Spyware vs. spyware: Employer and employee monitoring

By Jon Boroshok, Contributing Writer 06 Oct 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

A would-be whistleblower working for the Alabama Department of Transportation spied on his boss in an attempt to prove that the supervisor wasted time and taxpayer dollars doing anything but work while on the clock. The systems administrator installed a spyware program on his supervisor's computer and, during seven months of surveillance, discovered the majority of captured images showed the supervisor playing Solitaire.

When the spyware was discovered and traced back to the employee, it was the employee who was fired -- for installing unauthorized software. The supervisor received a letter of reprimand for his game playing.

Now, an Alabama judge must decide if the punishment was just, while companies nationwide review their own computer use and monitoring policies based on that court's decision.

More information Security Help Desk: Freeing yourself from spyware's grip Read our guide to the latest antivirus resources.

This case questions the rights and responsibilities of employers to monitor how their employees use company computers, and whether an employee also has rights to monitor others in the company. It may help define what's private and what isn't.

"Privacy in technology is so important because technology is so pervasive," said Jeremy Mishkin, chairman of the Internet and Web-based business practice at Montgomery, McCracken, Walker & Rhoads, LLP in Philadelphia. "People misunderstand privacy. They cannot have a reasonable expectation of privacy when they have been told their employer may be monitoring what they are doing."

Mishkin strongly suggests a set company policy on authorized computer use, and that the policy be acknowledged in writing by employees.

Richard Shaw, a labor and employment law attorney with Jones Day in Pittsburgh agrees. "Most people in the workplace have a concern about privacy, just like society in general. Privacy is not absolute in the workplace," he said. There may be workplace restrictions.

Employers know there will be issues about employees using the company's high-speed networks for personal reasons. The network of an employer is exposed to danger from viruses, downloads and other sources. Most employers want to protect against this, and to ensure that computers are used for business purposes. One way of doing this is by monitoring the system.

California Gov. Arnold Schwarzenegger recently vetoed a bill that would require employers to notify employees in writing if they planned to monitor workers' e-mail or other Internet use.

While the law doesn't usually require formal notice, Shaw advises an upfront policy. "Smart employers set up policies that spell out what is allowed and what is not allowed," Shaw said. "Disclosing such monitoring to employees also takes away any suggestion that the employee had an expectation of privacy." Setting up such policies in advance puts the employees on notice of expected and prohibited behaviors.

Under the common "right to work" laws in most states, the employer sets the ground rules for permissible computer use and conduct as a condition of employment. The rules often include prohibition on installing any software programs on company computers. This includes any program that is not licensed to the employer, and would logically include the installation of spyware.

Thus, while keeping tabs on employee use is perfectly acceptable, especially if advance notice is given; switching the tables on employers is quite another. Rod Satterwhite, a partner and chief counsel at McGuireWoods LLP in Richmond, Va., said that no legal right by statute or case law allows any employee to monitor an employer.

He advocates setting clear policies on computer use, and making sure employees know that they do not have a right to privacy on company computers. "It's only fair. You communicate with employees on other issues, too."

While employee passwords generally do not ensure privacy, some courts may say that an employee has a reasonable expectation of privacy if he can set a password and not have to share it with an administrator or supervisor. A clear policy avoids this loophole.

Satterwhite added that at some point, the Electronic Communications Privacy Act might be applied to spyware. Privacy laws vary locally and from state to state and may also play a role.

Accepted behavior on computer use should be spelled out and acknowledged in writing by employees. Another possibility: checking off a box at login in, similar to the licensing agreement for most software. That protects both employer and employee from uncomfortable situations.

Tags: Information Security Policies, Procedures and Guidelines,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information Security Policies, Procedures and Guidelines Expert: Information security spending often restricts innovation GAO report cites government weaknesses, data leakage Twitter risks, Facebook threats trouble security pros How to select a set of network security audit guidelines Cybersecurity czar candidate questions clout of new position Incident response planning The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary