Re: Keyboard Entry Capture Programs

From: JohnNicholsonat_private
Date: Thu Jul 12 2001 - 21:07:13 PDT


    Mike's answer is basically correct, both with regard to the legality of 
    monitoring and the practical consideration that if you monitor and record 
    something, someone else may be able to use it against you.  Your Monitoring 
    Policy should be developed in cooperation with your HR dept. and your 
    company's legal dept.  Don't just go slapping keyboard monitors (or other 
    forms of monitoring) on your employees without coordinating with those other 
    depts.
    
    Sections 2511 and 2520 of Title 18 of the U.S. Code create criminal and civil 
    liability for improper interception of wire, oral and electronic 
    communications.  Although there are exceptions under both the U.S. Code and 
    under state laws for system providers, relying on these exceptions is 
    unnecessary if your company puts in place an appropriate Monitoring Policy.  
    By explicitly requiring user consent to monitoring, your company can make 
    access to your network and systems conditional on users accepting such 
    monitoring.  All users of your network and systems (whether employees, third 
    party contractors or customers) should be required to consent to monitoring.  
    
    Your Monitoring Policy should specify that your company has the right to 
    monitor all network traffic and all data stored on equipment used for company 
    purposes that is provided to an employee or contractor by the company or by 
    any third party contractor.  Both your authorized use policy ("AUP") (for 
    internal users) and your TOS (for any external users) should reference this 
    policy and explain it.  In addition to informing users via the AUP and the 
    TOS, logon banners should reference the Monitoring Policy and state that 
    access to the network or system is subject to monitoring at any time and for 
    any reason, and that by accessing and using the network or system, the user 
    is explicitly agreeing to such monitoring.
    
    Monitoring traffic and behavior on your systems can allow you to detect 
    misconduct in real time, and can create logs that will be useful in an 
    investigation and/or prosecution.  Monitoring can also decrease behavior such 
    as employee web surfing or other violations of your company's authorized use 
    policy.  However, you must remember that anything you record can potentially 
    be used against you, too.  Records of explicit or otherwise discriminatory 
    chats or emails could be used as evidence of a hostile workplace in a lawsuit 
    against the company.  How much easier would the tobacco litigation have been 
    with email and IM records?  This is why your HR and legal departments need to 
    be involved.
    
    In the future, the increased use of personal technology (e.g., cell phones, 
    PDAs, etc.) to access corporate systems will require increased and more 
    specific consents.  If, for example, you open up your document management 
    system so that it is web accessible, an employee with a PDA and a wireless 
    modem can download confidential information.  Access to that system could 
    require explicit consent from the user to monitoring of the activity and an 
    agreement to provide access to the PDA on demand.  (Note, such access will be 
    easier if your company owns the PDA and provides it to the employee.)
    
    I wrote an article on employee monitoring for USENIX; login: about a year 
    ago.  Rather than waste the bandwidth sending that to everyone, if you're 
    interested in receiving it, please drop me a separate note.
     
    John
    
    In a message dated 7/12/2001 8:53:36 PM Eastern Daylight Time, 
    mikebrownat_private writes:
    
    > > My question is twofold:
    >  >
    >  > 1.)  What are the legal ramifications (real or potential) of a keyboard
    >  > entry capture program installation on corporate desktops?  Do civil
    >  > issues exist?  Must one have clear evidence of wrong-doing before silent
    >  > installation?  Precedence?  How well does this type of 'evidence'
    >  > present itself in the courts?  How to 'prepare' outcome for Chain of
    >  > Evidence compliance?
    >  >
    >  
    >  IANAL but courts have ruled that company owned computers can be searched
    >  and monitored. Even if you look at the larger picture it is my understanding
    >  that company phones are open to wiretapping and the like. It only makes
    >  sense to assume that the same would extend to the computer.
    >      From a practical standpoint I wouldn't just start installing keyloggers
    >  everywhere. Not only do you have privacy issues but security issues as well.
    >  Are you confident that the computer that is being monitored is secure? The
    >  log file could contain very sensitive data that would have been housed on a
    >  server that you watch closely, but if left on the desktop it could be very
    >  vulnerable.
    >      In addition you may not want to collect data at that level. A lot of
    >  companies have been embarrassed by ICQ logs or secret memos that were never
    >  meant to see the light of day. If you record it, it can be collected by
    >  third parties, i.e. courts and reporters.
    >      If you feel the need to install it on an employee's computer send out a
    >  memo to everyone saying that it can be done, this might tip off the employee
    >  but it will also make people watch what they do. It's sort of like leaving a
    >  kid at home, if you tell them that they are being watched by the old lady
    >  across the street they might just behave on their own.
    >  
    >  Mike Brown
    
    -----------------------------------------------------------------
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 15:56:04 PDT