Windows Forum·65,705 discussions

Spying in IT

Locked

Have you or your IT department been asked or requested to spy on employees, monitor their surfing habits or read their emails? I was asked a while back to setup a users account on their managers system so she could monitor the users emails. I didn’t feel right about this. I know it’s company property but still felt funny about it.
What’s your thoughts on it.

Topic

Set up the users’s account

In reply to Spying in IT

on the manager’s pc?

Please tell me they weren’t logging on as the suspect?

I never use work equipment for anything I wish to keep private for any reason, because it isn’t. I consider anyone who does so, naive at best. As to feeling iffy about it, one guy I worked with got done for child porn, never would have suspected him of that, seemed a decent guy, but there you go. How right would you feel if your action or inaction let such a scrote continue.

At our level, short of good advice so as not to contaminate any potential evidence, you just have to take it on trust that the owners have some ethical reason for doing some thing tht implies a huge lack of trust.

Spying ?

In reply to Set up the users’s account

What happen is this I was asked to setup a Outlook account of a specific user on their managers system. So when the manager opened their Outlook they would see their account AND the specific users Outlook account. It was just like the manager was sitting at the specific users computer. They could see every email that was sent and recieved by that specific user.

Thank Cthulu for that!

In reply to Spying ?

There’s more than a few who’ve asked this question on here where they have accomplished the monitoring by logging on as the user…

My only quibble would be whether management were explicitly telling their people they were actively monitoring them. i.e. publishing their total lack of trust for their people.

Is there a valid reason for that or is it just someone being a prick.

I know management could do it, so I have no expectation of privacy, so I don’t do anything private. If however there is some expectation of privacy, some poor naive twit could be exposing private communications, whether buying somthing on line or a an assignation with the bosses wife to scrutiny.

Better all round if people know where they stand.

Global constant monitoring indicates no trust (quite valid in some situations), clandestine monitoring indicates a total breakdown of trust.

spying?

In reply to Thank Cthulu for that!

Whether the company told the employee(s) or not that I do not know. What I do know is that a couple of the employees WERE let go not long after I set up the accounts for the managers. So I’m guessing here, that managment was just gathering evidence on these employees for something they have or have not done.

Personally I’d be happier with

In reply to spying?

knocking up an auditted tool where an authorised person could asign themself read only access to a mailbox. Results positive or negative should be recorded and their should be some sot of process involving HR. That way it couldn’t be percieved as global spying and negative aspects such as individual harassment could be countered.

There should be a documented reason to commence monitoring, there is no value in it being pervasive and constant in a normal corporate scenario. Tyat’s bad for morale and it should be a waste of resource.

Expectations of Privacy

In reply to Spying in IT

Being partway through my Computer and Digital Forensics degree, I can tell you there really should be no expectation of privacy on a work computer from any employee. Bottom line the employer owns the network and all its components and can do as they wish, and indeed,report their findings to law enforcement.

RE: Expectations Of Privacy

In reply to Expectations of Privacy

Agreed, there should be no expectation of privacy on work computers. I was once asked to compile a list of usernames and passwords so management could log onto employee computers to monitor email. I flat out refused. We came to a compromise and gave management read only access to employee email through the manager’s machine.

Your are lucky you still work there.

In reply to RE: Expectations Of Privacy

Remember what happened to the CCIE in San Fran that refused to turn over passwords? Your situation is not the same, but you still refused a managerial request.

Still…

In reply to Your are lucky you still work there.

There has to be a reasonable way to do it.
Having a manager be able to log on as an employee isn’t necessary, and it’s a flucking mess waiting to happen.
No surveillance OP wants write-enabled access, it’s just so much easier to mess up when you’re able to accidentally or otherwise affect the object of inspection.
And think of the potential for unethical/criminal behaviour that’s then enabled. Like, managers doing illegal things through someones account. Either for their own kicks or to frame that person.
Management should be able to see this problem, and should be interested in limiting it’s own liabilities in that matter.

Such activities are the duty of a Security Officer —

In reply to Still…

preferably, one who has a State license as a Private Investigator. But there should be ways to monitor what individual employees do without needing to log-on to their accounts as they do (doing that is, however, usually more convenient). Auditing is a significant security function for a firm of any size.

Much depends upon the work in which the employee, who could be a supervisor or even an “executive” (manager), is engaged. For example, there is not only the employee who effects the payments to creditors or to other employees. There are also the employees who have the authority to command that employee to pay money to an individual or to an enterprise. Every firm has its own procedures and processes which, at least in the larger enterprises, are designed to forestall and to detect embezzlement and fraud, regardless of whether a computer system or network is an instrument. When those procedures are not followed and other undocumented “customary” procedures take their place, danger is at the door.

No there he was doing his job

In reply to Your are lucky you still work there.

Thew whole point of username and password is to identify someone. Hand them out, and then anyone with access to the document could be anyone of the people on this list.
If you can log in as me it could have been you. No audit trail, any use of evidence collected in management’s scenario would be completely invalid. So he did his job and provided them a technical solution that maintained the integrty of the system.

It’s no different to everybody logging on with same username with a blank password in auditing terms.

There are already sundry schemes for dealing with the mess in san franscisco, all you need is a vaguely competent person to set them up and a process to manage them.

Unfortunately they chose to employ some low forehead type, no doubt he was cheap….

Username and password are identity, authorisation is attached to them.

Exactly.nt

In reply to No there he was doing his job

nt

Which CCIE in San Francisco did that?

In reply to Your are lucky you still work there.

Can you please offer a link to the information?

I believe that this is what they’re talking about.

In reply to Which CCIE in San Francisco did that?

http://preview.tinyurl.com/34taq4w
You probably remember it.

Thanks!

In reply to I believe that this is what they’re talking about.

In July 2008, I probably heard the news but I was too busy to really pay much attention to the details.

San Fran Admin

In reply to Which CCIE in San Francisco did that?

http://www.pcworld.com/article/195171/exit_admin_found_guilty_in_san_francisco.html

He got five years!

Thanks for the link to the most recent story. Sad! -nt-

In reply to San Fran Admin

🙁

The employer also owns all of the network’s contents. -nt-

In reply to Expectations of Privacy

!

not actually

In reply to The employer also owns all of the network’s contents. -nt-

The company is just responsible for all data on the network.
Some companies allow BYOP for example , which does not allow jurisdiction over all data held in private pcs.

The context of my remark was in reply to

In reply to not actually

the specific message, not a generalized assertion. The original post does not mention any “BYOP” (bring your own popcorn). Businesses who allow that are asking for trouble, IMHO, if only because some of the data which is their property is accessed by, if not also stored on, the property that belongs to an employee or agent. Permitting that is usually not necessary and introduces “boundary issues” which can have significant legal ramifications.

Understood but heres where I was really going with that

In reply to The context of my remark was in reply to

But as some Companies have learned in the past,

Ownership of Data can be very dicey, especially if the contents of certain data does not originate from the company or network itself . “BYOP” is a blatant example
of mixed data. Another example would be non company phones being used (such as iphones) to receive company e-mail/data and to conduct biz , corporate laptops used for work and play , visitor/guest pcs/laptops , contractor “blackbox” computing equipment etc.

My favorite is overseas developers who come over to work 6-12 month contracts before rotating back to India who
are too cheap to buy a personal desktop/laptop for home use only. So you wind up with network backups of desktop clients pulling all sorts of garbage . Delete personal data from both the backups and their clients and someone is bound to get angry even though they clearly knew the IT policy.

To attest to your opinion , I worked for a company once that allowed some employees/contractors to bring their own pcs/servers/laptops/whatever for different purposes.
The policy was that in the event IT, management / HR needed to inspect said devices or whenever someone left the organization that the hard drive(s) were to be removed and compensated for. Well, that didn’t sit well and before you knew it rogue servers were running with IT being powerless really to do anything other than disable the network ports. A few ugly walk outs later with ex employees not surrendering their hard drives, the BYOP option was removed. Sad thing is, plenty of hosting companies still allow BYOP

Sad thing, indeed.

In reply to Understood but heres where I was really going with that

Thanks for your explanation. When a situation like that becomes a lawsuit(s), things can really get nasty, murky and very expensive.

By “hosting companies” I gather that you mean the ones which offer to host web sites that belong to other firms or individuals on their hardware and their network. If they don’t have any better security than that, or at least better sense, then I would think twice before dealing with any of them.

[i]Topic Drift:[/i] I can see why a small firm might want to establish a presence on the Internet that way, if only to see whether it can become worthwhile to eventually transfer the site to their own proprietary hardware and network.

But the big campaigns to [i]move[/i] everything to The Cloud and to use SaaS is not only contrary to that, there will be a head-on collision with emerging US ISP tendencies to cap bandwidth usage, by individuals in particular. The ISPs are also fighting “network neutrality”, because they plan to offer higher bandwidth in conjunction with transmission priority, to make their service more appealing at the prices they want to charge to those who can afford to pay them.

Frankly, though, I think that will spell the end of the Internet as we know it, and leave it the playground of the privileged.

Part of the Job

In reply to Spying in IT

I’ve had several requests in the past to spy , gather files, record plaintext conversations over the network and even managerial requests to plant porn on certain employee laptops as to make a firing process go allot smoother.
(I didn’t have to carry out the last request as the person winded up being fired anyways)

evilVNC and other similar remote desktop session monitoring tools are great ways of watching employees , and there are many other ways to retrieve employee emails without risking authenticity . Plain and simple , IT is sometimes henchman work and if you refuse an order , you can easily be the next on the hitlist.

Just remember, when a manager or superior asks you to carry out such tasks that you are considered trusted, and remember what can be done to one person can also be done to the person requesting it . Once they trust you to do their bidding , its not too far off to think at some point later in time they can do your bidding as well willingly or unwillingly , knowingly or unknowingly. Remember, you can always play as a double agent or go rogue .

As for the poor guy being watched, I always recommend trucrypt, multiple layers of encryption + steganography and “accidently” dropping/swapping pc/laptop hard drives
if for any reason you feel you will be terminated or resigning due to hostile work environment in which any accusations true or false can condemn you . Not the college text book recommendation , but the burden of proof is always on the plaintiff and coming from experience and what I’ve seen, doing so on the contrary to popular belief has saved a few people’s @$$’s from losing their jobs
or being held liable for circumstances out of their control.

(Can’t say someone did X Y or Z if there are no network logs and a working hard drive with usable forensic data to pull off can you?)

CYA

In reply to Part of the Job

If you are asked to do something that seems to go beyond the scope of your job into the realm of unethical or illegal, make sure to gather proof that you were told to do this. It is always a good idea to cover your ass so you don’t get in trouble.

Standard Practice

In reply to Spying in IT

As a network administrator of an internation company I was responsible for over 500 accounts in 5 different countries. I was in the position of having or providing access to anyones account. My personal belief is that unless there is justifiable reasons for allowing a supervisor to “spy” on an employee, then they have no right to. If I had been given a legitimate reason such as suspicious behavior of an employee or confidential information leeking that was know by only a few select people, then I would consider granting the request, however I first would check with my supervisor (IT Director) and with our in house counsel to ensure that I was not the one that would be thrown under the bus. As a policy, my boss and myself both agreed that no matter who requested access to anyone elses account – even the CEO, we would not comply without proper justification and with th approval of the legal department. Even though the company “owns” your computer and everything on it, without the confidence of the users you support you will never be able to perform your job properly. I personally also believe that as an IT administrator and the responsibility that comes with protecting information that it is both unethical and unprofessional to give access to any individuals system or information without verification that they are doing something that will potentially hurt your organization or are violating standard policies that are potentially dangerous to the network and its servers. I don’t feel a person installing a game on their system rises to the level of allowing total exposure of their activities, even if they technically were not supposed to. In cases where there was potentially harmful activities done by users, we resolved the problem with them and warned them that if they continued to expose us to hazards, that we would then have to be the “Big Brother” and act accordingly. I know that this is a fairly liberal policy, but we had very few incidents of abuse and were most often asked to assist users in making sure that whatever non work related activity was acceptable to our department and that it was installed and setup properly to protect our systems. I know that would never occur in an environment where users look at the IT department as the eyes & ears of management.

I think that

In reply to Standard Practice

the policies and practices of your company in these matters are quite sensible and effective.

A friend who was a systems administrator for an insurance company, and who was responsible for three networks, was asked to enable access to an employee’s workstation and the records for which they were responsible. He told them that he was not a law enforcement agent and recommended that they hire a licensed private investigator (a P.I.) if they suspected someone of wrongdoing, and to consult with a lawyer before doing anything.

Two managers who were involved were angry at his response, but his own superior told them that he had given sound advice. Eventually, he received, and respected, a request to allow access to the accounts by a licensed P.I. who was an expert at computer forensics and investigations. The employee was found to be one of several who were collectively engaging in an embezzlement scheme. All were arrested, ultimately four were prosecuted and three were convicted on the most serious charges, the other one was convicted of less significant crimes. The main three were sent to prison for various terms, and the other was on probation for a few years.

My friend became interested in criminal investigations and crimes that involved computer systems. He eventually went to work for the firm of the P.I. who had conducted the initial investigation.

Wonder what would’ve happened…

In reply to I think that

They might have messed up the case against them, depending on the circumstances.
Great story.

[Author]

Replies