SHOULD an administrator 'spy' on employees by logging in as the user

By Aussie Gal
I have tried to search around here (and Google) for the answer but failed. And I really need this answer if possible, please.

I know that as an Administrator of a small network myself, I can log into another user's account and find out exactly what they have been doing on the company computer. What I don't quite know is this - how ETHICAL/LEGAL is it?

Personally I would not do it as there was no reason to, no hint of wrongdoing etc. But I was told another Administrator was asked to do this to the other Administrator, and of course didn't like having to do it.

Should they have done it, or should the manager have asked them to do it? I am in Australia so I am not sure if the law would be different here.

The manager is not an IT person, and may not know the ethical issues involved. And as I am still studying, I am unsure either. So I thought I would come to this great place and ask what you think.

I would appreciate an answer very much. Thank you!


All Answers


Yes / No

by Wizard-09 In reply to SHOULD an administrator ' ...

No, it's not illegal to access someone's computer on your network, i.e. work network, if you're the administrator. I would say that you should not do this unless you are investigating something or someone.

You should also have a legal notice when they sign into the network that they have no rights etc. etc.; Google "network logon notice".


Interesting, thanks

by Aussie Gal In reply to Yes / No

Thanks for this answer. The interesting part is that it is the Administrator that the other Administrator supposedly 'spied' on, that is supposed to actually write the policy. There is no legal notice about what is and is not allowed. And I think the worst this Administrator was doing was chatting only in their brief lunch break, but again there is actually not even a policy saying that chatting/emailing is not allowed either... yet.

We are a very small NGO and are in the middle of writing up the IT Policy. I just find the thought of logging into another Administrator's account without any reason to suspect any wrongdoing (porn etc)... distasteful. And it opens up a can of worms, since the 'target' is an Administrator, if the users don't know this could happen....

That is why I am interested in hearing all opinions on this matter. Because I know this happened, but I do not know if I should approach the Manager and discuss my concerns - at least not without finding out where I stand first. I am a VOLUNTEER so... I have a bit more freedom than workers, but still...

The manager had asked for and received ALL the users' passwords, but swore they would not be used. IF they have been used to spy on another Administrator....

Is there a need for Administrators to have users' passwords, when they could easily just reset them???

Thanks heaps for this.


Yes / No

by Wizard-09 In reply to Interesting, thanks

No matter what, passwords should not be given to anyone, not even your manager or co-workers. Let's put it like this:

If someone knows your password, they use your account and mess up or hack some part of the system, and are using your network ID, you're going to get the blame for it.

If an admin needs to log in as another user he must first tell the user the password is being reset and that he will be accessing the PC (if the person is not being investigated).

If one admin is spying on the other then something is going on. I would talk to your manager about this; if I was the other admin I would not be happy.


Thanks, you are great :-)

by Aussie Gal In reply to Yes / No

I am glad to get you online, as this really helps me.

Problem is that it is the MANAGER that 'asked' the Administrator to spy on the other Administrator. And it is the Manager that 'asked' for the passwords.

Thank you for this information, it means a lot. As the IT policy will be discussed at the Management Committee Meeting, I intend to point this out. And I will also quietly suggest to the staff that they all change their passwords and don't tell anyone.

I am very grateful for this, thanks.


Logging in as them is not

by Dr Dij In reply to Thanks, you are great :-)

'spying' on them. It is simply pointless, and worse destroys the integrity of your system.

For spying on them you would not need their account password at all, only to access relevant logs and monitoring software. And this is called monitoring, not spying, since any employee or admin should expect that data on a company system could be monitored.

Logging in as someone else violates the ethic of holding admins accountable for their actions. If someone else can log in as them then that means they MIGHT NOT HAVE COMMITTED any particular act that shows up in the log. So someone might use logins to frame them for a malicious act.

Since another admin can do anything the orig user can do there is not the slightest reason to login as the other admin except to commit crimes to implicate the other person, fake transactions, etc.

You could set up logging on a separate machine to ensure integrity of logs.

As other posters have said, in general it is better to reset passwords if lost rather than keep them. That way if the person asking for password is not correct person then next time correct person tries to log in will regain control and that would be noted.

This isn't as far out as it seems. Do you know personally everyone who might ask for password? In our case I worked for a company that supported clients at other companies logging in to system. I sure as heck have hard time authenticating that they are who they say they are. Therefore resetting password is much better than storing it, with inherent risk of master list being stolen, read.. At the other companies, when a password was 'lost' it generally instead meant some new user was now in charge of the data access / maint.

Resetting pwd means that previous person no longer had access that they should not have anymore.


Actually things get a lot more involved here

by OH Smeg Moderator In reply to Interesting, thanks

By handing over the User Passwords the Manager themselves can now be accused of placing things on the system and can be liable for any wrongdoing.

There is never a need to Secretly Log into a Terminal without the End User's Knowledge for the Average System Admin. Even when the End User requests this to occur they will just hand over the Password and if the system is working correctly the System Admin will Log in with that. Personally I find that I don't remember what End Users' Passwords are the moment that I have entered them and that can be for something as simple as a Data Entry Person's Terminal to the Company's Bank Account Access on the Owner's system. Most of the time I just don't want to even know what the Passwords are to begin with but am forced to ask for these during the course of my Job. I always suggest to the End User to Change their Password after I leave or finish the job for basic Security. This is for those not on a Domain who generally speaking own the Business in my case but for normal End Users I reset the Passwords and let them enter what they like.

However from my limited experience if you really want an end user's Password most times all that is required is to lift the Keyboard and look at the Sticky Note either stuck to the Desk or underside of the Keyboard. I tell them not to do this but they continue to as well as use the same password that I suggest that they change after I finish.

The Conscientious of Opinion is that if they can not trust me they shouldn't be doing whatever it is that they are doing and I don't like it one little bit but as they say you can only lead a horse to water you can not make it drink.

When I need to consistently Log in and reboot whatever, I write the password down on a piece of paper and shred it when I'm finished the job if it is a short duration job that will only take a few minutes like maybe 45 minutes; if it is any longer I just disable the password as I find it a nuisance to my work constantly needing to enter a Password on every restart.

But in a case like this the Manager and anyone else who is given the Password/s can be accused of placing things on the system if this hits the Courts. It will be impossible to prove who is responsible for placing anything on the system at all under those situations and the Company will lose any case brought against. It will also show a culture of inappropriate behavior to the Courts who will award Damages accordingly.



All of the Literature I have read...

by dcolbert Contributor In reply to Actually things get a lot ...

Indicates that this is an issue that is potentially very risky and that varies a lot by jurisdiction.

I would talk to your company's legal team, HR or a lawyer and define a policy specific for your organization and location. Even then, it might not keep you out of trouble, but it certainly couldn't hurt to be able to prove that you exercised your due diligence before taking action.

Generally speaking, I try to dissuade department managers from requesting us to look very deep into users' accounts unless there are clearly grievous violations going on. Being an HR/Corporate police officer is not part of my training and not something that I want to have associated with IT duties, roles and responsibilities.

Now on the other hand, I think there are some admins out there that *relish* in this kind of role.


No Problem

by Wizard-09 In reply to SHOULD an administrator ' ...

Glad I could help you out a little, good luck with it.



by Aussie Gal In reply to No Problem

You helped me out a lot :-)


Well as this is a Company's Computer

by OH Smeg Moderator In reply to SHOULD an administrator ' ...

There is no way to expect Privacy of an Individual User's Account or actions.

Personally I wouldn't have a Problem with looking at the general things but I wouldn't draw the line at looking at what are obviously Personal E-Mails received at work.

As I'm in Brisbane the Law here is the same for both of us and this is where things get fuzzy. Some Places like QANTAS attach a Footer to every E-Mail that they send which says that they are intended for the recipient's eyes only; even if they are sent to a Work E-Mail Address this sort of applies. It really depends on what if anything is found in E-Mails like this. On occasions I have had to access an End User's Computer to get some information for either the End User themselves who are out of the office or for their employer when the End User was at an International Conference.

If you look specifically for what was requested there isn't a problem but if the person looking opens every e-mail or whatever and goes looking for anything just as a Fishing Expedition that is wrong. It is sometimes necessary to look for genuine Business needs and as such you don't need to go digging around for the fun of it. After all I don't have the time to waste just looking anyway for the fun of it.

However if there is a Genuine Legal Need to do this for some claimed Illegal Activity you will breach the Chain of Evidence and anything found will not be considered as belonging to the person under investigation. For instance if someone was assumed to be downloading Kiddy Porn on a Business Computer and you go looking in Court it will be argued quite rightly that the person who went looking and found such & such planted it there to frame another and the person who goes looking will be considered far more likely to be Guilty than the actual user who may have been responsible for it being on the computer to begin with.

If there is any possibility of Legal Action you should drop everything and call in the proper Authorities to investigate the system and its contents. When they give Evidence they are considered as Expert Witnesses unlike a Local Admin who has complete control over what ends up on the individual or complete system. So as you will be a Suspect it is better not to go looking to begin with.

Depending on the organization there should be strict Guidelines in place for reporting any potential activity that can harm the Business or is blatantly Illegal to begin with. As we are not Experts in what Constitutes Pornography or Kiddy Porn we should not be involved in looking for this type of thing or unnecessarily accessing systems just because we can. If there is a Genuine Business Need to look at an individual system you have a right to look but not a right to blindly examine everything that is stored on the system.

However if you are instructed to look for something not directly Business Related you should cover your A$$ and get the Instruction in Writing so that when called to give evidence or be Interviewed by the Authorities you can quite rightly point to the Written Instruction and I wasn't looking for anything I was instructed to have a Look see and this is what I found. While it will not cover you fully it will at least help to Mitigate the concerns of what you have done in doing your job and show no Intent.

