SHOULD an administrator 'spy' on employees by logging in as the user

By Aussie Gal
I have tried to search around here (and Google) for the answer but failed. And I really need this answer if possible, please.

I know that as an Administrator of a small network myself, I can log into another user's account and find out exactly what they have been doing on the company computer. What I don't quite know is this - how ETHICAL/LEGAL is it?

Personally I would not do it as there was no reason to, no hint of wrongdoing etc. But I was told another Administrator was asked to do this to the other Administrator, and of course didn't like having to do it.

Should they have done it, or should the manager have asked them to do it? I am in Australia so I am not sure if the law would be different here.

The manager is not an IT person, and may not know the ethical issues involved. And as I am still studying, I am unsure either. So I thought I would come to this great place and ask what you think.

I would appreciate an answer very much. Thank you!


Wow great answer

by Aussie Gal In reply to Well as this is a Compani ...

Thanks! I was born where you are hehe.

The problem is that the Manager did ask the other Administrator to have a look around, FISHING. There was nothing to find, but there is enmity between the Manager and the 'target' Administrator. The other Administrator did log on and left the Manager with the computer, as they were too ethically challenged to do more.

The Manager has no idea about Ethics as far as computers are concerned. And this is what bothers me. I feel like she might ask this person to do it to me (nothing to find) or others, and it is just an invasion of privacy.

As I said, we are a very small NGO, right in the middle of building the policy. And I just find it offensive that the Manager logged in on a fishing expedition, hoping to get the target in trouble. There is no question about porn etc, just that 'oh you chat too much' when they only chat in their lunch break, and 'you answer personal email' when there is no policy against it etc.

I just feel like everyone needs to change passwords and we Administrators refuse to give it to the Manager. The Manager is not IT literate, and has proved they will log into your account to spy on you if you have done something to upset them. That's just an abuse of power, IF this happened. I am going to do checking tomorrow to see for myself if the Manager did in fact do this.

I hate this kind of spying in such a small organization that up until recently was a family....

Thanks heaps for your input :-)

Things like this are very common in Family Run Businesses

by OH Smeg In reply to Wow great answer

The down side however is that those who do it are leaving themselves and the Company Wide Open for a massive Court Challenge and loss when someone complains.

I have seen cases where the owner, also a female, will alter the Windows IM to send copies of all communication to them as well as whoever is on the other end of the line. They have done the same with E-Mail so they get to read everything that is done relating to IM & E-Mail applications. I find it disturbing when those involved in this do it for nothing more than their Own personal Titillation or self gratification but maybe that is just me.

Justice Connelly however has spoken to me on this issue and confirmed to me that it's wrong and is a very dangerous thing to be involved in. Perhaps you should talk to Terry O'Gorman. I would suggest contacting him through the Civil Liberties Association or whatever it's called now rather than ringing his offices where he is a Barrister and ask for direction here. Either Terry or Ian would be better to speak to rather than me as they know the Law in far greater detail. After all that is what they do for a living and both are highly competent and quite approachable from my experience.

Personally I prefer talking to Terry but that's a very personal thing as once upon a time when I had a Life and went out everywhere I went I would bump into Ian and his wife or his entire family. I had to warn him that if he didn't stop stalking me I would have to seek relief from the courts.

But both are very friendly and quite approachable if you get them outside of their Legal Practices.

Only possible down side is if you know the Law it may get you into trouble when you refuse to do something that is Blatantly wrong. These people who do things like this don't worry what is right or wrong or even know most of the time but they do take it personally when they do not get their own way or end up costing the organization that they work for lots of money.

In QLD Health I have seen some higher up Bureaucrats ruin a perfectly good investigation because they believe they know better and will do as they think right. This has always resulted in the wrong thing happening and the guilty party doing as they please to the detriment of all others. This type of person fails to comprehend that they are not the End of everything but just a cog in the entire machine and go crazy with what little power they do have allocated to them.

It's one of the problems of working at a small organization where some more senior people are scared of their staff and constantly try to find reasons to have them stepped upon to advance their own positions. When it happens it's no fun and if these can be pulled into line places like this can be a real enjoyment to work at.

Maybe you could suggest hiring a very Prominent Barrister to advise on the Legal Aspects of the Computer Usage Policy so that the company doesn't leave itself open to Litigation if someone is unhappy with the goings on of all people at this place. You or at least the company needs to ensure that what they come up with is actually Legal and enforceable.

However if someone was to want to look at what I did on one of these computers they are welcome to as far as I'm concerned as I never do anything that could land myself with problems. Though I would be very uncomfortable if they were to access a Sensitive section of the business after I had worked there when they have no right to access that area. Things like accessing the Company's Bank Accounts/Records or Staff Review Forms and things like that would make me very unhappy and less likely to return there if a breach like that was allowed to happen. Doesn't matter if it's the owner but when they are only an employee there and they start to get into the Owners files and things like that I do have to step in to improve Security.

Also if they left this person to dig around they would have left tracks and if the Admin in question is any sort of an Admin they would know already. Generally speaking doing things like this is not Legally Wrong unless you sneak around and employ Subterfuge to try to hide your actions. That is where the real problems start and the possibility for Litigation against the company begins.



It might be necessary

by Tony Hopkinson In reply to SHOULD an administrator ' ...

However, log on as them. How are you doing that?

If it means you know their password, then all your investigations are meaningless. All they have to say is you did it logged on as them and you're near f'ed.

Things are more complicated...

by Aussie Gal In reply to It might be necessary

I *thought* the person who logged the manager in as the other administrator, was themselves an administrator. However, on logging into the server today, I discovered the person that was forced to log the manager in, has the passwords, but is NOT an Administrator. So for the manager to get another user to do this... not happy.

Myself, I would never do it. Especially since the 'victim' is actually an Administrator.

I am trying to figure out how through Windows Server 2003, I can find out when a user logged on, if logging was not already set up??? I need proof this happened, though the person who did it, all but admitted it to me.

This is just dirty business, that is why I need other people's advice. And I appreciate it all very much.

Could be simple that

by Tony Hopkinson In reply to Things are more complicat ...

Depends on where they did it from. When 'they' logged on as another user, it would have created them a profile.....

I think if you login as them,

by TonytheTiger In reply to SHOULD an administrator ' ...

you just gave them plausible deniability.

I agree

by Aussie Gal In reply to I think if you login as t ...

There was never anything to find anyway. It is more the manager having a problem with the administrator, and wanted to find evidence against them. All that could be found was chatting in lunch time which is allowed, and so is emailing.

Today I told everyone to change passwords and do NOT tell anyone, not even the Manager.

Should the Manager be an Administrator? They know NOTHING about computers, and if they are this paranoid, they could log into the server. And if they want to shut down the computer.. they would 'shut down' but that would shut down the whole server!!

This is just so complicated, but I appreciate everyone's opinion, thanks.


by LarryD4 In reply to SHOULD an administrator ' ...

No matter where you work, no matter the attitude of IT in the organization. You have to respect the trust the user has, that his logon, as long as the user is compliant with policy, has some semblance of privacy.

Most companies have policies protecting both sides of the coin. Our policy is explicit and vague all at the same time, but it is a work in progress. See below.

III. No Personal Use/No Expectation of Privacy

Users are advised that computers, computer networks, E-mail and other electronic communications systems and all communications created, received, stored on or transmitted through these systems are Organization property. Accordingly, users shall not use these resources for personal use and have no reasonable expectation of privacy regarding this equipment, networks, systems, or these communications and are advised that the systems and their communications are subject to monitoring and interception by management. While the systems may contain passwords, locks, encryption or other security features provided to users, users are advised that these security features exist to protect the Organization's business interests and not to protect a user's personal use of a business resource.

IV. Routine Monitoring and Systems Maintenance

Authorized information technology personnel may access or monitor computer systems, networks, internet access/use, electronic mail, and other communications created, received, stored on or transmitted through these systems only in the course of system maintenance and repair, and only for purposes of assuring system performance and security or detecting breaches of that security. Any violation of this security policy discovered during such routine maintenance and monitoring shall be reported to the Administrative Director and the user's immediate supervisor.

V. Non-Routine Monitoring

Approval to access or monitor the computer systems, networks, internet access/use, electronic mail, and other communications of a user may be granted by the Administrative Director for any legitimate purpose, including but not limited to, the following circumstances:
• In the course of asserting a claim or legal defense of the Organization or an Organization employee in a civil action or administrative proceeding;
• Investigations of allegations of employee misconduct or violations of the law;
• Investigations of abuse of Organization resources;
• Investigations of breaches of security; and
• When a user is unavailable and the Organization must conduct business. Verification of a user's unavailability is required. In this instance, management should attempt to contact the individual and inform the individual prior to asking the Administrative Director for permission to access the individual's computer files.

VI. Information Sessions/Training

All authorized Organization users shall be informed or trained on this policy and its importance.

Good policy

by Aussie Gal In reply to No..

Thanks for your post. I find that policy very interesting. That is what we are trying to do now, formulate the policy. But if the Manager themselves abuses this policy by having the Administrator spied on... hence the problem.

I am going to discuss this at a meeting tomorrow so I need everyone's opinions and appreciate it. You guys are cool :-)

my thoughts

by jck In reply to SHOULD an administrator ' ...

A) If the manager is not the IT Manager, that manager should not be ordering around IT staff to do things. If they are an executive above management level, then they should go through their subordinate or the executive overseeing IT function.

B) I think it's unethical to just "spy" on a user, unless you feel there are possible legal, moral, ethics, or policy violations. Just reading their email because you can is not right to me.

C) If another manager is ordering around IT staff without authority to do so by position in the corporate structure, then I'd go to the IT manager. If they are unaware, inform them. If they are aware, doing it to make sure shows you care about your boss and them not getting end-arounded...if done and said right.
