General discussion

Locked

Spying in IT

By tweakerxp
Have you or your IT department been asked or requested to spy on employees, monitor their surfing habits or read their emails? I was asked a while back to set up a user's account on their manager's system so she could monitor the user's emails. I didn't feel right about this. I know it's company property but still felt funny about it.
What are your thoughts on it?

This conversation is currently closed to new comments.

27 total posts (Page 3 of 3)


Understood, but here's where I was really going with that

by vulturex In reply to The context of my remark ...

But as some companies have learned in the past, ownership of data can be very dicey, especially if the contents of certain data do not originate from the company or network itself. "BYOP" is a blatant example of mixed data. Another example would be non-company phones being used (such as iPhones) to receive company e-mail/data and to conduct biz, corporate laptops used for work and play, visitor/guest PCs/laptops, contractor "blackbox" computing equipment, etc.

My favorite is overseas developers who come over to work 6-12 month contracts before rotating back to India who are too cheap to buy a personal desktop/laptop for home use only. So you wind up with network backups of desktop clients pulling all sorts of garbage. Delete personal data from both the backups and their clients and someone is bound to get angry even though they clearly knew the IT policy.

To attest to your opinion, I worked for a company once that allowed some employees/contractors to bring their own PCs/servers/laptops/whatever for different purposes. The policy was that in the event IT, management / HR needed to inspect said devices or whenever someone left the organization that the hard drive(s) were to be removed and compensated for. Well, that didn't sit well and before you knew it rogue servers were running with IT being powerless really to do anything other than disable the network ports. A few ugly walkouts later with ex-employees not surrendering their hard drives, the BYOP option was removed. Sad thing is, plenty of hosting companies still allow BYOP.


Sad thing, indeed.

by Ocie3 In reply to Understood but heres wher ...

Thanks for your explanation. When a situation like that becomes a lawsuit(s), things can really get nasty, murky and very expensive.

By "hosting companies" I gather that you mean the ones which offer to host web sites that belong to other firms or individuals on their hardware and their network. If they don't have any better security than that, or at least better sense, then I would think twice before dealing with any of them.

Topic Drift: I can see why a small firm might want to establish a presence on the Internet that way, if only to see whether it can become worthwhile to eventually transfer the site to their own proprietary hardware and network.

But the big campaigns to move everything to The Cloud and to use SaaS are not only contrary to that, there will be a head-on collision with emerging US ISP tendencies to cap bandwidth usage, by individuals in particular. The ISPs are also fighting "network neutrality", because they plan to offer higher bandwidth in conjunction with transmission priority, to make their service more appealing at the prices they want to charge to those who can afford to pay them.

Frankly, though, I think that will spell the end of the Internet as we know it, and leave it the playground of the privileged.


Part of the Job

by vulturex In reply to Spying in IT

I've had several requests in the past to spy, gather files, record plaintext conversations over the network and even managerial requests to plant porn on certain employee laptops as to make a firing process go a lot smoother.
(I didn't have to carry out the last request as the person wound up being fired anyways)

evilVNC and other similar remote desktop session monitoring tools are great ways of watching employees, and there are many other ways to retrieve employee emails without risking authenticity. Plain and simple, IT is sometimes henchman work and if you refuse an order, you can easily be the next on the hit list.

Just remember, when a manager or superior asks you to carry out such tasks that you are considered trusted, and remember what can be done to one person can also be done to the person requesting it. Once they trust you to do their bidding, it's not too far off to think at some point later in time they can do your bidding as well, willingly or unwillingly, knowingly or unknowingly. Remember, you can always play as a double agent or go rogue.

As for the poor guy being watched, I always recommend TrueCrypt, multiple layers of encryption + steganography and "accidentally" dropping/swapping PC/laptop hard drives if for any reason you feel you will be terminated or resigning due to hostile work environment in which any accusations true or false can condemn you. Not the college textbook recommendation, but the burden of proof is always on the plaintiff and coming from experience and what I've seen, doing so on the contrary to popular belief has saved a few people's @$$'s from losing their jobs or being held liable for circumstances out of their control.

(Can't say someone did X, Y or Z if there are no network logs and a working hard drive with usable forensic data to pull off, can you?)


CYA

by gmalleus In reply to Part of the Job

If you are asked to do something that seems to go beyond the scope of your job into the realm of unethical or illegal, make sure to gather proof that you were told to do this. It is always a good idea to cover your *** so you don't get in trouble.


Standard Practice

by bptjr3 In reply to Spying in IT

As a network administrator of an international company I was responsible for over 500 accounts in 5 different countries. I was in the position of having or providing access to anyone's account. My personal belief is that unless there are justifiable reasons for allowing a supervisor to "spy" on an employee, then they have no right to. If I had been given a legitimate reason such as suspicious behavior of an employee or confidential information leaking that was known by only a few select people, then I would consider granting the request, however I first would check with my supervisor (IT Director) and with our in-house counsel to ensure that I was not the one that would be thrown under the bus. As a policy, my boss and myself both agreed that no matter who requested access to anyone else's account - even the CEO, we would not comply without proper justification and with the approval of the legal department. Even though the company "owns" your computer and everything on it, without the confidence of the users you support you will never be able to perform your job properly. I personally also believe that as an IT administrator and the responsibility that comes with protecting information that it is both unethical and unprofessional to give access to any individual's system or information without verification that they are doing something that will potentially hurt your organization or are violating standard policies that are potentially dangerous to the network and its servers. I don't feel a person installing a game on their system rises to the level of allowing total exposure of their activities, even if they technically were not supposed to. In cases where there were potentially harmful activities done by users, we resolved the problem with them and warned them that if they continued to expose us to hazards, that we would then have to be the "Big Brother" and act accordingly.
I know that this is a fairly liberal policy, but we had very few incidents of abuse and were most often asked to assist users in making sure that whatever non-work-related activity was acceptable to our department and that it was installed and set up properly to protect our systems. I know that would never occur in an environment where users look at the IT department as the eyes & ears of management.


I think that

by Ocie3 In reply to Standard Practice

the policies and practices of your company in these matters are quite sensible and effective.

A friend who was a systems administrator for an insurance company, and who was responsible for three networks, was asked to enable access to an employee's workstation and the records for which they were responsible. He told them that he was not a law enforcement agent and recommended that they hire a licensed private investigator (a P.I.) if they suspected someone of wrongdoing, and to consult with a lawyer before doing anything.

Two managers who were involved were angry at his response, but his own superior told them that he had given sound advice. Eventually, he received, and respected, a request to allow access to the accounts by a licensed P.I. who was an expert at computer forensics and investigations. The employee was found to be one of several who were collectively engaging in an embezzlement scheme. All were arrested, ultimately four were prosecuted and three were convicted on the most serious charges, the other one was convicted of less significant crimes. The main three were sent to prison for various terms, and the other was on probation for a few years.

My friend became interested in criminal investigations and crimes that involved computer systems. He eventually went to work for the firm of the P.I. who had conducted the initial investigation.


Wonder what would've happened...

by AnsuGisalas In reply to I think that

They might have messed up the case against them, depending on the circumstances.
Great story.
