Solved

What would you do?  See details...

Posted on 2009-04-08
Last Modified: 2013-12-07
A potential client asked me to give them a rate for installing key logger/monitor software on 20 of their local workstations.  The employer does not have an AUP agreement established with their employees.  The client is asking about getting screen shots captured, and also using microphones and establishing an audio broadcast as well.  While I'm not sure if this is possible to do without the employee knowing, I am somewhat confident that this is illegal.  And now, my questions:

1.  If there is not an AUP established, is this illegal?
2.  Aren't AUP policies simply used to punish/fire someone should they break these rules?
3.  If the user is on the owner's network, is it illegal for the owner to monitor the user's activities?
4.  If this is considered "legal" as long as the owner does not use the monitoring software as a means to fire someone, is it ethically inappropriate and considerably immoral?
5.  If it is not illegal, what products should I recommend to the client?  I have never dealt with audio monitoring software.  This would also require that every workstation have a very small mic installed as well.

Please advise.
Question by:MrMintanet

Author Comment

by:MrMintanet
ID: 24102828
I see your point.  I would then like to throw out the disclaimer that I will not be considering any answer given to be of legal substance in my defense.

Is there a "Lawyers-Exchange" I could use? :)

Author Comment

by:MrMintanet
ID: 24106344
Crickets...

Accepted Solution

by:btan (earned 500 total points)
ID: 24124498
Just to state first (on top of your disclaimer) that I am no lawyer; the comments below are by no means legal advice, and appropriate interpretation is left to the reader's discretion. The examples shared are purely for reference, for understanding and appreciating the discussion in general.

Nonetheless, I got curious about these questions and would like to share some personal views.

1.  If there is not an AUP established, is this illegal?
Take a look at the discussion in http://www.daniweb.com/forums/thread58706.html, which points out the issue of privacy versus the presence of the AUP or even the Terms of Employment. In all cases, an employee being "tracked" should rightfully be informed of any such actions taken. Of course, in the presence of law enforcement reasons, I am not sure there can be exceptions ... but I see that if there are valid and strong reasons behind the actions taken, they may be taken into consideration when legal discussion takes place. Having said that, the local legal terms apply as well. Actually, I am thinking that with a login AUP (electronic login writing), the user has accepted the terms prior to using it. It is only the fine details that may not be elaborated further....

2.  Aren't AUP policies simply used to punish/fire someone should they break these rules?
This is about the enforceability of the AUP; take a look at the wiki definition (http://en.wikipedia.org/wiki/Acceptable_use_policy). I thought this is a good head-start read on this as well. Extract below:

".......... the AUP document needs to indicate the jurisdiction, meaning the laws that are applicable and govern the use of an AUP...... " 

It really boils down to the terms specified in the AUP; it needs to be concise and clear (and those with a clear section on applicable laws would dismiss conflicts).

3.  If the user is on the owner's network, is it illegal for the owner to monitor the user's activities?
This sounds close to kiosk scenarios, where they also have terms of service and usage (an add-on to the internet AUP). The "identification of the user" as well as "implied consent" in the AUP will really help in this area. I thought it would be good to look at sample AUPs by others. See the extracts below from http://www.upenn.edu/computing/policy/aup.html

"Each person with access to the University's computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations, and with applicable City, State and Federal laws and regulations, as well as with the acceptable use policies of affiliated networks and systems (See Appendices to Specific Rules)."

"Anonymous and pseudonymous communications are permitted except when expressly prohibited by the operating guidelines or stated purposes of the electronic services to, from, or through which the communications are sent........"

The above can help to clarify who the user is pertaining to resource use ...

4.  If this is considered "legal" as long as the owner does not use the monitoring software as a means to fire someone, is it ethically inappropriate and considerably immoral?
This is really a discussion on privacy as well. See my comments in (1). As for ethics, it is better to be clearly put across in legal binding. But I see that if misrepresentation is absent and users are able to justify the actions taken (according to organization instructions or directions, without any abusive or "bad" intent), this can be seen in a lighter picture. Nonetheless, it is better to put this across through awareness training and reminders, with regular audits as well. All will be on their toes ....

5.  If it is not illegal, what products should I recommend to the client?  I have never dealt with audio monitoring software.  This would also require that every workstation have a very small mic installed as well.
Well, you should really look at an enterprise solution, as this capturing process can have a performance impact (imagine recording for all employees at scheduled intervals ... there can be bandwidth limits, and I see potential business impact). Check out
a) Smartauditor - http://support.citrix.com/article/CTX114799, the table gives a summary of its features

Also, for audio monitoring, I will say that the internal call system should be centrally managed (be it analog/digital or VoIP)... check out Snapshield's Snaptrunk (http://www.snapshield.com/products.asp?cat=30&in=0). If it is VoIP, I will say that a network sniffer can do the trick, but do note that in cases where it is encrypted (scrambled) the recorded content will not be meaningful. This applies to analog/digital, so it really needs expertise to plan out the "capturing" point as well..... By the way, you would not want to turn off protection for "capturing" as compared to business requirements.... really, a balance needs to be clarified first.. Also, a big budget is involved as well....

Just some thoughts .... Hope the discussion helps ....

Expert Comment

by:btan
ID: 24124612
You can take a look at this article as well, for understanding what legal actions can be taken in the context of an ISP if needed.

http://digg.com/d1o5Rl - Some interesting excerpts:

Today, when you send an email, the addressee will be recorded by your ISP and stored, again for twelve months, in case the police, the security services or any of their authorised agents wish to investigate the data. When you visit a website the address is similarly logged.

Encrypting this data and refusing to hand the keys over to the authorities is already illegal, so it would be very difficult to go online or make a phone call in the UK and avoid being watched once you're under suspicion.
The new rule stems from the EU Data Retention Directive and access to the data will be subject to the rules in the Regulation of Investigatory Powers Act 2000 which essentially says that as long as it's OK by the Home Office, anyone can have a look at your records.

Author Closing Comment

by:MrMintanet
ID: 31568260
Sorry for the delayed acceptance.  Great job!