User Passwords, and the Law.

By brian96789

I have a legal question regarding domain passwords:

I am the administrator for a small network (about 25 users and workstations), for a small family owned business.
A few months ago, one of the owners told me to keep track (update weekly) of all users' domain logon passwords, because they wanted to logon as an employee and snoop. I provided it with much anger, and did not pursue updating the list.
Last week, they approached me again with the same task. This time I asked them to provide me that question 'in writing', in order to save my back down the road. They also said that they spoke to their lawyer, and he said that the owner is within their rights to collect passwords, since they own the computers, and that larger corporations, such as Microsoft, have a department that does this too...
The question is: Is a company within their legal jurisdiction to demand such a thing from the IT Administrator? Do I grin and bear it?
I am not sure where to post this, but any advice you have would be great.

If it matters (states are different), the company is in Pennsylvania.

Thanks for your advice!

All Answers

Legal, Moral, and Ethical

by Tig2 In reply to User Passwords, and the L ...

If indeed the owner of the business is legally responsible for the purchase of the hardware, he has a right to the passwords.

Where I think that you are having some issue is that the reason you have been provided doesn't appear to be ethical. Simply to say, "I have a legal right" doesn't make the activity acceptable. Indeed, it could get your owner in some trouble if he found something that he needed to use as evidence in a court of law.

Morally, every IT person knows that you don't just hand off a user's password. Morally wrong, ethically wrong.

There is no easy answer to this. Here's what I would try.

First- asking for the directive in writing protects you. But the owner may not see it that way. Perhaps trying to find out WHAT he's looking for is the right answer.

He may have reason to believe that his company information is getting out to public domain. If this is the case, his concern is legitimate but his approach won't yield him what he wants- evidence. But a check of the log files might. Installing a keylogger on that user might. I'm sure that there are others.

Finding out the WHY may give you better ways to handle the WHAT.

Do take the step of making sure that you are not willing to break the law- and that you don't want to see him take a step that would put you both in question.

This is a tough spot. The very best of luck to you!

Off the cuff

by IC-IT In reply to User Passwords, and the L ...

You may want to point out to them that it is useless to possess the passwords. You shouldn't even have a list.
All resources are ultimately accessible by you. Having the password would mean that you or they could have tampered with the user's files/drive/user profile.
The users may be subject to monitoring and the computers are company property, however their entry into the user's profile could easily be construed as tampering with any potential evidence.

Spot on - the password is very dangerous to the owner

by drowningnotwaving In reply to Off the cuff

A "user" could put an argument in court that they had nothing to do with any supposed activity. They'd argue someone else, with access to that user's password, had signed on to their computer in the guise of that user and performed whatever task / action / lookup that had supposedly caused an issue.

Informing the users that their computer, files, emails, web access logs etc etc are open to random scrutiny, and giving clear and reasonable definitions as to what the company's rules are, will work better in the long run.