system surveillance

7aken

cant find anywhere else to post this so.......

is anyone familiar with laws/legislation surrounding the undercover monitoring of employees? i have taken on a job with a firm who suspect that critical private information is being leaked deliberately to the papers. i have invested in tools to enable me to 'spy' on a person that leaves no trace on their system, but i got a note with the software saying that the software and the methods it employs may be illegal in some countries.

i had a similar job a while back where the company suspected the employee of deleting all records and traces of wrongdoing. i was asked to recover evidence which i did. in my opinion these two methods are more or less the same, i am retrieving data for the company. in both instances i am likely to uncover personal information....

has anyone got any experience with this kind of thing?

snappieT

You can install a Keylogger service, which will record every keystroke for your reading enjoyment... The user can't kill it if they don't have admin priveleges, and it's easy. The log files can be saved to the network, or to an NTFS protected file on the HDD.

Downside: not so sure of the legalities of it. I'm almost certain that if you make an announcement that random employees will be monitored at random times, it's cool.

maidhc

The use of personal information is governed by the Data Protection Acts 1988 & 2003.

In your situation I think the most important thing is people are aware the information may be collected. See www.dataprivacy.ie for more information, in particular http://www.dataprivacy.ie/viewdoc.asp?m=m&fn=/documents/guidance/3gm3.htm

snappieT

I think "Any monitoring activity should be transparent to workers" sums it up entirely. Once they know that certain (un-named) employees will be monitored, chances are they'll all cop on.

WexCan

Most places will monitor email etc anyway. Might come up against some employee resistance though - what's industry are you in?

snappieT

But email monitoring is automatic. They search the email for words like 'F*ck' and 'I love you'. Only when it happens a lot does a person see your email.
It's like gmail scanning, borderline legit.

Gurgle

7aken wrote:

in both instances i am likely to uncover personal information....

I assume your company has an 'acceptable use' policy which states that the PCs are company property and not to be used for anything other than company business.

In that case, you may legally assume that the PCs contain no personal information and act accordingly.

Karoma

http://www.dataprivacy.ie/viewdoc.asp?m=m&fn=/documents/guidance/3gm3.htm
says it all really.
you must have a legit. reason (check!) and warn the staff (Have a popup before they login,etc.)
...your company could always just cleanup it's act...

stevenmu

7aken wrote:

. in my opinion these two methods are more or less the same, i am retrieving data for the company. in both instances i am likely to uncover personal information....

In the previous case it sounds like you knew that wrongdoing had occured and you were uncovering evidence of this, possibly by undeleteing files. In this new example you're talking about monitoring employees in case one or more of them do something wrong. There's a huge difference there both from an ethical, and I'd guess a legal standpoint. That said altough I don't think there have been any test cases of this in courts here yet, there have been in the US and I think it's generally found that the PCs are the property of the employer who therefore has the right to know what is on them and what is being done with them at all times.

To cover yourself you should make sure you have a 'terms and conditions' of use policy with an innocous little entry in it to allow yourself to do this. You could forward it to all the employees as a reminder, perhaps using some excuse along the lines of a virus infecting the network due to someone downloading screen-savers or getting it in a personal email.

Damn, I should go work for big brother.

7aken

Karoma wrote:

...your company could always just cleanup it's act...

i'm freelancing, also the company are legit, employees have access to very critical data however and the company has a duty to its customers. thanks for the input guy's, the company has decided to seek legal advice. have sent them in the right direction with your suggestions.

big brother sounds like a good career stephenmu!!!!!


i'm unsure as to this bit of the data protection page on the link karoma posted

'''Any monitoring must be carried out in the least intrusive way possible. Only in exceptional circumstances associated with a criminal investigation, and in consultation with the Gardai, should resort be made to covert surveillance''''

im aware that employees have a right to know that they may be monitored, however, the means i am going to use to collect this data amount to covert surveillance ie, the employee will not know that i am watching them specifically and will not be able to tell that they are being monitored???

WizZard

Once the employee's are notified, eg. via a windows login popup, and the covert software is installed on more than one PC (on all to cover yourself) then you can't be accused of anything along the lines of specific entrapment.

WizZard

Be aware though that if they are emailing data from personal webmail accounts then you are not allowed to access these accounts for any reason even if you have collected the password via a keylogging program.
If this is how data is being leaked then I suggest investing in a good proxy/firewall and blocking these type of sites. Then use the email server to monitor email.

Then again, if someone is stupid enough to use a company email address/mailserver for any dodgy activity then they deserve to be caught.

BadCharlie

I work in a city council and all that we do on our computers is recoreded.

Gurgle

An employee has no entitlement to use the PC for anything other than company business.

Make that clear & install anything you like.

But do it equally on all PCs or you could be accused of victimising someone.