Ethical & Legal Stance

Status
Not open for further replies.

SGTRawlins

IS-IT--Management
Apr 6, 2004
182
US
I have recently held a conversation with a fellow IT Professional.

We were discussing the Ethical & Legal implications of 'Monitoring' (Spying) on network users to protect the security of the infrastructure and the reputation of the company. I am aware that there are several pieces of 3rd party software that allow system administrators to view a real-time stream of the client desktops without the users' consent.

What is the Ethical & Legal stance on this subject? Is it an invasion of privacy?

Would you consider, or do you already have, a system such as this running on your networks? This BIG BROTHER tactic isn't really my style; however, I am interested in the opinions of the industry on this one.

Give me your thoughts, Ladies and Gentlemen. Let the debate begin.
 
Before we allow a new user account, they must sign one of our policies that explains that all actions may be monitored at any time.



[Blue]Blue[/Blue] [Dragon]

If I wasn't Blue, I would just be a Dragon...
 
The legal stance will depend on your geographical location as the rules differ from country to country.

John
 
Ethically, it's company networks on company time. Why shouldn't the company see what you're up to?
Also, how are you going to have a secure network and ensure that your IT policies are enforced when you can't look at what people are doing?!

As well as the standard auditing logs, web logs and email logging, I also use TightVNC to have a quick peek to see what 'suspicious' users are up to.

According to EU law (or maybe it's just UK), you are entitled to ensure your networks are secure and meeting internal policies by intercepting communications.

It's actually a huge mess in the UK, as the EU/UK law is contradicting. E.g. the law I mentioned above vs. Human Rights (privacy at work etc.).

Legal minefield.
 
Ethically, as Stevehewitt has said, in the U.S. it's the company's network, so the company has the right to see what's going on on it.

Legally, you may be limited to what you can do about violations. If you have a written policy that every employee must sign, and if that policy specifically lists the possible repercussions of violations of that policy, then the company can take the actions specified. If the company does not have a policy or if the policy does not specify the actions the company might take, then the company must be circumspect in the actions it takes against an employee. For example, if there is no written policy and the company terminates an employee, the company is probably wide open to legal action.

Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Stevehewitt
In the UK, with regards to the Human Rights legislation, it's thrown everything into disarray. There's no case law as yet, so no real guidelines.

It all depends on how the right to privacy and personal communication (can't remember the exact phraseology) is interpreted. There is no authoritative information that I can find. (And I've looked.)

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)
 
I know, it really is a mess. I stand by the ethical view, but I do allow users to have 'private' access to emails and stuff via hotmail - although downloads are blocked.

As Sleipnir214 stated, everyone needs a signed policy. This way people know, they have the opportunity to have private comms, but I keep a close eye on my network.

Like Rosie said, it's such a grey area - almost anything you do can't be clarified. The URL for the law that I think gives network admins the power to monitor stuff is:
But again, like Rosie said, the EU Human Rights Act comes in. Where do we stand?

Steve.

(God my spelling is awful!)
 
It's up to the company as to monitoring, how much, and who is responsible. Beyond that, I believe that the company should clearly inform all workers that there is no expectation of privacy within the company, that all telephone conversations are recorded and monitored, all activity on the PC recorded, that the employee's desk will be searched without the employee's knowledge or consent, and that email isn't private. Reiterate this several times to the employee, hand them a written copy which they must read in your presence and sign, and I believe you and the company are now on safe moral and legal ground.

This is only what I believe to be morally correct. The reality is that all these things happen anyway, with or without anything in writing.
 
Stevehewitt
I suspect that's out of date now. I've seen a legal opinion which suggests, they never say outright, that the HRA could imply that personal emails from work are a right and that their privacy should be guaranteed. Where that puts inappropriate content/excessive time spent etc. is an "interesting" question.

We're still going with the "this is the policy...." line but I'm waiting for a challenge.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)
 
Honestly I think the UK goes a bit far about personal privacy in the workplace.

If you have properly documented policy then I don't see the issue.

Employees are notified, hopefully a policy they've read and signed that says that any use of any communication device owned by the company may be monitored and should not be used for personal use if you want the communication to remain private.

I don't get where it is a right for you to do personal/private business on company time and equipment.

If I don't want someone to hear my telephone conversation I take my mobile and go to somewhere private.

A company network should not, IMHO, be considered private. Why? Because even if your company isn't monitoring it, what if someone else was? If it is expected to be "Private", does that mean the company has to ensure that privacy and that if it is compromised you can sue the company for a 3rd party hacking in? It would be like suing your company because someone went crazy and shot everyone in the lobby and then suing the company because they own the building.

I wouldn't be surprised if this has happened and the suer won. But unless they are negligent, hiring known mass murderers etc., then these types of situations are really stupid IMHO.

my 2 cents

Hope I've been helpful,
Wayne Francis

If you want to get the best response to a question, please check out FAQ222-2244 first
 
Ohio Bill said:
that all telephone conversations are recorded and monitored

In the UK, employers are obliged to provide a telephone that will provide both incoming and outgoing calls that are unrecorded and unmonitored. Interestingly, there is no requirement for the calls to be made at the employer's expense. Thus some UK call centers have ranks of payphones in the corridor!

Maybe it is worth considering whether an employer could extend this to internet email etc on the cyber cafe model...

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
The employer may not have to pay for the phone call, but they will for the phones and line rental.

I believe people should have an opportunity to speak freely and privately during work times, but on their own equipment. Why should the employer have to pay for a personal phone when the employee probably has a mobile anyway!

Barmy!

And the real argument is that if there is nobody monitoring the company network to ensure security, then how do you know who else may be monitoring the network without authorisation?


Steve.
 