Solved

Computer Privacy at work

Posted on 2002-04-10
32
886 Views
Last Modified: 2010-04-11
I was wondering if somebody could help me on this...
I am the IT Manager for a small company and I am having problems with an employee and privacy on his computer.  I don't read his emails or monitor his work and the company is pretty lax about emails and the internet.  Now this employee claims that any intrusion onto his computer is an invasion of privacy and against the law.  He has taken some labour law/employee rights courses through the company, and I would like to know if he is correct.

I did some searching and came up with this excerpt from http://www.privacyrights.org/fs/fs7-work.htm

Computer Monitoring

If you have a computer terminal at your job, it may be your employer's window into your workspace. There are several types of computer monitoring.

Employers can use computer software that enables them to see what is on the screen or stored in the employees' computer terminals and hard disks. Employers can monitor Internet usage such as web-surfing and electronic mail.


People involved in intensive word-processing and data entry jobs may be subject to keystroke monitoring. Such systems tells the manager how many keystrokes per hour each employee is performing. It also may inform employees if they are above or below the standard number of keystrokes expected. Keystroke monitoring has been linked with health problems including stress disabilities and physical problems like carpal tunnel syndrome.


Another computer monitoring technique allows employers to keep track of the amount of time an employee spends away from the computer or idle time at the terminal.
Is my employer allowed to see what is on my terminal while I am working?

Generally, yes. Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees.

 
This article is written for the US, I am in Canada and am calling on the experts to help me clear up this issue.

Thanks
0
Comment
Question by:mowse
  • 9
  • 7
  • 4
  • +5
32 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 200 total points
ID: 6931073
I don't know the Canadian laws, but under the US Wiretapping Act it is illegal to monitor computer communications unless you can meet one of the following requirements:
1.  You have a court order
2.  You are the network provider and are collecting data to protect your network from attack, monitor performance, etc.
3.  You are the network provider and you have informed network users that you monitor and that they have no expectation of privacy.

It's obviously the third one that would apply here - i.e., you'd inform the employee that you monitor before you start monitoring.

I'm guessing Canadian law is similar, but I'm not certain.  You mihght want to ask the RCMP or whatever the Canadian equivelant of the US Attorney's office
0
 
LVL 28

Expert Comment

by:vinnyd79
ID: 6932675
You should have a security policy that informs users that all computer activity as well as e-mail and internet usage will be monitored.

Look at the audit policy example in this link:

http://www.sans.org/newlook/resources/policies/policies.htm
0
 
LVL 1

Expert Comment

by:tonimargiotta
ID: 6933331
I think that the comment from Chris is probably correct - the law as currently tested is pretty much the same in the UK and the US.  One minor glitch in the UK is that the recommendations that go with the data protection act say that if you allow employees private use of the equipment you should not monitor it unless it is for the protection of you business.  

What you really need here is an Acceptable Usage Policy.  This should state quite firmly that your equipment is provided for the benefit of the company and the expectations that you have of employee conduct when using it.  State that you reserve the right to monitor employee usage - the company is most likeley responsible for their actions in issues such as software copyright, data confidentiality statutes, harrassment, the way that the use the equipment to represent the company.

Get your employees and contractors to sign a copy - we do.  Also put a logon banner on your systems stating that use of the system means confirms that they will adhere to the policy.

0
 
LVL 3

Expert Comment

by:DVB
ID: 6938586
I dunno, but I sure would talk to a lawyer about this. Talk to your local lawyer/law department regarding this, and draw up a policy regarding what is and is not acceptable.
What will be said here will have no relevance to your particular case.
Just like the Ask Slashdot rules.....
IANAL.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6939286
Chris is completely wrong, but it is a very common error made by less-than-clueful privacy advocates, so please pay attention to this next line:

  In the US, wiretapping does not apply when you own all the equipment and are the sole user.

("You" in the above sentence would refer to your company)


Or do you seriously think they are going to arrest you for wiretapping yourself?  Every case of some dumbass employee claiming some sort of privacy with regard to the use of corporate equipment has been summarily dismissed.  Do you think it would be illegal for a company to install GPS in their corporate fleet to make sure employees were not abusing the company cars?  Of course not - only if the company wanted to rent it's fleet to others might this be a problem.

I am completely mystified as to how Chris managed to be so confused when you posted a direct confirmation to what I just reiterated in your initial question.  The mind boggles...

In the end, of course, lawmakers everwhere love to create laws that leave you wondering just exactly what they were smoking, so I don't know if Canadian law is similar or not.  

In any case, as long as you don't allow professor bonehead to bring in his own machine and connect it to the network (which you should be able to avoid under the guise of your security policy), then I think this guy is smoking even more crack than most lawmakers, and has even less of a grasp of law that most.  Feel free to ignore him, and implement your IT policies as planned.

-Jon

BTW, how is the manager of IT not able to install monitoring software that is undetectable by the user?  Sorry, cheap shot, but I have to wonder...



0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6942228
LET ME REPEAT MYSELF.  THIS OPINION CAME FROM AN ASSISTANT US ATTORNEY!

In case you don't know, these are the guys who would actually prosecute a case like this, so obviously, yes, you could actually get arrested for this.

Sure, the case law in this area is weak.  But that's exactly why you have to be careful - you never know exactly where the courts will come down on this stuff.

Technically you could go to jail for a very long time if you monitor your network and can't show you were doing it to protect your network and you didn't have any written policies or banners explaining that you do the monitoring.

Next time pay some attention to what people have actually said before you make an ass of yourself.
0
 
LVL 1

Expert Comment

by:tonimargiotta
ID: 6942411
This may be a useful cross check on canadian law:

http://www.privcom.gc.ca/legislation/index_e.asp

Advice above seems to hold - monitoring is OK especially if you tell them.

PS.  One interesting clarification, one employee's case was thrown out of court because e-mail is not covered by US Wiretapping Law.  
0
 
LVL 1

Author Comment

by:mowse
ID: 6942482
The link above seems to just document about collection and use of personal electronic information by the government.  I don't know if this applies here.

I don't want to start fights here but Chris seems to know what he is saying but I don't know if you understand the question.

Yes, I am a network provider as in I provide all the computers, all the software, all the cabling, all the connections, I also pay for the internet connection.

With the above statement, what rights does a user have?  Even if there is no Acceptable Use Policy?
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6942610
My background is very pro on privacy rights. That said, I primarily agree with most of the above, but one has to keep perspective in mind, or this can become apples/oranges discussion. For what I see as primary issue:

> "Now this employee claims that any intrusion onto his computer is an invasion of privacy and against the law"

The employee is incorrect, likely for any country. The basic legal premise is that the company owns the computers, the networking, pays for the phones, phone-mail, eMail, etc., so the company itself has basic right to do as it sees fit with all of the bits and pieces. Employees cannot hide behind privacy law or any other to conduct personal business or illegal activity, for example.

So it should be obvious that employees just cannot do as they will.

How any company chooses to exercise its rights, and how much employees themselves diverge from a policy of "for business use only" is where some problems arise.

For real court cases testing such laws, the general rule was that companies would always win battles over who has the rights, and what ramifications there can be. It is down to maybe 90% IMO, with a novel distinguishing factor, employee rights to organize (so this may be country dependent).

While a company like Symantec got away with simply browsing eMail to dump themselves of disagreeable employees, some others ran into difficulty.

One I recollect was over air conditioning, where boss kept saying everything OK, or good enough, get back to work. Employees eMailing each other disagreed, to each other. Boss chose to dump employees. The ruling judge said something like: reading the strong language (apparently severe flaming) made decision difficult, turned stomach, unprofessional, that this did not supercede employee rights to talk to each other about work conditions, safety, etc. Since the boss dumped them due to the topic involved, disagreeing with him and his dictates, (and not 'professionalism in performing duties'), the company lost the case.

While there are other laws that can protect some classes of people from corporate intrusions, such as for discrimination and harassment, these are areas more involved in data handling, not data ownership.

So while company may have right to get to review some data items, such as eMail, this does not give company the right to abuse employee, for example, by feeding grapevine or broadcasting what was learned, perhaps about possible employee medical condition. While employer may have right to data, employer may have hands tied concerning what to do with the data accumulated.

As far as clarifying policy to employees, I don't see any legal need, although it is encouraged nearly anywhere you look. If there was one thing I'd recommend for policy, it would be the emphasis on employees NOT bringing personal goods to work, whether it is a laptop they like or a diskette to copy their favorite freewares. Both are possible contagions that companies have right to review, if for no other reason. But given economy that vastly increased personal holdings and capabilities, one might want to clarify that in policy statements, so that no one in company is confused by a grapevine dominated by your privacy advocate(s).

Please note as well, that I am not suggesting that you, or any individual within the company has the right to review any data. I am saying that it is the company that has the inherent right. Such rights that are transferred to you, as IT manager, to exercise in the performance of your duties falls under the purview of the company. There are, you should understand, reasons why a company may not want to have all the 'keys' in a single basket, perhaps to divvy responsibility for auditing, from that of personnel records, from that of system administration, PR, and finance.

As far as Canada itself goes, I think one test of law in the last year had to do with employee medical records. ai believe that the courts upheld my premise of company right to review anything on its computers. What I don't recollect was result. Like maybe it was left vague as to 'who' learned of medical condition, of 'how' learned, and of then who it was that abused employee privacy rights. But I consider this a different question(s) than that posed here.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6942648
> I don't read his emails or monitor his work and the company is pretty lax about emails and the internet.

Very Good! Some eMail admins just drool at opportunity to snoop, whether on the boss to get in on corporate secrets, or on employees to get the dirt.

To do a good job there really is not the time to monitor memos etc. But sometimes you just have to. When one lady sits on a copy machine, to produce something to pass around, or some of "the_boys" just have to keep teasing "the_girls" by certain pictures downloaded from the web to pass around in eMail, or whatever (change their windoze background?), and then employees start complaining and complaining, most companies try to step in before it hits the courts.

One major one I think was Dow, who ended up dumping 40-50 in an office at a time, one fell swoop.  What they said was that they were reluctant, took there time to ensure it was serious, repetetive abuse, and not trivial or simply casual misusage of the employees getting the pink slip.

This is more palatable, preferable to discussing or acting on a single memo or single URL hit.

Keyword I think is, abuse, either by employee or employer. Neither should be abusive. But employer gets the basic rights, for it is all bought paid for by company, whose success depends on proper, expected use of equipment; and, for if employee disagrees, employee can choose to work elsewhere.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6942664
<heh>
Carly Fiorina, of HP, for example, may not want just anybody in the company to have access to electronically stored phone-mail. Such as Hewlett.             ;o)

Likely, she would like to have someone with sufficient authority to access all systems to ensure that they work well. But such persons should be trustable, and not given to spreading news of anything accidentally learned during the course of their normal duties.
0
 
LVL 1

Author Comment

by:mowse
ID: 6942750
The link above seems to just document about collection and use of personal electronic information by the government.  I don't know if this applies here.

I don't want to start fights here but Chris seems to know what he is saying but I don't know if you understand the question.

Yes, I am a network provider as in I provide all the computers, all the software, all the cabling, all the connections, I also pay for the internet connection.

With the above statement, what rights does a user have?  Even if there is no Acceptable Use Policy?
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6942914
To answer mowse's last question, I think the answer is "we don't really now what rights the user has without an Acceptable Use Policy" because there isn't enough case law.

Also, to address SunBow's comments, "The Company" implies Officers/Owners of the company, so whether random email admins can legally monitor email depends on whether they've been told they can monitor email by the higher ups (though possibly it's implied by their positions, especially if they've been doing it and nobody's complained).

But generally my point wasn't that "this is illegal" but rather "nobody is 100% sure so CYA"
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6943023
again, half in agreement, but wary of apples/oranges.

I claim sufficient case law to oppose the employee claim to complete privacy, indeed claiming that 'company' has all the rights when it comes to any content on its computers, any use of its equipment. Courts won't distinguish one employee (monitor) over another (monitored). The employer remains liable for misuse, or abuse. What has the makings for a 'good policy' is a completely different issue, and quite complex. A company doesn't really want to dump employees for ambiguities of what may or may not be termed acceptable use.

But no employee can hide illegal activity behind any so-called privacy claim. That makes it simple enough.

A company may have need for checking computer to make sure the NIC and network protocols are set up. It may need to check PCs for appropriate upgrades, to run A/V checks, and to ensure that 'the pretties' available through eMail attachments, internet, and diskette, do not conflict with the established corporate platform. The desk top flags program a recent example.

In many cases, the company needs to track all eMail. This can be due to legal requirements, or simply to validate (or invalidate) some prior acts, or even to validate professionalism (similar to phone monitoring) and proper representation of the company. The eMail traced to a company, could be inflammatory to recipient, could be an inappropriate financial committment, or policy statement. Thus the case law supports the company right concerning its systems over any employee claim to privacy. A company has right to protect itself, and to know what it is that is happening with its equipment.

Once information is obtained, in comes the additional potential for ambiguities and misunderstandings.

While for medical information, one may discuss the popular AIDS topic. But I recall another, where a woman, I think nurse, was found to have text that led to conclusion she needed to have further tests, and therapies for cancer treatment. She was fired. Termed, someone the company could not rely upon for long term, full time employment. Her response of having had it before, and that the treaments taken then had worked, 10-20 years ago, met on deaf ears of company. Expectations were that she'd remain able to get through it again this time, with no loss, overall, in workdays to the hospital/employer.  Court still would not uphold her right to privacy concerning the company viewing the informational content.  What company does with the information obtained, is another matter. I think she is still out of work, suing the company under alternative statutes. Again, sticking to employee claim:

> "employee claims that any intrusion onto his computer is an invasion of privacy and against the law"

This is completely incorrect. For "against the law" There is no law stating that employee may keep personal information on a corporate system that is to ever remain free from any intrusion of anyone. Simply not so and in fact it is the exact opposite.

All acts by a company to intrude onto their computers are defined as legitimate.

But as a policy, since companies can be held liable for release of certain employee information, they generally choose to, for example, only let personnel staff have access to official personnel records. Employees may object to getting on mailing lists, for example, as much as they would for releasing of personal medical information, even if someone in company would have thought it in their best interests.

Companies themselves would prefer that certain financial information, be held tightly.

That's where passwords, groups, and authentication, even encryption can have value
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6943103
Chris confusedly states:
> Next time pay some attention to what people have actually said before you make an ass of yourself.

Rubbish - you are clearly the one not paying attention.  To me, you are very obviously confused about the difference between you *paying* someone to use your computers (in which case you can wiretap all you want), and you *selling* someone access to your computers (in which case wiretapping is clearly illegal).

Pls put your money where your mouth is, and give me just one actual case reference where someone actually went to trial for this (and if you come back with some lame case about an ISP getting sued, I'm gonna refer you to what I just said about selling access).

If you can't find one, I'll help you create one - I [my business] will pay you $1 to come over to my house and start up microsoft word for me.  I will wiretap the entire computer, and the network to which is it attached (all if which I own).  Then you can try and sue me, if I haven't already died from laughing.

Chris says no one is 100% sure - I sure as hell am (if you couldn't already tell), and it sounds like SunBow is as well.  This is not a new issue - IMO, the fact that Chris thinks it is still a gray area shows his misunderstanding of the entire situation.  To argue rogue (unauthorized) employes within a company is attempting to mold this argument into something it is not, which is usually the tactic of the logically outgunned.  A rougue employee can voilate a fellow employees rights in thousands of other ways, let alone privacy - I don't think this was in any way a part of the original question.  Other arguents about employee personal information is also moot - how did your employer get that information in the first place?  In the case of SunBow's canadian medical records, the emplopyee should have been asking how the company managed to obtain the info in the first place, not that they were reviewing it on a whim.

Cheers,
-Jon
0
 
LVL 1

Expert Comment

by:tonimargiotta
ID: 6943160
Hi mowse

The interesting thing about that link is that that is all that is out there - officially.  The canadian privacy statutes and the ontario recommendations.

I think that chris really covered the ground on his first post.

Case law so far in this area has generally come down on the side of the employers, but the statutes aren't there to back this up and the privacy lobby is still working hard to establish some rights for employees.  The general view that employees do have some rights in this area is backed up by items in the recommendations for interpretation that go with the UK Data Protection Act.

For the moment if you have an AUP and monitor only for business purposes you are as safe as anyone can be given the fickle nature of the legal system.  I would certainly consider it a risk not to be able to monitor employees given the responsiblity that an employer has for their actions.  

0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6943176
All I can say is to see the following URL's....

http://www.jacksonlewis.com/publications/articles/20010923/default.cfm
http://www.gahtan.com/alan/articles/monitor.htm
http://businessweek.findlaw.com/employmentbook/HFCHP5_h.html
http://www.virginialaborlaw.com/library/e-law/outline-wiretapandecpa2001-01-24.pdf
http://pittsburgh.bizjournals.com/pittsburgh/stories/2000/05/22/focus6.html
http://www.clm.com/pubs/pub-914447_1.html
http://www.mycounsel.com/content/smbusiness/employmentlaw/policies/searches.html


All support the view that indescriminate monitoring of employees is clearly against the law in the US under he Electronic Communications Privacy Act of 1986.  Some also mention similar Canadian statues.

They also all point out that what constitutes employee consent to monitoring is a very fuzzy area.  In particular, the clm.com article addresses the issue of whether employers are covered automatically under the "system provider exemption", but concludes that the case law is unclear.

So, this goes back to my previous statement: CYA.
To do otherwise is to invite trouble.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6943279
So, once again, do you have a *single* example where someone who was told of corporate network policy with regard to monitoring when they took the job actually won a case?  

I guess chris's point is that if you don't tell people about your network policy (dumb idea to withhold it - I guess I made a rash assumption that this is usually published info) when they take the job, or worse, lie to them about what privacy they can expect, then the employee may have a case.  In any case, if your employee contract says they will keep current with and adhere to corporate policies as stated in the employee manual (what company doesn't?), then just add it [your monitoring policies] to the employee manual and your ass is covered.

BTW, don't think for a second I am anti-privacy.  I hate most corporations on general principle (sp?).  I just think that the workers of the world need to wake up and notice how draconian corporate working environments can be (where are all the technical unions?).  A person can't expect to just shout "That's not fair", when the law is not behind him/her - I am amazed that people accept a corporate employment contract that steals all of their rights, and then think that someone will listen when they want to complain, when it's their fault for not reading the fine print.

-Jon

0
 
LVL 24

Expert Comment

by:SunBow
ID: 6943573
Without reviewing all links, a quick shot through

> "In particular, the clm.com article"

yields:

"three types of behavior -- (1) the interception of wire, oral and electronic communications, (2) the accession of stored wire, oral and electronic communications, and (3) the disclosure of information contained in stored communications."

My focus above being on #3. That is where one may or may not get into trouble, for disclosing of what has been learned.

The--Captain> how did your employer get that information in the first place?  In the case of SunBow's canadian medical records, the emplopyee should have been asking how the company managed to obtain the info in the first place, not that they were reviewing it on a whim.

Most such cases appear to be just that. One), employee going a little beyond what was authorized by company, re: personal use of equipment and privacy, but yet two) it being another employee knowing of it and doing the tattle. More often neither initially behaving in the normal course of business or permissable activity. Maybe one employee sneaks a peak at another's screen. Maybe one is helping another with a hard drive or configuration issue, but while doing so clicks the mouse on a Word document of the other employee. So inititially there can be much greyness over how info was obtained. Supplemented later, by, once info obtained, what does company do? Continue the 'tattle'? Fire who? Why?

> "These statutory exceptions are (1) the "consent of a party to the communication" exception; (2) the "ordinary course of business" exception; and (3) the "system provider" exception"

Key here is #2. For this problem. Company owns equipment to be used for company business only. Employees have no basic rights to assume that they have any protections from eyes of employers.

But reason must also prevail.

chris_calabrese> All support the view that indescriminate monitoring of employees is clearly against the law

If you mean in general, without cause, I side with you a little.  I tend to prefer viewing it as opposite, that the targetting of employees for reasons based on no more than discrimination is clearly against the law. Targetting is personal, and not business-relevant, without cause.  Give proper cause, and you can run, but you cannot hide.

But I revert to the original piece here. The owner of the equipment, the business, has complete right to review all that it owns in its entirety. In many cases this is required by law. Just think of all those US cases where eMails are required to be produced to Congress or Judge, going back in time for years, or companies can be held in contempt or worse. Company has to be able to get at the data to do what it needs to.

If, in course of business, one runs across memos of flying planes into buildings, or memos of hating to take drugs as treatment to fight cancer, then one is perhaps entering the grayer area of #3, the disclosure piece. Whether to disclose or not to whom, then what may be done from there.

Trust me. If you are a guy collecting porn on your PC, and you insult a girl who tattles, you have no defense, privacy or otherwise, against company taking a review and, finding disk drive >1/2 full of Porn; eMails >1/2 with attachments of same, etc., any more than if they found it full of orders for trafficking in illegal drugs.

As I think a judge said in the reference above - it isn't that the company listened in on the phone call, or that they over-heard a phone conversation that was personal. It was that once it was learned that content was personal, there was no need to continue to listen in on it.

And.. doesn't it make some sense, that someone listening in on another's personal call, time and again, is like, more perverted, more abusive, than investing time in proper business activities? (<sigh>, wish management were really up to acknowledging that)
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6943650
I had thought this thread long enough, but had to respond at least a little, to Chris' post, please pardon overlooking any other content in other links provided there. I could have interest as well, but suspect we'd be better off with that in a different thread. But I had another diversion here, re:eMail.

While it has been addressed in other threads, to be sure we don't ignore it, there has also been much ado about what a company should include in eMail, as disclaimer, and whether or not it should even be at beginning or end of EM. I'm certain you've seen some - where "This may not reflect either opinion or policy of company itself" etc.

Some go on for three or more elongated paragraphs full of legalese. One person remarks that on receiving one, maybe a prospective 'date' is trying to tell something,, about prospects...

But business providing such disclaimers is 1) acknowledging that it has right to review, while 2) it doesn't want to have to take the time to review and 3) doesn't want to be held liable for not reviewing content.

IMO, unless a rather successful monopoly, a business, in order to compete, simply cannot devote the time to be as intrusive as we would fear.

IMO, the disclosures being made are more often due to what was learned outside the scope of normal business, whether by disgruntled employee, a hall-monitor type who won't take time to perform normal job, or, even a love-lorn feeling dejected. None of which should be permitted to escalate into action items of a well run business, but all too often does get 'adopted' by a business, where some mgr wants to look to be 'assertive', needlessly.

IMO, we have quite recent documentation, well-known from US in case of MS vs. anybody/everybody. Nearly all 'common knowledge'. Fluent notes, eMails, over years af tracking, as admitted courtroom documents, attesting to legality of collecting them. This includes some that go: " Lunch activity: Hi. I stopped at ___ to eat and saw so-and-so from other company. We gossipped and had chit chat. In course of gossip i asked about their plans for product X, and told them things about our product Y. Here's what we said. Now here is what I think it meant, concerning the directions our company should pursue"

Now if you want to talk "illegal" concerning privacy of any information, there ya go -- it is definitely legal. They could have at least redacted the personal stuff of what was ordered for lunch, but no. All admissable stuff, part of required courtroom documentation, the data from the companies' computers. Not all that long ago, huh?

For your consideration... there are a number of companies that are currently marketing eMail monitoring tools, including a recent one for so-called 'non-intrusive'. I suggest that some of them may also have the legalese behind the need for companies to utilize their products, should anyone care to pursue the broader topics involved with the comparisons, the contrasts that are available.
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6946332
> "Employers can use computer software that enables them to see what is on the screen or stored in the
employees' computer terminals and hard disks. Employers can monitor Internet usage such as web-surfing
and electronic mail."

Big Brother - carries Big Stick
try to not argue that, until your home is paid for

> "problems with an employee ... "
> "Now this employee claims ..."

OK, employee. Claim what you want. Does not reserve you a chair or a desk.

Go home without pay, knowing you must be right, and just try explaining to family, landlord, debtor, bill collectors, solicitors, about all these fine fair-haired claims. They may just listen - for awhile.
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6946382
NETWORK WORLD NEWSLETTER: MICHAEL OSTERMAN on MESSAGING 04/16/02
Today's focus: Facing the consequences
* What happened to one employee after e-mail, Internet use monitored
_______________________________________________________________
Today's focus: Facing the consequences

By Michael Osterman

Most of us have heard that about one-third of employers monitor
their employees' e-mail and/or Internet sessions, as was
discussed in a 2001 report entitled, "The Extent of Systematic
Monitoring of Employee E-mail and Internet Use" published by
the Workplace Surveillance Project. But what happens when an
employer finds out about personal or otherwise unauthorized use
of e-mail or other computing resources?

Here's a case in point from a government employee who wrote to
me recently, which I have paraphrased below.

***

My employer has policies that make no sense. One cannot use
'public' resources for any personal use. For example, my wife
can call me on the phone and leave a message, but if I return
her call I'm in violation of my employer's policies. My son or
another family member can send me a screensaver or a greeting
card, but I'm in violation if I open it.

I was caught having a Christmas greeting screensaver my family
had sent me on my computer at work. An investigation was
started, and every one of my e-mails and Internet sessions was
delivered to my manager. While no improper material was found,
my manager discovered that I had inquired about digital cameras
for personal use. My defense was that I was new to the
organization and my former employer encouraged employees to use
the Internet and e-mail as a learning exercise.

The result of this infraction was that my rank was reduced by
one grade, my salary was reduced for three months, and I am on
probation for three years. Further, I am now recognized as a
'trouble' employee, I must remain with my current manager until
I retire, there will be no chance for advancement because of
the stigma of being a problem employee and because other
managers don't want to take the risk of hiring such an
employee, and my manager now micromanages me.  Prior to my
infraction, my record was clean.  It is like I have leprosy.

***

I'd like to get your thoughts on the experience of this
employee - is this typical of employers in general, is it
typical only in government, or is it just an extremely rare
example of management overreaction to personal use of e-mail
and the Internet? Please drop me a line at
mailto:michael@ostermanresearch.com
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6946394
(!current, not old news!)                      :o(
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6946961
I'm replying in public, because I think this pertains to the thread in general.  

This overreaction from management is not too common, from what I have heard, but not entirely unexpected either.  What sucks is that the employee doesn't have a leg to stand on, legally...

There are, IMO, a number of thinks leading to the ridiculous situation described above, but two come immediately to mind.  

First, this situation is actually caused by the idiotic managers themselves.  If the employee is not supposed to use the computer for personal use, why does it have that capability?  Sounds like the IT folks aren't doing their jobs very well, and so a centralized problem is being distributed throughout the company - you see this all the time in huge corporations - one department can't/won't pull it's own weight, and so every else now has a new job requirement which is to support the lardassess/idiots in the lagging department.  In 99% of cases this is caused by ridiculous internal politics and power struggles, which once again is a problem of management.  

Second, why did this employee even take a job when it should have been apparent from the get-go that there were huge management problems?  Because the job market is not so great right now, and there are no significant technical unions to speak of that could stand up for his rights in the workplace.  Remember, folks - we workers of the world didn't always get Saturday and Sunday off (actually, I rarely do, but such is the price of running your own business).

Two things the employee can do off the top of my head - tell them to take that job and shove it (hey, I didn't *always* own my own business - it took a few different corporations constantly pissing on me before I woke up), or just silently reveal how much of a *real* "troublemaker" he can be while residing well with the company policy.  It only takes replacing a broken workstation 2 or 3 times until they get the idea that he won't take it lying down.  Other things can mysteriously "fail" as well that prevent him from doing his job.  Trashing the company-owned equipment necessary to do work has been a favorite tactic of overworked factory employees for ages (look up the etomology of the word "sabotage" if you don't believe me).

Just my take on the whole thing,
-Jon
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6946971
mowse - you may want to think about internal sabotage before you tighten the reigns on any internal policies.  I am not ashamed at all to admit having sabotaged equipment of crappy factories when I worked in them during high-school (ever wonder what a two-by-four does when you chuck it in between the upper and lower belts of a conveyor?  Funny stuff)- what do you expect when workers are underpaid, overworked, and employee moral is not a consideration of management in any way.  Also, the statute of limitations has passed (hehe).

Unless you have a camera in every cubicle, it's kinda hard to tell when somewhen is kicking their computer (which tends to piss off the hard drive severely).  

-Jon
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6951101
HP sacked worker after leak

By Peter Sayer
April 18, 2002 6:18 am PT
 
 HEWLETT-PACKARD HAS TERMINATED the employment of a worker who admitted leaking two company memos to the media in violation of company policy, according to an internal e-mail passed to journalists.

[more: http://www.idg.net/ic_849560_8434_1-3921.html]
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6951761
>according to an internal e-mail passed to journalists

Hehehe - that almost made me fall out of my chair laughing, since they are seemingly describing an endless cycle...  I can see the next newsbite:

HP terminates employee for leaking internal HR issues to journalists via email, according to an HP internal memo.

And then:

HP terminates employee for leaking internal compaay memos regarding HR issues to journalists....

Rinse, repeat.

-Jon
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6951971
; o ) )
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6952144
;=)                (alternate media):
http://www.computerworld.com/storyba/0,4125,NAV47_STO70278,00.html
includes:

"HP employee fired for leaking company memos
By BRIAN SULLIVAN (April 18, 2002) "
...
"The company also had to face accusations by Hewlett's legal team that HP employees who helped Hewlett wage his fight against the merger were in danger of losing their jobs. Hewlett's attorneys told Chancery Judge William B. Chandler III that they feared if HP management learned the names of those who had leaked documents, they would retaliate. Hewlett's lawyers tried to bar any HP in-house lawyers or managers from having access to documents in the case that might identify employees but won only a partial victory.

In an agreement announced Friday, attorneys for both sides said that HP managers wouldn't be allowed to see the documents but that HP's in-house lawyers would."...
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 6967918
Cheers to FlamingSword - I needed a good laugh at the expense of corporate bureaucracy!

"Rinse, repeat" indeed...

Thanks,
-Jon

0
 
LVL 1

Author Comment

by:mowse
ID: 7039874
Sorry for the delay,

I am going to award the majority of you with points, you all made valuable points, suggestions, and comments...
0
 
LVL 24

Expert Comment

by:SunBow
ID: 7055060
Thanx:
 a) for enjoyable thread
 b) for considering award to multiple contributors
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now