Mike's answer is basically correct, both with regard to the legality of monitoring and the practical consideration that if you monitor and record something, someone else may be able to use it against you. Your Monitoring Policy should be developed in cooperation with your HR dept. and your company's legal dept. Don't just go slapping keyboard monitors (or other forms of monitoring) on your employees without coordinating with those other depts. Sections 2511 and 2520 of Title 18 of the U.S. Code create criminal and civil liability for improper interception of wire, oral and electronic communications. Although there are exceptions under both the U.S. Code and under state laws for system providers, relying on these exceptions is unnecessary if your company puts in place an appropriate Monitoring Policy. By explicitly requiring user consent to monitoring, your company can make access to your network and systems conditional on users accepting such monitoring. All users of your network and systems (whether employees, third party contractors or customers) should be required to consent to monitoring. Your Monitoring Policy should specify that your company has the right to monitor all network traffic and all data stored on equipment used for company purposes that is provided to an employee or contractor by the company or by any third party contractor. Both your authorized use policy ("AUP") (for internal users) and your TOS (for any external users) should reference this policy and explain it. In addition to informing users via the AUP and the TOS, logon banners should reference the Monitoring Policy and state that access to the network or system is subject to monitoring at any time and for any reason, and that by accessing and using the network or system, the user is explicitly agreeing to such monitoring. 
Monitoring traffic and behavior on your systems can allow you to detect misconduct in real time, and can create logs that will be useful in an investigation and/or prosecution. Monitoring can also decrease behavior such as employee web surfing or other violations of your company's authorized use policy. However, you must remember that anything you record can potentially be used against you, too. Records of explicit or otherwise discriminatory chats or emails could be used as evidence of a hostile workplace in a lawsuit against the company. How much easier would the tobacco litigation have been with email and IM records? This is why your HR and legal departments need to be involved. In the future, the increased use of personal technology (e.g., cell phones, PDAs, etc.) to access corporate systems will require increased and more specific consents. If, for example, you open up your document management system so that it is web accessible, an employee with a PDA and a wireless modem can download confidential information. Access to that system could require explicit consent from the user to monitoring of the activity and an agreement to provide access to the PDA on demand. (Note: such access will be easier if your company owns the PDA and provides it to the employee.)

I wrote an article on employee monitoring for USENIX ;login: about a year ago. Rather than waste the bandwidth sending that to everyone, if you're interested in receiving it, please drop me a separate note.

John

In a message dated 7/12/2001 8:53:36 PM Eastern Daylight Time, mikebrownat_private writes:

> > My question is twofold:
> >
> > 1.) What are the legal ramifications (real or potential) of a keyboard
> > entry capture program installation on corporate desktops? Do civil
> > issues exist? Must one have clear evidence of wrong-doing before silent
> > installation? Precedents? How well does this type of 'evidence'
> > present itself in the courts? How to 'prepare' outcome for Chain of
> > Evidence compliance?
> >
>
> IANAL but courts have ruled that company owned computers can be searched
> and monitored. Even if you look at the larger picture it is my understanding
> that company phones are open to wiretapping and the like. It only makes
> sense to assume that the same would extend to the computer.
> From a practical standpoint I wouldn't just start installing keyloggers
> everywhere. Not only do you have privacy issues but security issues as well.
> Are you confident that the computer that is being monitored is secure? The
> log file could contain very sensitive data that would have been housed on a
> server that you watch closely, but if left on the desktop it could be very
> vulnerable.
> In addition you may not want to collect data at that level. A lot of
> companies have been embarrassed by ICQ logs or secret memos that were never
> meant to see the light of day. If you record it, it can be collected by
> third parties, i.e. courts and reporters.
> If you feel the need to install it on an employee's computer send out a
> memo to everyone saying that it can be done, this might tip off the employee
> but it will also make people watch what they do. It's sort of like leaving a
> kid at home, if you tell them that they are being watched by the old lady
> across the street they might just behave on their own.
>
> Mike Brown

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 15:56:04 PDT