
Help! Desktop monitoring program

  • 17-04-2012 11:10am
    #1
    Registered Users Posts: 19


    I am looking for monitoring software that will allow me to see what applications are used by the employees, for how long and to review the log on and log off sessions by them. Has anyone had experience with such sort of software?


Comments

  • Registered Users Posts: 367 ✭✭900913




  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    Be very careful here. Ireland is not the US and Europe has a lot more legislation concerning the right to privacy and a whole working group exploring privacy in the workplace as well as establishing that not only do employees have a right to the expectation of privacy but also that given the online nature of modern life, employees are expected to be allowed to access personal information online from their workplace if the access is available (ie: if they have internet access to gmail, expect them to access it. if you don't want them to access it, block the site).

    that software specifically states that it monitors and records chats/email
    Logs AIM/ICQ/Yahoo/MSN/Skype/Google Talk conversation

    that's almost certainly going to be private conversations (protected by a user/pass combination that you as an employer have no right to know) and recording it without your employee's knowledge could open you up to civil prosecution and perhaps even criminal.

    the software makes a point of claiming silent installation and monitoring... you cannot monitor your employees without them knowing and you had better have an acceptable use policy in place that your employees have agreed to upon joining the company.

    I am not a solicitor or a legal-type of any kind so before you start exploring technical solutions consult a solicitor (employment law) and make sure you know what is and is not allowed before you do anything.


  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    Great post LoLth, was going to post the same last night.

    Even if you have an "acceptable use policy in place", it does not get you out of following Irish and EU laws.
    There are some rights you can't sign away, and I'm not sure if an AUP has been tested in court in Ireland yet.

    I'd say work VERY closely with your company's Legal & Human Remains Resource to make sure you are only monitoring what you are allowed to and that only authorized people can view the logs and know how/when they can use the information from them.

    Edit:

    Also if you want to monitor encrypted traffic you will have to be doing a MiTM attack on all connections, this can be costly if you do not want to affect speed too much and it is also opening another huge can of worms....
    LoLth wrote: »
    Be very careful here. Ireland is not the US and Europe has a lot more legislation concerning the right to privacy and a whole working group exploring privacy in the workplace as well as establishing that not only do employees have a right to the expectation of privacy but also that given the online nature of modern life, employees are expected to be allowed to access personal information online from their workplace if the access is available (ie: if they have internet access to gmail, expect them to access it. if you don't want them to access it, block the site).

    that software specifically states that it monitors and records chats/email


    that's almost certainly going to be private conversations (protected by a user/pass combination that you as an employer have no right to know) and recording it without your employee's knowledge could open you up to civil prosecution and perhaps even criminal.

    the software makes a point of claiming silent installation and monitoring... you cannot monitor your employees without them knowing and you had better have an acceptable use policy in place that your employees have agreed to upon joining the company.

    I am not a solicitor or a legal-type of any kind so before you start exploring technical solutions consult a solicitor (employment law) and make sure you know what is and is not allowed before you do anything.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    Even if you have an "acceptable use policy in place", it does not get you out of following Irish and EU laws.
    There are some rights you can't sign away, and I'm not sure if an AUP has been tested in court in Ireland yet.

    you're right. the AUP hasn't been tested but the ECHR working group 42 report (I think it's 42, the one on privacy it could be 8 ...) did not have much faith in the legality of AUPs as they are not a contract between equals. If they are part of the starting contract then the employee to be can decide if they accept the constraints before joining the workforce, however, if an AUP is put in place after they have commenced working the employer could be leaving themselves liable for a "constructive dismissal" civil suit if the employee refuses to accept the terms and ends up being let go because they can't use the computer and so can't do their job.
    I'd say work VERY closely with your company's Legal & Human Remains Resource to make sure you are only monitoring what you are allowed to and that only authorized people can view the logs and know how/when they can use the information from them.

    as BZ says and an alternate policy is to block and not monitor. If you don't want users using IM/Google chat there are proxy servers (ISA for example) that can filter at an application level as well as by port/destination address. Worried about a user sending a corporate secret through gmail or other webmail application? block access to webmail or use file management software to control what can and can't be done with documents of particular classifications. Want to stop people chatting on IM, block its use. If you monitor user activity and get caught with a screenshot of someone's online bank password recovery phrase, or a printout of an email marked "private" or a saved version of a user's online email that is usually password protected (and therefore expected to be private) it's the company that is in the wrong and the IT/HR manager for allowing it and you can bet that any employee that gets reprimanded through the use of covert monitoring is going to be a disgruntled employee and no matter what you do, you can't block smartphones with cameras built in.


  • Registered Users Posts: 19 Irene818


    I am planning to expand my business in Europe and I agree with you that it is essential to know EU employment laws beforehand. The staff will definitely be notified that they will be monitored. Blocking is not a good option for me because some "dangerous" websites are needed to be visited in billing hours.
    900913 wrote: »
    thanks for the list! I actually found Praetorian Guard in the net and decided to give it a try. I don't think it is a very popular tool but it seems that it has all the features that I need. We'll see how it works.


  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    If you have any system or staff working out of France, Russia or Germany you will have A LOT of issues with Workers Councils if you try and install any of these kinds of monitoring solutions.
    Irene818 wrote: »
    I am planning to expand my business in Europe and I agree with you that it is essential to know EU employment laws beforehand. The staff will definitely be notified that they will be monitored. Blocking is not a good option for me because some "dangerous" websites are needed to be visited in billing hours.


    thanks for the list! I actually found Praetorian Guard in the net and decided to give it a try. I don't think it is a very popular tool but it seems that it has all the features that I need. We'll see how it works.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    also, not just the employment laws but the privacy laws. There is an overlap (privacy in the workplace etc) but "expectation of privacy" is not necessarily dealt with in employment law but is referenced in Privacy law and in some countries it's not something that can be signed away as BZ already mentioned.

    As for blocking, you could block "dangerous" sites (let's say Facebook) generally and then have a group with permission to access it for those users that have a valid work reason for doing so - and you can have access to the group require a request from the individual's team leader - just as an example as I have no idea what your business model is. Then, if a user spends all day on Facebook to his/her friends and the task at hand doesn't get done, it's the team leader's responsibility. you can be sure the team leader will ensure that no-one on their team slacks off on Facebook.


  • Registered Users Posts: 126 ✭✭infodox


    Slightly off topic, but what is the legality of selling/writing such software? Monitoring/Remote Control software can easily be abused as a trojan by malicious persons, and a lot of the "net nanny" software out there HAS been used by criminals in the past with slight modifications.

    I had been wondering for a while how legal it is to sell remote access/monitoring software that has configurable options for "run hidden" etc, wanting to make sure it was 100% legit before going into business. I figure it would likely be seen in a bad light though, esp. given current circumstances.


  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    infodox wrote: »
    Slightly off topic, but what is the legality of selling/writing such software? Monitoring/Remote Control software can easily be abused as a trojan by malicious persons, and a lot of the "net nanny" software out there HAS been used by criminals in the past with slight modifications.

    I had been wondering for a while how legal it is to sell remote access/monitoring software that has configurable options for "run hidden" etc, wanting to make sure it was 100% legit before going into business. I figure it would likely be seen in a bad light though, esp. given current circumstances.

    Is it not the same as the legality of making or selling crowbars. So long as you don't market it as "Guaranteed to smash any lock and get you into any house", the vendor needn't worry too much.

    Core Impact markets its software to professionals. Its price also puts it out of the market for petty criminals (or so they say).

    I'm sure in the license agreement, you agree not to break any privacy laws in your country and Core Security is not responsible for anything you do. If I break into the central bank, and kill some workers in there using only a Draper hammer and a screwdriver, do you blame the manufacturers? Do you blame Woodies for having these tools available to the public?


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    syklops wrote: »
    Is it not the same as the legality of making or selling crowbars. So long as you don't market it as "Guaranteed to smash any lock and get you into any house", the vendor needn't worry too much.

    I think that's the generally accepted thinking on the subject
    Core Impact markets its software to professionals. Its price also puts it out of the market for petty criminals (or so they say).

    I have to laugh at that... most criminals that want to use Core Impact will either pirate it or can afford it. The vast majority of security professionals that don't have the backing of a large corporation can't afford the licensing and so are less adroit with its use than the criminals... imho, metasploit has it right. free to use version has everything you need, fancy bits require a license but don't really affect functionality, just reporting. Is Saint still free?
    I'm sure in the license agreement, you agree not to break any privacy laws in your country and Core Security is not responsible for anything you do. If I break into the central bank, and kill some workers in there using only a Draper hammer and a screwdriver, do you blame the manufacturers? Do you blame Woodies for having these tools available to the public?

    At the end of 2011 there was talk of a government vote to ban "dual use" tools, both possession and sale would be illegal so yes, the government would indeed blame woodies as well as anyone that bought the hammer in the first place. I rarely use smilies beyond the standard happy or big grin but this kind of thinking definitely calls for use of this one :rolleyes:

