
Should companies be allowed to monitor their staff's use of business phone and computer in the office?


Yale Forland


According to a survey by the Privacy Foundation, more than one-third of U.S. employees are electronically monitored while they are at work. An increasing number of employers are checking their workers' emails and Internet use. It is worth mentioning that this monitoring technology does reduce the personal use of business phones and computers; however, employee monitoring reveals other problems at work as well. Every year, thousands of lawsuits are brought by employees because of privacy invasion. I am here and just wanna listen to you guys' opinions about this. Should companies be allowed to monitor their staff's use of business phone and computer in the office?


At home what you do is your business.

When in a company, using company resources, and their internet connection, you are on their dime. And while these days it's more understood that people could be monitored, System Admins and Network Operations have been able to monitor what you are doing for years on their networks.

On ANY network you connect to, someone could be monitoring you, that's the implicit agreement you have when using the network. Let me put it this way, if you use a network I administer, I can monitor you. I don't actively do so unless I have a need to, as I am too busy doing work, but if I start to notice something going on, then I will more actively do so.

You do not have a right to privacy on a company computer or phone. They belong to the company. If you want to browse in (imagined) privacy, use your own phone or computer in your own time on your own network.


If you are using company resources, do not expect privacy. They should be able to monitor what you do on their equipment, but they should tell you that it is monitored and to expect no privacy.


While I do believe that an employer should tread carefully with the collected data, I think they are completely in their right to not just collect it, but also to act upon that data if the need arises. The only thing the employee can challenge is whether the situation actually warranted the long, hard look at their collected data, but I'm quite sure that like Broti my contract quite explicitly and in no uncertain terms allows them to both record the data and have this long hard look at it whenever they feel like it.

When your job entails having access to some very, very private, personal information on a large chunk of the populace, how can your employer possibly defend not doing so?


HIPAA and PCI compliance is one reason to protect their own back end. Also securities rules.

I work for a company and I know I get so many shares of an initial public offering. Someone sets up an account and puts money in it and tells me what to do when the company goes public.

Another example

I work in a doctor's office. I use a computer to check patient records. If a patient record gets sent someplace where it shouldn't be, there could be a problem. This is why this is a private network using encrypted email such as cisco strong arm. This is also why their systems are set up to block certain ports, domain names and sites.

I will not go into PCI compliance for business merchant "bank accounts".


At home what you do is your business.

When in a company, using company resources, and their internet connection, you are on their dime. And while these days it's more understood that people could be monitored, System Admins and Network Operations have been able to monitor what you are doing for years on their networks.

On ANY network you connect to, someone could be monitoring you, that's the implicit agreement you have when using the network. Let me put it this way, if you use a network I administer, I can monitor you. I don't actively do so unless I have a need to, as I am too busy doing work, but if I start to notice something going on, then I will more actively do so.

You do not have a right to privacy on a company computer or phone. They belong to the company. If you want to browse in (imagined) privacy, use your own phone or computer in your own time on your own network.

Yeah, but sometimes when we use the computer to search for something online at break time, they can also know that. I just don't want them to know. Of course we shouldn't do it while working.


While I do believe that an employer should tread carefully with the collected data, I think they are completely in their right to not just collect it, but also to act upon that data if the need arises. The only thing the employee can challenge is whether the situation actually warranted the long, hard look at their collected data, but I'm quite sure that like Broti my contract quite explicitly and in no uncertain terms allows them to both record the data and have this long hard look at it whenever they feel like it.

When your job entails having access to some very, very private, personal information on a large chunk of the populace, how can your employer possibly defend not doing so?

But they will use some monitoring software to monitor your computer and you will never know.


But they will use some monitoring software to monitor your computer and you will never know.

There is no software on my laptop that I didn't put there myself. All they can monitor is the data flowing from my machine onto the network.

Granted, they can confiscate my laptop on the basis that, well, it's their laptop. If they ask I'm probably required to give up the root password, and I'm cool with that as well for the very same reason. But I will not accept any direct monitoring on my own machine. Because then it's not about what I'm doing with their systems and data. It's about what I'm doing, period. And that has rather a lot less to do with data security.

I'm allowed to take my machine home with me and to also use it for personal things. If this were not the case, I probably would care less about them monitoring the machine as I'm using it, but as it stands right now I won't accept that as it would imply they don't trust me, in which case I have no business being employed by them to begin with.

Edited by Cooper

I've had to install monitoring software on corporate computers. It's a pain in the ass. You have to make all kinds of whitelists for the antivirus or it will remove it, because, you know, spyware. It's much easier to just monitor the network connection, but they wanted screen shots of the desktop.


But is there some poor schmuck within the company whose day-job it is to look at all those screen grabs, or do people suspect something might not be up, THEN look at the grabs and decide that person needs to find something else to do during working hours?


But is there some poor schmuck within the company whose day-job it is to look at all those screen grabs, or do people suspect something might not be up, THEN look at the grabs and decide that person needs to find something else to do during working hours?

No, it was installed on suspected users' machines. Usually there's already suspicions or other reasons to install that kind of logging software. Normally we just do high level logging of sites browsed, logged to individual IP addresses or machine names depending on the client.


I've had to install monitoring software on corporate computers. It's a pain in the ass. You have to make all kinds of whitelists for the antivirus or it will remove it, because, you know, spyware. It's much easier to just monitor the network connection, but they wanted screen shots of the desktop.

What kind of monitoring software did you install?


Sorry, I don't get your meaning.

What I asked Barry was if the monitoring was active and constant, or passive and incidental.

In other words, was Big Brother constantly looking at your screen remotely to ensure you're doing what you're supposed to be doing, or would the software simply grab a screenshot every few minutes and store it on some fileserver to rot away for the next couple of years but if suspicions about an individual arise, the screengrabbing interval of that person's machine is increased and someone takes a look at the previous screenshots made on his machine to see if they confirm the already existing suspicions.

In the context of your main question, I would have a very difficult time working in an environment where my desktop would be actively and constantly monitored by someone.

The closest I've gotten to working like that was at a big bank here in .nl where your machine was locked up rather thoroughly, internet access required approval from your manager (but was handed out easily) but you were told that what you did would be monitored. If you had private things to do on the internet (main example given was online banking) there was a machine available in a fairly visual location - nobody could look at your screen, but people could trivially see that you were at that PC and you'd be asked about it if people felt you were on that machine too much. Interestingly, the first thing that a new recruit was taught at that place was where the working exploit was hidden that would allow you to make yourself local admin on your machine, simply because it was far easier than jumping through all the bureaucratic hoops to acquire the rights needed to effectively perform your job.


Sorry to say but I agree with most of you lot :P

When you're using company equipment / on the clock I just assume you're being watched. Hell, back in the day when I was full-time at a bank as a CSR, I know I was being watched because they eventually blocked my access to the H5 website.


What I asked Barry was if the monitoring was active and constant, or passive and incidental.

In other words, was Big Brother constantly looking at your screen remotely to ensure you're doing what you're supposed to be doing, or would the software simply grab a screenshot every few minutes and store it on some fileserver to rot away for the next couple of years but if suspicions about an individual arise, the screengrabbing interval of that person's machine is increased and someone takes a look at the previous screenshots made on his machine to see if they confirm the already existing suspicions.

In the context of your main question, I would have a very difficult time working in an environment where my desktop would be actively and constantly monitored by someone.

The closest I've gotten to working like that was at a big bank here in .nl where your machine was locked up rather thoroughly, internet access required approval from your manager (but was handed out easily) but you were told that what you did would be monitored. If you had private things to do on the internet (main example given was online banking) there was a machine available in a fairly visual location - nobody could look at your screen, but people could trivially see that you were at that PC and you'd be asked about it if people felt you were on that machine too much. Interestingly, the first thing that a new recruit was taught at that place was where the working exploit was hidden that would allow you to make yourself local admin on your machine, simply because it was far easier than jumping through all the bureaucratic hoops to acquire the rights needed to effectively perform your job.

It was both. Passive for the whole network, we watch the connections. We also had the ability to look up someone's ass if needed. Basically the desktop was DVR'd. Then someone would fast forward through the day.


  • 8 months later...

I think this is a good idea to motivate the employees' potential power. You know, if you are being monitored by the boss during working time, then you will work hard; then all the employees can make good profits for the company and the employees can get much more than what they want. The Micro Keylogger is a good choice for the company.


Of course you want companies to be able to monitor their employees' devices. How do you know that your employee isn't some kind of insider who is working to steal your company's valued secret processes etc. How do you know that they are not crafting exploits to hack into your servers and steal your customer info? How do you know there hasn't been a breach because the user clicked on something they weren't supposed to? That is why we have network logging, and desktop logging, etc. Even phones these days can be used to exfiltrate data, typically via tethering or internal storage. Would be very hard in most cases, impossible on some versions of phones, but possible on others. This is pretty much computer forensics 101. How do you know the employees are not hosting their own web server on business hardware? How do you know they are not watching porn or game of thrones when they are supposed to be doing something idk... constructive with their time at work (sure we have all had those times when we had to watch Windows install or something, watch grass grow, or sit and wait for phone calls that probably weren't going to come but they could, then game of thrones is ok.)? It gets greyer when phones, tablets, or laptops are involved due to the fact that they can be taken home and therefore become more "personal". What matters though is that the device is essentially company property, therefore subject to monitoring. The company policy needs to state this before employees sign over their rights, and the employees need to be made aware of such logging. Also, getting back hardware after the employee has taken it home is often problematical. If it was given to the employee, you may never see the hardware again, and you may not even want to ask for it back. When their employment is up, in some cases you may as well just write off some hardware. There is some implied ownership after the employee has held on to something for a very long time.
Also, when a company hands over a device to an employee you can run certain software on it to harden its security.

As far as laptop software goes, I probably will never use a company laptop for everything... some things are too sensitive to allow my business colleagues to be aware of, I probably wouldn't ever trust my co-workers with my personal banking info (except the boss who needs to know which account to put my money in, even then he doesn't need to know my password). Another thing would be some forums, perhaps this one. I don't want to give them the wrong conclusions about me. I also do not want my work place viewing my medical information. The point being I have my own laptop which I can put my own software on, and keep it separate from company stuff. P.S. some schools got in trouble a while back for putting software on laptops so they could access the webcam. Just use some tape for that, people. I couldn't see a company actually hacking this, but you never know, so just exercise a little bit of precaution.

Edited by overwraith

I can understand your reasoning here, but my work has this really wimpy thing called "trust".

They provide you with a laptop with 2 partitions, one's the OS, the other is data. You can fuck up your laptop to your heart's content. If things get fubar'd to the point you can't do your work anymore, you give it to an admin who re-images your OS partition and sends you on your way again. You're expected to use your laptop for work-related stuff but there's the expectation that you'll use it for private stuff as well. If somehow that private stuff leaks onto the network, it's considered both a networking problem (if patches and stuff were up to snuff, this shouldn't be possible) and a user problem (if your machine is causing others issues, your manager WILL learn of this).

People working here are, on average, well educated though, sadly, that doesn't always equate to 'smart'. Everybody has a government cert that says you're not an axe murdering maniac so at least we've got that angle covered. The proxy blocks certain sites (such as the pineapple website :sad:) but I'm sure there are ways to spend your day jacking off to youporn or proxying in your Netflix stream (hell, I've got my 22000 song library from home at my disposal). If this results in you not getting your work done, your manager WILL learn of this and people will ask what's keeping you. If you don't have a good response you get a bad review which, if you keep it up, leads to your termination. I doubt my company is alone in this.

Bottom line is that you're expected to act as a responsible adult. If you can't manage that, you have no business working here.

The only place I've experienced where you're treated like a mass murderer was a bank, where I spent a year at the high value payments department. I hated every fucking second of it because every improvement you wanted to apply to the code required half a rainforest of forms to be filled out and stamped, approved and signed by half the company before you could start. I got really good at drinking coffee there. I wasn't allowed to attach my work laptop to their network - they had machines for you with Windows pre-installed in a disgustingly locked down fashion. You developed on a remote UNIX box adminned by someone who actually knew what he was doing, and who had your manager on speed-dial in case you tried something funny. Since it was a bank and you were very directly handling vast sums of money (we once lost track of a 4 billion euro salary payment order for a day. Compute for a second how much in interest that accrues in that time...) so I really didn't expect it any other way although they did go a bit overboard with some things.

As a general statement, I think it greatly depends on the context. If you're dealing with sensitive shit, your employer is pretty much obligated to mistrust you to some degree because you're in a position to screw him over in such a severe manner.


You're right, trust is wimpy. Here is my motto: "Trust but verify". I honestly don't watch porn... yet. At work it would probably make some people feel awkward, and I don't want all the computer viruses I hear are generally associated with it. I just brought it up because it is one of the aspects that an employee should take into account. My dad works at a contractor business, and sometimes he has to watch basically the nervous center of this project, and monitor for phone calls which could come at any moment during certain exercises. If these phone calls come he has to react to them (I am intentionally being a bit vague here). Therefore it is understood that during this grass growing exercise it is completely ok to watch game of thrones or band of brothers while these exercises are going on. Nobody works harder than my dad on his own projects. I completely agree if you aren't doing work then people will find out, and I would never propose one should try to get away with that. On your mass murderer quip, you have to admit that sometimes businesses are fooled, as happened a while back at a company in the US. Some moron started trying to convert his co-workers to Islam, and when they weren't cooperative he brought a gun to work. I can see what you mean about security being a little too intrusive and exacerbating though. Ideally the security types should try to be as invisible as possible until something goes wrong, AKA don't tell your co-workers that you know they visit sites x, y, and z unless it is a problem (don't be a stalker). Yes, context matters when implementing your security.

Also everybody should be aware that if you connect a personal computer to a company network, then even if you are just browsing on your personal computer, the transmission goes over the company network, and can therefore be monitored. Typically companies won't let you bring your own personal devices sometimes. Just be aware.

Edited by overwraith