Solved

What would you do?  See details...

Posted on 2009-04-08
Last Modified: 2013-12-07
A potential client asked me to give them a rate for installing key logger/monitor software on 20 of their local workstations.  The employer does not have an AUP agreement established with their employees.  The client is asking about getting screen shots captured, and also using microphones and establishing an audio broadcast as well.  While I'm not sure if this is possible to do without the employee knowing, I am somewhat confident that this is illegal.  And now, my questions:

1.  If there is not an AUP established, is this illegal?
2.  Aren't AUP policies simply used to punish/fire someone should they break these rules?
3.  If the user is on the owner's network, is it illegal for the owner to monitor the user's activities?
4.  If this is considered "legal" as long as the owner does not use the monitoring software as a means to fire someone, is it ethically inappropriate and considerably immoral?
5.  If it is not illegal, what products should I recommend to the client?  I have never dealt with audio monitoring software.  This would also require that every workstation have a very small mic installed as well.

Please advise.
Question by:MrMintanet

Author Comment

by:MrMintanet
I see your point.  I would then like to throw out the disclaimer that I will not be considering any answer given to be of legal substance in my defense.

Is there a "Lawyers-Exchange" I could use? :)

Author Comment

by:MrMintanet
Crickets...

Accepted Solution

by:
btan earned 500 total points
Just to state first also (on top of your disclaimer) that I am no lawyer and the below comments are by no means a representation of legal advice and would be up to reader discretion for appropriate interpretation. The examples shared are purely for reference, for understanding and appreciating the discussion in general.

Nonetheless, I got curious about these questions and would like to share some personal views.

1.  If there is not an AUP established, is this illegal?
Take a look at the discussion in http://www.daniweb.com/forums/thread58706.html, which points out the issue of privacy versus the presence of the AUP or even the Terms of Employment. In all cases, an employee being "tracked" should rightfully be informed of any such actions taken. Of course, where there are law enforcement reasons, I am not sure whether there can be exceptions .... but I see that if there are valid and strong reasons behind the actions taken, they may be taken into consideration when legal discussion comes into place. Having said that, the local legal terms apply as well. Actually, I am thinking that with a login AUP (electronic login writing), the user has accepted the terms prior to using it. It is only the fine details that may not be elaborated further....

2.  Aren't AUP policies simply used to punish/fire someone should they break these rules?
This talks about the enforceability of the AUP; take a look at the wiki definition (http://en.wikipedia.org/wiki/Acceptable_use_policy). I thought this is a good head start read on this as well. Extract below:

".......... the AUP document needs to indicate the jurisdiction, meaning the laws that are applicable and govern the use of an AUP...... "

It really boils down to the terms specified in the AUP; it needs to be concise and clear (and those with a clear section on applicable laws would dismiss conflicts).

3.  If the user is on the owner's network, is it illegal for the owner to monitor the user's activities?
This sounds close to kiosk scenarios, where they also have terms of service and usage (an add-on to the internet AUP). The "identification of the user" as well as "implied consent" in the AUP will really help in this area. I thought it would be good to look at sample AUPs by others. See the extracts below from http://www.upenn.edu/computing/policy/aup.html

"Each person with access to the University's computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations, and with applicable City, State and Federal laws and regulations, as well as with the acceptable use policies of affiliated networks and systems (See Appendices to Specific Rules)."

"Anonymous and pseudonymous communications are permitted except when expressly prohibited by the operating guidelines or stated purposes of the electronic services to, from, or through which the communications are sent........"

The above can help to clarify who the user is pertaining to resource use ...

4.  If this is considered "legal" as long as the owner does not use the monitoring software as a means to fire someone, is it ethically inappropriate and considerably immoral?
This is really a discussion on privacy as well. See my comments in (1). As for ethics, it is better to be clearly put across in legal binding. But I see that if misrepresentation is absent and users are able to justify actions taken (according to organization instructions or directions, without any abusive or "bad" intent), this can be seen in a lighter picture. Nonetheless, it is better to put this across through awareness training and reminders, with regular audits as well. All will be on their toes ....

5.  If it is not illegal, what products should I recommend to the client?  I have never dealt with audio monitoring software.  This would also require that every workstation have a very small mic installed as well.
Well, you should really look at an enterprise solution, as this capturing process can have a performance impact (imagine recording for all employees at scheduled intervals ... there can be bandwidth limits and I see potential business impact). Check out
a) Smartauditor - http://support.citrix.com/article/CTX114799, the table gives a summary of its features

Also, for audio monitoring, I would say that the internal call system should be centrally managed (be it analog/digital or VoIP)... check out Snapshield's Snaptrunk (http://www.snapshield.com/products.asp?cat=30&in=0). If it is VoIP, I would say that a network sniffer can do the trick, but do note that in cases where it is encrypted (scrambled) the recorded content will not be meaningful. This applies to analog/digital too, so it really needs expertise to plan out the "capturing" point as well..... By the way, you would not want to turn off protection for "capturing" as compared to business requirements.... really, a balance needs to be clarified first.. Also, a big budget is involved as well....

Just some thoughts .... Hope the discussion helps ....

Expert Comment

by:btan
You can take a look at this article as well, for understanding what legal actions can be taken in the context of an ISP if needed.

http://digg.com/d1o5Rl - Some interesting excerpts:

Today, when you send an email, the addressee will be recorded by your ISP and stored, again for twelve months, in case the police, the security services or any of their authorised agents wish to investigate the data. When you visit a website the address is similarly logged.

Encrypting this data and refusing to hand the keys over to the authorities is already illegal, so it would be very difficult to go online or make a phone call in the UK and avoid being watched once you're under suspicion.
The new rule stems from the EU Data Retention Directive and access to the data will be subject to the rules in the Regulation of Investigatory Powers Act 2000 which essentially says that as long as it's OK by the Home Office, anyone can have a look at your records.

Author Closing Comment

by:MrMintanet
Sorry for the delayed acceptance.  Great job!