Slashdot Mirror
Instant Message, Instant Transcript
shams42 writes: "Although the internet has been far from private for some time now, it seems that public awareness and concern over this issue is mounting. This article at CNN discusses the issue of companies monitoring instant messages for cyberslacking or leaking company secrets. There is also the possibility of them being included as evidence in court cases."
Jabber over SSL would solve this problem.
Finkployd
Ah, yet another story that makes me happy about my 50% purchase of CarrierPigeons.com!
------
Today's Top Deals
Hopefully within a couple of years we'll get the cheerful news that these monitoring companies have gone belly-up.
later,
Jess
I am programmed for etiquette, not destruction!
Use SSH link to your PC at home to run text based IM client and/or web browser from your home address.
I've not heard of an employer that monitors Port 22, and even if they did, it's encrypted so they can't pick up what you said.
Best program for this is PuTTY (assuming you use NT at work)
The whole thing assumes you are using *n?x at home and can run an SSH daemon on it.
OF course best of all is to not shout from the rooftops what should be said in private.
If my call is important, why am I talking to a recording?
People think Instant Messages are like phone conversations - no record is kept, they can say pretty much what they like. People used to think the same about Corporate email too.
Nearly every company today has an Internet Acceptable Use Policy. Said policy covers allowed surfing habits (work related only, etc), as well as appropriate email useage (no sexist jokes, spamming of jokes). Once companies realise that IM traffic is essentially the same as email, they will need to incorporate policy on usage into their existing AUP.
Naturally there's privacy concerns here. People don't like their every word and action at work scruitinized. However, as Pamela Housley (director of compliance at Thomas Weisel Partners investment banking firm) said in the CNN article,'It's just easier to archive it all. I don't have the manpower to have somebody look at this all day long.' This will hold true in most cases.
Most companies already archive all email sent/received by work accounts as a matter of course. However, that's not to say people actually read all those emails. They're there with the sole intent of keeping a record to cover the company's ass if something goes wrong - such as a client accusing an employee of doing something they were not asked to do. If said employee can turn around and say 'I was asked to do it via email, and HERE IT IS!', the company is fine.
Face it - IM traffic sent/received at work will end up being logged as a matter of course. It has to if companies want to keep themselves out of a legal quagmire. However, just because your communication via IM is logged, doesn't mean someone is going to actually violate your privacy by reading it. In fact, most AUPs specifically prohibit the reading of another's work communications without the proper authorisation.
Keep in mind that you're using work assets. Keep in mind that you can, and will, be held responsible for abuse of said assets. Stick to the AUP, and everything will be rosy.
Janie took my gun...
Actually we use Lotus Sametime in our company quite a lot for instant messaging.
Being a multi-national company, without this we would be spending a lot of money on international phone calls (although I believe we are looking at VOIP for this too)
It also allows you to share your desktop so you can collaborate on a document. Sometimes we use a combination of the instant messenger and the phone for this.
You can also see if the person you are trying to reach is at their desk before you try to reach them.
It is less intrusive than a phone call and more immediate than email.
If my call is important, why am I talking to a recording?
Generally slackers will abuse IM just like they will abuse 'free' phone calls -- to stay in touch with friends and family, make plans to go out after work, or just idle chat.
It can be difficult to implement a technical ban on instant messaging, webmail, etc. There are two many different services using different protocols and different servers to easily create firewall or filter rules to block them all.
AOL Instant Messenger is an interesting example. The AIM client is very persistent in trying to establish connectivity with their servers. First it tries the 'official' OSCAR protocol on port 5190, but if that fails, it tries a high port, and also FTP, SSL, and other protocols that many firewalls permit unrestricted outbound client access.
I do not deploy Linux. Ever.
After every questionable comment you might make in a message just put ;-). Problem solved.
;-)
For real though, I really don't care if people see my IMs. 99% of it is just jibber-jabber anyway, so who cares.
If your are dumb enough to write messages like "My boss is an asshole" over IM, then that is your own fault if your get busted.
Yes, but there's a large difference between ICQing a coworker to ask about a business-related issue and jabbering with your buddies on AIM for hours on end. One is a perfectly valid activity while working. The other is slacking off, and will probably get you in trouble. The solution is to avoid the second activity. Do you really care if your employer is recording the IM you sent to Joe down the hall asking if he knew the correct syntax for some obscure Perl command, or when the next meeting was scheduled for?
The company I work for, for instance, uses an internal ICQ server and the corporate ICQ client for interoffice IM, and doesn't allow any other IM clients. This lets people communicate internally without a problem, but keeps them from wasting time on idle chats with outside friends.
DennyK
just b/c you encrypt your convo's does NOT mean you will not get in trouble for what you say.
.02
I seriously suggest that anyone who IMs at work should stop. If you know your company monitors email, etc, I could only imagine that you encrypting your sessions would raise their suspicions even higher.
If you are that worried that you feel you should have to encrypt, you probably shouldn't be doing it at all.
Just my worthless
Where I work, Yahoo! Messenger is the preferred means of exchanging short work-related messages.
Unlike the phone or in-cube appearances, the recipient may respond when it is convenient for them (no interruption necessary if you have your message windows set to auto-minimize), but unlike e-mail, it's more interactive and conversational.
It's also incredibly convenient to be able to cut and paste example code, command-lines, URLs, etc. to co-workers on the fly.
First of all, the only reason I use IM these days is for work-related purposes with co-workers on an internal Jabber server. Okay, we do our share of chatting that's not exactly work-related, but who doesn't have f2f conversations with people at work about things that have nothing to do with work?
In any case, why I consider the instant transcript a "feature" is because my co-workers and I do tech support. We talk to each other frequently about customer issues. These transcripts often contain useful troubleshooting information. It seems awfully silly to type something more than once, so once a conversation is done, it's copied straight from Jabber into a case note. We usually do not make those kinds of notes viewable to customers, but they are good for internal documentation.
For those of you who have issues with your employer "snooping" on what you're doing, I would not expect any sort of privacy with respect to your computer usage at work. However, your employer needs to tell you your computer usage is subject to monitoring. Employers who fail to notify employees of monitoring are subject to serious trouble if they decide to take advantage of any information they find out as a result.
-- PhoneBoy
The views expressed herein are not necessarily those of anyone, including the poster.
Privacy at the work place...
You are in a building that you don't own..
You are sitting in a chair that you don't own
You are using a computer that you don't own
You are using a network that you don't own
You are using bandwidth that you don't own
Why do you have any expectation of privacy?
It's simply a given.... If I am talking on my cell phone in the middle of the IT department I have no expectation of privacy...
If I am 'yelling' my conversations over the network why do I have expectation of privacy...
If I want to chat personally or sell company secrets I will do it at my home where I DO have privacy... But, not at work
I've worked at a certain big investment bank over the summer. Internet access there was completely firewalled away except for a port 80 HTTP proxy server. Now, one could tunnel IM programs through this successfully but even then, the company has a zero-tolerance policy that bans any use of IM programs.
There is a very good reason for this. Apart from the usual virus problems, it is often *mandatory* by law for investment banks to log all communications between employees and clients, just like the article says. It is well known that all telephone calls are recorded for this reason. All proxy requests are naturally recorded and scanned for port and external mail use (also against company policy). Allowing IM would equally thus be in violation of company policy and legal requirements. Unless of course... if a system was introduced where all messages could be reliably logged and traced.
If you still aren't convinced about these policy issues, consider this. In a IB, if your phones are tapped, all web access is logged and you know it, then perhaps consider that logging IM isn't such a big extra step.
The famous workplace, where your freedom is checked at the door.
For people so concerned with freedom, it is astonishing that the entirety of a person's basic rights are handed over like a movie ticket once the workday begins.
And to top it all off, everyone DEFENDS this by saying, "well, they sign your paycheck."
Newsflash: signing a paycheck != control someone's life.
Here are people who tell you what to do 40, 50, 60 hours a week. What time to sleep. How long to spend eating. What kind of house you can buy. Where you must live. What to say. How to dress. How many phone calls to make. What web sites to visit. And so on. It's worse than grade school. If you don't like it, you're "downsized."
Personal life is not to interfere in the workday. No personal activities of any kind are to be conducted at work, unless you're a manager and you have kids. Then you can "take the afternoon off" or leave early on Friday any time you feel like it. All time off is given begrudgingly, even if it is pre-approved.
Now they'll just help themselves to every word typed or spoken during the workday. Excuse me, but why is the workplace exempt from a person's inalienable rights? Why are companies allowed to treat people this way? Why is a paycheck carte blanche to control someone's life?
If it isn't company business, PAYCHECK OR NOT, it isn't company business. Period. People should be given the freedom to be people before corporate drones.
No. Mainly because nine times out of ten, management hasn't the foggiest idea what is going on from day to day. Oh sure, every once in a while there's some frantically organized flailing "initiative" complete with an announcement at an all-hands meeting, but by and large, management doesn't understand a single detail of the work in most companies.
Then everyone gets laid off. Welcome to the workplace.
This may sound strange, but if a company is recording your chat sessions, instant messages, or e-mail communications, you can sue them for copyright infringement.
:-)
Sure, it would get all the merit of some of the recent patent lawsuits, but it's perfectly legal. At work, you have no expectation of privacy and often you even explicitly waive these rights by AUPs, as others have mentioned, so you have no legal high ground.
However of all the AUPs I have seen, none mention the property transfer of your communications, which are effectively your thoughts and are unique to you. This is called your "likeness". You are expressing it in your messages and chat transcripts, and by your employer snooping on you and storing records, they are effectively "copying" your copyrighted material, which you can claim copyright to.
Unless you're in a contract situation, the only works your company owns are those, which it has commissioned. Despite popular belief, it doesn't own everything you do at work -- only the work from your assigned tasks/projects/whatever.
I am no legal expert by any means, but at lunch with a lawyer friend I brought this issue up, and he said if he had a client in this situation he would have whatever logs found non-admissible due to copyright infringement. He then told me about likeness and how it can be used against an employer and possibly even to be on the plaintiff side of a suit. I found it interesting he would challenge this privacy issue from this interesting angle.
I guess you're best actually doing work while at work. If you must have security, use the various methods of encryption. Don't be stupid.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
No one at work is going to be setting up elaborate forwarding systems for man-in-the-middle attacks.
You run into the script-kiddie fallacy here. Nobody is going to go to all the effort to find out what services I'm running on my machine, then look up all the possible exploits on the internet and patiently try each one. Of course not, they're going to download a script kiddie tool that scans entire netblocks and systematically tries all known exploits.
Similarly, companies are going to install 'snoop plugin for NT-firewall/proxy', and automatically snoop. I doubt they wrote the firewall modules they're currently using to snoop IM's, and installing a 'SSL proxy' doesn't take any more effort, just one unscrupulous software developer to produce and sell the plugin.
Of course nobody will bother unless there's enough people using the protocol you're using to sell that plugin - so find an unknown protocol and you'll be (relatively) safe.
I currently SSH tunnel for IRC, but for IM related software, I can't seem to SSH tunnel and get the relevant ports forwarded.
Assuming you have a recent version of OpenSSH, follow these instructions:
1. Run ssh -D 1080 hostname. This causes ssh provide a SOCKS v4 proxy services when connecting to localhost on port 1080.
2. Set your IM client to use your SOCKS v4 proxy server and point it to localhost on port 1080. Most IM clients support the SOCKS proxy protocol.
3. Chat.
My car gets 40 rods to the hogshead, and that's the way I likes it!
My father used to tell me stories of when he was stationed in WWII in the Aleutian Islands, preparing as a SeaBee for the invasion of Japan. One of the stories that continued to amaze him was the deployment of Native Americans to handle communications, now populary referred to as Code Talkers.
... if it just wouldn't be too expensive if we not only encrypted our transmissions, but perhaps had an IRC in which we could roll our own dialects via tools like Bison in which only you, and your buddy on the other end would possess the necessary grammar file.
... but perhaps the process would become so expensive that they'll just move onto hammering the putz down the hall who continues to spew open text.
Not only did they transmit messages in code, but they added a nice little touch, all transmissions were forwarded in their native dialects. Both my father and I would chortle at the prostpect of some enemy intercept trying to figure out Cherokee.
It makes me wonder, especially when you consider the costs of snooping everone's transmissions
Sure, I'm sure the employer and their lawyers could still crack it
healyourchurchwebsite.com - WWJB?
"What about your instant messages being logged by companies who will then in turn use your information to make a profit"
they can as they legally own anything you do, write or say on company equipment in company time (it's been proven - do a websearch on the subject)
"Personal data can be stored and later used for blackmail"
What ARE you doing at work and who do you work for - what company would actually do this.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
I'm glad that IM hasn't caught on at my employer. I would find it incredibly annoying to be distracted by IM popups every few minutes
Depending on your level of responsibility, it really doesn't work out to "every few minutes". I, too, use Sametime at work and it, like MSN and Jabber (I never tried any others) allows you to set your online status. So each employee has their contact list up with a little status indicator right next to the name. Green means available, Red means Away (which can be set to not auto-return), and there's a little "international NO symbol" which means "Do Not Disturb".
I most recently used it to "feed lines" to my project manager while he was presenting to some big wigs in a meeting. He doesn't have time to know all the minutiae, so he would tread water on questions while I fed him better details. Luckily, I looked ahead into a presentation and saw some numbers were way off. I was able to warn him before he got to the page.
Being a mobile employee means I have to go to many different customer sites (or work at home) all the time. For coworkers with whom I'd occasionally have conversations of a personal nature, I always "take it outside", and off Samtime onto MSN or AIM. The chances of ALL of the customer sites recording IM sessions will always be less than the 100% guarantee that my IM's will be recorded if I use the company Sametime server.
Intelligent Life on Earth
Even when you encrypt your traffic, it will not protect you from traffic analysis.
.xls spreadsheets from an server in Poland and all the URL's have /..%20%20/ in the path, I give that user a call.
I happen to be the dude in between management and the users on my site. I refuse to eavesdrop on my users. Not all of my users realize it, but we've got a pretty liberal policy (don't break the law, don't be offensive to others, don't use excessive bandwidth during business hours; that basically sums it up).
Some of my users know me for cracking down on porn or MP3 downloads, and think I'm reading their every keystroke. Because if I wasn't, then how would I know that they were doing stuff that they weren't supposed to do?
The reality is, when I get complaints about Internet performance, I run some quick scripts on the logs to find out who is hogging the system. If, after eliminating the obvious business use connections, I'm left with a top ten and number two is downloading a gazillion of
Usually, the user will accept the lecture that his contractual obligation to stick to the corporate guidelines is not optional. I sometimes learn through the grapevine that such a user thinks I'm a fascist. So be it. If other people can't work because of egregious abuse, I have to intervene.
Do I even look at the stuff they're downloading? Not if I can avoid it. The only times I look at what they're downloading is when they start yanking my chain, giving me the go around that there is no law against downloading Warez or porn. Maybe there isn't, I've got no clue. I do know what's in their contracts though.
Most of these issues are dealt with amically. People sometimes don't realize how big their impact on the corporate network is, and even if they do I usually let them get away with it if the abuse stops. They're usually pretty happy when I tell them I've got no clue what they were downloading, but could find out when forced to.
Over the last year, IM became a bit of an issue because of the way their stupid tools communicated (if only they used persistent connections they'd fly right under the radar). At some stage, 30% of our proxies capacity was used to serve a few dozen IM sessions and it really started to hurt web performance.
It's always funny when they let it escalate to management level, and I can at that stage let them rant about the invasion of their presumed privacy, and then drop the bombshell that I didn't even look at what they were downloading, and that it was trivial traffic analysis that gave them away, and that the reason they were in that meeting was because they incriminated themselves.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
If you have a server you control, and wish to be able to get an SSH session through a firewall that blocks the "standard" SSH port, place your SSH server on port 443 (https) - both are SSL, and most firewalls will happily let you establish the connection.
/., Freshmeat et. al. while waiting for a recompile is one thing, burning huge amounts of bandwidth downloading crap it another.
That said - It's not spelled Foxtrot Uniform November, it's Whiskey Oscar Romeo Kilo - if you want to download porn or waste lots of time IM'ing, then do it at home. A quick scan of
www.eFax.com are spammers
Companys pay employees to work and provide a certain function, they *DO NOT* own them. This was discussed on Slashdot a few weeks back.
The discussion a few weeks back was about work created outside the office. If it's related to your job, or it's done on company time, chances are it's owned by your company.
If I hire you to paint my house, and you instead work on a product that ends up selling millions, I would have no claim to that product.
That's not an employer-employee relationship, thus it's subject to different rules.
Contractors by default have their works owned by them. Employees by default have their works owned by their employer.
For those interested, salon had a simmilar article a few days ago.
"Question with boldness even the existence of a god." - Thomas Jefferson