Solved

What would you do?  See details...

Posted on 2009-04-08
Last Modified: 2013-12-07
A potential client asked me to give them a rate for installing key logger/monitor software on 20 of their local workstations. The employer does not have an AUP agreement established with their employees. The client is asking about getting screen shots captured, and also using microphones and establishing an audio broadcast as well. While I'm not sure if this is possible to do without the employee knowing, I am somewhat confident that this is illegal. And now, my question:

1.  If there is not an AUP established, is this illegal?
2.  Aren't AUP policies simply used to punish/fire someone should they break these rules?
3.  If the user is on the owner's network, is it illegal for the owner to monitor the user's activities?
4.  If this is considered "legal" as long as the owner does not use the monitoring software as a means to fire someone, is it ethically inappropriate and considerably immoral?
5.  If it is not illegal, what products should I recommend to the client?  I have never dealt with audio monitoring software.  This would also require that every workstation have a very small mic installed as well.

Please advise.
Question by:MrMintanet
6 Comments
 
LVL 8

Author Comment

by:MrMintanet
ID: 24102828
I see your point.  I would then like to throw out the disclaimer that I will not be considering any answer given to be of legal substance in my defense.

Is there a "Lawyers-Exchange" I could use? :)
0
 
LVL 8

Author Comment

by:MrMintanet
ID: 24106344
Crickets...
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 24124498
Just to state first also (on top of your disclaimer) that I am no lawyer and the comments below are by no means a representation of legal advice and would be up to the reader's discretion for appropriate interpretation. The examples shared are purely for reference, for understanding and appreciating the discussion in general.

Nonetheless, I got curious about these questions and would like to share some personal views.

1.  If there is not an AUP established, is this illegal?
Take a look at the discussion in http://www.daniweb.com/forums/thread58706.html, which points out the issue of privacy versus the presence of the AUP or even the Term of Employment. In all cases, an employee being "tracked" should rightfully be informed of any such actions taken. Of course, in the presence of law enforcement reasons, I am not sure there can be exceptions .... but I see that if there are valid and strong reasons behind the actions taken, they may be taken into consideration when legal discussion comes into place. Having said that, the local legal terms apply as well. Actually I am thinking that with a login AUP (electronic login writing), the user has accepted the terms prior to using it. It is only the fine details that may not be elaborated further....

2.  Aren't AUP policies simply used to punish/fire someone should they break these rules?
This is about the enforceability of the AUP; take a look at the wiki definition (http://en.wikipedia.org/wiki/Acceptable_use_policy). I thought this is a good head start read on this as well. Extract below:

".......... the AUP document needs to indicate the jurisdiction, meaning the laws that are applicable and govern the use of an AUP...... " 

It really boils down to the terms specified in the AUP; it needs to be concise and clear (and those with a clear section on applicable laws would dismiss conflicts).

3.  If the user is on the owner's network, is it illegal for the owner to monitor the user's activities?
This sounds close to kiosk scenarios, where they also have terms of service and usage (an add-on to the internet AUP). The "identification of the user" as well as "implied consent" in the AUP will really help in this area. I thought it would be good to look at sample AUPs by others. See the extracts below from http://www.upenn.edu/computing/policy/aup.html

"Each person with access to the University's computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations, and with applicable City, State and Federal laws and regulations, as well as with the acceptable use policies of affiliated networks and systems (See Appendices to Specific Rules)."

"Anonymous and pseudonymous communications are permitted except when expressly prohibited by the operating guidelines or stated purposes of the electronic services to, from, or through which the communications are sent........"

The above can help to clarify who the user is pertaining to resource use ...

4.  If this is considered "legal" as long as the owner does not use the monitoring software as a means to fire someone, is it ethically inappropriate and considerably immoral?
This is really a discussion on privacy as well. See my comments in (1). As for ethics, it is better to be clearly put across in legal binding. But I see that if misrepresentation is absent and users are able to justify actions taken (according to organization instructions or directions without any abusive or "bad" intent), this can be seen in a lighter picture. Nonetheless, it is better to put this across through awareness training and reminders, with regular audits as well. All will be on their toes ....

5.  If it is not illegal, what products should I recommend to the client?  I have never dealt with audio monitoring software.  This would also require that every workstation have a very small mic installed as well.
Well, you should really look at an enterprise solution, as this capturing process can have a performance impact (imagine recording for all employees at scheduled intervals ... there can be bandwidth limits and I see potential business impact). Check out
a) Smartauditor - http://support.citrix.com/article/CTX114799, the table gives a summary of its features

Also for audio monitoring, I will say that the internal call system should be centrally managed (be it analog/digital or VoIP)... check out Snapshield's Snaptrunk (http://www.snapshield.com/products.asp?cat=30&in=0). If it is VoIP, I will say that a network sniffer can do the trick, but do note that in cases where it is encrypted (scrambled) the recorded content will not be meaningful. This applies to analog/digital too, so it really needs expertise to plan out the "capturing" point as well..... By the way, you would not want to turn off protection for "capturing" as compared to business requirements.... really, a balance needs to be clarified first.. Also a big budget is involved as well....

Just some thoughts .... Hope the discussion helps ....
0
 
LVL 63

Expert Comment

by:btan
ID: 24124612
You can take a look at this article as well for understanding what legal actions can be taken in the context of an ISP if needed

http://digg.com/d1o5Rl - Extract some interesting excerpts

Today, when you send an email, the addressee will be recorded by your ISP and stored, again for twelve months, in case the police, the security services or any of their authorised agents wish to investigate the data. When you visit a website the address is similarly logged.

Encrypting this data and refusing to hand the keys over to the authorities is already illegal, so it would be very difficult to go online or make a phone call in the UK and avoid being watched once you're under suspicion.
The new rule stems from the EU Data Retention Directive and access to the data will be subject to the rules in the Regulation of Investigatory Powers Act 2000 which essentially says that as long as it's OK by the Home Office, anyone can have a look at your records.
0
 
LVL 8

Author Closing Comment

by:MrMintanet
ID: 31568260
Sorry for the delayed acceptance.  Great job!
0
