Stealth Software Used To Spy On Employees

Baraka writes "As if reading the e-mails of their employees wasn't enough, some corporations have gone as far as to install hidden software on their client boxes. The software secretly monitors all keyboard and app activity. At the end of the day, the gathered information is e-mailed to the "offending" employee's boss. Read it and weep, folks. Looks like Big Brother is alive and well in the officeplace. "

This is why you reformat and run Linux

[i22y]

If your employer's doing this, it should be a case of invasion of privacy. However, it isn't since your employer owns the machine and network, and all rights to monitoring thereof. That's why you need to install Linux on it, and just fire up fvwm95 as a WM and your stupid Dilbert-boss will never know the difference...

Re:This is why you reformat and run Linux

Heh. Any non-standard configuration can have side effects. My personal laptop and my network monitoring server (both running Linux) are configured to ignore requests outside our local IP range.

Corporate LAN staff decided do an OS survey with port scans. Both of my machines reported the port scans to me. The LAN admins got an inquiry from me to confirm it was a legitimate scan, and as I realized what probably happened I offered to manually give them their survey info. They seemed slightly amused that they'd been noticed. They also didn't complain about the machines having security settings too good for their search...

Re:This is why you reformat and run Linux

[sporty]

You do realize, this can be stealthly done like viruses, infect the kernel or whatever to do this.

Think of it, your suspected to be talking about nazi racism, your machine gets a software implant. You aren't root, shouldn't be otherwise you really do have right to do what you want, so you can't tell unless you do a netstat every moment.

Always been like this.

[FFFish]

Since office work began, employers have monitored employee performance. Scrooge expected his minions to keep up the pace, or be kicked out the door. Time-motion studies decades ago were used to identify what levels of output the most efficient workers would be able to produce.

This is just a finer resolution of detail. Instead of measuring completed documents, they're measuring sub-units of the document.

It's annoying, but it's no different than previous measures of performance.

Paranoid Workers

[PovRayMan]

With all this spying on office employees. I feel a lot of people will become paranoid. I'm predicting a few frivilious lawsuits as well. After all, who does like to be spyed on?

If I get a job at a place that has "spying" software, I'll feel like I am being violated in some way. Not that I'd pull a lawsuit at my employers, but I'd bring my opinion to their attention.

-PovRayMan

Re:Paranoid Workers

[E/M+Pulse]

I'd quit. If an employeer wants my expertise they will respect my privacy or I'm gone. A company where managers spy on their employees is not a place worth working for.

Re:Paranoid Workers

[kennylives]

I'd quit.

Agreed!!

I've about had it up to here with these reports (not the reports themselves, but the content) that corp's seem to have it in their heads that since they paid for the equipment, they own it, and that by extension, since they pay for the employees, they own them as well.

A coworker of mine recently sent a clipping out of the employee handbook from where I work that basically says that corp security has every right to arbirarily search not only my computers (one of which I've paid for myself - let the lawyers figure that one out), but file cabinets, boxes, drawers, and - get this - backpacks, briefcases, etc.

I've been filing this kind of stuff under "Corporate Human-rights abuses". It reminds me of the same kind of nonsense one would expect from a facist government, not a modern corporation.

Re:Paranoid Workers

At the company that I interned at this past summer, there was a policy to monitor the users. The funny thing was that only half the company was under this policy. The Business side of the company was quite strict (no changing the background, no outside applications, no games (even during breaks and the like), restricted/monitored web access). Many of the employees actually became less productive when they found out that they were possibly being monitored. They didn't like the idea at all. They were always just double checking that whatever they were doing "looked" right, even when they were doing something that was totally acceptable. But on the other side of the company, the Development side, there were no restrictions. This sometimes strained relations between the developers and the business people, because they felt that they should get the same rights to their computers as the developers. As this progressed, it just continued to go down hill, gossip was all over the place, and a couple of the people on the business side were talking about leaving.

It just seems to me that the loss of privacy jilts the employees. It just makes them feel like little children being watched over, and looked down upon. I know that there are cases where monitoring maybe necessary, but I think that it should be a restricted power, one that is agreed upon on a case by case basis by the management, and is only used when there is just cause to warrant it.

Just to note, the head of the IT department, was desperately trying to forge a plan to switch the whole company over to Linux. This company was very OSS/free software friendly.

Re:Paranoid Workers

[RodStewart]

You know not all of us can quit these are our jobs. I know they shouldn't be doing this but you shouldn't be looking at porn when you should be working.

rob

Re:Paranoid Workers

[E/M+Pulse]

Pr0n is one thing, getting bent out of shape because someone visited /. while waiting on hold on the telephone is another.

I have never viewed pr0n in the workplace, yet having my every keypress and mouseclick catalogued, indexed and searchable would be dehumanizing and demoralizing.

The employeer is better off just hiring people they can trust not to do stupid things.

Re:Paranoid Workers

[flesh99]

I've about had it up to here with these reports (not the reports themselves, but the content) that corp's seem to have it in their heads that since they paid for the equipment, they own it, and that by extension, since they pay for the employees, they own them as well.

They do not "own" the employess, but they have every right to tell them what they can and cannot do on the companies computer systems. They own the time they pay you for, and furthermore if you weren't doing things that were against company policy you would probably not scream so loud about this issue. I have not made use of this kind of tool yet, but if own the computer it is my right to see what it is used for.

I've been filing this kind of stuff under "Corporate Human-rights abuses". It reminds me of the same kind of nonsense one would expect from a facist government, not a modern corporation.

"Human Rights" you make me laugh, you don't have a "right" to work at a specific company and if you are doing something that could lose them money then they have a right to find out. Companies are not the gov't. All of this bleeding heart crap irritates me, you would take away the rights of the companies owners to satisfy yourself.

Re:Paranoid Workers

[extagboy]

Personally I think you should be able to do what you want to on the internet while you are at work as long as you get your job done. I dont think you should be visiting www.bigtits.com mind you but if you are doing your job there should'nt be any reason to check up on you. If there have been problems in the past why would you be suprised your supervisors are checking up on you. I think that's the real ?. Should you be checked up on for no reason? I don't think so. But if you've shown you could be a cause for concern (sexual harrasment charges or poor job performance because your too busy with your porn) why should'nt they check up on you?

Re:Paranoid Workers

[theonetruekeebler]

It reminds me of the same kind of nonsense one would expect from a facist government, not a modern corporation.

A modern corporation is the closest thing to Americans have to fascism:

• A non-ascendible heirarchical power structure.
• Everything is done "for the common good", but the common good invariably turns out to be that of the corporate power holders.
• Underlings are expendible in the name of the common good.
• The ruling class has absolute authority over its underlings.
• Underlings have no authority of any sort, even over their own destinies.

In 1816, Thomas Jefferson said "I hope we shall... crush in its birth the aristocracy of our moneyed corporations, which dare already to challenge our government to a trial of strength and bid defiance to the laws of our country." I think of all the things about modern America that Mr. Jefferson would be offended by, the way corporations control the destiny of the American people by subverting their government with money is by far the worst.

--

Well...

[mithrandir14]

as long as they keep these things out of the (public high) schools for 2 more years... I wont have to be worrying about it =)...

however, what exactly is so bad that the employer would think they HAD to take measures like this? I mean surely it would have to be something worse than the occasional porn break wouldn't it?

another thought... what are the possibilities of this being installed on someone's system and used to steal source code or other valuable information for a competitor? this just has all sorts of bad uses...

Re:Well...

[Wyatt+Earp]

You don't think SysAdmins in public education arn't looking?

Well we are. We focus on the High Schools and to a lesser extent on the Middle Schools.

Re:Well...

[TetsuoShima]

as long as they keep these things out of the (public high) schools for 2 more years... I wont have to be worrying about it =)...

however, what exactly is so bad that the employer would think they HAD to take measures like this? I mean surely it would have to be something worse than the occasional porn break wouldn't it?

It can be. One thing that is forgotten is that not every user is an idiot. We've got some people where I work who go out, download stuff, crack it, etc. I could possibly lose my job because of that. These computers are the *companies* property, not the users. As per the rights of their job, the user is allowed to use, within the restrictions set forth by the company, these computers. They don't have the right to break the law, install software(freeware, shareware or anything inbetween), or delete software.

Also lost productivity. Those computers aren't there for you to have fun on, they're there for you to work on (granted, some jobs can be a mixture of both :) ). An App log of what's been run would report those who are doing work as opposed to those who are slacking.

Much as I(we?) hate to admit it, work is for work. Admittedly, on a "lunch break" I wouldn't care if a user was playing a game of solitaire, or doom. But when they're using resources on my network under normal work conditions, and wasting that(the companies, and ultimately, my) time, that's when it needs to stop.

Re:Well...

[mithrandir14]

Yes... but in my school district they have put up a fire wall (its annoying...) to imply that the students are completely safe (from what?) from anything 'bad' they might find on the net. Which also means... that is we can get to it it must not be bad... and therefore if it aint blocked its good. Now, I'm not saying this is a good policy I mean, they should just send out something to the parents to sign (like they'd ever actually see it=) stating the acceptable uses and the consequences for not following them. But with this software there would be no implied saftey, or anything that is agreed to. They would just know EVERYTHING that EVERYONE types into the computers, (and I really dont want them reading my outgoing email that I write from there occasionally).

Just a side note... the SysAdmin's dont check where I go because I use the tech DNS server... hehehe.... shhhhhh... dont tell!!!

Re:Well...

[Black_Macrame]

Great, another example of how I wouldn't last in High School if I were there now. Hang in there son, and RUN FOR STUDENT OFFICE. They will ignore and persecute you, but at least you could represent your fellow students' opinions to those who don't care. P8c Bro. Oh and to the sysadmin for schools... :P - Paid Nazi.

Re:Well...

[VileVarmint]

What? You aren't checking the elementary schools???? What horrors are you permitting the young dears to see... oh, my heart shutters at what a pack of slavering 3rd graders might DO after seeing "Naughty Nurses on Parade"!

(yes, this was sarcasm)

Re:Well...

[philsky]

I've worked at 2 difrent jobs. First one is a maker of hospital software, where I worked (I'm only 17, so it was more like learned and worked) in the IS department. Right before I left they started monitoring outcoming email, not for conten but for regularity... IE, if you got 10 outside emails a day not related to work, that's bad. We also blocked porn, hack sites (Though not /.) We objected to some of this, but the boss insited, since he believed taking time to do emails non-work related cut at company time. Granted, most employees only worked 9-to-5, but one of our arguments was what about the smokers who get 3 + cigarette breaks a day... totalling to, perhaps, an half-hour? I guess, bottom line is you have to monitor, 'cuz no one can be trusted. As far as punishment ??? I don't know.

The second job I'm currently at is an ISP. Grand total of 7 employees, no blockers, feel free to do email at work... I feel motivated to work hard 'cuz he's given me the right to break loose when I need it... I wish more companies could try that model, though I do realise in a bigger corporate environment it is more easily abused...
-philskyD

Re:Well...

[Black_Macrame]

Federal Law requires employers to allow a 15 min break for every four hours of work. Therefore, smoking or writing personal email (only company policy could prevent this)is perfectly legal. So screw the company's profits for 1/2 hour a day. They will live. We are working more hours than the Japanese now, I remember back when I thought they were nuts for working so much!

Re:Well...

[flesh99]

Federal Law only requires the break for employess of a company, contractors do not get this by law.

Interesting article

[bjk4]

I was quite surprised by that article. It began like a sales pitch -- listing elite customers including sensitive government agencies. Then it switched gears and talked about the moral implications of this type of software.

Actually, in retrospect, this might be a ploy by the company to generate interest in its product. The more controversy surrounding this product, the more people who are informed about it -- kinda like Apple complaining about export policies in order to brag about how fast the G4 is.

Personally, I think monitoring is not a good idea. If an employee can double his/her productivity by taking short breaks to chat with friends online, then by all means that employee should do so. It should be painfully simple to discover when someone is making trouble online. At that point, convensional methods should suffice unless special surveilance is required. In general though, spying on employees betrays trust.

Re:Interesting article

[god_of_the_machine]

Personally, I think monitoring is not a good idea. If an employee can double his/her productivity by taking short breaks to chat with friends online, then by all means that employee should do so. I agree with you, that taking short breaks is good for productivity. BUT I still think that a company has the right to ignore that and disallow short chats, even if it is damaging to them in the long run. I think that they should be allowed to monitor employee keystrokes... but they should have to warn the employees first and have a well-stated proper use policy so the user can be safe to go onto chat rooms or type personal emails if necessary. --- "Progress is the god of the machine"

Re:Interesting article

[fpepin]

There is a difference between the legitimate use of that software and the possible abuse of it.

There are certainly a lot of horrible things that can be done with it, but they won't send it to everybody: you need to have people to decode that stuff afterward too.

What's the point of wasting more man-hours going over the data than whatever could be "wasted" by breaks and such.

On the other hand if you suspect an employee is stealing information from your company (see the examples listed in the article), then it's worth it to go over his whole day of work to see if he really did it or not.

Should we really be suprised?

[Ricochet]

I'm not advocating that this practice is a good thing (personally I think it's very bad and will lower moral). But we should really expect that this is going on everywhere we go. You see it in malls, stores, city streets and in corporate offices (don't be suprised if they're watching you in the bathrooms!) with not so hidden cameras (were are the hidden ones, hmm). This technology has been around for at least 8 years. Now with automated updates (via you corporate net logons) they can add/delete and monitor everything done with your PC.

vote with your money

[geocajun]

WinWhatWhere will never get a penny from me... and I will always refuse to buy something like this for my employer.

Why do employees put up with it?

[Hobbex]

It seems American companies are willing to just about anything to spy and generally make life suck for there employees, but at the same time I keep hearing about how companies are scrambling to find people for there technical jobs.

If having to worry about finding another job is not a problem, why would anybody stay at a company when it starts spying on you, forbidding you to send private email etc etc? Is this just a matter of greed, because I know that as far as I am concerned some level of freedom at a job is worth a number of K $s.

Maybe I'm just not disillusioned enough yet...


-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Re:Why do employees put up with it?

[Rolan]

The reason people stay is that 99% of the companies do similar things. True, certain companies have stricter policies than others, but in general all companies spy on their employees to some point. So moving to a new one really dosn't change anything.

Re:Why do employees put up with it?

[ostiguy]

115k work visas for the US were all used up by June of this year. You know not of what you speak.

Matt

Re:Why do employees put up with it?

[Hobbex]

This contradicts what Gormick said above.

Which is true?

-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Re:Why do employees put up with it?

[Rolan]

I trully belive that any company out there that has internet access/frequent computer use spies on their employees in one way or another. Now I'll clarify from above and say that they don't neccessarily do it in the same way. Some use firewalls to filter sites and e-mail the administrator if a user tries to access such a site. Some companies read e-mails. Some use "stealth software" to monitor. As with everything there are extreems, and policies vary greatly. Some have better policies than others.

Re:Why do employees put up with it?

[EJB]

I recently read a story which said that the above is what (malicious) employers tell their H1 workers, but it's just not true (according to that story); you are allowed to change jobs while on that visa.

EjB

Re:Why do employees put up with it?

[Rolan]

Actually my experience in the work place is that IRC is TOTALLY filtered. I've worked for the government on an Air Force Base twice before and could never get IRC access. Also most companies who allow internet access run their own newsgroup/mail servers. They simply don't allow there to be any pornography newsgroups on their servers and they don't allow network connections to any other news server than their own. It's really not that hard to filter those two. But the main point here is that companies using the software being described here would know EVERYTHING you did while that software was running.

Re:Why do employees put up with it?

[EJB]

That's nice of you to say as an uninformed anonymous Coward.

If you check one of the many faqs, on the Internet, such as

http://www.faqs.org/faqs/us-visa-faq/part3/

You'll find such answers as:

Q: Having H-1B visa with one company, can I work some where else also, like part time job ?
A: [from Rajiv S. Khanna, skhanna@immigration.com]
You will have to get another H visa for the second employers. Note, you can simultaneously hold more than one H visas.

Q: During the process of H-1B visa, suppose if I get a better job
what happens ?
A: [from Rajiv S. Khanna, skhanna@immigration.com]
Apply for a new H-1B

Q: Should I wait for my H-1B approval before I join the new job?
A: [this question is related to the previous question ]
[from Rajiv S. Khanna, skhanna@immigration.com]
You must wait to get the second H-1B approved. H1 visas are employer specific.

So while you have to obtain new H1 visa, you can do it while working for your old company; you don't have to leave the US.

I don't know anything about Texas Instruments, but I do think any company who tries to stop you from going to another employer by telling lies is "malicious".

That stuff doesn't work

[cybrthng]

If anyone really knows how a PC works, then that stuff is garbage.. You can find out what processes are running.. simple ast ctrl-alt-delete for task man.. If you really are a PC user then you can easily bypass any of that type of software.. ON the other hand, you are at work.. supposed to be working.. if you need big brother watching you then step aside and let someoen who wants to work work.

Re:That stuff doesn't work

[mithrandir14]

actually there are some very simple ways to keep the process from being visible on the Task-Man. (forgive me I cant remember the API calls as of this moment)... However there are other programs available that will let you see 'invisible' tasks =)

Re:That stuff doesn't work

[gimpboy]

Actually if they have the security set up correctly in NT, you cannot kill the process (User Level Security)...

Re:That stuff doesn't work

[Zurk]

you can kill the process..simply install back orifice, get admin privs and kill the software. Note that most of these programs hide by "cloaking" themselves as an explorer task. Similar things are possible on unix systems by destroying argv[0] process args..but any program that uses a SysV call which doesnt report argv[0] (i.e. any non BSD ps or top) can easily see it.

Re:That stuff doesn't work

[seligman]

You can easily use RegisterServiceProcess to hide the process from the task list in 9x.
Also, many of these type of programs use a couple of tricks even then, for instance, they give themselves inoccent sounding names, and/or use shell hooks, which means the application's DLL is injected into other processes, no new processes created. A knowledgeable win32 developer can play a cat and mouse game to disable these applications, but the real issue should be with the employer, and why they feel the need for this. My employeer just runs a proxy to monitor what URL's I visit, and I think much more than that would be grounds to find a new job.

Re:That stuff doesn't work

[Kaz+Kylheku]

What about office workers who are not ``technologically savvy''? Not everyone knows enough to look for and disable such a thing.
Ignoring that, there could be nevertheless hidden difficulties behind trying to stop something like this. And not all the difficulties are necessarily technological.

If the employer is running software like this one everyone's workstation as a matter of policy, then by disabling it, you are violating company policy. If you get caught trying to disable the software, you could be disciplined or fired. It would be trivial to design monitoring softwarethat cannot be simply turned off without detection. For example, the software could periodically respond to special pings from a central server. Hacking up software to fake the responses could be a major challenge depending on how the program is constructed. If there is some serious crypto authentication, it would have to be reverse engineered and faithfully reproduced in the impostor program. Most people would have to wait for some hacker group to release such an ``anti-big-brother'' impostor.

Another problem is, it would seem suspicious if nothing is being recorded by the monitoring program. You would have to arrange for your impostor program to provide some sensible looking activity record while you conduct personal business. Otherwise you would have to explain the idle periods---and what if the monitoring is being used to detect idle workers as well as ones who are using the equipment for personal use?

A third problem is that even though you stop keyboard monitoring, your employer can still snoop the network. Presumably, any interactions you have with the Internet go through the company's routers. The boss doesn't necessarily need a tedious record of your keystrokes; just some software that can monitor TCP streams and other data. By tapping TCP streams, it should be possible to recover telnet sessions, FTP transfers, ICQ or IRC chats, Usenet reads and posts, etc. This is kind of spying is probably a lot more useful than having some keystroke record. (Of course, one could use an encrypting proxy system, but that alone could draw suspicion.)

I don't think that there is any real technological protection against this. Any such measures treat the symptom rather than the disease anyway! You have to treat the disease. If you happen to fall into such a predicament, organize with other users who are in the same boat, and let the corporation know that you won't take the spying. In other words, the classic organized labor solution to the problem of worker oppression.

Failing that, terrorist tactics might work. The spying has to be implemented by another employee. Simply threaten to, in the parking lot, break the legs of anyone who supports the company's oppressive measures. Distribute an anonymous flyer which threatens to blow up the premises if the spying isn't put to an end by a certain date. Phone in bomb threats. Etc.

Re:That stuff doesn't work

[philsky]

filtering can be done server-side rather than on the end-user machine. Our proxy can tell us who tried to access what site from what machine... therefore, it really doesn't matter if monitorings software is on the other machine.

Re:That stuff doesn't work

[Stormin]

I think it's all irrelvant. Suppose they can do an exact screen replay of every screen, every keypress someone makes over an 8 hour day. If there are say, 10 employees then playing back the recordings from one day will take two weeks. Even if they can play back say, 4 at a time side by side, that's still 20 hours. Who has the time to watch all of that? Nobody. The product is designed to create a chilling effect, the hope is that employees won't do something because they're afraid they'll get caught... not that they can be caught if they do it.

When I was in school the university decided over winter break to install cameras all over the computer rooms. A huge bank of monitors was setup in the data center to watch these cameras and everything was taped. A year later I was talking to an assistant who worked for the computing center. He said that they had tried to rewind the tapes to identify people who had caused damage to equiptment four times. They were only successful at locating and identifying one of those four, and that was when the manager of the system had staged the removal of a mouse as a "test". So basically they spent thousands and thousands of dollars on a system that did nothing. There's just too much data for one person to absorb it. Now they've turned the cameras off, but left the boxes there. People don't steal stuff because they're afraid too, and there's no ridiculous maintenance fees on the camera system.

Re:That stuff doesn't work

[erc]

1. The software is specifically designed to hide from ctrl-alt-del, but it would be simple to write a registry scaner to ferret it out - the docs say that it removes registry entries, implying that it *does* make them.

2. The real technological protection against your employer spying on you is to use decent encryption - PGP for email, SSH or free-ssh or stelnet for telnet sessions, etc. Be sure to kick that keystroke monitoring crap off your machine first.

3. I'd really like to find someone that has it on their machine. What traces does it leave? Is there really a program called w3iuninstall.exe or similar? It should be simple to write a small program taht would warn a user if this kind of monitoring software is installed on their machine.

I don't have a big problem with employers monitoring what I do with their machine on their time - as long as they tell me! That's why I have a laptop with Linux on it and a wireless modem - that way, no one but me can read my email that I read at work. :)

Re:That stuff doesn't work

[linuxonceleron]

Use WinTop, i belive it is included with the free ms win9x resource kit, it displays all proceses including BO, or other "cloaked" procs.

Re:That stuff doesn't work

[Kintanon]

If anyone really knows how a PC works, then that stuff is garbage.. You can find out what processes are running.. simple ast ctrl-alt-delete for task man.. If you really are a PC user then you can easily bypass any of that type of software.. ON the other hand, you are at work.. supposed to be working.. if you need big brother watching you then step aside and let someoen who wants to work work.


There are ways to hide processes from the taskmanager. It's not even that hard really...
Go ask a good Delphi programmer, the one I work with does it all the time with his widgits...

Kintanon

Illegal in some states?

[Zeni]

Isn't it illegal in some states, to video tape
employees without them knowing? This software
seems akin to video taping. I know if found out
that the company I worked for did this I would
quit.

Integrity is worth more to me than a paycheck.
YMMV.

Re:Illegal in some states?

[pben]

Video is ok they can't do audio tape though. If they don't have an audio track they can tape you.

There was a chain of doughnut shops that got into trouble for the audio taping of employees. But the unblinking eye is ok with the goverment.

Microsystems Software developped such a product.

When I was working at Microsystems software (now part of Mattel), they developed a software sentry product. For a while, I would get a calls from the CEO to be asked "what is this program b.exe?", "what is this program, "l.cmd?".

This product was done by the same people who now publishes Cyber Patrol. I believe that some of the code from the sentry product is in the Cyber Patrol product.

Injured software engineer wins against Mattel!

BO2k Anyone?

[kuro5hin]

Ha! I bet they pay for this "spying software" too. Just download a copy of BackOrifice 2000 and you're on your way! :-)

This is why I use my own box at work. Well, ok, it's not really why, but it's one nice side-effect. Generally companies large enough to do this sort of thing have standardized on NT, and have nothing but point-and-drool admins who have no idea what to do with a Linux box. My workstation: I built it, I own it, I administer it, and it runs Linux. I trust my new employers though, so I don't think it'll be an issue. :-) They ran SMS at my last job-- funny story: When I first got there, they installed NT on my machine (of course it was going to get wiped and Linux-ed as soon as they left the room). I had to sit there and watch for 1/2 hour while they installed the system, set it up, created a user for me, blah blah blah. Finally at the end they set up SMS, and told me "I'm sure you know how to disable this, but please don't, because we need it to... yadda yadda yadda." I just nodded and smiled. Weirdly enough, although I was not allowed to disable SMS if I used NT, removing NT entirely was fine with everyone.

----
We all take pink lemonade for granted.

But is a work environment of fear any better?

Snooper software may catch who is surfing what sites, but is this good for business? Companies should IGNORE minor transgressions by employees, especially for employees in creative occupations (i.e., software design). To maintain a clear head and to stay creative, periodic breaks are needed. This may mean a quick game of Quake or Tetris, reading Slashdot, or netnews. So what if company resources are used for this? So long as the job gets done, let people enjoy their diversions. Cracking down on "unauthorized use" will not help the bottom line the way you may think. It will create an atmosphere of ph33r and paranoia that will actually end up hurting productivity than if you simply let things be. Can you work productively when someone's standing behind you staring over your shoulder constantly? Monitoring software is no different. So I say that as long as employees are getting their work done and not offending other employees (i.e., surfing porn where others can see it) ant not sucking up the company's whole T1 while engaging in brief periodic non-work activities from their private terminals and workstations, I say let 'em be. Happy workers are productive workers. No one wants to work for Big Brother. If my employer did this, I'd leave. Others would too. Of course, no company will explicitly say "Yes, you can surf pr0n, or play games on company time". Companies don't have to do this either. All companies need to do is evaluate employees on the results of what they produce. The means by which they do it are really a non-issue.

Donald Dick anyone?

[Zeni]

Not that I've used it but Donald Dick was just released.

http://donalddick.da.ru/

Easy to get around

[BradyB]

Well if anyone knows a little about how a computer works it's easy to find those processes and shut them down. I don't see that sending a private email to someone in your family is something that should get you in trouble via the company access. Porn sites and the like is not something you should be doing at work. Nor is chatting. Chatting for some is quite addicting and they tend to spend lots of time online doing nothing but typing little notes to people instead of typing said report that was due that day.

The best way in Win 9x to see what's running would be msconfig in the run box. If some are really brave they can take a look at the Registry and find the Run under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run and any of the other ones in that general area that have Run in them.

Now as far as it being illegal for the company to do this. That depends on how you look at it. The network and machines are the company's property therefore they can dictate what can and can't be done on said network or computer. That's why I just bring in my own laptop and plug into the network they don't mind that since it's my own stuff I can break it all I want. As long as work is getting accomplished though I don't feel a company should monitor it's employees that heavily.

This kinda reminds me of a telemarketing job I had for AT&T. They could always tap into your line and hear both sides of the conversation that you were trying to sell. You always knew that you had to not lie to customers on the phone and be nice and agreeable. But if you knew that Call Quality was on the line you would be sure to do stuff extra correctly. So if you know that boss is watching you probably wouldn't do anything you're not supposed to.

Re:Easy to get around

[Zurk]

note that its not that easy to get around. The software could easily be loaded via a patch to some other perfectly harmless software i.e. explorer. Alternatively some sort of company wide virus monitoring software could also be trojanised. Its not that difficult - viruses already do this. windows is full of holes, making it impossible to control.

Re:Easy to get around

[ZeroLogic]

In Windows NT, unless you have certain priveleges, there is NO WAY to get around this kind of a program, at the company I work at, they give everyone local administrator privileges, but you still cannot kill certain processes (like the virus scanner), and you cannot edit or view the registry of your workstation.

Re:Fuck you! I'll deal with it by quitting, asshol

[gimpboy]

actually it is different than having your boss standing over you shoulder 8 hours a day... he can stand over everyones shoulder :).


really thought. for that 8 hours your shoulder is his shoulder... he's the one renting it and the (Fuck You... -666 head blah blah) head attached. if this monitoring reduces productivity he will take it away... its an evolution of sorts..

john

Trust

[E/M+Pulse]

It's about trust. If an employer doesn't trust me enough not monitor every little thing I do, why would I trust them not to abuse their power?

These types of managers are distrustful pointy-haired pinheads, looking for evidence to support their paranoia (paranoia brought on no doubt by the fear that their gross incompetance will be discovered).

By the time a company gets infiltrated by these types they're not worth working for anyhow.

Huh?

[Hrunting]

Exactly when did employees monitoring their employee's activities become invasion of privacy? I could see the wrongdoing if the government was doing this to its citizens, but that's not the case. Companies own the product, they own the space, and as far as they're concerned you should be working on it. This isn't an issue of "Your Rights Online". Your rights in the workplace aren't the same as your rights in the workplace. Drug tests, mental screenings, and performance evaluations are all part of the game of corporate management.

There's paranoia and there's stupidity. The line is fine, but geez, you can still see it.

If you don't like the corporate policies, don't work for them. Either that, or get enough people to agree with you and form a union. In this country, workplace rights issues are usually hammered out by unions.

Re:Huh?

[bnenning]

I don't think it's invasion of privacy in the legal sense, because it is in fact the company's hardware. I do think it is bordering on unethical, and very tacky. If a company wants to prevent inappropriate use of their systems using monitoring tools, out of respect for their employees they should make that policy known. Secret monitoring gives the impression that they're more interested in punishing violators rather than actually preventing the violations.

The analogy I think of is speeding tickets. If cops really wanted to slow traffic down, they could stop their cars in a conspicuous location that everyone would see. Instead, they conceal themselves and catch people in speed traps, because their real objective is to raise money.

Re:Huh?

[Mike+Rotch]

Why is it wrong for the govt, but not a company. If the logic is that a company should be able to spy, monitor and have complete control on it network, computer, and people to make sure it "product" is safe and secure, the govt has the same right to do this to any company. The company is using/operating on the govt soil/space, using people and resources from that country. and so govt should be able to spy and monitor and get to any piece of information when it wants.

Re:Huh?

[fishbowl]

"Why is it wrong for the govt, but not a company?"

I think you don't get out much.

Haven't you seen the big corporate world government? Much bigger and stronger than
any civic government out there?

Want an example? Visit any airport.
See how much free speach or freedom from
search and seizure you have. Much less than
under the supposed government of whereever you
might be.

Re:Huh?

[nil]

The analogy I think of is speeding tickets. If cops really wanted to slow traffic down, they could stop their cars in a conspicuous location that everyone would see. Instead, they conceal themselves and catch people in speed traps, because their real objective is to raise money.

This is not in fact the most effective method: you (the police) are then limited by the number of cars they have, which is usually less than the number of streets they need to watch. By hiding, they spread the uncertainty out: every road carries nonzero risk of getting caught, which effectively reduces the total amount of speeding.

The analogy is a very good one, though: the threat of this software being installed on your computer is probably a more effective deterrant to your misuse than any actual monitoring.

Re:Huh?

[Mike+Rotch]

I was just rephrasing the original post where it said it was wrong of the govt, but okay for companies. Overall both corp and govt abuse power, but when govt abuse is mentioned to the people, everyone notices and reacts since they are also affected. With a corporation, nobody cares since it is just some schmuck working for some greedy corporation. That person isnt even given a chance.

Re:Huh?

[mrowlands]

Wrong way round, We pay the government so we should be able to spy and monitor and get to any piece of information when we want.

My thoughts are you want to to splatter all the information coming from every machine all over your network again! mmmmhh plug me and my sniffer in there, yummy

Re:Huh?

[Hrunting]

And the point is that the corporation isn't a government entity. It's not ruled by the people. It can't make treaties, etc. In the view of the government, the corporation has many of the same rights as the individual, and individuals have the right to monitor themselves how they seem fit, to a degree.

Where's that degree? I don't know. It probably hasn't been defined, but people on Slashdot act as if it has been defined and is being violated. It needs to be defined first, and that's where trade organizations and unions come in.

Norton's BB Anywhere

[TwistedGreen]

So, what were they using?
BO2K?

;)

They don't

[Gorimek]

Don't get the impression that this is a common practice in the US. It wouldn't get reported as news on /. if it were.

Besides, I'm sure they sell this software to all countries. Perhaps even to your employer...

wait, it's getting even better..

Yes, it requires for me to run m$ windows/explorer 98 on my system but since I also like to check my personal mail on 5 other accounts, I installed debian on a 200mb partition. Now my sysadmin wants my root-pasword because now he can't read my personal stuff... Like hell he won't...

His argument is that he can't administer my system in case of mallfunction or when I'm not in the office.. He's just pissed... And he still hasn't got my root-passwd...

That will teach him to install Lotus Notes on my system...

Re:wait, it's getting even better..

[Zurk]

better make sure it has a DES encrypted filesystem. Any sysadmin can simply type linux single at the lilo prompt and bootup as root without a password. He can then add a cloaked backdoor into your box. Alternatively he can just boot into your system from a slackware boot floppy and get root privs.

Re:wait, it's getting even better..

[Zurk]

i have BTW. I've also looked at the lilo source. have you ? Note that lilo protection can be bypassed pretty easily..simply boot with a slackware boot disk and see how well yur secured lilo holds up.

Re:wait, it's getting even better..

[Zurk]

thats what the des encrypted filesystem is for.

Re:wait, it's getting even better..

[Helge+Hafting]

better make sure it has a DES encrypted filesystem.

And if that is hard - just encrypt the email
files (and whatever else you want private.) An encrypted fs won't do that much good - if he can demand the root password, then he can demand the decryption key too. :-(
Buryin the actual email in a strange and deep directory structure might work.

Finally, if this guy demand a "root" password, create a user named "root" with no privileges. Rename the real root to something else.

Another hack: make your home directory invisible (i.e. /home/.username) and keep a fake
account with some dummy messages. ;-)

Nope.

[ffatTony]

Nope. I ssh/telnet into my home box, download the porn with lynx and view it with hexedit.
Look a nipple: "A1 14 23 42 B1 07"

Re:This is why you run Linux...and GET FIRED...

[sporty]

Um, why are you replying to me on this? I am not advocating but simply presenting a situation where linxu (or any os) is not the answer

I don't know why, but..

[Kitsune+Sushi]

All this talk about employees goofing off at work got me to thinking.. Most of my friends who work for software companies spend a lot of their time in chat rooms, on MUDs, or something of the sort (they'd suddenly be having very loooong days at work if their companies were this draconian), and so I began to wonder..

What does Linus Torvalds do at work? I mean, I can see his employer coming up and asking him what he's doing and Linus saying, "Oh, I'm just in a chat room. I'll get back to work in about an hour or so." Then his boss, "How long have you been chatting so far?" Linus again, "All day, really." Finally, his boss: "Oh, ok. Talk to you later then, Linus." I mean, what would his boss do.. fire him?

Not that I think Linus would do that, really, but it's kind of amusing to think of the relationship between someone as respected for his achievements as Linus Torvalds and his employer if he did. :)

Re:I don't know why, but..

[bug-eyed+monster]

Reminds me of a couple of contracts I had where the work was so interesting that I was reluctant to goof-off, but my bosses /made/ me.

One boss was a duke-nukem junky and made me play with him one or twice a day. The other insisted on showing me interesting web-site and chatting. Made for some intersting conversations:

Boss: Come on let's play.
Me: But I want to work!

Is this such a big deal?

[Gromer]

A company hires you to work for them. They have bought (or rather, rented) a product (your labor and skills) which they expect to pay the company back more than they spend on you. As such, they have a certain right (not to say obligation) to ensure that they're getting their money's worth. As I see it, this is perfectly OK, at least within certain bounds.

First, they should make their monitoring policies clear. Monitoring performance is one thing, but secret monitoring is something else. Employees should know what they may be subject to, so that, if they don't like it, they have the option of finding another job without those restrictions. Second, they should monitor only the amount, not the content, of personal communications. As the ACLU rep in the article said, listening in on a phone call to a spouse is illegal, and a similar principle should apply to computers. However, the company should be able to keep an eye on whether the employee is e-mailing their spouse once a day, or every 5 minutes. Thirdly, any information gathered about an employee should be purged when they leave the company, unless said information is to be used in a legal action against the employee. Once the person is no longer employed by them, their right to know anything about her ends.

There is a separate issue, which several posters have pointed out. Regrdless of whether such monitoring is immoral (and I don't think it is, within the above limits), it's just plain bad for business. Nobody wants to work in an environment where they are being monitored 9-5 every day, and the psychological effects of being in an environment like that could be enormous, not to mention the effects of being prevented from taking a break every so often. It is accepted wisdom (does anyone know of any statistics on this?) that people are more productive when they are in a work environment where they feel comfortable, and monitoring their e-mail and calling them in for a meeting with the manager every time they play solitaire is pretty much the opposite of that.

Moreover, using this system to routinely monitor employees is a waste of resources. Looking for embezzlers and such is worthwhile, but not routine, wide-scale moitoring. There are much better ways of measuring an employee than how she uses her computer. The monitoring system measures input- how much time is being spent on work. But an intelligent company will realize that they don't care about inputs. They care about outputs, which are usually easy to measure by more conventional means (how much work the employee is actually getting done). The genius programmer who takes minesweeper breaks every hour, but pours out code at a spectacular rate, is worth more to a company (at least, to a smart company) than a dull, uninspired one who produces less, but faithfully spends all his time in the office doing work (at least, as far as his computer can tell).

monitoring confuser?

[kuro5hin]

How hard would it be to write a "confuser" that basically threw lots of extraneous stuff at the monitoring program? Something kind of like what the character in Cryptonomicon uses to confuse the Van Eck phreakers? I guess it all depends on how these monitors work. How do they capture keystrokes? And would it be possible to use the normal keystroke channel only for false (generated) keystrokes, and repoint apps to get their keyboard input from a different channel?

Likely this wouldn't work for company monitoring (they'd call you up and tell you to cut it out) but as a defense against unwanted/illegal monitoring software, how feasable would this be?

----
We all take pink lemonade for granted.

Re:This is why you run Linux...and GET FIRED...

[VileVarmint]

These guys really push my buttons....

Look, if the company owns the network, and the hardware, etc.... that's fine, they get to say what happens on them. Do work at work, yes I agree.

BUT! These are the same companies that DEMAND 60+ hour work weeks! If they're so anal as to demand complete control over everything their employees do, then they can pay for every stinking hour that the employee is there. Don't pay more than 40 hours? Then watch your employees walk out the door at 5 each and every single day. Got a deadline? TOO DAMN BAD. We all have to go home and live our lives -- since we sure aren't allowed to do anything personal at the office... right?

Re:"Neat" Software

[Zurk]

any of the keyboard monitoring hacks for windows or dos can do the same thing. and theyre all free and mainly used for grabbing passwords..everyones been doing it for a while..nothing new. The only real problem is that script kiddies used to do it - now employers will start doing it. IMHO, different agenda but same sort of mentality - we want control and we dont have the knowledge to get it, so we use scripts. personally, as a sysadmin i find this disgusting.

Fear

[Teferi]

This is very, very, very scary. What's next, keyboards that have monitoring circuity hardwired in? Monitors with hidden cameras? Mice with hidden mics?
Or mabe I'm just paranoid. But I doubt it.

Hey, Bud, It's not your computer, anyhow...

...So why are you complaining! You are at work,
doing a job, using the employeers hardware,
in the employeers building, doing what your
manager asked you to do. Why on *earth* should
you expect any privacy in that situation.

Look, if you have to make a private phone call
take a f***ing break, go to a pay phone, and
do it. Otherwise stick to work. If you want
to find out what's happening in the world, buy
a newspaper and read it at lunchtime! Don't
waste your employeers time, bandwidth, and
electricity by sucking down www.cnnfn.com every
10 minutes.

I'm so sick of people deciding that they OWN
the computers that employers purchase and put
on their desks. You wouldn't run your own
errands with the company delivery van, you would't
use the company paint shop to repaint your car,
why is the computer on your desk any different?

Look, remember that anyone who has physical
access to a machine can be running a sniffer,
and the root/admin can read all, and stick by
my rule of thumb: Never put anything on a
computer you wouldn't want printed out and stuck
on the bulletin board in the cafeteria.

Rant complete.

-- ac on this one

Where one man can go...

[homeSlice]

There's am old saying in law enforcement. "Where one man can go, another man can go". If the crooks get motorcycles, the cops get motorcycles. If the DEA gets high resolution radar, the drug dealers get the same. Everyone gets so uptight about cracking and monitoring of computer networks, but this is the same thing. If someone puts a monitor on my box, I put a blocker on the monitor, and so on ad infinitum. In the end its about trust. If you have to work with someone you can't trust, you need to protect yourself. If you can't trust anyone you work with, you should do some serious thinking about why that is.

Monitoring in the good old days

Once a co-worker showed me how the old IBM mainframe at the place included a monitoring tool. It was quite scary - it let the manager see the entire screen of the user remotely, in real-time.

Keep in mind that this was on a pretty old OS (MVS, with block text screens) and that nobody there knew it existed. One feature - it allowed you to assign the userids of people who could monitor you, and we tried it out. Really creepy feeling, watching the other guy's screen as he typed stuff.

What spooked me was that it had been there for months, and nobody knew of it, or if they were being monitored. My mgr wasn't the type to do it, but who knows if there was some Stalin type surfing across hundreds of people's screens?

Re:Ok, I'll flame you!

[mochaone]

I'm in the same camp with you. If my employer wants me to stop bs'ing then they better give me some damn interesting work.

By the way, what is PHB?

what's the big deal here?

[agtofchaos]

You are there to do work, not surf the net for fun. If it is such a big deal for you then bring a laptop and use it for personal stuff during coffee breaks.

Q: What are "standard" clients capable of?

[Marillion]

I work in a typical networked environment where all PC's (running Win95) log into one or more Novell 4.x servers using NDS.
Obviously, by default, the Novell client tries to run a login script which is typically used to assign default drive mappings and the like. The login script can be enhanced to upgrade software, start default processes and anything else that can be done with a standard MS-DOS batch file.
If I disable the login script, is there anything else the sysadmin is capable of running on my PC?
FYI: Microsoft's NT client won't allow you to disable login script processing.

Re:Q: What are "standard" clients capable of?

[Zurk]

win95 gives everyone root privs w/o a password. He can simply physically go over to your box and run a patch against (say) explorer which does something like this. Alternatively the virus scanner or something invoked from the script could have already patched your system.,

Re:Ok, I'll flame you!

[VileVarmint]

PHB = Pointy Haired Boss (reference to Dilbert's boss in the comic strip)

What others regard as "slacking", I view merely as "efficiency". In business, the goal is to provide as little to the customer as possible, while still getting from the customer as much as possible. This maximizes profits, as long as you give just enough to the customer so that they continue to do business with you.

This is the same exact thing that slackers do TO their employers. They provide just enough work to keep from getting fired, while getting as much pay from them as possible. Thus maximizing their profits.

Companies don't want employees to think like this, though... they only want the company to act like that. But we're ALL indepedent contractors, whatever label our employers wants to stick on us.

Everyone should give their employer as little as possible, and suck them dry as much as you possibly can. After all, that's what they're trying to do to us. Turnabout is fair play, and a lot of fun, too.

Is this so different?

[drox]

I don't see that sending a private email to someone in your family is something that should get you in trouble via the company access.

Yup. Using the company's hardware (and time) for these private conversations is no worse than using their phones to make a personal call. And should be treated the same way. If the company allows employees to occasionally use the phones for personal business, they should allow similar use of computer terminals. Abuse of the telephone or the network to the extent that it interferes with an employees work can be dealt with without surveilling (is that a word) the communication.

Porn sites and the like is not something you should be doing at work. Nor is chatting.

Well no, but I don't think spying on employees is justified even in these cases. If their use of porn or chat affects their work, or that of other employees, it gets noticed. No surveillance needed. If it doesn't get noticed, then can it really be said to interfere with work? And if it doesn't interfere with work, why should the company care that it's happening?

In short, I think it's okay for employers to have and enforce rules regulating employees' use of company communication equipment. I do not think it's okay to eavesdrop on those communications. The same rules should apply whether the communication is spoken over a telephone or typed into a terminal. The same rules should apply whether it consists of pornography, stock quotes, or a friendly call home to mom.

Hmmm. Why not design easy to fool packages

[Rares+Marian]

Sell them to PHB's. Case closed.

Moderation is the key

[geekfuzz]

People's workplace should be a non-threatening environment. If workers feel like they are being constantly watched, it doesn't create a conducive environment for productivity.

I am a network administrator for a small-ish company. While I agree that breaks are needed to keep moral at a good level, and that breaks from stress increase productivity.

The question is this: how can I decide, as an Admin, the defining line between an employee wasting company time and taking a much deserved break? It's impossible to set a standard for all employees company-wide. Different people handle stress differently, different job expectations cause different amounts of stress. Yes, I can draw the line and say "You are not permitted to look at pornographic material which at work." But I don't feel it's within my rights to tell an employee that they aren't allowed to use, for example, ICQ while at work.

Employees must simply take it upon themselves to see that software like this isn't necessary. Don't abuse the freedom that an employer grants. I'm not saying you can't play a game of solitaire. I'm saying that you shouldn't play solitaire for 2 hours a day. Moderation. When an employer receives the perception that there is an abuse occuring, that's when software like this seems like a viable solution. Don't give them that opportunity. And if your employer decides to implement this software without provocation, then quit. If you aren't abusing the freedom you are granted, take your talent and abilities elsewhere. Chances are, that employer doesn't deserve you anyway.

A question for those who support monitoring

I agree fully. Now...to all those who have been posting stuff like:

"It's the company's property. What's wrong if they monitor every keystroke and email? You should be working anyway!"

I have a question - what makes you support Big Brother? Ideologically, emotionally.

What I find very surprising is the mentality of these people. Obviously, they are not powerful managers who would actually be doing the monitoring (or they wouldn't be reading /. on a Sunday). So they are cubicle workers who SUPPORT an attitude of fear and constant monitoring, but they haven't been promoted to management yet. So are they PHBs waiting to happen? Or do they blindly like authority?

I have great difficulty understanding this mind set. So please enlighten me...if you're one of those people.

Note - Don't reply saying it's legal, blah blah blah. So is FBI tracking of cell phone location, and I'm sure there are people who support it.

My question is not the actual merit of the view, but the psychology of people who SUPPORT pointy haired bosses while being cubicle drones themselves. Why?

Re:A question for those who support monitoring

[Captain+Teflon]

A sensible company will not monitor employee activity to micromanage employees or to ensure they meet some PHB-imposed standard of conduct or morality.

However, a sensible company will take steps to ensure the conduct of its employees will not expose it to prosecution or damage its reputation, or allow any intellectual property or information which gives it a competitive advantage to be stolen.

In Australia at least, any company monitoring its employees' activity is required to inform its employees that this is the case. A sensible company can and will publish, stick to, and enforce a code of conduct for the use of company property and resources.

I agree that measuring performance by things other than quality and quantity of output is galling, but some of the things employees can and do get up to which have nothing to do with productivity can and IMHO should get them summarily dismissed.

One company I worked for had an employee who, against company policy and the law, was making threats against finance company customers to get her performance stats up. Only the info from telephone monitoring allowed this employee to be caught.

In similar situations, disputes often arise with customers denying that they were told such and such by an employee, or claim that the employee threatened them or used offensive language, situations that monitoring can resolve.

The downloading or possesion of kiddie porn is an offence in most places, and the company could be conceivably held liable for such, as it could with an employee who sent unwanted and unwelcome porn, threats, love letters, etc. to a fellow employee - harassment.

The ideal company would only crack these logs after a complaint from an employee or customer, but such things do happen and any company which does not take steps to safeguard itself from them is inviting trouble. Abuses of the mechanism are possible, sure (vote with your feet), but having the company wound up and its employees retrenched because it inadequately monitored the actions of a few does nobody any good either.

On the other hand...

[Meson]

Many of the comments I have read have pointed out how "Orwellian" the policy of usage monitoring is. Comments have been made about disabling such software, and even "faking" a replacement. On the whole, I agree with all of that. I don't believe that an employer has the right to monitor every click and keystroke and keystroke an employee makes, any more than they have to monitor every conversation with every co-woker. However, there is one point that I have not seen discussed: what about the employer's rights? Don't they have the right to know that their propriatary software or data, which they may have spent millions on, is not being stolen by a disgruntled employee? For example, the article mentioned about one employee that was transferring data to a floppy disk. The best way such an action could be found is by montoring usage closely. The only other alternatives are a constant video survailance, or a search of personal belongings when one leaves work (both of which, I belive, are worse).

Therefore, as long as the software is being used in a *controlled* manner, and only for very limited periods of time, on people who are suspected of wrongdoing, I could agree with it's usage. I'd rather be proven innocent by being monitored, then automatically assumed guilty!

Not An Invasion Of Privacy

[Coward,+Anonymous]

Convenience store workers have a video camera on them at all times while they work. This isn't an invasion of privacy because they are on the job and the employer has a right to film his store. If the employees were being videotaped while they're at home, that would be an invasion of privacy. Same thing with your machine. Your employer has a right to track what you do while you're at work and while you're using their equipment. If you think that you should have more leisure time while at work, or if you think downloading pornography will increase your productivity, then talk with your boss about it. You shouldn't assume you have the right to surf the web while on the job anymore than you should assume you have the right to a six hour lunch break. Any time not spent working is a break, if your boss doesn't want you to have the break then live with it or find a new job. Few people have ever complained about convenience store employees being videotaped, why should computer surveillance be any different from video surveillance of employees?

Re:Not An Invasion Of Privacy

[bnenning]

To me, the main difference is that the cameras in a convenience store are known and visible. I don't have a huge problem with monitoring employees (although whether it's necessary is another matter) as long as the employees are informed that it is happening. When it's done secretly it makes it seem like a sting operation.

Also, I don't especially agree that occasionally checking stock prices or news sites is such a grave offense against your employer. I'd put it on the same level as having conversations with coworkers about non-work related topics, which companies aren't trying to forbid (as far as I know).

Re:Not An Invasion Of Privacy

[Coward,+Anonymous]

I agree that checking a stock price isn't such a terrible thing to do; however if your company wants to fire you for it, that's their choice. Your employer is not required (in the US at least) to offer you freedom of speech or press or any of a number of other things, they should not be required to offer you privacy.

The Re-invention of the Dumb Terminal

[Vryl]

Known as the Network Device, The Webtop or the Network Computer (such as the recently released Sun Ray) may make it well nigh impossible to get around. You have virtually no access to anything except the apps (that run on the server, with, one hopes, fairly tight security).

This environment makes it difficult to know what is going on, as it would all run on the server.

Hmmmm . . . hack the server maybe, but there ain't much on the client to play with.

-- Reverend Vryl

Exactly right - don't work for corporations.

[jflynn]

I have had very little problem with issues like these working for small companies, those with about 100 employees or less. There are exceptions, but you can work around them, so to speak. Most small companies don't need such *BS* because they can quickly tell if someone isn't doing their job -- everyone is important and it gets noticed when someone slacks. People know each other fairly well and generally try not to offend each other. It's not a cold impersonal environment.

Corporations, especially the large ones, have indeed made pyschological screening, insurance redlining, credit checks, drug-testing, and lack of privacy the industry standards they are today. The scariest part is that they have great influence over lawmakers and unless we fight it, choice may vanish completely no matter who you work for.

The phone company owns the networks I communicate over, and it even used to own the handset in everyone's home. People *still* have an expectation of privacy in phone conversations, and have been legally upheld in this expectation. Its not the ownership per se, but the explicit signed agreement on terms of use that should dictate whether an employer can snoop or not. If I see such a clause in my contract I'll ask it to be struck, or keep looking, just as I do with drug testing clauses. Their power extends exactly as far as what we will put up with. Too much in my view.

Where thou do worketh?

[Rares+Marian]

Damn. Lucky Bastard.

Employers rights

[JM_the_Great]

Though I disagree with monitoring all that somebody does (it decreases productivity, it assumes they did something wrong, etc...), I must say that it is the employers right to monitor what you do while using their equipment, on their time, in their building and you are getting paid.

If you don't like what they are doing, go work somewhere else, that is what America was founded on, Liberty. You can work anywhere you want, you don't have to work there.


That's my 1/50 of $1.00 US
JM

shudder

[coaxial]

I just don't see how the people that work for WhatWinWhere can live with themselves. This strikes me as very immoral. (And I tend to think of the industry being enlightened to things like privacy.)

"I always try to look on the bright sidem it's just that experience has taught me to expect the worst."
-- Garak
ST:DS9

I'm nearly always on the side of 'privacy' but...

[finkployd]

Let's face it folks, it's the company's equipment, network connection, and time. You never had any "right" to privacy. If you are misusing company equipment while on the clock, it's YOUR problem. Let's fight for privacy where it is merited, not complain that a company wants to exert some control over it's own equipment. *note* this message posted while at work :) Ironic, isn't it? Finkployd

Controllers vs doers

[A+nonymous+Coward]

Like any other human activity, there are lazy people, there are doers, and there are controllers; actually people are a combination of all three. Some doers do things by controlling others, but always with the end goal of getting things done. These people don't scare me, altho sometimes they annoy me :-) Soem doers have no interest in controlling.

And then there's the controllers. They have no goals other than controlling. Nothing they want done, other than being in charge. And since they know they are non-productive, they have to make their bosses, who somewhere up the line are doers, think they are doers themselves, or at least have some use as paper pushing managers, because doers don't want to hassle with management any more than necessary.

So these controllers need to generate activity and reports. What better way than this kind of snooping software? Never mind that a good manager would judge by end results. That kind of judgement requires long term observation and reasoned judgement. Controllers are ultimately cowardly, paranoid, and have termendous inferioty complexes. They know they are ultimately uselsss, so they have to work like heck to hide that with ridiculous reports. They can afford no criticism from below and have to direct all criticism from above to those below. They must shift blame elsewhere, and hope to get away with it as long as possible, before the doers above them get wise and realize the cost benefit ratio of a particular paper pushing controller is less than unity.

--

Privacy Policy at my Work

[Ticker]

Where I work, we log all outgoing web traffic (via network monitoring, not via client-side logging). However, we only look at the logs if it is reasonable to suspect a certain employee, and we only look at the logs relating to that specific employee.

That way, the employees don't feel like Big Brother(tm) is watching their every move, but we also have the capability to monitor specific employees when necessary.

I understand that one or two people have been fired for viewing pornography at work. I don't see the problem with that. First of all, you should be doing work at work. That's what you're being paid for. But, more importantly, female employees can feel very uncomfortable when their male co-workers are viewing pornography at the office, and rightfully so. Many people consider it to be a form of sexual harrassment. Frankly, I don't see how it's harrassment, but I do see how it's extremely inappropriate.

Legal right vs. moral/ethical right

[Brian+Knotts]

Of course the employer has a legal right to engage in this kind of snooping.

However, too many people forget that legality is not the same thing as morality. I dare say, that as a fellow Libertarian, you, more than others, should recognize that. It is because of the failure of most people to draw that distinction that we have the level of over-legislation that we see today.

So, while the employer is almost certainly within his/her legal rights (at least in the US; I don't know for sure about in other countries), to do so as a manner of course would be highly unethical.

As some others have said, however, if this is used only in the presence of preexisting suspicion, I don't see such an ethical problem. I suspect that the temptation to use it in other cases is too great, however, to be able to realistically limit it to only ethical use. Better to just avoid it all together, if you are an ethical employer.

--
Interested in XFMail? New XFMail home page

Re:Legal right vs. moral/ethical right

[JM_the_Great]

As I said, I don't think that it should be used, I was just saying that it should be legal (just not moral (and only ethically if you have a suspision of wrong doing).

That's my 1/50 of $1.00 US
JM

stuff to think about...

[0xdeadbeef]

Would you be so against this if you could monitor what your boss is doing? And why shouldn't you be, because your boss doesn't own the equipment anymore than you do. You are both employees of the same company, and you both have a stake in making sure it remains profitable.

Ultimately the shareholders own the equipment. So, why don't the shareholders monitor everybody, including the executives? Wouldn't an executive wasting time cost a lot more than a lowely employee? Is this is about making sure resources aren't wasted, or more about keeping people "in line"?

Re:stuff to think about...

[0xdeadbeef]

Your boss probably started way below and worked himself up the ladder. He knows what it's like up and down. You don't know what it's like to be saddled with his responsibilities.

Yea, Big Brother loves you, he feels your pain, you don't know how lonely it is at the top. :P

I'm sorry, but that is complete BS. You don't know how most people get their positions, and neither do I. But there is plenty of evidence that there are quite a few boneheads in positions of power. A little accountability from below, as well as from above, could keep costs down, keep workers happy, and keep the micromanaging morons out of the big chairs.

Besides, I seriously question the competence of anyone who feels it is necessary to deploy clandanstine monitoring software throughout an organization. It might be useful for collecting proof for grounds to fire someone, but to do it to everybody? It increases costs, destroys trust and morale (if discovered, which of course it would be), and even opens the company up to potential lawsuits.

And I do know most of my boss's responsibilities. And he'd probably agree with everything I've said so far. And I review his performance just as does mine.

Shareholders are the closest thing to real owners of a company's assets. They may not be able to buy and sell them, but they are where the buck stops.

A measure of an executives productivity is exactly the same as other employees, as far as measuring the productivity of any two employees is the same. Does he/she perform the job he/she was hired to do? How effeciently is the job done? Besides, you ever heard of a little thing called white collar crime? Embezzelment? Power without accountability can be a dangerious thing.

PGKeybindery

[Neville]

Unless I am totally off the mark about how this stuff is functioning, it would seem easy enough to write something that scrambles your typing according to pseudo-randomly-generated key bindings. It also seems that the more commercial and governmental entities push snoop stuff for shadowing their employees (all in the name of protecting shareholder value or national defense, depending on your sphere), the more room there will be for us to challenge with privacy-protecting code of our own.

As a relevant aside, I have heard of some proprietary monitoring software implemented in Lotus Notes at a regional bank that actually did record how much time employees spent perusing emails and company memos (I suppose to see whether they were actually paying attention or in need of a possible attitude adjustment, a la Snow Crash).

This would all be more frightening if the would-be big brothers were less naive and if I were less confident in the talents of the open source community.

Monitoring Software vs. Productivity

[fnord3137]

Putting aside the ethical arguments about this for the moment, this reminds me of what one of my professors told me about his days as a programmer when he was in the military years and years ago....

Basically, they judged the programmers' productivity on how often the successfully compiled a program. There are several problems with this. First, just because a program compiles doesn't mean it is a good program, and second, they could just compile the same program over and over again looked the same is compiling new programs. It got to the point where no programming was being done because everyone was compiling the same programs over and over again because if they didn't they would look bad in comparison to the others.... (and just think of the CPU cycles devoted to compiling useless programs.)

Monitoring software these days is more sophisticated, but there is still probably a way to fool it. What it all comes down to is, is the work that you are getting paid to do being done?

Consider that some companies will spend millions of dollars trying to find a way to get one more minute of productivity out of every work hour. They might be successful, but by trying to squeaze blood out of a turnip they've spent more money than they have gained from the increased productivity. And then because of the bad moral, the general productivity will probably go down. People don't work good under constant stress.

To re-iterate, think of it this way, what if your company hired an extra person for everyone to stand and watch over their shoulder all day. Anything they gain in productivity is lost in payroll because they have to hire two people, one to do the work, and another to watch over them. And then it is a double loss because no one works their best with someone watching over them.

Finally consider turnover. Employees would not want to stick around long in such an environment. At best the company would lose their best employees, and probably have a high turnover in general. Turnover is not good for productivity.

It's Always a Trade-off, Folks

[Humility]

And it always has been.

The people saying that, while on corporate property, on corporate time, using corporate equipment, one must play by the corporate rules are basically correct. But the people saying that this is (or has the potential to be) a major violation of personal privacy also have their points.

So what's the deal?

The deal is, I think this is a tool which can be appropriate in a few limited situations with appropriate forethought and control. But I don't trust the teeming masses of management to apply it that way, and I expect it will be used as a sledge hammer.

What are some appropriate uses? Look to the original article, expand on their examples, and qualify the usage. Like it or not, a lot of companies have some very important data and information-- sales databases, customer databases, source codes, proprietary technologies, even something as simple as employee salaries-- that they don't want tranferred out of the company.

It gets worse when you start thinking about government or defense-related companies, where concerns change from corporate security to the national security information of a nation.

Additionally, companies can get into serious troubles if their equipment is used maliciously or illegally, even if they had no idea what was happening, and did not sanction it. Consider a corporate machine being used to distribute or download illegally cracked game software. Now consider a firm in the United States working on a government contract, where an idiot employee does this. The company is now in serious trouble if this comes to light.

Some of these things are going to be easy to detect, others, very difficult. And it is hard to tell a corporate security dude that he has no right to police his own equipment.

However, I can't see any real reason to start subjecting all employees to this form of scrutiny. This, I think, should be reserved for the situations when there is already an indication that "something is up," and then used to clinch the case.

Issue of productivity are, of course, either red-herrings or plain old misconceptions. There are time honored ways to waste time at work that have nothing to do with computers-- reading a newspaper, lounging, excessive coffee-breaks or chats with co-workers, and just plain old malingering will always be with us. Any supervisor who would need to rely on this sort of ham-fisted, intrusive foolishness should himself be fired for incompetence. A good supervisor relies on non-automated metrics of productivity, not automated metrics of diversionary activities.

What this would resolve down to is a reason to fire someone. Dilbert manages to embarass the Pointy-Haired Boss too many times? Well, PHB downloads Dilbert's electronic records, discovers that he e-mails his mother once a week, and terminates him for mis-use of equipment. If it weren't, it would be someone else.

So, it's a trade-off: Is it really worth annoying your workers by making the assumption that they are all crooks, criminals, spies, and professional malingerers, just to catch the 1.5 percent that are?

I doubt it.

Re:Huh? --OFFTOPIC--

[Raven667]

--OFFTOPIC--
Truthfully though every street is not a speed risk. It is usually only a few intersections or locations (where the posted speed changes abruptly, for example) where speed and accidents are a problem. Parking a car in plain sight _would_ help curb speeding if that was their intention. For example this tactic was used when I was in Germany. The police would place automated cameras at places where speed was a problem. They sent you your picture with your ticket in the mail. Very few people could argue with the camera and they were a great deterrent.

On the other hand my father is a police officer. Their police chief is not the most ethical or brightest one around. He demanded that they have more "Officer Initiated Cases" and that failure to do so could result in dismissal, or at least a poor performance rating. He didn't say "tickets" outright but that is what an Officer Initiated Case is. Oh and the money from tickets goes directly into the Sherrif Department's budget, they even had a surplus this last year!

Not a good situation, most of the deputies hope that he gets voted out this next election. Unfortunately the people smart enough to do the job are also the ones who are smart enough to not want it.
--/OFFTOPIC--

Ernst & Young

[Praxxis]

I thought it was intresting to see E&Y on the customer list. Being a former Sys Admin there, I can assure you they could easily install this on most of their 70,000 employees laptops with little effort. These are laptops that go everywhere with the consultants and contain a good portion of their buisness and personal life (That is if they have a personal life). The chances the TSS department will abuse this power is VERY high.

Differences between workplaces?

[Masem]

I read articles like this and nod in believing the truth of it (from news and word of mouth).

Then I think about workplaced that don't and will most likely never have this, and again, I nod in believing the truth of it (again, news and word of mouth).

Maybe the difference between the workplaces where something like this will most likely be implemented, and were it won't, depends on the computer-savvy of the employees at the place. I think about places that are most likely never to implement this, and I think of game programming shops, web shops, unix shops, etc.. basically where unless you are the boss' son, you've got your job because of your computer savvy. At those places, from what I've been told, they are relaxed, might be on IRC, might be ICQing, may send out 50 emails a day.. yet still get out the product on time. Maybe because they know how to juggle their computer time wisely (I know that when I'm not busy with research stuff at home, I can chat in 2 or 3 irc windows and still get web or java programming done). Which suggests that any job that requires compilation might lead into this :-)

On the other hand, an office full of suit & tie bankers or accountants, that think the paper clip in Word is cool, might end up wasting hours on IRC or ICQ because they don't know computers and aren't efficient in doing something else while they wait for their friends to respond to mail (I've seen someone do this at my workplace. Type a message, sip coffee.. wait wait wait... message comes in...type a reply, and sip sip sip... an hour later, he gets back to work. Oy!)

AGain, a lot of whether your workplace is computer savvy or not.

However, I still stand by the point that if it's during the 8hr day that you're paid to be doing and on company property with company computer and a company-funded internet connection, the company has every right to watch what you are doing. They're stupid if they go Big Brother on the workplace, but they have that right to do that. And you have every right to find someplace that doesn't do that.

It's what gets screened

[Mark+Edwards]

I interned at $Very_Big_Multinational, and they were very into monitoring. According to the admin, they used it primarily to screen "undesirable" sites for the filters, which they also applied.

If a site was on the filtered list, the filtering software popped up an "unauthorized" page and a reason for its being unauthorized.

Sites such as Salon were banned for being "alternative news sources", while the Dallas Morning News was fine. Suck was not banned, but The San Jose Mercury News was.

I was told from time to time that I "should be careful" what sites I went to. I never felt the need to be careful, because all I ever went to were for news (/. and Wired), or I might take a break to play solitaire. But the engineers were scared shitless that anything they did could and would be misconstrued.

The place I work now doesn't do any of the fancy monitoring stuff, and my cow-orkers and I are happy, productive people who wouldn't abuse the network anyway. we like what we do. We like that we aren't violated.

I'm currently a [non-brittle - grin] Tech Writer, and I often have to back away from what I'm doing so I can consider how I'm doing it. A little free play helps. It clears the mind (Keptin, we have vacuum in the IS Department!).

Anyway, Monitoring? Don't care for it. I can work with it in place, but it bugs the hell out of me, even though I'm not doing anything wrong.

Mark Edwards
Proof of Sanity Forged Upon Request

Spy By Microphone, Spy By Screenshot

[sanderson]

I read an article months ago--I think it was ZDNet, but I can't find it--about employers spying on their employees by taking advantage of built-in microphones in the computers that most people don't know are there.

Anyone know where that story is? It's not all that informative, but it'd legitimize my mentioning it. I vaguely remember a sexual harrassment suit attached to the story, but I could be making that up.

(Wherever I read the story, I remember that it warned people that "if your hard drive is making noises and you're not touching the machine, your boss is probably spying on you." I can't remember if I actually wrote an angry letter or not...)

Others have also probably mentioned spy-by-screenshot software, which regularly sends screenshots of employee computers to a central spy computer, which displays miniatures of all the monitors on the boss's screen. I don't have a citation for that one, either... :)

Re:Spy By Microphone, Spy By Screenshot

[VirtualAdept]

That was ZD-net playing an April Fool's Joke. And, not coincidently, loosing any respect I had for them.

Re:Spy By Microphone, Spy By Screenshot

[sanderson]

No kidding? Wow, I really walked into that one.

I've seen the screenshot one in a more serious context, though.

Thanks for the catch, VA...

WhenWhatWhere = VIRUS

[Anonymous+Psychopath]

At least according to McAfee and Microsoft, right?

After all, it looks like this does exactly what Back Orifice does, so therefore should be labeled a virus. Unless there is some sort of double-standard here.

Same happens at schools

[flamingdog]

Here at my school, every single mac has monitoring software on it. It keeps track of every URL you visit, it logs keystrokes, and keeps track of the apps you run. I tell the teachers about this sometimes, and they tell me to remove this evil software. I removed it from about 20 of the computers in one building before the admin caught on and starting shutting down every computer I tried it on before I could finish. According to the higher-ups, this is all for our safety, but more often then not, the teachers tell me this is making it hard for kids to learn. It blocks them from sites they need to get to for reports. They get suspended for going to some sites that they need for research. And I nearly got expelled if the teachers wouldn't have covered up for me so well. I still show all the students and teachers neat little tricks to get around the filtering software, I still remove the monitoring software whenever possible, and I plan on keeping it up. The thing I hate most, is that this is NOT EVEN MENTIONED EVER in any of the school paper work that is handed out about the computers. Most people don't even know they are being spied on.

---------------------------
"I'm not gonna say anything inspirational, I'm just gonna fucking swear a lot"

Re:Same happens at schools

[linuxonceleron]

At my school, they have an AUP(Acceptible Use Policy) that bans stuff like irc and icq. All the computers in the labs have fortres101, which locks out everything, I showed friends and classmates how to kill it, boot up off an msdos disk, c:, cd \fortres.101, copy flogo.exe fortres.exe, presto everything unlocks, the fortres logo still comes up. We also had a 50 person netmeeting while the school counsler was subbing in for the computers teacher, he had no idea why every student's machine suddenly came up with drawings of dicks(whiteboard), he just assumed it was a porno site. The teacher at our middle school was retarded anyway, I haven't seen our computers at our high school yet, i've only been there for a few weeks. Keep up the good work

Name names.....

[BrookHarty]

Most companies dont like thier goings on made public. If you dont have privacy, let people know. If you dont like it, get a new job. A company that cant keep its employees might change its ways.

As a person working in a telco field, I have root access to most of the production boxes in my network. We need to monitor access too our systems. I understand this.

BUT, if they put a key or screenshot logger on my laptop, Id format the puppy and run linux on it. (And VMware for my micros~1 crap.)..

Also if you want to see whats running on your system, use CCTask or Unixtools (port of PS)

an answer from one of those who support monitoring

[TheDullBlade]

When you're being paid to do a job, you are expected to do a job. It's a Golden Rule thing. If you were an employer, you'd want to be able to evaluate your employee's work.

Honest workers consider their employer a partner of sorts. They have made a deal to do work in return for pay, and they don't have the right to use company resources (including their paid time) for their personal gain or entertainment, unless the employer gives permission, any more than the company has the right to decide not to pay them. They resent any lazy and deceptive co-workers they may have, who take the same pay but don't give the same work, especially since the honest workers usually take up the slack and the dishonest ones claim credit for work they didn't do.

I've had co-workers I would have been glad to see fired. It is an embarassment to be in a department considered a joke by the rest of the company because only a few people do any work.

Don't forget that the "pointy haired bosses" are usually employees too, and potentially subject to the same monitoring. Many a Dilberted employee would love to see his boss get caught by one of the higher-ups, even more so than than he'd like to see a lazy co-worker he's been carrying get the same.

This is no different from a construction foreman watching his workers to make sure they are actually working. If they didn't do so, then one man might be screwing around or doing a half-assed job and all the boss would know is that his group isn't working as productively as possible. Just because information workers are given cubicles to reduce distractions doesn't mean that they have some right to privacy so their boss can't see them screw around on the job.

Put simply, employees don't have a right to privacy on the job, and they don't have any right to expect to be trusted purely by virtue of being employees. Employers have a right to know that their employeers are working and trust has to be earned.

The truth is, the honest employees have nothing to fear. They expect their bosses to check that they are working and don't care, or even appreciate the attention, the evidence that the boss does care about and value what they are doing. They also know that a competent boss won't interfere with a certain amount of networking and an occasional idle moment as they gather their thoughts. At any rate, nobody you want to work for is going to fire you for catching you being lazy once, they're just going to talk to you about it and straighten you out about what the boundaries are. It is the liars and cheats who see a system of constant fear growing from this.

What I wonder about is the psychology of people who think "cubicle drones" and "pointy haired bosses" are the norm, and employers and employees are natural enemies who try to screw each other as much as possible. What a vicious mindset! It seems to me that incompetent bosses and deceitful workers find each other, while people who do real work move on to where they are recognized an appreciated. Many people have moved through these miserable places because they are always hiring replacements, but only the ones who would choose a place where they can sneak around and get paid for doing little or no work actually stay there. We make our own Hell, and it can only be a Purgatory for those who don't deserve it.

Fortunatly for me....

[Jonathan+Hamilton]

Or High School Sysadmin is a dumbass. I seriously think that I know more then he does. (Or at least could make the network run better/more efficent at a cheaper cost. That also goes for the IS department at the school board. I have been to a begining WINNT class where their where 2 people from the school board IS team. My friend had a MCSE class with 1 person from the school board. Any my other friend who dropped outta high school went to work for the school board and said they are idot's. My goal for this year is to hack our pitiful webpage but I'm going to have to learn more about WinNT before I do that.I suppose I could just be a script kiddie and download somthing off rootshell, but that just wouldn't be as fun. Their also using the Netscape web server, I have no idea what its called, as well as the proxy, firewall combo.

Re:Deal with it!

[KingBob]

What a great heights to aspire to eh?

crappy companies

[rcooper]

High tech jobs are a dime a dozen. With that said, I would simply *NOT* work for asshole companies that have nothing to do but hire a bunch of Nazi Gestapo megalomanic dipshits snooping around at what I'm doing. Companies that must resort to this type of micro management have serious problems anyway. The very existance of such software on your workstation at the office should be setting off alarms and redflags in your head.

In the end, its just easier to flip the bird to idiot companies who do this. There are many good companies who have TRUST in their employees by default. Not though constant threat of monitoring what you are doing on your workstation. It's absolutely incredible that anyone would seriously consider working for Gestapo companies like this. But like I said, high tech jobs are a dime a dozen, so finding a new employer usually involves just a few phone calls. Your mileage may vary.

Getting OT... Re:Why do employees put up with it?

[bug-eyed+monster]

What you see is the phenomenon called "the grass is always greener on the other side of the fence." Non-Americans migrate to US either chasing the American dream or just wanting to experince a new culture for a while. Americans migrate to other countries either chasing that country's dream or just wanting to experience new cultures. Some folks migrate from one country to another (neither being USA) for the same reasons.

This is all a Good Thing(tm). It makes people from different countries experience other cultures and, hopefully, pick up the good sides of the new culture and integrate it back in their own, or vice-versa. IMHO, this sort of thing should be even more encouraged, a sort-of international trade, not only on goods, but also professionals and their minds to bring a better understanding of other cultures to everybody.

Bring your own equipment

[Redundant()]

There are valid reasons for monitering company assets, liability issues are the major reason. If you don't want to be tracked bring your own personal Red hat laptop and dial out over a cell phone.

Re:Huh? --OFFTOPIC--

[ZorinLynxie]

Here in Miami, officers actually have a quota of tickets they have to give out each month. For this reason, most speeding tickets end up being given out toward the end of the month when quotas are "due".

Kinda scary when you think of it.

Encryption, etc.

[Kaz+Kylheku]

Encryption is a technological protection, yes. But what if you are told that its use is against policy? Remember, you are dealing with assholes who are hell-bent on monitoring everything, who
can spin your use of encryption into a policy violation.

Encrypting your e-mail will prevent your boss (or sysadmin or whoever else) from reading it. But it won't prevent them from detecting that you are encrypting your e-mail.

E-mail encryption is sensible and it should be used for privacy regardless of the nature of your workplace; it is not, however, protection against workplace oppression. The protection against that is to either somehow change the workplace or just leave.

Required reading for PHB's!

[Stigma]

The following article should be forwarded anonymously to all the PHB's out there. The Hacker FAQ (for managers). Anyone who is, or works with hackers should immediately see its relevance.

*NOT* easy to get around

[kwalker]

While it is true that it can be side-stepped if it's in the registry, anyone smart enough and devious enough to want to install software like this would find a way to do it without allowing a user to disable it. Yes, they can do that. Here's how:

1) Policy Editor. If you're running Windows on a large network, and especially if you got an MCSE or MCP from a creditable school, you came in contact with the Policy Editor. It was a great tool for taking control away from clients. With it, you could lock just about any part of Windows, including REGEDIT. Want to get into Network in the Control Panel? "This function has been disabled by your network administrator." REGEDIT? "Registry editing has been disabled..." Get the picture?

2) Windows NT Logon scripts. Those run any time you log into an NT-controlled domain. You can stop them from running, but that is also likely to stop your login process and deny you access to vital network resources (The company's knowledge base for instance). If they start SMS, WhoWhatWhenWhere, or Bo2k from there, you can't stop it, and with at least some of those programs, they don't come up in the Process List.

As for how legal and ethical it is, there's no law preventing it currently so--sadly--it is legal. It is far from ethical though. Most companies don't use it to monitor their hardware. Most companies use piece of junk P133's that have more than lived a useful life. They don't need a program like this to see if you're sucking up 2/3 of a T1 line downloading pr0n. They do things like this to make sure you're not stealing their "valuable intelectual property" (read: dirty company secrets).

One company I worked at used the Policy Editor heavily. They had .reg files that imported whenever you logged onto their Netware or NT domains. There was no way for anyone to stop them, and they used this to keep the highly-techno-savvy support department in a tight grip of fear. We let them get away with this because there were no jobs better than flipping burgers for more than forty miles in any direction, period.

At the last company I worked for, we didn't have Internet access, they had that blocked both ways by the firewall, yet they still insisted on installing MS SMS on each and every one of our systems. Virtually everyone in the company was very loyal to the company and would never steal anything. As a matter of fact, there was only one employee who was terminated for violating policy, and that was for abusing the phone system, not the computers.

It's not the tools, it's the reaction.

[Kris_J]

I'm sorry, but I fail to see what is wrong with a company monitoring its employees to make sure they're at least working and at worse not stealing.

What is wrong is the reaction when these sorts of things are first discovered. There seems to be a nieve belief that nobody ever does personal stuff on company time - so if you're the first one that gets detected doing something "wrong", all hell breaks loose, even if you've just played a game of solitare and the guy next to you is into child pornography

Companies typically react before all the data is in. A product such at the one in the article should be used across all staff over a period of time to determine a "normal" level. Then the company can have a quiet word with the "worst offenders".

I say this from a place were several staff are known to waste huge amounts of time with personal e-mail, personal phone calls and even personal web browsing. Heck, at the moment, I'm at work and I'd hardly call what I'm currently doing part of my job.

And to all the workers out there, don't do personal stuff on company time/equipment - or if you do, keep it to a minimum. If you abuse the system you wreck it for the rest of us.

CJ.

You should see my school..

[redled]

Although this is kind of off topic, I can relate to how you feel about your admin. At my school, after someone unknowingly infected two NT machines with a macro virus, we haven't been allowed to use the internet at all, or even to bring in disks from home (even if all it contains is a 5kb text file -our admin thinks that anything can spread a virus). To disallow access to the internet, our admin deleted the IE and Netscape icons (he's a real genius). Of course, one can simply use my computer or run to launch their browser of choice.
As for the two infected machines, AFAIK they are still down. And don't dare turning one on, because it will damage the motherboard! Apparantly the only way he can fix them is to "reghost and reinstall" the hard drives. That is, take a hard drive from a working computer, put it in the non-working computer, and make an exact copy of it. His excuse for not doing this already? He doesn't have a boot disk.
Some of his other cool ideas include using an 8088 as a print server for a huge color deskjet used mostly to print blueprints on A1 paper. It takes between 5-30 minutes to spool. Of course his most greatest achievement would have to be setting up 386's to run windows 3.1 plus applications remotely (well, everything was stored remotely, then whatever you needed was copied, as you needed it). Imagine a class of 30 students booting windows as all needed files copy from a single server over 10baseT -not fun.
Anyways, I would be afraid this guy would install monitering and filtering software, but somehow I doubt he's capable. (wow, a whole 1 sentance on topic -sorta ;)

--

Data Recovery

[zenray]

Only slightly off topic. Check out, if you can, DOD5220.22-M, the data recovery countermeasures document. Ever here of it? Its the specs on how to covery your tracks and not leave any evidence of your crimes. I mean, how to stop spys from finding out what I was up to. The goverment can do what the general population cannot.

Re:Ok, I'll flame you!

[linuxonceleron]

Can you run linux where you work? If you can, damn, i'd love to work there, hell I'd work there if you ran NT all day, even MacOS. I wouln't have much of an urge to surf porn at work, slashdot, etc. are enough distractions from work. On the topic of motitoring, it sucks. Period.

Thank you

[Rares+Marian]

I'm so fucking sick of people who don't realize time is not money but is valueable. Just because I apply for a job doesn't mean I'm the employer's property. That's why they sign papers before they hire you. The fact is if an employer wants me to cover more than a few positions I should get paid more. That way they won't interfere with the projects I do ehen I'm free.

I say if you don't pay I choose my work, if you pay I choose something else. Frankly I think we should all get a leased line instead of a company car.

I'm also not an engine. I also don't pull results

[Rares+Marian]

out of thin air. Why do people expect that every momemnt you learn somethinmg new. You don't! You learn some bullshit then it all cooks a while then it bears fruit. Same with work. You contemplate, think, and then after some time you lay it down on paper or program it or build or whatever it is you do.

As a result you have to wait for work to be done. all this monitoring shit is a Fascist, shallow efficiency theory fopr people who don't want to be involved just be at press conferences.

It does not work!

It goes on at even the high-tech companies...

[starman97]

I used to work at one of the 'Dilbert top 5' companies, they rolled out some snooping software in the guise of 'Asset Control' It tracked your machine's configuration. They did have a problem with theft even at this High-tech place with a LOT of highly paid engineers. So this program would report back every day what your hardware config was. Well, then soon after we had to report all the software on the machines, BillG must not have been getting his cut.. So then the software started checking for all your executables. You'd get dinged if you had anything other than the 'Official' programs on your machine. Try telling the software police, I WROTE that program, It's my code!! They'd look at you like you're some sort of subversive... Hmmm writes his own code, better keep an eye on this one...
Then they started getting usage-based licenses, this required tracking also, the tracking program started running 100% of the time logging everything used on your system. It was a great tool to get rid of people, hmm, you're only using MSword 2 hours a day, you're not productive...
I guess it didnt check how much time was spent in rebooting. If you disabled it, the manager of IS came around and had a talk with your manager about you disabling corporate asset tracking software, bad news..
The only place that was safe was the lab, I took to hiding out in there with my un-monitored Sun and what the sysadmins called a 'Rogue' NT network. A friend who is still there has a Linux machine, they dont mess with him too much, but I'm sure the monitering software company is working on a Linux version.
They had the idea that if you work for them, they do own you, they had drug tests and phone logs and all that. I got fed up and left to do contract work, for them sometimes. Things there have gone downhill, control-wise. They do work that requires creativity under this evironment. They've phased in NT corp-wide not because it's better, but because they can control the desktops better. It keeps a level of fear that stops any sort of dissent, if you dont like things, dont complain becuse they have something on you, and could always trot it out and fire you. A complete list of URLs is kept for every user, if you are a good boy, no-one says anything, if you are on the 'list' be prepared to defend every URL you ever visit.
It's no surprise they are currently floundering internally despite having some new products out. This stuff started a few years ago, it takes time for a big corp to rot out it's insides until the outside world can see it, remember IBM?
It's the corporate culture of control that kills creativity and runs off your best people, when I see the top folks leaving, it's time to get out.
I'm talking about the people who are 'good' , everyone knows who they are, with the exception of PHBs and other weasel-types. They are the folks who really make things work. They dont have to put up with any crap. At the first sign the best jump, then as the BS rises, more leave and your dont ever see them replaced, sure, warm bodies may occupy thier old cubes, but things dont get done.

(been there, done that, got the hell out...)

Living well is the best revenge...

Boo hoo. No sympathy.

[mindstrm]

Oh wahh.
Oh no, how unfair of them to monitor what the $2000 computer they let you use in your $500 desk on $100/mo of floor space while they are paying you $50,000 a year, using their $2000/mo internet connection and $100,000 in network servers. BOO HOO.
Feh.

A rebuttal

OK, you made you point. Here's the deal -

One company I know made it a policy for people to sign in at 8 AM, to make sure they came in on time (or they didn't get paid). Now there were two types of reactions:

* Some people were pissed off and thought it was stupid and authoritarian

* Some said "This is a good policy. It will make sure everyone comes in on time. After all, the employer has a right to expect us to work hard."

You belong to the second category, which we shall refer to as "weasels". The weasel has a feudal mentality, and likes to support his ruler's rights.

Nobody is saying the employer doesn't have the right to make policies. Fuck, the company can make it a policy to time clock visits to the restroom. Sure, they have the right to log every key stroke and mouse click. And it's remarkable that you people actually support it.

"The honest employees have nothing to fear". My, such a proud little boy scout. I bet your shoes shine bright too.

As for the psychology of people who "think cubicle drones and PHBs are the norm", who said it's the norm. You're kinda thick, aren't you? I was asking about EMPLOYEES who support a company policy of monitoring EVERY key stroke. By definition, that is a very authoritarian and controlled atmosphere.

Re:A rebuttal

[TheDullBlade]

An employer is not a ruler. If you don't like your employer's policies you can go work somewhere else, unless you're incompetent, in which case you don't deserve the job anyway.

That an employer monitors his employees actions does not make it a very authoritarian and controlled atmosphere. What he might do with the information could make it so. If he uses it to weed out the slackers and incompetents, I say more power to him, he does his honest employees a favour. If he uses it to harass productive workers, he's obviously an authoratarian jackass and I would choose to seek other employment. The information has valid uses and there's nothing inherently wrong with gathering it.

In any non-desk job it is expected that the boss will watch you work sometimes, or even most of the time. Why should it be different for computer workers?

Incidentally, I run my own business (I don't have any employees). I enjoy the freedom, and I hope I'll eventually make more than I would have by working for somebody else. I do have to work a lot harder though; my days had ends when I was a corporate employee. Regular paychecks were nice too. It's not for everyone.

As for requiring people to punch in at 8AM, there are clear benefits to having everybody at work at the same time, not to mention the way a professional atmosphere can boost productivity. Is it stupid and counterproductive? Maybe, I don't know all the details, I can see how it could be in a few cases (with really dedicated workers, and/or work that is ideally suited to flex-time). For all I know, they could have had a major problem with people traipsing in at 11AM and leaving at 5PM and taking pay for a full 8 hour day. Anyone who didn't like it could find other work, though, or threaten to do so unless the policy is changed. But they didn't, did they? They grumbled among each other and maybe a few played childish tricks to get back at the management and maybe some used it as an excuse to screw around and do less work, all the while telling managers that they were okay with it. Which sounds more like weasels?

I'd give you good odds for a wager that if the management announced a new policy that everybody had to wear kilts to work, the whiners would grumble among themselves again but comply while the people you call "weasels" would complain to the management and quit if the policy was not cancelled.

I'd also be willing to bet that the "weasels" get a good deal more work done, while the grumblers think it's unreasonable to be forced to be at work since they don't really do anything there anyway. It's similar to the way that stupid children often call the brightest ones "teacher's pets" because they don't want to admit to themselves that the fundamental difference is ability, not attitude (though there are also cases where the epithet is accurate).

If people worth hiring refuse to accept unreasonable policies, then businesses will not have them. As I said, you make your own Hell.

Power trippin' SysAdmins galore!!!

[Crack-Fu]

I counted more than there were instances of the Fuck word in "Scarface". Just look for the Pro-monitoring arguments.
All companies monitor employees to a certain degree and more often than not make the employees aware of such practice.
But 'Stealth monitoring' = Entrapment. Pure and simple. I've been witness to the true extent of abuse this power can afford the upper management hatchet boys. I've also seen some right little shits shown the door. There's nothing really dignified about having to skulk about in your own backyard.
Disrespect your employees and you can expect the same sentiment in return, then you'll be looking at much worse issues than abuse of work practices.
As an aside, lets start monitoring the sysadmins, the true core of irresponsible computer abusers.
I know, cause I do :)

Re:I'm nearly always on the side of 'privacy' but.

[radja]

There is no place or time where privacy is not merited, and I am glad to say that this kind of monitoring without the employee's knowledge is illegal in the Netherlands.

Good point about stocks

[jflynn]

You make an excellent point about the danger of monitoring re insider stock information. I think the same argument could be made for medical privacy in a hospital, credit privacy at a credit company, or confidentiality of sources at a newspaper. Any company or government agency that claims to protect anyone's privacy has issues if they monitor their employees.

In the context of current law though, I don't have an answer to this. If an employee engages in illegal activity thru company equipment then seizure for evidence is a possibility. Also harrasment suits from employees offended by other's tastes. To prevent that the company must become their own police force to catch criminals and harrassers before the real police or courts can.

The question is whether the loss of employment and productivity due to the surveillance outweighs the risk to the company. For a small company this argument is more convincing, chances of criminal employees are not very significant, and harrassers are usually pretty well known as such fairly quickly. For a large corporation the equation isn't nearly so clear, they are almost gauranteed to see abuses. I still think zero tolerance for any discovered abuses plus insurance for liability might be a better route for them, especially given your arguments about liability due to additional people seeing critical information.

Set a trap

[Helge+Hafting]

If they monitor you, consider setting a trap of sorts. Perhaps saving important work to "porn.gif" or something. Then the clueless try to bust you and make fools of themselves. Maybe they even delete the file so you can point out how they kill productivity.
For the really advanced, try cracking the thing so it sends bogus reports...

Such setups are indeed easy to forge

[mvw]

It's great to use Back Oriface to drop KP into other peoples browser cache, then tell the boss you noticed them browsing something naughty

The attitude of this Anonymous Coward sucks considerably, but he points to an interesting problem - the evidence value of certain digital information.

I am a bit disturbed, because most networks at companies and universities I have worked so far, were pretty unsecure. And if I know how to do so, there are likley to be some other folks around who have that knowledge too.

It is hard to say what I would do, if someone planted comprimising material on my workstation. How should one defend oneself against such. If noone actually saw me downloading, the case will be based on matters of evidence. So I would like to know what kind of digital information actually gets accepted as evidence by court.

I was always surprised to see how e-mail memos were brought up in US trials, like the Microsoft one, or some case when a programmer at Borland left. After all such is so easy to forge, isn't it? Same holds for firewall logs etc.

In the end, depending on your relation with the company, it might damage trust and reputation considerably and ultimately force one to leave anyway.

Let's not confuse two different things!

[Gandaman]

Monitoring performance is not the same thing as monitoring exactly what a person does.

It seems these companies can't check that employees are doing what they should, so they turn to checking that employees aren't doing what they shouldn't.

Every point you make is true, but it is not the same as the issue we are discussing. The whole point is that companies _ought_ to be able to evaluate what the person produces, just like you said, instead of checking exactly what or how they did it.

If some secretary is so brilliant that (s)he can surf the net with the left hand while typing a document with the right, then if I were the boss, I'd have no problem with it.

I don't see the value in knowing exactly how much time the person spent in Word or how much time they spent compiling. The only interesting thing ought to be the amount and quality of the result.

I have very little respect for companies who have such poor process that they can't measure the performance of employees and the team as a whole so as a last resort they have to turn to things like these.

If you can't measure the result of an employee, you're not going to get rid of the real slackers anyway! They might stop goofing off at the computer but they will bring the latest Grisham novel to work instead. What do you do then? Install cameras in the bathroom?

Companies definitely have the right to demand good work from their employees. A good company will know whether they are getting good work or not.

what Big Brother means

[dooling]

Sorry to bust balls on this, but when people talk about Big Brother it really ticks me off. Has anyone read 1984? If you have, you know that Big Brother has come to mean something completely different in our society than it did in Oceania.

Sure, Big Brother was omnipresent in everyone's life, but he was a welcome presence. He brought security and order (much like Nixon promised when he got elected). People accepted the monitoring because they valued these other things more then their own privacy. Even Winston didn't mind the invasion of privacy so much, he was rebelling against the control of ideas and lack of idealogical freedom within the system.

So whereas we go ballistic at any mention of Big Brother, the people of Oceania _loved_ Big Brother. So the comparison is faulty.

As for the monitoring software, it only has partial, minimally significant aspects of Big Brother. On the other hand, these aspects are also the most disturbing ones.

It's not your computer, it's the company's

[swb]

Employers have been "monitoring" their employees in some way or other forever. Since most people aren't doing piecework anymore, it's kind of hard to gauge productivity, especially in the "service" sector or other job areas where there's no good measure of productivity. Couple this with a web-enabled PC, and you have the *ideal* environment for totally screwing around. Loads of BS games, email to friends, but no work getting done.

The fact that some employers would want to ensure that their employees are actually working and not screwing off is hardly surprising. A salary isn't a right, it's a privilege you earn by doing meaningful work. It's tiresome to hear people whine about their employers actually wanting to know what they're doing as they sip coffee.

The only credit I'd give the anti-monitoring crowd is that I wish employers would be more direct-dealing with employees. But the leftists have pretty much eliminated the employer's ability to deal directly with employee malfeasance for fear of racism, sexism, homosexism, or some other nonsense the lazy and shiftless are goaded into claiming by the legal profession.

We've had several employees where I work get canned with secretly gathered email. They weren't out-and-out fired up front for their REAL problems because management was so scared that the employees would claim discrimination of some kind or other that they just gathered BS evidence and canned 'em for that instead.

And why shouldn't they?

[jabber]

I'm writing this from work, on company time. I'm playing devil's advocate, but... Let's consider this for a minute from the point of view of the employer.

- It is simply too much work to monitor all employee's 'break' habints individually.
- Many employees (ab)use work resources for their entertainment or personal gain.
- All employees are paid for a certain number of hours of WORK in a day.

When I work, I am paid for my 8 hours, plus OT as needed. I expect to be paid for that amount of time, so why should the employer not expect to get that much work out of me?? It's only fair, equal work for equal pay and all that. In this, the employer is simply protecting itself from exploitation by workers. (the degree of 'break' is at issue though)

Monitoring individuals is a resource black hole. It can not be done effectively without devoting a significant staff and resources. An automated monitoring system serves to gather statistical data about employee work and break habits, so that these statistics can be used to reduce privilige to 'acceptable' levels. What counts here is a conscientious and sensible HR/IT regulator that defines what 'acceptable' is. And hey, if we feel that our surfing during work hours is reasonable - and we expect out employer to trust us, why should we not trust that regulator to NOT be a slave-driver? If the average stats show a reasonable non-work usage, fine.

If certain individuals skew the stats, they are singled out. Isn't that fair? Would we want to lose all access to /. just because one person stays on it all day? Should all web access be cut off because one person has a thing for kiddie-porn? Should all employees have to live within restrictive disk-quota policies because someone is running a rogue web business off of the company server?

Monitoring helps the company protect itself legally from those few employees who abuse and expose the company by engaging in questionable or unprofessional behavior on company time.

Monitoring helps the company protect itself from widespread abuse, by allowing the tailoring of 'freedom' to within acceptable levels.

We have to remember that while we are being paid for our time, we are renting ourselves to the company. Our employment agreement states that we are there, working, for 8 hours per day. If we are not, then we should not be getting paid for that much time. If we are, then we are violating the terms of our rental agreement.

We are the ones exploiting the employer, not vice-versa.

Security?

[sjx]

I can't help but think that using software such as this to monitor your employees (or students) is, well, pretty damn malicious. The last thing I'd say any company would want is an atmosphere where people phear The Management. Of course, this kind of atmosphere is exactly what so many companies out there actually have already, so that argument probably won't work... but what about this one:-

So, we're collecting all the keystrokes? Even the ones for passwords? Everything you type, confidential documents, the lot? And then emailing it to your boss?

Now, try to think like a malicious cracker for a moment. Grow younger by X years (where X is any appropriate integer), switch 90% of your brain over to caffeine, get yourself into a mental state where Beavis and Butthead laughs (heh, heh) sound normal. (Drugs are optional.) Heh. Heh.

(Don't worry, it won't be for long enough to cause psychological damage. Probably. )

Now all Mr. (Master? (Miss?)) Kiddie has to do is crack your boss's email account, then - presto, swimming in account passwords, company secrets, you name it. A single point of attack. Heh. Heh. Hey, and they don't even have to get some bozo to install kiddietools like BO2K for them, because some bozo already bought the cracktools, actually went and paid for a site license for them... (What security model are you using, people? Hoping the Nasty People laugh so much and so hard that by the time they picked themselves off the floor, they forget what they were doing?!)

Now, how might they crack the boss's email account? I mean, it's not as if anyone or anything's watching the boss type his password; is it...?

Okay, you can (sober|grow) up now. (Again, optional.) I've made my point.

People with a Clue should probably avoid software of this kind like the plague, and view with righteous suspicion anyone who would try to use it. In fact, people with a Clue should probably remove the software from any machines they actually need to properly use, on the grounds of it being a security disaster waiting to happen.

But hey, I'm preaching to the converted here. If more PHB's read Slashdot, then... er... well, okay, then everyone else would probably move out, in case their PHB noticed how much time they were spending reading it.

Re:Tough! The computers are not yours

[raindog2]

Actually, Americans do continue to have constitutional rights at work - regardless of what they sign - except perhaps those in the military. I don't know whether privacy is actually a constitutional right, though, or what it entails if so. Certainly some elements of privacy were legally removed during the corporate-happy legal environment of the 80's and 90's, but by no means all of them. That there are slashdotters who believe this demonstrates that the "if you don't like it, find another job" argument needs some serious rethinking. Then again, that's exactly what I myself did.

for I am a doofus, too

[raindog2]

Guess "document contains no data" doesn't mean it wasn't posted ;)

Rights of the Employer vs. Rights of the Employee

[soldack]

This battle has been raging for a long time but I think that it must be dealt with now before it gets worse. If an employer can not monitor phone coversations then they should not be able to monitor Internet activity unless there is a reason to do so (like missing money, accounts being taped, etc).
Will this hurt the company? No. The fact is, if Joe Programmer can get all his work done while posting to /. several times day, it is not a problem. His work is getting done and his surfing is not creating a need for a new T1. The old ways still work fine for determining if a guy is goofing off. If he can't get his work done in a timely manner then he isn't suited for the job. If overall net usage spikes a tremendous amount (read: porn site running from his box) then you can easily tell he is abusing the system without these privacy destorying programs.
A company can not be allowed to assume that all employees are guilty until provent innocent by some program. There must be trust for any successfull business relationship.

employer's stealth spy software

[KimmBadd]

Haven't you already figured out about a dozen of other people's passwords? You might still be logged at the same machine, but not the same user.

Re:terrorist tactics

[unitron]

How about the "terrorist tactic" of just not working there if you don't like the way they do things. Last time I checked quitting in protest didn't carry near as much jail time as bomb threats, was less likely to get you shot as a pre-emptitve strike by a fellow employee who didn't care for being threatened with physical violence over a difference of opinion, and doesn't look nearly as bad on your resume.