Employers Logging Keystrokes-What Can You Do?

daqman asks: "I work for a 'national lab' which is code for, 'we are funded by the Department of Energy'. Recently there was a big scare over a DoE employee at a weapons lab who has been accused of spying. Now we are very far from weapons research. If were any closer I would quit right away. Anyway, as part of the security flap we have been asked to put a notice on all of our machines. A part of the message is: 'By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.' What is the legality of this statement?" (There's more...)

"I live under the assumption that my employer cannot tap my telephone or open mail delivered by the US postal service and that I have the right to free speech under the constitution. Why is my E-mail and my very keystrokes on the computer any different? Please remember my work does not involve national security. Also, since this policy was not in effect when I started my employment what are my rights if I refuse to agree with the conditions and log off?"

What does one do (aside from up and quit) when you discover that your employer is spying on you -- by any method? I can understand an employer wanting to know what his employees are doing, but there is a line somewhere they shouldn't be able to cross (employees have rights, too). Where that line is, however, is anyone's guess.

Appearing soon on a Redhat machine near you

[RedGuard]

The Bastille hardening script adds this to
/etc/motd. The script claims it gives you a
better chance of intruders being prosecuted.

Monitoring, Sysadminning, Ethics

[prevost]

Carnegie Mellon University, where I used to work, has the following disclaimer at login:

This system is for the use of authorized users only. Unauthorized use may be monitored and recorded. In the course of such monitoring or through system maintenance, the activities of authorized users may be monitored.

By using this system you expressly consent to such monitoring.

I think this is for two reasons: one--to make any evidence they find against crackers more legally clear. two--to cover their asses in the case that they accidentally read someone's email (or the equivalent) doing system maintenance.

It's important to remember that if you're in any sort of shared environment, your sysadmin can very easily read every byte in the system, follow every bit thrown out the pipe, and etc. What's important is that ethical sysadmins don't use this power for evil. :)

No really--I'm serious. As a sysadmin, and a BBS sysop before that, I've had the power to do things like read users' email for a long time. I feel that I have an ethical responsibility akin to those a doctor or lawyer has with respect to confidentiality. I will not pry--but even if I do, I have no right to make public things that I learn. This is most important when doing routine things like backups or looking for files which are taking up too much space, or fixing mail spool files when there's a bad mail loop, or the like.

It's hard not to learn things about people that you shouldn't know in these cases. And as a result, I don't believe in sharing information learned in such ways with anyone at any time. I'm upset when I hear stories about sysadmins stumbling across somebody's private stash of kiddie porn and turning them in. It's true that kiddie porn is pretty damned foul--but in the interest of protecting everybody's right to "sysadmin confidentiality", I still don't think such things should be mentioned. At the very least, I'd probably say "please remove these files from the system, or I'll have to take steps against a potential DoS attack by law enforcement officials."

Anyway, my two cents. I think I'll go look up the CPSR and other like-minded groups now and see if anybody's got a sysadmin code of ethics. :)

Same where I work.

[Kartoffel]

US GOVERNMENT COMPUTER
This is a US Government computer. This system is for the use of authorized users only. By accessing and using ths computer system you are consenting to system monitoring, including the monitoring of keystrokes. Unauthorized use of, or access to, this computer may subject you to disciplinary action and criminal prosecution

That's what everybody gets on our office machines at the Johnson Space Center. Considering the enormous mountains of paperwork that people type up every day, I would hate to be the guy who reads the key logs. ;-) Even if all they did was store the keystroke logs somewhere, it would be an enormous amount of useless data.

welcome to government service

[imac.usr]

I'm a contractor at NIH, and you can find their suggested startupscreen here. It basically says that it's a government machine, they can do what they want, and although the banner isn't legally required, it does help the government prosecute people if there's a banner in place when you log on.

As for legality, hey, man, I just work here.

depends

[jbarnett]

The think you forget, is when you want into a workplace, you lose some of your freedoms. It is a private company and they don't force these "laws" on you, they give you are choice, "play by our laws, or leave/get fired"

For example, we all have the moral and legal right of "Freedom of Speech", but if you take a job at McDonalds, when you are clocked in your "Freedom of Speech" goes by-by. You can not say "So what the fuck do you want on this shitty ass BigMac dicksmack" to the customer. Sure, this is prefectly legal and lawfull (in the US), but McDonalds (private company) will fire you.

If you want to be able to say "fuck" and tell the world McDonalds BigMacs are "shitty", you will have to do it on your own time. The fact is, you are working at McDonalds on your own Free will, and they hired you on their own Free will. At any time either you, or them may terminate the employement agreement. (unless you sign a contact)

Most companies do monitor, on our phone system they warn the customers and employees that the lines are tapped, I mean montior for employee spying, I mean employee montioring and training purposes. They aren't forcing me to work here, and they aren't montioring without my permission. If I did not agree to this, I would have to either 1) quite 2) not agree to it (which would probably lead to me getting fire)

I think an employeer has the right to monitor, but the company HAS to notify the employees for this before hand and tell them what they can and can't do with the system (ie. no p0rn in email or hot grits in pants during business hours, expect for on fridays)

Recently logged at NASA

[cprincipe]

Mars Lander Telemetry Control System

login: root

password: xxxxxxxxxxxxx

Welcome to the Mars Lander Telemetry Control System.

MOTD: Management has become aware of the unauthorized use of agency computing facilities for the distribution and use of illicit materials, which is in violation of the computer use policy. Anyone found in possession of or transmission of such materials will be prosecuted.

jpl:# cd / pr0n

jpl:# rm -rf / pr0n

^C

^X

^C

^X

^D

Re:Fully legal

[bughunter]

I don't think you can much about it except for quitting (or threatening to quit over pervasive monitoring).

There's always one more option, though their effectiveness may be questionable... for example:

In the wake of the spy scandal last year, the DOE implemented a mandatory random polygraph policy for all of their Los Alamos employees. Every one. Needless to say, the affected employees were rather annoyed, and they organized and threatened action (wish I could be more specific). Anyway, the DOE just recently backed down and decided to only require random polygraphs for employees who work with sensitive information. They did something about it.

And also, if you have enough money to contribute to your senator's campaign, you could always go the Congressional route. It works for contractors.

(Sorry if this appears twice, but if /. hadn't timed out, I wouldn't be pressing the submit button again.)

Re:Fully legal

[arivanov]

A very important note: In the US.

But invalid in Germany. There, you cannot even perform exact recording of dialed numbers on the company PBX. The employer if recording them is obliged to erase the last n (forgot how much) digits. And recording email by the employer is absolutely out of the question.

They own it. You don't.

[DHartung]

This is actually a very common situation, and the legal battles took place mostly in the late eighties and early nineties. The employer pays for the equipment and resources, and they have the right to designate appropriate usage guidelines as well as monitor.

Partly this absolves systems people like me if we happen to come across your e-mail by accident (trust me on this one: I was working on a mail server yesterday and I could see the addresses EVERYONE was sending to, including some verrrry interesting domains), but also in case they have to investigate for any reason. Let's say another employee claimed you sexually harassed them in sending e-mail (let's also assume that this is serious, not just random dirty jokes, talking about the other person's anatomy for example). The company has the right to look at the victim's computer, your computer, the server, even SEARCH THROUGH DESKS looking for floppy disks on which anything relevant may have been saved. I've seen it happen.

As a systems administrator I have to install monitoring and blocking software. I can track every site you visit with your browser, stick it in a database and e-mail it to your manager by 8am Monday morning. He can see that Joe was surfing business-related sites, maybe too much, but within acceptable limitations; Mary was spending all day long at eBay; Dave was recklessly looking at p0rn on his lunch hour; and so on. As long as there's an upfront disclaimer, all such monitoring has been upheld by the courts. It doesn't even have to appear at login; you could have signed a blanket disclaimer when you were hired, and it was just one of a dozen sheets of paper you John-Hancocked and forgot about.

One employer determined that a married woman had transferred to another location in order to conduct an affair with a man there. They fired both of them, not so much for the affair, but for falsifying time sheets and so on, based on e-mails where they set up hotel rendezvous during work hours. They almost fired another woman who was the first woman's confidant in this situation because she had failed to report it.

Another employer requested printouts of all e-mail sent by an employee during his last week, as well as all outside mail sent and received by his friends in the department, in order to prevent disclosure of client trade secrets.

Another employer found that pornography was passing through the e-mail system and before any of the employees were notified, I and another individual had to check for anything illegal. If we had found anything, we were to call in the police.

When I worked on a help desk, I never knew whether my calls were being monitored silently by my boss. My internet usage at work then was via dial-up and this came to the attention of the telephony group, who reported it to my boss, and my boss then required me to justify time spent. (I was able to do so, it was mainly research.)

Bottom line: when you're at work, don't ever assume you have privacy. The employer has broad rights to monitor you for not only illegal activities, but for violations of your employment agreement, for slacking, for slandering, for sexual harassment. Some of the posts here speak of your government employment as a unique situation, but it really isn't. Out in the Real World you may, in fact, have FEWER rights to privacy than in your present situation.
----

Fully legal

[Kaa]

Under the current law (you don't have to like it) the employer owns everything that happens on machines and networks it owns. That means that your email, your files, and, yes, your keystrokes, belong to your employer. This has been supported by courts numerous times. If you want privacy, bring your own laptop/PDA/notepad.

I don't think you can much about it except for quitting (or threatening to quit over pervasive monitoring).

Kaa

Government Cheese

[joshamania]

This isn't exactly a vague situation. There might be a little lee-way if we were talking about a normal corporation, but this is DOE.

If you don't like the new disclaimer, all you can do is quit. As far as my experience goes, when working with the government, and especially when dealing with the military branches, and even more especially working with DOE, you have no rights to anything what-so-ever.

It matters not that you are doing weapons research. It matters not that you are checking an email from you girlfriend/boyfriend. When DOE is involved, the courts hardly matter. There are very few people in this country who are going to give a flying fsck about your privacy as soon as someone mentions nukes.

I'm not trying to say that this is right or moral, just the way it is. The NSA (National Security Agency) has very broad powers when it comes to protecting nuclear secrets. The secrets could be anything from warhead design to the number of gallons of water in a reactor's coolant reservoir.

Personally, I think that they should be checking into just about everything having to do with DOE's security. There is very little on this planet more dangerous that the nuclear arsenal of the United States of America. I'd like to keep it that way.

Keystroke logging at McDonalds

[scumdamn]

Big Mac
Large Fries
Large Coke
Happy Meal
Medium Chocolate Shake
Trinoo Attack on CNN
McDonald Land cookies
10 pc Chicken McNuggets

I can see how this would come in handy.