legality/ethics of desktop viewing software 8

[jspartan]

hello

i'm looking at implementing remote desktop viewing software on our user PCs, mainly to troubleshoot remote user problems over a VPN

using software like RealVNC, i can connect to the users desktop, and view or take control of their PC etc

i'm curious as to the best practice here? presumably this should be included in the IT policy that each user has to sign, so the user is aware that their PC can effectively be 'spied' upon? do they have any legal grounds to object to this, or any grounds to complain if they claim they were not aware of this policy?

any thoughts would be greatly appreciated

many thanks

AB

 

[fredericofonseca]

You should give them notice yes.

But you should also set the software in away that

1- Normal users are able to connect remotelly but the remote user needs to give permission.

2- Admin users do not require permission.



And then make sure that your network guys DO NOT use the admin user unless absolutelly required.

Note that your software may not permit the above.

Regards

Frederico Fonseca
SysSoft Integrated Ltd

http://www.syssoft-int.com

 

[Thadeus]

The way a previous company handled this was to pop a window as part of the log-in script, that alerted the user that "this PC may be monitored at any time." Something additionally about clicking on the OK button amounting to consent... Clicking on Cancel dropped one back out to the sign in screen.

It was annoying to have to click the button, but effective in communicating and keeping the user aware of possible monitoring activity.

~Thadeus

 

[eyec]

be careful to look @ State Laws. some States have laws that even an employer cannot "spy" on company owned assetts without the employee's permission.

Florida & Maryland are 2 such States.

 

[MasterRacker]

A company has every right to use RC software as part of it's support - all the pc's are company property. User's should be made aware of the use of RC as well as any other monitoring as part of a standard usage agreement signed at hiring.

Only authorised IT staff should actually be able to remotely connect to a machine. Even administrators should never connect to a machine without calling the user first :

A) Nothing is going to spook a user more than their keyboard locking and mouse moving on it's own. Call them and let them know you're taking over to help them with their problem.

B) If a user has a document containing sensitive information open, they should have the opportunity to close it before the IT staff can see their desktop. Your finincial, HR, manangement, etc. will especially appreciate the opportunity to protect their info from casual viewing

C) You have the right to do what you need to to support your systems, however your users will generally be much happier and more comfortable with you if they are involved and informed.

[sub]Jeff
[purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day

"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/sub]

 

[svanels]

MasterRacker you stated it very well, and I liked point C.
If the user knows that the software is there for his own pc's health he will appreciate that. The one who is complaining about "big brother" practices in 90% of the cases has something to hide.

some States have laws that even an employer cannot "spy" on company owned assetts without the employee's permission.

If this particular "employee" is the President of the company, you would be in big trouble without any "state law", you don't need a degree in Rocket Science to come to that important statement. As long as Mr. Big supports and enforces it, your @ss is covered.

Steven

 

[dgillz]

I don't know anything about RealVNC, but all the desktop remote access softare have usedis web based and requires the user to give you access to the desktop. If you do this, there are no legal/ethical issues, and you cannot be "spied" upon.

The software I use by the way is

http://www.gotomeeting.com

Software Sales, Training, Implementation and Support for Macola, eSynergy, and Crystal Reports

http://www.gainfocus.biz

 

[RCorrigan]

dgillz There is a mountain of RC s/w out there that can ---- I wil stress CAN --- be configured to allow non-noticeable access to PC's upon which the client is installed and to which you have admin access to the master ..... REALVNC & PROXY are just 2 examples.

While it is "FUN" to take control of a PC while phoning the user and listening to the comments -- it is WRONG.

As per SOX there should be an audit trail anyway, but even leaving that aside, it is common courtesy & good Helpdesk Management to confer with and inform users of any (even) attempt at RC.

A helpdesk service is a "CUSTOMER" service ...... they come first & your @ss is just a fraction away.

<Do I need A Signature or will an X do?>

 

[jspartan]

thanks all for your messages. very interesting stuff

AB

 

[grande]

If I call help desk, and they want to take over my computer, I get a dialog box that says "Someone's trying to take over your computer. Let them?"

You should look into something like that.

-------------------------
Just call me Captain Awesome.

 

[fredericofonseca]

After all these answers I wanted to add a bit more just to clarify my original post.

As you have noted I did distinguish clearly between normal users and Admin users.

Reasoning behind this is that there are situations where the IT personnel NEEDS access to a remote computer, and a user may not be available to authorize such operation.

As such it is necessary for a special user (admin) to be able to connect regardless.

Pretty much the same way that a computer (XP/2000/2003) can be unlocked by the user currently logged or by an Administrator (or member of the administrator group).

So whoever is looking for a remote access software should, in my opinion, look for this aspect.


Regards

Frederico Fonseca
SysSoft Integrated Ltd

http://www.syssoft-int.com

 

[zentastic]

We use Real VNC all the time at my company. I have a renegade IT person who EXPECTS everyone to accept his authorization to his PC. As the IT Manager, I have had a difficult time relaying to this "Young" kid that there are certain state and federal laws that may be in effect. I am having a long talk with him soon!!

 

[dgillz]

RCorrigan,

I agree it is wrong to be able to access any machine without consent of the user. The software I described requires the consent of the user, AND a physical presence, to take remote control of the machine in question.

There is NOTHING wrong with this, and in fact it saves many hundreds if not thousands of $$$ annually on tech support calls.

If you are talking about some other type of software, please explain what it is.



Software Sales, Training, Implementation and Support for Macola, eSynergy, and Crystal Reports

http://www.gainfocus.biz