July 8th, 2005, 11:10 PM
Keystroke Logging Now Illegal in Alberta
This is a story in The Globe and Mail about a recent decision by Alberta's Information and Privacy Commissioner, stating that the use of KeyLoggers to monitor employees' productivity contravenes the Freedom of Information and Protection Privacy Act.
I can understand why corporations want to monitor what people are doing, but I think using KeyLogging is too extreme. Internet surfing habits can be monitored by a proxy server, E-Mails can be logged on the e-mail server, and login/logout times can be logged on the authentication server.
In conclusion, boo-urns to using KeyLoggers, except for fun.
"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward."
Phillip Toshio Sudo, Zen Computer
Have faith, but lock your door.
July 9th, 2005, 12:30 AM
I dunno... when I'm at work, I really don't care what my employee is logging. It's his workstation, his internet connection, and his dime... if he wants to read the emails I'm sending my clients or the passwords I'm using to log into company-related sites, then I'm cool with that.
This generally goes against my usual opinion about things like this, but in this case, where I'm being paid to use a computer, I don't mind being watched. I'm usually more productive that way anyhow...
July 9th, 2005, 12:42 AM
Interesting, but I believe the title may be jumping the gun.
Like many news articles, sensational headlines are more important than facts. Highlights are covered but not what actually led to the decision.
I am trying to picture in my mind how they would assess an employee's productivity and the quality of their work using a keystroke logger, justified by the savings of taxpayer dollars. This argument sounds flawed and fishy to me. How much did they spend going through those logs in time and resources? How long did they keep ( or are required to keep ) these logs, and at what cost? ( the article specifically used the employer's example of how many entries a day an employee would actually do. Was this really what they were looking for? )
A better, more defendable position would be using a keystroke logger to verify violations of an AUP, etc. If the policies are written correctly and say the computers are for work purposes only, there should be no "personal information about the employee" to collect and thus should not violate the act, as long as the employer was consistent in enforcement of the policy(s) and the employer can prove the employee knew of the policy(s) and consequences of violations thereof.
Did the ruling address this? What position did the employee take, that the employer was reading their personal email or that their employer was collecting data on their porn habits? And exactly what was the wording of the ruling and how far reaching is it really?
Too many questions left open in this article to use a title like that.
Maybe, maybe not, it will all depend on the circumstances. To rely solely on keystroke loggers because the employer is too lazy to use other means available speaks of the employer's inadequacies. But what about the employee who thinks they are smarter than the admin ( though they may or may not be ) and is bypassing the proxy to surf porn all day using an encrypted tunnel? Or using the same type methods to transfer out sensitive corporate or government information? Or to hack further into the network to escalate privileges to areas and information they are not entitled?
... but I think using KeyLogging is too extreme.
OK, I'll probably get some discussion on this analogy, but bottom line, the employee does not own the computer(s), the employer does. If an employee is given a car to drive around and check remote sites but instead uses the car to drive the same distance to a race track to gamble all day, ( or to a girlfriend's / boyfriend's house ) would you think it unreasonable for the employer to use a tracking device on the car to verify what it is being used for and that the employee was actually going to the sites required?
Just my thoughts.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
July 9th, 2005, 12:50 AM
My thoughts exactly.
Originally posted here by IKnowNot
If an employee is given a car to drive around and check remote sites but instead uses the car to drive the same distance to a race track to gamble all day, ( or to a girlfriend's / boyfriend's house ) would you think it unreasonable for the employer to use a tracking device on the car to verify what it is being used for and that the employee was actually going to the sites required?
Just my thoughts.
July 9th, 2005, 08:44 AM
It's all BS...
Any right you have to privacy at a workplace can be waived through the judicious use of login banners and AUPs.
Something along the lines of "You have absolutely no expectation of privacy on this network" will eliminate any "reasonable expectation of privacy" argument that is so often brought up in Canadian courts. Signed agreements for new hires go a long way for helping ease monitoring also.
If you can make the waiver of privacy rights a prerequisite to network usage, you can monitor anything. Privacy rights are not indivisible in Canada. You cannot contravene privacy laws here when individuals are aware of the fact that they are being monitored. This is why quite often we have warning signs for photo radar at intersections.
The article says (or implies) that the employee was unaware of the fact that he was being monitored. Had this company implemented a proper login banner, AUP, or employee agreement, this would not have been an issue.
The problem is not so much the monitoring itself, but the lack of any policy creation, implementation, or enforcement on the side of the employer.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
Join the UnError
July 9th, 2005, 06:54 PM
UK law is slightly different i.e. while employers should inform employees that they are being monitored (why, how, what, where and when) and there is some accepted derogation of the right to privacy as a result, it is not an absolute derogation.
Any monitoring should be commensurate with the risk and should be done overtly and using statistical methods rather than being targeted or covert (except where serious criminal activity or civil liability is suspected).
Anything OTT (e.g. keystroke logging) or targeted surveillance for more minor offences would probably lead to the case against the employee collapsing and the employee being able to sue for constructive or unfair dismissal. This almost certainly covers using keystroke logging to measure productivity (though how you would know the keystrokes were productive I don't know, e.g. I could set up a nodding dog to click the keys Homer Simpson style or my keystrokes could really be a sign of how much time I am spending surfing the net and contributing to 'hacker' forums).
This is not legally binding but merely a guidance code which the courts can use in interpreting Data Protection laws but I think it would kick in in favour of the employee not the employer.
In addition, there are also laws limiting the right to intercept communications (RIPA).
No one can foresee the consequences of being clever.
July 10th, 2005, 05:10 AM
I wonder how this would fit under the new law?
Full disclosure key-logger : http://www.multipledigression.com/type/index.html