee100@private>
This archive was generated by hypermail 2b30 : Sat May 15 2004 - 09:29:17 PDT