Covert Monitoring of Staff?

[DeviantScotland]

I work for a fairly small company and am often called upon to carry out a number of IT type duties e.g. develop new systems etc.

 

Anyway today while working and doing an audit of the network I came accross a number of odd files on the network. I basicall found a log of every website, application and every keystroke I have every pushed on my keyboard since the 13th Nov. On further inspection I found that a keylogger had been installed on my sytem without my knowledge and had an exception added to my Antivirus as well as firewall which mens it was put here. After some further information I have now discovered it was my boss the Managing Director of the company who installed it.

 

Now basicall she has been secretly monitoring everything I do including passwords for when I check my bank etc online.

 

I was never informed that such monitoring was taking place and as far as I am aware have none nothing to warrent this kind of monitoring.

 

Can anyone tell me what the rules are around this kind of covert monitoring? I have read a few articals but they all seemed to be aimed at CCTV etc.

 

As of yet I have not let on I know about the monitoring I want to see where I stand first.

 

Needless to say I am on the lookout for a new job

[monkeychicken]

I think several acts apply here

1. Regulation of Investigatory Powers Act (RIPA)

2. Data Protection Act

3. Human Rights Act

 

There was a thread on this some time ago to which I posted- so have a look on previous threads.

 

Also importantly, look at the Information Commissioners Office (ICO) website.

 

There was a case, niemitz v Germany (I might have got the spelling wrong) in the European Court of Human Rights which established that Article 8 of the European Convention on Human Rights can apply to a place of work, which means our Human Rights Act also applies. Google the case.

 

However, its important to remember that covert monitoring can be acceptable if there is a reasonable suspicion of crime etc. (ICO website will tell you more)

 

Hope this helps.

[flyingdoc]

Now basicall she has been secretly monitoring everything I do including passwords for when I check my bank etc online.

They could claim that you had no right to do this from your work computer.

 

As Monkey says, there is no right for an employer to monitor you full time but if they have suspicion of something then they can legitimately monitor activity to gather evidence.

 

But dont forget to change your bank password details.

[monkeychicken]

A lot depends on what the company's internet/email policy is

[p_cas]

Most companies will monitor emails and web use in some way or other, if for no other reason than to gather evidence on excessive or inappropriate use of the internet. A key logger is a fairly blunt tool for doing this.

 

Also, most companies will cover themselves with a clause in their office procedures, t&c or some other way. Unfortunately many staff either ignore or forget that the employer has told them that their computer use may be monitored.

 

Also, you use the word 'my' in relation to the computer system and antivirus etc when, of course, it's not yours but the company's equipment youre using.

 

If youve been using work computers for home stuff (bank account etc) then change all your passwords. If youve been using work computers for more than that then you may possibly be in trouble.

[Conniff]

As a general principle, Directive 2002/58 prohibits interception of private communications over networks; this includes e-mails, instant messengers, and phone calls. However, the Directive specifically addresses public networks and public employees; thus, surveillance of private employee's communications under internal-private networks is not protected by this Directive. Nonetheless, European private employers have established internal policies informing incoming employees about the guidelines on the use of Internet and other equipment in the workplace. These policies are part of the work contract and upheld by most European domestic courts. In fact, policies prohibiting the use of electronic communications for immoral, criminal, or not job-related activities are deemed legally binding by courts in the EU member states.

[monkeychicken]

Most companies will monitor emails and web use in some way or other, if for no other reason than to gather evidence on excessive or inappropriate use of the internet. A key logger is a fairly blunt tool for doing this.

 

However, it is important to realise that in the former, they would use general monitoring tools, such as filters, automated phrase identifiers etc. and the monitoring has to be of the whole workforce.

 

A keylogger however, is a different kettle of monkey:D (I like monkeys and chickens!).

 

It generates a huge amount of data, which has to be accommodated on the network.

 

It requires physical intervention at the workstation - someone must have istalled on at your PC (and the associated instruction/ works order, payment etc. to the IT people).

 

It probably was done surrepticiously - when you were away from your desk.

 

It records every keystroke and thus does more than merely checking whether you're using the internet/ email for private purposes. To do that, all they require is a copy of all the sites you visit and all your emails, which is very easy to organise by an IT professional with administrator privilages.

 

Also exceptions to the antivirus/ firewall needed more intervention

 

 

Unless of course, every employee of the company is monitored in this fashion - I cant imagine anyone would go to that amount of trouble/ expense though.

 

Also, most companies will cover themselves with a clause in their office procedures, t&c or some other way. Unfortunately many staff either ignore or forget that the employer has told them that their computer use may be monitored.

 

Usually though the monitoring is general monitoring and this is ususally covered by the policies.

 

 

It lookas as if they are trying to target you for something or other

 

The first piece of advice I would give you is to take a copy of all the keylogger data - information may be deleted 'inadvertantly' -and then you will not be able to prove the details.

 

Get copies of the relevant policies (email/internet, grievance, data protection, RIPA if applicable, staff monitoring)

 

Then I would go see an employment lawyer/ CAB or any of the many free legal advice people. You house insurance may have a helpline for legal advice (or you may even be in a Union).

 

I would then start a statutory grievance to establish why they are doing this and see if I have any grounds to start proceedings at the ET. My guess is that they will be extremely reluctant to explain.

 

Better qualified people may advise on which grounds - discrimination is an obvious one but only if you fall into one of the categories and you can prove someone not in that category was treated better (race, sex, disability, victimisation because of having carried out a protected act), or perhaps its something else.

 

Google tribunal jurisdiction list to get an idea of what areas they can hear.

 

A very risky course would be to resign, making it slear you are resigning because of a fundamental breach of trust, and go for constructive dismissal - you have to prove that you could not possibly continue to work under those circumstances, so I would try the grievance route first

to establish exactly why they are monitoring you.

 

Remember the timelimits (areas of tribunal jurisdiction have different time limits) which starts from the time of discovery or the last event - I think this is an area where the monitoring is continuing, so the clock has not started to tick. Also in the past, it has been successfully argued that the act complained of had not 'crystallised' in the mind of the claimant - i.e. you know you were being monitored but did not know why, until they gave an evasive answer to your question. Only then did you realise that this was a case of discrimination (for example). But I( would not rely on that argument as this is still a relatively new area.

 

I would also make a protcted disclosure (under PIDA) to a more senior person that your manager is breaching the Human Rights Act, the Data Protection Act, Regulatory of Investigatory Act and Harassing you contrary to the Protection from Harassment Act (recent case law - conn v sunderland city council - suggests that the act would only apply in workplace situations where the employer has committed a criminal act , but breach of RIPA can be a criminal act).

 

Complain about harassment by the manager in any case.

 

In dealing with the above your employer might divulge why they are doing this.

 

 

 

Alternatively you could get a new job and walk away from is situation. The only issue with that is that it would leave the employer free to do the same to others.

 

 

Apologies if some of the info is a bit basic (as you're an IT person you will already know a lot more than me about the keylogger etc.) but I mean this to be advise to others in similar situations also.

 

Please correct anything here if I am wrong - its just what I have gathered over some time and I have no legal training. So dont take any advice from me without checking all facts at source, and Google is a wonderful thing!!

 

 

Good luck and tell us what happens as I an very interested, having been through a broadly similar situation.

[flyingdoc]

you are of course making the assumption that this keylogger was placed by the employer - it is not unthinkable that another employee has placed it for some mischievous reasons of their own.

 

Before taking any action I would (haveing made a record of the keylogger files and the details held therein) ask whether this was placed by your employer, and if not ask them to investigate who placed it and why.

[godpikachu]

the person who installed the keylogger doesnt even have to be sat at your desk to do it, there are any number of ways which it oculd have been put on, including:-

 

Remote access to your terminal from somewhere else in the network.

 

A serrupticiously (sp?) "hidden" .exe file hidden inside another document.

 

A USB flash drive with the software installed on with an auto installer.

 

I would definatley confront your boss about this, and ask them if it was them who placed the keylogger on your terminal, because a piece of malware like that has the potential to be unbelievably destructive to your works systems, and installing one on to someones work terminal is ridiculously irresponsible.

 

If it isnt your company spying on you, then it would be highly recommended to them that they allow you to conduct an overhaul of the companies I.T security, because someone had to have put it on there somehow, for whatever purpose.

[monkeychicken]

You are all forgetting the following comment by DeviantScotland

 

After some further information I have now discovered it was my boss the Managing Director of the company who installed it.

 

If the MD is monitoring the keylogger data, then it is most likely that the keylogger was put there by the employer.

 

That is why you have to bring a harassment complaint against your MD.

 

Also apologies for my lack of detailed knowledge of keyloggers - I thought they generally had to be physically installed. Thanks for the correction.

[Sali]

Have you actually challenged your boss on this and they admitted it? If so, what reason did they give? If not, I would be checking the event log for installations around the 13 Nov to see if a username is associated. Like Godpikachu says, keyloggers can be installed by many methods - perhaps even inadvertently by yourself. Good advice to uninstall software/reghost asap and change all passwords

[68904]

If you think management are after your hide, for what ever reason, start playing these people at thier own game.

Only use the companies IT for official buisness, do not log onto banks/ personal emails/ to ensure that you give them little or no ammunition to throw at you.

Now you have found the bugs, use the IT with that knowledge and do not play into thier hands.

If you used the IT for other than work reason,go and change all your personal passwords, from a non company set up.

All you want is traffic on your login at your company, is your number, rank and name.

I would not av it out with anyone within the company as you cannot trust no one even the shed cat.

Let them think that they got u by the nuts, then suddenly they get a blank sheet on your log ins, and that will stuff them good and proper.

If you have a company mobile, do the same there, no calls to yer ant fanny, book maker, Asda, home, use it strictly for work.

Same with your company exspenses, only claim what you should claim.

The first place they will look is your time sheets, phone bill and IT, do not give them your head on a silver platter.

I know this as I worked for such a copmany, and you do not get my hide that easy.

[Sali]

To be honest, if the manager has done this dirty deed, they would have taken advice from IT and it is likely that a copy of this keylog file is already in their possession. I think most employers will allow some private use of phones/internet - they just don't want people taking the micky.

Tell us, DeviantScotland, how you know it was your manager who installed the program?