General discussion

Locked

Management want's me to spy

By hellboy ·
Management want's me to spy on a user.
I'll be using an app that is 100% hidden. Does screen captures etc. My question. Is there a doc out there that I can have management sign to LIMIT my liability. I want signatures from all management stating that they are authorizing me to spy. Thoughts? I have done this before, but this is the first time that have been asked to compile data aginst a user for possible use in court. I have also spoken with the feds and am searching for this form per their suggestions.

thanks

This conversation is currently closed to new comments.

76 total posts (Page 1 of 8)   01 | 02 | 03 | 04 | 05   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Too late

by Cactus Pete In reply to Management want's me to s ...

You just posted that question to a public forum with your email address as your alias. You might want to change that soon - Mr. Prescott might appreciate it too, along with Hans, et al.

Collapse -

Very good advice (EOM)

by maxwell edison In reply to Too late
Collapse -

Crap

by hellboy In reply to Very good advice (EOM)

Thanks Guys

Collapse -

No expectation of privacy

by Navyair In reply to Crap

I'm not a cyberlawyer, but there are numerous issues at play here:

1. Company policy-do they have a written monitoring/consent to monitor policy?
2. Anything on the initial logon screen stating this policy?
3. Civil or criminal investigation? Makes a BIG difference in levels of fidelity/rules of evidence. Downloading music is afar cry from child porn or other nasty stuff. Have had to discipline one employee for the former, and imprison another for the latter.

I just moved from a job as a govt CIO where we had keystroke monitors and surveillance software. My policy (in writing) was that only 3 people including me could authorize its use.

Bottom line is to keep asking questions until you are satisfied you understand all the ramifications of the particular situation you are involved in. If you cannot use company lawyers, ask to talk to whichever dept lawyer of the public office which is asking you to do the surveillance. Your boss cannot "indemnify" you with a piece of paper if what they are asking you to do is illegal...however, most court decisions have sided with companies on the limitation of personal privacy in the workplace when using corporate services to communicate.

Collapse -

From a government perspective

by 5 O'Clock Somewhere In reply to Too late

Fisrt of all, I am really suprised at the Feds reponse. Do you have a warning banner or user agreement in place that you haven't told us about? All of our users agree to monitoring and full disclosure each time they log onto any machine/web site in our domain. The warning banner alerts each user that he/she is subject to monitoring and that use is restricted to official government use only. If you have some similiar warning in place or have had your users sign an official use agreement then I would say you have no problem. If however, you do not have something like this, you are in a grey area at best. I would get a "get out of jail free" letter from my employer if none of the above are in place and implement these changes into your user's daily routine to establish informed consent throughout your organization. Without it, the user can argue that he/she had a resonable expectation of privacy and your collection of information my land you and your company in hot water.

Collapse -

Your Right On

by DataMordechai In reply to From a government perspec ...

I also work for the government, and we have every one sign proper use policies before we let them have there equipment. The other question is, are you a medical facility? Heck, is your company covered by HIPAA? If so you could already avoid a lot of legal concerns because most of this would be covered by the HIPAA Information Security Act. And, if your people are required to sign this policy they are also under the following guidlines. You say How? well if someone is performing connections that could allow an opportunity for any type of remote access into the network, then they could be jeopardizing confidentiality. Remember, anything with a social security number is considered sensitive information, and if they are creating possible breaches in your system then they are liable regardless.

Collapse -

Debate All You Want..........

by AnswerMan In reply to From a government perspec ...

And sometimes that's necessary. However, at the end of the day, if it's company owned property, servers, workstations, electric power .....Anyone that THINKS they have ANY expectation of privacy is wrong. Period.

As for my boss asking me to do this...... fuggem, let 'em do their own dirty work. See if maybe there is a "network / client priveledge" (loosely translated) that somehow can be invoked? In other words.. "whose watching the ones watching the ones, watchin us?" (Holy James Bond)

Ethical discussion is this. What if this same boss asking for this, came under suspicion from his higher-ups, and then you were asked to spy on HIM? Wouldn't THAT be a beautifully "karmic" world?

Or here's one even harder.... what if the CIO (your ultimate boss because if anything ever escaltes past that point, other top level managers are either too lazy to get involved, or can't be bothered..... SO...... Your CIO asks you to "spy" on the President of the company.... Perhaps a power play of some kind....

Do you just keep complying with every request? When does it end?

If you have no warning on the splash screens, GET ONE.... If the person under this investigation stops what they are doing, haven't you won? If not, then they deserve what they get. But.... if you bring this up to the management, and they feel it would be "waking the baby", then they are NOT after a clean policy, but rather they are after a victim.... and I would shy away from that.

So once again, fuggem, let 'em do their own dirty work.

Collapse -

Agree and disagree...

by bewernick.andrew In reply to Debate All You Want...... ...

I agree that since it is company property and company time the data on the computer etc. is company property too. The user is responsible to work for the company and not him/herself.
I disagree that the management should be asked to do their own "dirty work". I would think this a reasonable expectation of the IT dept.

Collapse -

Right On... What AnswerMan said...

by Pr0x1 In reply to Debate All You Want...... ...

Not their property, the company can do what they want. I would also assume that all employee's signed a useage policy for assets... if not, create one and get it approved/distributed, along with a login splash screen reminder.

Answerman is also right that, its more of an ethical issue than anything. How do I know this? experience... trust me, it happens, and careful cause if you don't CYA, it WILL come back to bite you in some form. Just make sure you CYA as high as you can go, and that others are dictating the action taking responsibility for your actions..

Collapse -

best to clear it with the lawyers

by JimHM In reply to Management want's me to s ...

First your company lDC should have a law office to assist you. Approach them - if they balk at then contact your own lawyer - and get the info - if you don't trust the company mouths then get your own lawyer - but in any case even if it costs you a few hundred - better safe than sorry and paying someone a few hundred thousand for invasion - and your company using you as the scape goat....

good luck - also I would change to something other than my email address and mark my alais private - just opened a can of worms on a public forum site...

Back to Security Forum
76 total posts (Page 1 of 8)   01 | 02 | 03 | 04 | 05   Next

Related Discussions

Related Forums