Stealth Software Used To Spy On Employees
Baraka writes "As if reading the e-mails of their employees wasn't enough, some corporations have gone as far as to install hidden software on their client boxes. The software secretly monitors all keyboard and app activity. At the end of the day, the gathered information is e-mailed to the "offending" employee's boss. Read it and weep, folks. Looks like Big Brother is alive and well in the officeplace."
Actually, in retrospect, this might be a ploy by the company to generate interest in its product. The more controversy surrounding this product, the more people who are informed about it -- kinda like Apple complaining about export policies in order to brag about how fast the G4 is.
Personally, I think monitoring is not a good idea. If an employee can double his/her productivity by taking short breaks to chat with friends online, then by all means that employee should do so. It should be painfully simple to discover when someone is making trouble online. At that point, conventional methods should suffice unless special surveillance is required. In general though, spying on employees betrays trust.
It seems American companies are willing to do just about anything to spy and generally make life suck for their employees, but at the same time I keep hearing about how companies are scrambling to find people for their technical jobs.
If having to worry about finding another job is not a problem, why would anybody stay at a company when it starts spying on you, forbidding you to send private email etc etc? Is this just a matter of greed, because I know that as far as I am concerned some level of freedom at a job is worth a number of K $s.
Maybe I'm just not disillusioned enough yet...
-
This is why I use my own box at work. Well, ok, it's not really why, but it's one nice side-effect. Generally companies large enough to do this sort of thing have standardized on NT, and have nothing but point-and-drool admins who have no idea what to do with a Linux box. My workstation: I built it, I own it, I administer it, and it runs Linux. I trust my new employers though, so I don't think it'll be an issue. :-) They ran SMS at my last job-- funny story: When I first got there, they installed NT on my machine (of course it was going to get wiped and Linux-ed as soon as they left the room). I had to sit there and watch for 1/2 hour while they installed the system, set it up, created a user for me, blah blah blah. Finally at the end they set up SMS, and told me "I'm sure you know how to disable this, but please don't, because we need it to... yadda yadda yadda." I just nodded and smiled. Weirdly enough, although I was not allowed to disable SMS if I used NT, removing NT entirely was fine with everyone.
----
We all take pink lemonade for granted.
There is no K5 cabal.
I am not the real rusty.
Snooper software may catch who is surfing what sites, but is this good for business? Companies should IGNORE minor transgressions by employees, especially for employees in creative occupations (i.e., software design). To maintain a clear head and to stay creative, periodic breaks are needed. This may mean a quick game of Quake or Tetris, reading Slashdot, or netnews. So what if company resources are used for this? So long as the job gets done, let people enjoy their diversions. Cracking down on "unauthorized use" will not help the bottom line the way you may think. It will create an atmosphere of ph33r and paranoia that will actually end up hurting productivity more than if you simply let things be. Can you work productively when someone's standing behind you staring over your shoulder constantly? Monitoring software is no different. So I say that as long as employees are getting their work done and not offending other employees (i.e., surfing porn where others can see it) and not sucking up the company's whole T1 while engaging in brief periodic non-work activities from their private terminals and workstations, I say let 'em be. Happy workers are productive workers. No one wants to work for Big Brother. If my employer did this, I'd leave. Others would too. Of course, no company will explicitly say "Yes, you can surf pr0n, or play games on company time". Companies don't have to do this either. All companies need to do is evaluate employees on the results of what they produce. The means by which they do it are really a non-issue.
The best way in Win 9x to see what's running would be msconfig in the run box. If some are really brave they can take a look at the Registry and find the Run under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and any of the other ones in that general area that have Run in them.
Now as far as it being illegal for the company to do this. That depends on how you look at it. The network and machines are the company's property, therefore they can dictate what can and can't be done on said network or computer. That's why I just bring in my own laptop and plug into the network. They don't mind that; since it's my own stuff I can break it all I want. As long as work is getting accomplished though I don't feel a company should monitor its employees that heavily.
This kinda reminds me of a telemarketing job I had for AT&T. They could always tap into your line and hear both sides of the conversation that you were trying to sell. You always knew that you had to not lie to customers on the phone and be nice and agreeable. But if you knew that Call Quality was on the line you would be sure to do stuff extra correctly. So if you know that boss is watching you probably wouldn't do anything you're not supposed to.
Good is never enough, when you dream of being great!
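The Run-key check suggested in the comment above, as an added example that is not part of the original thread: it parses a REGEDIT4-style registry export and lists every autostart value under the `...\CurrentVersion\Run*` keys, then separates out the ones not on a reviewed list. The export text, program names and the `REVIEWED` allowlist are constructed for illustration.

```python
import re

# Constructed sample: a REGEDIT4-style export (the text format regedit writes
# on Win 9x). All value names and paths here are made up for illustration.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"winhelper"="C:\\WINDOWS\\SYSTEM\\whlp32.exe /s"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Unrelated"="value"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="C:\\TEMP\\setup.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# Any key directly under CurrentVersion whose name starts with "Run".
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\Run[^\\]*$', re.IGNORECASE)

def unescape(s):
    """Undo .reg escaping (a doubled backslash, an escaped quote)."""
    return re.sub(r'\\(.)', r'\1', s)

def autostart_entries(export_text):
    """Return (key, value_name, command) for each string value under a Run* key."""
    entries, current = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:  # new section: remember it only if it is an autostart key
            current = m.group(1) if AUTOSTART_RE.search(m.group(1)) else None
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            entries.append((current, name, unescape(m.group(2))))
    return entries

def needs_review(entries, reviewed):
    """Entries whose executable file name is not on the reviewed allowlist."""
    exe = lambda cmd: (cmd.split() or [""])[0].rsplit("\\", 1)[-1].lower()
    return [e for e in entries if exe(e[2]) not in reviewed]

# Assumption: an allowlist someone has already vetted for this machine image.
REVIEWED = {"systray.exe", "rundll32.exe", "mstask.exe"}
```
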
You can easily use RegisterServiceProcess to hide the process from the task list in 9x.
Also, many of these types of programs use a couple of tricks even then, for instance, they give themselves innocent sounding names, and/or use shell hooks, which means the application's DLL is injected into other processes, no new processes created. A knowledgeable win32 developer can play a cat and mouse game to disable these applications, but the real issue should be with the employer, and why they feel the need for this. My employer just runs a proxy to monitor what URLs I visit, and I think much more than that would be grounds to find a new job.
-- It is too late for the pebbles to vote, the avalanche has already started.
What about office workers who are not ``technologically savvy''? Not everyone knows enough to look for and disable such a thing.
Ignoring that, there could be nevertheless hidden difficulties behind trying to stop something like this. And not all the difficulties are necessarily technological.
If the employer is running software like this on everyone's workstation as a matter of policy, then by disabling it, you are violating company policy. If you get caught trying to disable the software, you could be disciplined or fired. It would be trivial to design monitoring software that cannot be simply turned off without detection. For example, the software could periodically respond to special pings from a central server. Hacking up software to fake the responses could be a major challenge depending on how the program is constructed. If there is some serious crypto authentication, it would have to be reverse engineered and faithfully reproduced in the impostor program. Most people would have to wait for some hacker group to release such an ``anti-big-brother'' impostor.
Another problem is, it would seem suspicious if nothing is being recorded by the monitoring program. You would have to arrange for your impostor program to provide some sensible looking activity record while you conduct personal business. Otherwise you would have to explain the idle periods---and what if the monitoring is being used to detect idle workers as well as ones who are using the equipment for personal use?
A third problem is that even though you stop keyboard monitoring, your employer can still snoop the network. Presumably, any interactions you have with the Internet go through the company's routers. The boss doesn't necessarily need a tedious record of your keystrokes; just some software that can monitor TCP streams and other data. By tapping TCP streams, it should be possible to recover telnet sessions, FTP transfers, ICQ or IRC chats, Usenet reads and posts, etc. This kind of spying is probably a lot more useful than having some keystroke record. (Of course, one could use an encrypting proxy system, but that alone could draw suspicion.)
I don't think that there is any real technological protection against this. Any such measures treat the symptom rather than the disease anyway! You have to treat the disease. If you happen to fall into such a predicament, organize with other users who are in the same boat, and let the corporation know that you won't take the spying. In other words, the classic organized labor solution to the problem of worker oppression.
Failing that, terrorist tactics might work. The spying has to be implemented by another employee. Simply threaten to, in the parking lot, break the legs of anyone who supports the company's oppressive measures. Distribute an anonymous flyer which threatens to blow up the premises if the spying isn't put to an end by a certain date. Phone in bomb threats. Etc.
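The server-pinged liveness check with cryptographic authentication that the comment above speculates about, sketched from the server's side as an added example that is not part of the original thread. The class, the function names, the per-host keys and the message layout are all assumptions made for illustration, not any real product's protocol.

```python
import hashlib
import hmac
import secrets

def agent_response(key, host, nonce):
    """What an endpoint agent holding the per-host key returns for a challenge."""
    return hmac.new(key, host.encode() + b"|" + nonce, hashlib.sha256).digest()

class LivenessServer:
    """Central server: issues one-time challenges and tracks who answered."""

    def __init__(self, host_keys, max_silence=300):
        self.host_keys = host_keys      # host id -> per-host secret (bytes)
        self.pending = {}               # host id -> outstanding nonce
        self.last_seen = {}             # host id -> time of last valid answer
        self.max_silence = max_silence  # seconds of silence before alerting

    def challenge(self, host):
        """Issue a fresh random nonce; the answer must be bound to it."""
        nonce = secrets.token_bytes(16)
        self.pending[host] = nonce
        return nonce

    def verify(self, host, tag, now):
        # pop() makes each nonce single use, so a recorded answer replayed
        # later finds no outstanding challenge and is rejected.
        nonce = self.pending.pop(host, None)
        if nonce is None or host not in self.host_keys:
            return False
        expected = agent_response(self.host_keys[host], host, nonce)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return False
        self.last_seen[host] = now
        return True

    def overdue(self, now):
        """Hosts with no valid answer inside the allowed window."""
        never = float("-inf")
        return sorted(h for h in self.host_keys
                      if now - self.last_seen.get(h, never) > self.max_silence)
```

Because each answer is keyed and tied to a fresh nonce, a stopped agent shows up in `overdue()` and a stand-in without the key fails `verify()`, which is the detection property the comment describes.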
A company hires you to work for them. They have bought (or rather, rented) a product (your labor and skills) which they expect to pay the company back more than they spend on you. As such, they have a certain right (not to say obligation) to ensure that they're getting their money's worth. As I see it, this is perfectly OK, at least within certain bounds.
First, they should make their monitoring policies clear. Monitoring performance is one thing, but secret monitoring is something else. Employees should know what they may be subject to, so that, if they don't like it, they have the option of finding another job without those restrictions. Second, they should monitor only the amount, not the content, of personal communications. As the ACLU rep in the article said, listening in on a phone call to a spouse is illegal, and a similar principle should apply to computers. However, the company should be able to keep an eye on whether the employee is e-mailing their spouse once a day, or every 5 minutes. Thirdly, any information gathered about an employee should be purged when they leave the company, unless said information is to be used in a legal action against the employee. Once the person is no longer employed by them, their right to know anything about her ends.
There is a separate issue, which several posters have pointed out. Regardless of whether such monitoring is immoral (and I don't think it is, within the above limits), it's just plain bad for business. Nobody wants to work in an environment where they are being monitored 9-5 every day, and the psychological effects of being in an environment like that could be enormous, not to mention the effects of being prevented from taking a break every so often. It is accepted wisdom (does anyone know of any statistics on this?) that people are more productive when they are in a work environment where they feel comfortable, and monitoring their e-mail and calling them in for a meeting with the manager every time they play solitaire is pretty much the opposite of that.
Moreover, using this system to routinely monitor employees is a waste of resources. Looking for embezzlers and such is worthwhile, but not routine, wide-scale monitoring. There are much better ways of measuring an employee than how she uses her computer. The monitoring system measures input: how much time is being spent on work. But an intelligent company will realize that they don't care about inputs. They care about outputs, which are usually easy to measure by more conventional means (how much work the employee is actually getting done). The genius programmer who takes minesweeper breaks every hour, but pours out code at a spectacular rate, is worth more to a company (at least, to a smart company) than a dull, uninspired one who produces less, but faithfully spends all his time in the office doing work (at least, as far as his computer can tell).
"Never let your sense of morals prevent you from doing what is right" -Salvor Hardin
These guys really push my buttons....
Look, if the company owns the network, and the hardware, etc.... that's fine, they get to say what happens on them. Do work at work, yes I agree.
BUT! These are the same companies that DEMAND 60+ hour work weeks! If they're so anal as to demand complete control over everything their employees do, then they can pay for every stinking hour that the employee is there. Don't pay more than 40 hours? Then watch your employees walk out the door at 5 each and every single day. Got a deadline? TOO DAMN BAD. We all have to go home and live our lives -- since we sure aren't allowed to do anything personal at the office... right?
-- "No Vir, the Universe is an evil place, but at least it seems to have a sense of humor about the whole thing." -- Lo
There's an old saying in law enforcement. "Where one man can go, another man can go". If the crooks get motorcycles, the cops get motorcycles. If the DEA gets high resolution radar, the drug dealers get the same. Everyone gets so uptight about cracking and monitoring of computer networks, but this is the same thing. If someone puts a monitor on my box, I put a blocker on the monitor, and so on ad infinitum. In the end it's about trust. If you have to work with someone you can't trust, you need to protect yourself. If you can't trust anyone you work with, you should do some serious thinking about why that is.