Ethics

Oct. 17th, 2005 11:58 am
[identity profile] docskurlock.livejournal.com posting in [community profile] techrecovery
Ok, so the other day, the owner of the company asks me to put some software on the server (his words) that would allow him to view what everyone in the company was doing. He claimed that he paid 900 bucks for some software that my predecessor had used, and it showed every page on every system every 5 seconds. He wanted to view websites, passwords, you name it.

My question to all of you is this:
Would you do this and why?

Would you have a problem if you were forced to do this?

Don't get me wrong, I know he's the big boss and he can probably find out more information about someone, but wanting to see their passwords on their bank accounts or what have you, I mean, that's stretching it, in my opinion.

Date: 2005-10-17 05:10 pm (UTC)
From: [identity profile] usekh.livejournal.com
Depends on your work IT policy. Does it allow for using it for personal reasons?

A better question...

Date: 2005-10-17 05:17 pm (UTC)
From: (Anonymous)
Is there any evidence that the software was ever used before?

Or maybe the last person had to leave because they refused to install the software?

Or just maybe your boss said that so you wouldn't think too hard about the effects of installing it?

Date: 2005-10-17 05:22 pm (UTC)
From: [identity profile] thalionar.livejournal.com
There is no reason he should be able to see people's passwords. If he can see pages, he can have proof of what is being viewed, *without* having access to their bank accounts.

Really. At the point you have access to someone's bank account (or personal email or whatever), you've gone too far. Especially if the point is to see if someone is using the machine for unauthorized purposes, just knowing what pages they're going to should be sufficient.


Date: 2005-10-17 05:31 pm (UTC)
From: [identity profile] jcaswell.livejournal.com
We run a program called NetOp, but we're a school, and monitoring what the bastards little darlings are getting up to is unfortunately quite important - and often quite amusing :) We don't monitor anything the staff do though, and I think I'd have a bit of a problem with doing that :\

Date: 2005-10-17 05:40 pm (UTC)
jecook: (Default)
From: [personal profile] jecook
I occasionally get called upon by mid level management (site supervisors) and the HR department here to do some "checking" on sites.

Why is the big boss wanting to see this information? To make sure his employees are not slacking off?

As far as capturing passwords, that's a large red flag in my book. Why would he need the passwords to his employees' bank accounts? For payroll, a perfectly legit means exists to put money in. Removing it is theft in my book.

I have a problem personally with web monitoring software. However, I trust my users to not screw the machines up.

Plus, if I really wanted to censor content, I'd be putting in a content filter at the internet gateway before I toss anything intrusive on the machines. A gateway filtering machine is a better way of performing filtering anyhow.

CYA

Date: 2005-10-17 05:43 pm (UTC)
From: [identity profile] dazzedelf.livejournal.com
Get the order in writing. Have him put in writing the program he wants installed and the level of access he wants it to give him, to be able to see what comes up. That way if he gets sued for using the HR admin's credit card to buy porn on eBay, he can't blame you for giving him too much access. If you are concerned with the ethics and the privacy violations, I would say something to HR.

Date: 2005-10-17 05:47 pm (UTC)
From: [identity profile] kalidor.livejournal.com
If it does not say they are being monitored in the policy, I would point that out. Then if he does want to continue, inform him that you have to draft a new Proper Computer Usage policy, send it to all workers, and have them sign it, before you can do the install ...

Date: 2005-10-17 06:12 pm (UTC)
From: [identity profile] kalidor.livejournal.com
That said .. web monitoring software gives me the irks .. and there is no reason to know passwords. You should have the ability to change any password to any systems he needs access to. That said, remember a simple rule: if the boss wants you to change a password, make sure you have a request document signed by both him and HR with a reason for the password change request (unless it's his own account and he locked himself out .. heheh).

That will cover your hind in internal bickering too.

Date: 2005-10-17 05:54 pm (UTC)
From: [identity profile] redqueenmeg.livejournal.com
Ethically, I'd do a new policy that the users have to sign saying they know they'll be monitored.

As was pointed out by my law prof to me, though...

even if the company says they absolutely WILL NOT monitor your Internet activity, and they do anyway (basically, if they flat-out lie), the law is STILL on the company's side right now, at least in the US.

The company's right to protect itself from legal action based on your Internet activity is considered to totally trumpt your right to privacy.

Just FYI.

Date: 2005-10-17 05:54 pm (UTC)
From: [identity profile] redqueenmeg.livejournal.com
*trump. Doh.

Date: 2005-10-17 08:27 pm (UTC)
From: [identity profile] byh.livejournal.com
As for me - I make it very clear to everyone on our network that everything they do may be monitored without warning. Internet traffic, e-mail, files - anything. It is done for security and troubleshooting.

Not that I hunt for their private stuff, but sometimes I stumble upon it. I never turn anyone in for anything weird I discover except when I suspect an information leak, but everyone knows they are monitored.

As for ethics - it is a workplace and you are supposed to work here. Although if someone does something stupid but not critical in terms of security (like one girl downloaded a boatload of TV-shows) I just warn them without reporting it.

About your case - I would do it but also I would make sure it is reflected in your IT policy.

Date: 2005-10-17 08:46 pm (UTC)
From: [identity profile] taleya.livejournal.com
I'd be tempted to BOFH it - fill it with garbage data that has no correlation as to what is going on.

Failing that, small company, let everyone know. With full ramifications of a worst-case scenario.

They'll take care of him themselves.

Date: 2005-10-17 10:34 pm (UTC)
From: [identity profile] harry-whodunnit.livejournal.com
I'd say you need to get your boss to commit to a written policy of what he's going to do if he does get access to his employees' private passwords.

Ideally, he should promise not to write down or pass on any non-work password, and any monitoring-related records which might reveal it should be discarded after a set period of time no greater than a week.

Date: 2005-10-18 01:31 am (UTC)
jjjiii: It's pug! (Default)
From: [personal profile] jjjiii
As tempting as it may be to treat the boss as a malicious bad guy, that's only going to get you fired. You have three basic options:
  1. bend over and do it, or
  2. you can refuse/fight, come up with every objection in the world against doing it, or
  3. you can pretend to be representing your boss's best interests when you tell him why it's not a good idea AND how to turn what he's asking for into a good idea by doing things in a way which is legally and ethically sound.

Monitoring private account passwords is bad. Allowing personal use of the internet/business IT assets and then invading privacy and not spelling out exactly what is expected of the employees and what will be done with their usage history is bad. Not running this past a competent lawyer prior to implementation is bad. Not posting the changes in policy and practice to the company is bad. Etc.

You know this, evidently the boss doesn't. It's time to educate him, and in a way that leaves him happy and you employed. Good luck.

Date: 2005-10-18 04:55 am (UTC)
ext_8716: (Default)
From: [identity profile] trixtah.livejournal.com
I presume you're in the US? Because in Europe, there would be big LEGAL concerns about taking such a step. In their terms, people have a reasonable expectation of privacy, and while you can monitor overall usage, block porn, what have you, you need a decent cause to get down to the nitty-gritty. You wouldn't have a legal leg to stand on to harvest private passwords. If you don't want people using banking sites, ebay etc, you monitor the fact that they're being hit from your proxy and then you BLOCK them.

Ethics aside, even in the US, I'm sure there would be legal ramifications, possibly depending on the state you're in. One thing to insist on would be sign-off from the company lawyers - and if they don't have any, they need a lawyer for something like this. If they have to fork out cash for a legal consultation, they might think again.

Here's a pretty good top-level overview of workplace privacy rights (http://www.privacyrights.org/fs/fs7-work.htm) - bugger all in the US - but the way they describe "monitoring" refers to keystroke monitors (typing speed) and viewing what's on screen. It does not say that harvesting passwords etc is appropriate.

Date: 2005-10-18 09:26 am (UTC)
From: [identity profile] the-s-guy.livejournal.com
While he probably does have the authority to ask that this software be installed, you may want to remind him that people use the internet for activities like personal banking, that this software may enable him to see their personal banking passwords, and that being the case, if one of the employees' accounts is broken into then he will be the prime suspect.

To alleviate this problem, he may want to either institute a 'no use of sites that require personal passwords' policy for employees, as well as advising them that they are being closely monitored 24/7, or choose a lesser level of monitoring and leave the exact software choice up to you.

Basically, while the final decision may be his, he should be properly... advised and guided in that decision by subject matter experts. Such as your good self, of course. Certainly all the employees of such a small company should be informed by the owner of exactly what is occurring and what he expects of them, so that they don't all suddenly find out later and quit in a fit of pique, leaving the company to founder and sink.

Date: 2005-10-18 09:35 am (UTC)
From: [identity profile] lions-tambua.livejournal.com
If the policy RESTRICTS people from doing PRIVATE stuff at work, I'd say it's OK to check which websites they surf on. But it's not OK for me to show their passwords.
If you check which files they read/write/copy from or to the server, I would say it's OK, because I also wouldn't like to have child porn on my server. Who is responsible for that?
The sysadmin (tm)

Date: 2005-10-18 02:27 pm (UTC)
From: (Anonymous)
Well, there are various reasons why the "boss" or manager would want the administrator to log/report everything that their staff is doing whilst at work. I am a network admin myself, so I can see the practicalities of doing so, if not for anything other than statistical reasons.

wanting to see their passwords on their bank accounts
Actually, this is pretty much a technical impossibility (although not completely impossible). Depending on how the network is set up, there are many things that will prevent the "transparent" capturing of secure website data (i.e. passwords).

Basically, it is the design of SSL (Secure Sockets Layer) to disallow a "man in the middle" attack, or, as one would put it, capturing the end user's secure data and logging it for later viewing/usage.