Federal Judges Take a Stance Against Workplace Monitoring

parvati writes: "The NYTimes is reporting that federal judges on the US Court of Appeals for the Ninth Circuit (the largest of the 12 regional circuit courts) disabled software on their office computers that monitored downloading of music, streaming video, and pornography--software that had been installed by the Washington-based Administrative Office of the Courts after a survey showed that 3-7% of the judicial computer traffic included streaming video and the like. The judges say that they are concerned about "the propriety and even the legality of monitoring Internet usage." The AOC is not pleased."

Leonidas Ralph Mecham

[thebitninja]

Leonidas Ralph Mecham sounds like a rat faced little man who combs his hair across his bald spot, and has a massive inferiority complex. Why else would he feel the need to implement systems like this on his co-workers. He then has the audacity to moan about how shutting down the software causes security risks. I mean who gave a whiner and a moaner like this any power what so ever?

A google search for Leonidas Ralph Mecham turns his name up many times in all CAPS. Must be a prat =)

Re:Leonidas Ralph Mecham

[Lumpy]

Actually I can give you a fairly accurate phyc profile of most any government administrator.

1. They know very little about what they are supposedly in charge of.. Example: his whining about how turning off the "watch-the-judge" software will allow hackers in.
2. they are power freaks. They got their job by either stabbing others in the back or because noone else wanted the job so the powerfreak took it. Generally these types of people are Social misfits.
3. Whiney. Almost every one of them get pissy and act like 9 year olds when their "orders" are countermanded. They hate employees that tell them to go to hell when they say " I order you to do this" and they pout and whine when the Unin files greviances against them for being a-holes or just plain stupid.

Go to any level of government, local to federal.. These are people who could not make it in the private sector, and act like spoiled brats. and it is prevalent in any position where they are over any amount of people.

Kozinski makes Sense (plus full text of article)

[kris_lang]

Here is the full text of the article.

Note that in the article, Judge Kozinski is reported to state in a memorandum that he believes monitoring for content is a violation of anti-wiretap statute. This is independent of whether the judges themselves or the judiciary employees want to avoid monitoring for idealistic and legalistic reasons or simply as an end-run around being caught downloading MP3s, AVIs, inappropriate content for the workplace, or simply stealing the bandwidth provided to them as a matter of course for their use in their employment. Don't forget that the judges are employed by us (the taxpayers) via the government to administer and adjudicate the laws that are created by the legislative and executive branches that we choose to elect.

Kozinski's point is actually a very good thing. He asserts that regardless of why he or the judiciary may oppose this monitoring of employee web usage, he has a valid point because this sort of invasion of privacy is violating the anti-wiretap laws.

This may have an interesting effect on the case before FBI's keystroke-logging of Scarfo's computer to acquire his PGP key.

August 8, 2001

Rebels in Black Robes Recoil at Surveillance of Computers

By NEIL A. LEWIS

WASHINGTON, Aug. 7 -- A group of federal employees who believed that the monitoring of their office computers was a major violation of their privacy recently staged an insurrection, disabling the software used to check on them and suggesting that the monitoring was illegal and unethical.

This was not just a random bunch of bureaucrats but a group of federal judges who are still engaged in a dispute with the office in Washington that administers the judicial branch and that had installed the software to detect downloading of music, streaming video and pornography.

It is a conflict that reflects the anxiety of workers at all levels at a time when technology allows any employer to examine each keystroke made on an office computer. In this case, the concern over the loss of privacy comes from the very individuals, federal judges, who will shape the rules of the new information era.

The insurrection took root this spring in the United States Court of Appeals for the Ninth Circuit, based in San Francisco and the largest of the nation's 12 regional circuits, covering 9 Western states and two territories. The Judicial Conference of the United States, the ultimate governing body of the courts, is to meet on Sept. 11 to resolve the matter.

The conflict between the circuit judges and the Administrative Office of the Courts, a small bureaucracy in Washington, deteriorated to a point that a council of the circuit's appeals and district judges ordered their technology staff to disconnect the monitoring program on May 24 for a week until a temporary compromise was reached. Because the Ninth Circuit's was also linked to the Eighth and Tenth Circuits, the shutdown affected about a third of the country and about 10,000 court employees, including more than 700 active and semiretired judges.

Leonidas Ralph Mecham, who runs the Administrative Office of the Courts, and who ordered the monitoring of all federal court workers, said in a March 5 memorandum that the software was to enhance security and reduce computer use that was not related to judicial work and that was clogging the system. A survey by his office, he wrote, "has revealed that as much as 3 to 7 percent of the judiciary browser's traffic consists of streaming media such as radio and video broadcasts, which are unlikely to relate to official business."

Officials in the judicial branch on both sides of the issue provided several internal memorandums written as the dispute continued over the weeks.

After the shutdown, Mr. Mecham complained in a memorandum that disconnecting the software was irresponsible and might have resulted in security breaches, allowing unauthorized outsiders access to the judiciary's internal confidential computer network. "The weeklong shutdown put the entire judiciary's data communication network at risk," he wrote on June 15.

Mr. Mecham warned in that memorandum that on the days before the software was disabled, there were hundreds of attempts at intrusion into the judiciary's network from places like China and Iran.

But Chief Judge Mary Schroeder of the Ninth Circuit responded that the concerns were overblown and that the circuit's technical people carefully monitored computer activity during the week that the software was disabled.

In a June 29 memorandum, she said that there was no evidence that the electronic firewall used to block hacking had been breached and suggested that Mr. Mecham had exaggerated the potential of a security breach because having hundreds of attempted breaches per day was routine and routinely blocked.

The Ninth Circuit disconnected the software, she wrote, because the monitoring policy was not driven by concern over overloading the system but Mr. Mecham's concern over "content detection." Many employees had been disciplined, she noted, because the software turned up evidence of such things as viewing pornography, although they had not been given any clear notice of the court's computer use policy.

Moreover, she wrote, the judiciary may have violated the law.

"We are concerned about the propriety and even the legality of monitoring Internet usage," she wrote. Her memorandum said that the judiciary could be liable to lawsuits and damages because the software might have violated the Electronic Communications Privacy Act of 1986, which imposes civil and criminal liability on any person who intentionally intercepts "any wire, oral or electronic communication."

She noted that the Ninth Circuit had ruled just this year that the law was violated when an employer accessed an employee Web site. In fact, the issues of what is permissible by employers have produced a patchwork of legal rulings and the matter has never been addressed directly by the Supreme Court.

Judge Alex Kozinski, a member of the Ninth Circuit appeals court, drafted and distributed an 18-page legal memorandum arguing that the monitoring was a violation of anti- wiretap statute. [italics added]

Judge Kozinski, widely known for his libertarian views, said the court employees who were disciplined, an estimated three dozen, could be entitled to monetary damages if they brought a lawsuit.

A spokesman for Mr. Mecham said that the software could not identify specific employees but workstations. When unauthorized use was detected, Mr. Mecham's deputy, Clarence Lee Jr., wrote to the chief judge of the district, urging that the employee who used the workstation be identified and disciplined. One such letter includes an appendix listing the Web sites that employee had visited, some of them pornographic. There is no evidence that any alleged abuse of the system involved judges.

Judge Kozinski said: "Aside from my view that this may be a felony, it is something that we as federal judges have jurisdiction to consider. We have to pass on this very kind of conduct in the private sphere."

Prof. Jeffrey Rosen of the George Washington University Law School, author of a recent book on privacy, "The Unwanted Gaze" (Vintage 2001), said, "It's fascinating that the courts have to grapple with these issues so close to home." The law is evolving, he said, adding: "This drama with the judges reminds us of how thin the privacy protections are. There's a real choice right now whether e-mail and Web browsing should be regarded like the telephone or a postcard."

Judge Edwin L. Nelson, who is chairman of a judges' committee that deals with computer issues, said in an interview that his group met last week and drafted proposals to deal with monitoring. Judge Nelson would not discuss the proposals but they are almost certain to resemble policies used in the rest of the federal government, in which clear notice is given to computer users that they may be monitored.

Jim Flyzik, vice chairman of an interagency group that considers computer privacy issues in the federal government, said that each department had its own policy but that clear and unambiguous notification of monitoring was usually an element.

In the private sector, a survey by the American Management Association this year found that 63 percent of companies monitored employees' computer use. END OF ARTICLE

Goes to show you can't assume common sense

[lingenfr]

My workplace uses blocking software. In conjunction with an investigation, a supervisor request or normal network maintenance, we occassionally monitor Internet (primarily WWW) usage. Each time we can't a half dozen folks who are then reprimanded or fired.

Our CEO's feeling is that we should not have to tell our employees that using a company provided PC and Internet bandwidth during the workday to surf porn it not OK. With the last few rounds of discipline however, we have put out a notice to all employees, the boss put out a letter to supervisors requiring them to council their staff and we initiated a user statement of agreement that is signed prior to being issued an account.

All that is great CYA. It is disappointing to see folks who should be setting the example protect the immature habits of a few. It is crap like this that is that is causing American jobs to go elsewhere. I am not for worker abuse, but like one of my bosses used to tell me "When you name is on the bottom of your paycheck, you will get a vote in workplace policy".

People don't read.

[Mr Krinkle]

First the judges did not disable the monitoring software. The judges had the IT dept disable the software. Also these judges say in there that the only reason they took issue with this monitoring is because the employees were not clearly notified. Where I work we have started firing people on third shift for looking at porn all night. It pisses me off as I am the guy who has to track them down via IP and a log file from a firewall. While I disagree with firing people for the first offense here it was clearly stated in the employment handbook that everyone here signed. It says basically use of company computer resources will be monitoring and going to non buisiness related sites can result in termination. Since it is clearly stated they, the judges, would have no problem with this. Basically, as long as your company tells you that they are monitoring you they can. Same as video surveillance in the workplace. As long as they tell the employees they can tape all they want.

WORKplace inet monitoring is absolutly acceptable

[Brawyin_Neytal]

WTF? Why would an employer not have complete control over what you do with THEIR computers while they are PAYing you to WORK for them. This is not play time, you are not at home. You have a computer at work so that you may use it for specific functions to accomplish your job. They are not a common carrier, they are not your home internet provider, they do not host your default mode of private communication. An employer's computers and network connectivity exists for one purpose. To DO WORK. Would you expect to use the business car with out accountability, use the business phone without accountability, use business stati

Re:WORKplace inet monitoring is absolutly acceptab

[vidarh]

Why would you not consider being able to access some non-work related sites as part of the payment?

I wouldn't have a problem with being monitored if it was spelt out in my employment contract that I would be. If I cared about that, I could then insist on higher pay, or not take the job, if I didn't want to be monitored.

The problem occurs if employers can just start monitoring without informing employees, and without creating the expectation that they will follow through, so that employees can decide for themselves whether to accept it or not.

Re:WORKplace inet monitoring is absolutly acceptab

[vidarh]

Everytime they give access to a new service, they should at least inform about rules for accessing it. And when you're joining the company they should inform you about any existing policies. When where you last informed about excessive monitoring and restrictions on privacy during a job interview?

Re:WORKplace inet monitoring is absolutly acceptab

[japhmi]

1st, there are(/should be) ways to see if someone is doing something they're not supposed to without monitoring. Sort of like how an employer shouldn't wiretap all the phones, the boss should pay attention to what his employees are doing, to see if they are spending hours every day talking to friends.
2nd, what about if someone is looking up something during say, a lunch break. Or during mandatory paid break time. (in Oregon, the law requires something like 1 15-min paid break for every 4 hours working)

There are, of course, things that should and should not be done. If your entire office is on one DSL link, don't be downloading ISOs etc. It's called common sense, and everyone should use it.

Re:WORKplace inet monitoring is absolutly acceptab

[japhmi]

So, what exactly is the difference between a boss looking over your shoulder and using a tool to do it over the network? Same thing, different way of doing it.

What's the difference between my boss listening to me talk on the phone by standing near me and installing a wire tap? What about if I have some good reason for doing something, not just being some statistic. If a boss is looking over your shoulder, they may understand _why_ you are doing something. The fact that according to statistics you contacted a porn site 3 months ago can get you fired, even though that porn site was a re-direct from another site that was one letter off of some other site that _was_ business related.

I'd love to see the rule that says your employer is required to allow you to surf the web and use their network while you are on break.

Well, at _my_ job I'm allowed to browse the web whenever I like, or read a book etc. If nobody is asking for my help, I can do pretty much whatever I want. But my job isn't like most, so I wasn't trying to be specific to me. I'm at work right now, and my boss is very happy to let me read /.

I'm not saying that an employer sould be _required_ to let someone browse the web on break, but I think it's a good idea. You have a break, you decide you want to look up something, so you do it. It's called employee morale.

At least come up with some real arguments.

See above, employee morale sinks if the employees think bosses are checking up on every little thing they do. If there seems to be a problem, there are other ways of dealing with it than "everyone's a criminal, we're monitoring you, trust the computer, the computer is your friend."

This is WRONG

[mESSDan]

Judge Alex Kozinski, a member of the Ninth Circuit appeals court, drafted and distributed an 18-page legal memorandum arguing that the monitoring was a violation of anti- wiretap statute.

Judge Kozinski, widely known for his libertarian views, said the court employees who were disciplined, an estimated three dozen, could be entitled to monetary damages if they brought a lawsuit.

Does anyone else think this is completely wrong? He isn't using his personal computer, he's using his computer AT work. He used his lawyering abilities to write an 18 page memo about how he can get pr0n at work and that he and his fellow court employees (paid with US Tax Dollars) could be entitled to monetary damages if they sued because they couldn't get pr0n at work, and because they were monitored on what they viewed. IMHO, It is perfectly okay to monitor people's web usage at work, especially when I foot the bill, as a US Taxpayer. It helps if you remember that judges were lawyers once too.

Re:This is WRONG

[Tassach]

Using the company computer at work to do non-work-related surfing is no different than using than making a personal phone call. People make personal phone calls from work, and in 99% of the cases, there is no problem. The same is true for surfing. People goof off on the job since the beginning of civilization, we just have more ways to goof off than our ancestors did.

If you had phone sex with your lover from the office phone, it would be just as inappropriate as if you were surfing porn or boinking a co-worker in the supply closet. However, a company cannot ethically monitor it's employees just because their employees may be doing somthing inappropriate on company time.

If a company wants to monitor IP traffic, it should be held to the same legal standards as one that wants to bug the telephones or put up spy cameras. Even at the office, there are certian expectations of personal privacy which an employer may not violate.

Hurrah, But...

[deebaine]

She noted that the Ninth Circuit had ruled just this year that the law was violated when an employer accessed an employee Web site.

Wait a second here. I read this to mean that it was ruled a violation of privacy to visit someone's website? This seems a bit far in the other direction. Does anyone have any more information? I am firmly against workplace monitoring, but at the same time, I can't imagine how some one could post a web page and not expect visitors.

-db

Re:Hurrah, But...

[chegosaurus]

> I can't imagine how some one could post a web page and not expect visitors.

You never worked for a dotcom startup then?

Ack!

[The Abominous Salad]

As a former manager of a staff of phone support techs, this doesn't sound good. Privacy doesn't (or shouldn't) apply in cases where you're using company products to conduct company business. You're there to work, and they have every right to see what you're doing when you're doing it.

I know that monitoring software (via software pretty similar to VNC but neither beer-nor-speech free) helped us get rid of a few folks who were surfing porn, netsexing, and even downloading 1337 h@><0r utilities. I think once we even stopped a rep from verbally abusing a customer via a trouble ticket response because we caught him typing the message. Without these tools, they would have just minimized the windows and the company would have been open to liability. Now, if this precedent applies to all monitoring of workstations, companies are far less able to enforce their employees' behavior, for which the employer is accountable. In short, bunk.

Re:Ack! I agree

[kris_lang]

I agree with you regarding wasting company or government resources, bandwidth, and money. Monitoring is appropriate if it is explained that it is going to occur. This has to be explicitly articulated. I believe that Kozinski's point was that it was not spelled out at all.

Note that in the article, Judge Kozinski is reported to state in a memorandum that he believes monitoring for content is a violation of anti-wiretap statute. This is independent of whether the judges themselves or the judiciary employees want to avoid monitoring for idealistic and legalistic reasons or simply as an end-run around being caught downloading MP3s, AVIs, inappropriate content for the workplace, or simply stealing the bandwidth provided to them as a matter of course for their use in their employment. Don't forget that the judges are employed by us (the taxpayers) via the government to administer and adjudicate the laws that are created by the legislative and executive branches that we choose to elect.

I didn't elect them to use workplace time and equipment for personal use. Now I agree with Kozinski that if this policy was not well-articulated, then it is wrong for monitoring to be allowed to occur. But I also feel that it is not appropriate to suck bandwidth or waste time on the company dime. Especially when that company dime came from my pocket via taxes.

I also feel that if the company or gov't office allows people to use telephones to make personal calls, they ought to allow some leeway in using internet bandwidth for personal use.

But since it would be inappropriate to use the office telephone system to call Mabel in Australia every day from the AOC office in the U.S.A., it would be just as inappropriate to waste huge amounts of bandwidth for MP3's (unless you are Judge Marilyn Patel, working on the Napster case), porn (unless you are working on a porn-related case), or even voice-over-IP phone calls (unless you are going to work on that case that ATT, MCI, et al, all WANT to file!).

Helloooo!!

[4of12]

My workplace monitors IP traffic left, right and sideways.

My thoughts on the matter...?

Well, lessee, <tap>,<tap> ...areyou listening, OK!

"My employer is in full compliance with all regulations, procedures and the full letter of the law in every regard. All employees are fully educated in management's policies to respect rules governing our corporation. No corporate computer may be used for anything besides corporate business, during corporate business hours, that we all respect constantly. As a matter of fact, my co-workers and I came in 3 hours early this morning because we love our jobs so much and the compensation packages approved by upper management are, well, just darn so good. After work I'll volunteer at a local homeless shelter as long as I'm wearing my corporate logo T-shirt..."

Memorandum to Chief Judges, July 11, 2001

[nevis]

To: All Chief Judges, United States Courts

From: Chief Judge Mary M. Schroeder

Re: Clarification of AO Correspondence on Intrusion Detection System Shutdown

You have received a memorandum from Director Mecham dated June 15, 2001, regarding the Administrative Office's use of intrusion detection software on the Data Communications Network (DCN). This memorandum will provide you with additional information about why the Judicial Council of the Ninth Circuit directed that this software be disconnected for a brief period. Before doing so, let me emphasize two points:

1. The security of our computer systems has not been compromised. The firewall that protects the Internet gateway for the Eighth, Ninth and Tenth Circuits was not breached during the few days that the intrusion detection software was inactive. Our computer staff has assiduously investigated every rumored firewall breach both within and outside the Ninth Circuit. Thus far, every report of an incident has proven to be groundless.

2. All the Ninth Circuit seeks is a responsible, common sense resolution of the issues involved in Internet monitoring, after careful deliberation by the Judicial Conference. Internet Security The computer and networking equipment that permits courts in the Eighth, Ninth, and Tenth Circuits to access the Internet is located in San Francisco. These Internet access servers are controlled remotely from the AO offices in Washington, D.C. The servers are protected by a security system (hardware and software) that establishes a firewall between the DCN and the greater Internet. The firewall prevents unauthorized persons (hackers) from gaining access to the DCN and PACER networks. The servers also are equipped with an intrusion detection system, consisting of internal and external sensors, which enables the AO to detect hacking attempts. The intrusion detection system has some limited capacity to stop hackers, but is not a substitute for the firewall.

The best analogy is to a locked door and a surveillance camera. It is the door that keeps intruders out. The surveillance camera simply keeps track of who tried to enter and when. At no time has the firewall protecting the DCN been deactivated. Nor is there any evidence that the firewall has been penetrated. Our systems staff hosts the Internet websites for courts in the three circuits. We have contacted all the systems managers in the three circuits and none of them report any evidence of intrusion or damage to their court web sites. Furthermore, the current debate has nothing to do with the PACER network on which the court Pacernet, Electronic Case Filing, and Internet web servers reside, a point that is confused in Director Mecham's June 15 memorandum. These websites are protected by a separate arm of the intrusion detection system, which was unaffected by the actions of our judicial council. The PACER network's intrusion detection sensor was never touched, and thus continually operational during the period in question.

Internet Monitoring

The intrusion detection system also can be used for purposes unrelated to security, such as use of Internet bandwidth (capacity). In this case, the AO had configured part of the system to identify individual computers within the DCN that had been used to access Internet sites dealing with pornography, music, stock trading, and gambling. Information gleaned from this surveillance was being used by the AO to seek disciplinary action against court employees. On May 23-24, 2001, AO monitoring was discussed by both the Executive Committee of the Ninth Circuit Court of Appeals and the Judicial Council of the Ninth Circuit. Reaction from both bodies was sharply negative. The Executive Committee adopted a resolution urging the Judicial Council to direct that the relevant internal intrusion detection system be disconnected until such time as the AO agreed to use it for security monitoring only. The resolution was passed unanimously by the Judicial Council. The circuit executive immediately disconnected the relevant internal intrusion detection system and notified the chief judges of the Eighth and Tenth Circuits and the AO of this action. As it turned out, the relevant portion of the intrusion detection system had shut down on its own sometime over the previous five days. This shutdown apparently went unnoticed by AO systems staff, which is responsible for DCN monitoring, 24 hours a day, seven days a week.

Our Reasons

The Judicial Council of the Ninth Circuit took these actions for the following reasons:

1. We are concerned about the propriety, and even the legality, of monitoring Internet usage by court employees. A non-frivolous argument can be made that such activity violates the Electronic Communications Privacy Act of 1986, 18 U.S.C. 2510-2511, which imposes civil and criminal liability on any person "who intentionally intercepts . . . any wire, oral or electronic communication." This is of particular concern in our Circuit because of the construction given the Act in Konop v. Hawaiian Airlines, 236 F. 3d 1035, 1046 (9th Cir. 2001), which found liability when an employer accessed an employee website. The Act defines "electronic communication" quite broadly, including "any transfer of signs, signals, writing, images, sounds, date or intelligence of any nature." 18 U.S.C. 2510(12).

2. We are particularly concerned that inadequate notice about the practice of monitoring had been provided to the judges and court staff. Most judges felt that surveillance of individual Internet activity as a means of enforcing an Internet policy without notice to the employee was inappropriate. If such an activity were to be put in place, it ought to be the result of official action of the Judicial Conference with notification to court staff.

3. We believe that there had been inadequate discussion about this policy and practice by the Judicial Conference of the United States. Indeed, it appeared to us that surveillance of employees and possibly even judges had been initiated without specific authority from the Judicial Conference or the Executive Committee. Judges were also concerned that the policy had been implemented without the input and consideration given other similar actions, such as the protection of privacy in electronic case filing. Many judges were concerned about the potential scope of the monitoring. The system has the potential to allow real time observation of individual Internet activity. Indeed, virtually the only function of the "inside" sensor is to monitor the Internet activities of court personnel, not to track incoming Internet activity. Much of the monitoring was not driven by bandwidth concerns, but content detection. Judges believed that a careful policy needed to be in place defining the scope of any monitoring and disclosure of monitoring results.

4. We are concerned about chief judges being asked to report to the AO on actions they may have taken. This is particularly troublesome without Judicial Conference policy directives. Why should a chief judge respond to the AO? Moreover, if a chief judge chooses not to respond, what would the AO believe is the appropriate next step? What is the basis for this? Since there is a "perk" aspect to some Internet use, how much privacy should be given to courtpersonnel? If an employee engages in phone sex at work or places bets over the phone to his/her bookie, it would be embarrassing to the Judiciary, but we do not monitor all Judiciary personnel's phone calls to try to catch such potentially embarrassing conduct.

5. We are concerned that the definition of "inappropriate use" is too broad or might otherwise not be accepted by many chief judges. We are not convinced that downloading music or video files compromised bandwidth to the extent meriting monitoring. Many judges believe that less intrusive methods of administering an Internet policy ought to be pursued before actually conducting surveillance on employee Internet activity. Most court units have only just begun to educate and inform court staff about Internet concerns, particularly bandwidth usage. For example, many employees who were simply innocently unaware of bandwidth consequences would "stream" audio newscasts, particularly during the recent election and aftermath. In many court units, this practice was not against any official policy. Some judges believe that we ought to give court units an opportunity to address this in the first instance before monitoring.

6. Many judges were concerned that recording and monitoring information kept by the AO would be an inevitable part of any Senate confirmation process. In addition, some judges observed that if limiting embarrassment were the goal, we were creating great potential for embarrassment by intercepting, organizing and summarizing this material.

The Judicial Council of the Ninth Circuit fully supports legitimate system monitoring to detect hackers and outside threats to the security of the DCN. It believes that to the extent that the Committee on Automation and Technology and the Judicial Conference of the United States authorized any monitoring to date, it was for purposes of detecting hackers. The council does not believe that the judiciary leadership intended the process to be used to monitor the activity of judges and court personnel with the concomitant disciplinary action

sought by the AO.

Next Steps

The Executive Committee of the Judicial Conference of the United States has directed the AO to cease monitoring for non-security purposes and asked the Conference's Automation and Technology Committee to develop a policy before the full Conference meets. The Automation and Technology Committee has formed a subcommittee that is looking into the issue.

Our need as a Judiciary to discuss these important issues and formulate an informed, legally viable and necessary policy is indeed the original point raised many months ago by our circuit executive with the Administrative Office. We gain nothing by disparaging each others' motives or by engaging in threats, but gain everything from a full, accurate, and candid discussion of the important issues at the heart of this problem. We in the Ninth Circuit welcome the opportunity to participate in that discussion.

My question:

[sulli]

What was the monitoring tool used, and (more importantly) how do we find and disable it? I have deleted lots of remote-admin tools from my PC but not because of pr0n - they are slow and cause crashes, particularly when they [tivoli.com] try to update Internet Explorer when I'm on a dial connection from an airport payphone. (I think that was the last straw.)

Think of it this way: Users should have the ability to maximize performance and reduce overhead, just like admins.

Being monitored in the workplace..

[Bowie J. Poag]

Being monitored in the workplace isn't so bad..Just ask Microsoft CEO Steve Ballmer [system26.com]. :)

Re:Being monitored in the workplace..

[Anonymous Coward]

augh! don't be fooled by the link -- it's really bowie j poag's weblog!!!

i hate being tricked into going there!

Owner control

[zenray]

Sorry Judges, the owner of a computer system that is used in the workplace by employees has the right to monitor anything on their system. If I actually owend the system you disabled IDS on I would have had you up on charges for makeing unauthorized changes to MY computer system. If you don't like the law then change it via your elected legislators, not because you are Federal Judges who think they are somehow privleged.

Let's not stop here!!

[trailerparkcassanova]

They should be made to take lie detector tests and piss in a cup.

Missing the Point

[isa-kuruption]

One thing I noticed half-way through the article was a reference to employees being disciplined despite not being made aware of the policy. This is illegal.

Is a company monitoring your actions while at work illegal? Well, if they notify you upon receipt of employment they will not tolerate certain acts (sexual harrassment, firearms, smoking, downloading streaming video) then you have a choice. Take that job and follow the rules... or don't. It's that simple. Since the equipment you are using belongs to the employers and the bandwidth you are using belongs to the employers, they have the right to state any policy they want.

Monitoring isn't bad. As a security guy, we have to monitor people daily. For instance, we watch any downloads >10MB and do content filtering... sometimes we need to investigate exactly what a user has been downloading. We watch files over 10MB because there isn't much that is downloaded over 10MB, and we only have maybe 25-30 legit downloads per day that are that size. Sometimes we see someone downloading a .mov or .rm file, but unless the site has sexually explicit content we don't bother investigating.

It IS in our company policy that using company computers for downloading pornography is illegal and all employees are made aware of this through a signed statement they return to H.R. upon being hired and through a mention of it at orientation at their first day of work.

It isn't illegal to do this, unless the company doesn't tell you they are doing it. If they use a "full disclosure" policy regarding things like this, then this is and should be completely legal.

Re:Missing the Point

[peccary]

Well, if they notify you upon receipt of employment

Except that NOBODY notifies employees of policy concurrently with the offer. The policy notification only happens *after* you have started the new job, when they have you over a barrel. And they change policies freely during your employment, leaving you no choice but to accept or walk out. This is a significant power differential, and it suggests that these are not "contracts freely entered into", but that there is some measure of coercion involved.

For further proof, imagine asking for a copy of the employee handbook in an interview. Do you think you'll get that offer? I'll bet it wouldn't help your chances. That says volumes about the coercive nature of this so-called "contract".

Re:Missing the Point

[isa-kuruption]

This is why, as my company has done, the company should also place the current policies on a website for access to everyone and inform all employees when even the slightest change takes place. (Again, we do that here.)

The company isn't "out to get you". In fact, they prefer to NOT have to replace you. To replace you would cost 2 to 2.5 times your salary. Why would they WANT to get rid of you? If you feel you were wrongly terminated, that's one thing and you can take them to court for that, but to blindly believe they just want to get rid of people is folklore. (Not to say some companies don't or don't play tricks, but again, time for a lawsuit if you feel you were not terminated correctly.)

Re:Missing the Point

[mojotoad]

Monitoring downloads >10MB... Speak for yourself. In the oil industry, at least, downloads in the GB range happen hundreds of times a day in research...er, technology centers. On the other hand, I suppose at this end of the spectrum porn is unlikely as well. Or if it is likely, then I need a new source for my director's cuts.

Re:Missing the Point

[DrSkwid]

er how do you monitor the download of chunked data in separate connections available in the ftp, http and napster protocols?

downloads > 10mb make no sense (particularly as thousands of pr0n mpgs are 10Mb (and I know cos I have them here)

Re:Missing the Point

[gilroy]

Blockquoth the poster:

It's that simple. Since the equipment you are using belongs to the employers and the bandwidth you are using belongs to the employers, they have the right to state any policy they want.

It's not as simple as you -- and most employers -- believe. Look at the following:

• http://www.nytimes.com/2001/07/27/technology/27CYB ERLAW.html [nytimes.com]
• http://www.greenbag.org/rosenbaum_harddrive_intro. htm [greenbag.org]

Re:Missing the Point

[kris_lang]

I agree with you.

Note that in the article, Judge Kozinski is reported to state in a memorandum that he believes monitoring for content is a violation of anti-wiretap statute. This is independent of whether the judges themselves or the judiciary employees want to avoid monitoring for idealistic and legalistic reasons or simply as an end-run around being caught downloading MP3s, AVIs, inappropriate content for the workplace, or simply stealing the bandwidth provided to them as a matter of course for their use in their employment. Don't forget that the judges are employed by us (the taxpayers) via the government to administer and adjudicate the laws that are created by the legislative and executive branches that we choose to elect.

I didn't elect them to use workplace time and equipment for personal use. Now I agree with Kozinski that if this policy was not well-articulated, then it is wrong for monitoring to be allowed to occur. But I also feel that it is not appropriate to suck bandwidth or waste time on the company dime. Especially when that company dime came from my pocket via taxes.

I also feel that if the company or gov't office allows people to use telephones to make personal calls, they ought to allow some leeway in using internet bandwidth for personal use.

But since it would be inappropriate to use the office telephone system to call Mabel in Australia every day from the AOC office in the U.S.A., it would be just as inappropriate to waste huge amounts of bandwidth for MP3's (unless you are Judge Marilyn Patel, working on the Napster case), porn (unless you are working on a porn-related case), or even voice-over-IP phone calls (unless you are going to work on that case that ATT, MCI, et al, all WANT to file!).

Re:Missing the Point

[kevlar]

Once again, I need to point out to a /. user that an employer can fire you for any reason. You may sue to get your job back or to be compensated, but thats another story. When it comes to it, an employer can fire you for *NO* reason at all. Its not your right to work for an employer, its a privilege. If they don't like you looking at porn on their time, they can fire you, regardless of whether its "in the handbook" or not. They don't need to give you a reason. Sure sue all you want, but there are plenty of excuses to fire someone and have plenty of blanket protection in court.

Monitoring is pure PHB

[King Of Chat]

I do not understand what my employees do so I can't help them do things which are productive.

I can stop them doing things which are unproductive.

Now we have open plan offices, e-mail and web monitoring. We cannot relax and get on with our jobs in peace and quiet - but at least we're not wasting time.

Dunno about you, but I find it quite hard to design and code in the middle of a fscking zoo.

Mind you, I'm getting away with this ... so far

This is odd...

[Lxy]

"the days before the software was disabled, there were hundreds of attempts at intrusion into the judiciary's network from places like China and Iran. "

How does Monitoring Software == firewall software all of a sudden? Please don't tell me that their monitoring software is also a "personal firewall" package. If they're relying on firewalling at the workstation level then all of my faith in the judicial system is lost. "We didn't have the staff to support a redundant SOHO system so we ordered up a few copies of Norton's Personal Firewall". Oh, the humanity!

Sued if you do, sued if you don't

[Billly Gates]

You can thank all the lawyers in the nation for starting this censoring craze. A woman for example might be fired for being incompetent but knows the boss goes to penthouse.com. She can sue her boss for sexual discrimination. A sleazy lawyer can say "hey he looks at porn all day long. Does he look at all women like sex objects and not as competent employees?"

On the other side someone could sue on constitutional grounds of freedom of speech for things such as email monitoring and blocking. But now the New York state supreme court itself questioned the legality and it opened the door to hundreds of potential lawsuits. After all in the lawyers eyes a state supreme court itself questioned the legality. If I were a HR manager, I would be pretty pissed. On hand you can risk being sued if you don't monitor through sexual discrimination and on the other hand through abusive searches and preventing freedom of speech. So what is a workplace suppose to do?

I suppose the real question is with the privacy laws. I am in favor of corporation monitoring only under the condition that they do it under their own office with their own equipment during work hours. I believe we have no right to privacy other then the government cannot prosecute you with evidence taken without a search warrant. A private enterprise is not a government so it has a right to search its own computers. We never did have freedom of speech at work. Can a cuss in front of my boss or bosses boss or have any opinion or believe I want while on the job? I didn't think so and it's ok because a corporation is not a government. Think not about the costs of bandwidth and productivity but the costs of potential lawsuits.

our best defense

[bobalu]

Cool. Our best defense against this stuff is when it starts to affect judges, prosecutors and Conress-critters.

Re:our best defense

[caseydk]

This is probably a small victory in the direction of workspace liberties, but is it a correct one?

I work for a consulting firm that does a great deal of work for the government. If I'm surfing porn or whatever during their time, then that's not a legitimate use.

Mass downloading on the other hand is something else entirely. As I type, I have slackware 8.0 downloading and I regularly listen to streaming radio feeds while I'm doing my work. Those are the uses that I think are the most important. IMHO, It's no different from having the radio on or listening to a cd.

Re:our best defense

[dirk]

This is probably a small victory in the direction of workspace liberties, but is it a correct one?

I work for a consulting firm that does a great deal of work for the government. If I'm surfing porn or whatever during their time, then that's not a legitimate use.

Mass downloading on the other hand is something else entirely. As I type, I have slackware 8.0 downloading and I regularly listen to streaming radio feeds while I'm doing my work. Those are the uses that I think are the most important. IMHO, It's no different from having the radio on or listening to a cd.

Except you are using some of their finite amount of resources to do this. Listening to the radio takes no resources (except for the tiny amount of electricity, which they give you permission to use by saying you can listen to the radio). Downloading Slackware and listening to streaming audio uses a piece of their bandwidth.

I work at a company that only has a partial T-1 (768 kb/s). If we had people downloading Slackware and listening to streaming audio, it could potentially impact our bandwidth for legitimate work related activity. Should we be able to monitor and make sure people aren't using our (limited) resources for things they shouldn't and thereby negatively affecting the productivity of others? Of course we should, so how is this any different? If you are continually on the phoen making personal calls, you can be disiplined (they can't monitor the content of your calls, but they can monitor how much you use the phone). That is because it is a limited resources (there are only so many lines) and if you are using then for non-business related activities, you could impact people trying to use then for business.

judges may need to check things out

[bobalu]

How do you tella judge what they can and can't look at in the course of their duties? If they're working on a case that involves online porn they may need to visit the site!

Re:our best defense

[rosewood]

Ah but you are using THEIR bandwidth and THEIR time (THEY are PAYING you to be there to do whatever it is you do - NOT to download ISOs and not to listen to music. If your boss says okay - then its okay. If you did not ask or especially if he or 'someone in corporate' said no - then youre not suposed to do it - EVEN IF *YOU* THINK IT IS OKAY Im starting to see a weird patern in /.'s that just do what they think is right - IE writing an anti code red worm that nukes the partition 'because if they didnt patch it - they deserve it'.

Re:our best defense

[GreyPoopon]

then youre not suposed to do it - EVEN IF *YOU* THINK IT IS OKAY Im starting to see a weird patern in /.'s that just do what they think is right

Not to single you out (ok, so I am), but you and several others appear to be missing the point. Yes, I believe that such uses of employer's computers are just wrong. But that's not really the issue here. The issue is instead the methods by which they were being monitored. If I walked up to my boss and made some side comment about how I was using my computer to watch videos during the day, then he'd have the right to fire me. On the other hand, if my employer uses stealthy monitoring tools to "spy" on me while I work, this is an invasion of my privacy, and in my mind no different that tapping my phone without a warrant. Just wait till somebody monitors you and cans you for some pornography popover that came up while you were reading an article on *news source X* about a new deal between your company and another.

See how we feel

[Deanasc]

So maybe if the judges know how the little guy feels they may see us in a favorable light.

Judge not lest ye be judged... or something like that.

Re:See how we feel

[Maskirovka]

So maybe if the judges know how the little guy feels they may see us in a favorable light.

So you're say that judges get horny during the day just like the rest of us?

Maskirovka

Re:See how we feel

[rosewood]

Quite often judges are put in the possistion where 'morally' or 'justifiably' they want to rule with the downtrodden, the little guy, the underdog, the just one - etc. However, what they want to do is not always the lawful thing to do. Justice is not always lawful. How fucked up is that?

Sensationalism

[Wind_Walker]

These judges didn't "take a stand" against "workplace monitoring", Michael. These judges wanted to download MP3s, view porn, and watch videos. That does NOT mean that they disagree with monitoring, they just wanted to get around it.

Don't try to make this out to be more than it really is. This is just a bunch of co-workers using their own smarts to get around the IT department.

Re:Sensationalism

[Big Nothing]

The judges did not use their smarts to get around the IT department. They used their influence to get the IT department to disable the monitoring software. I have no doubt that the ultimate reason for doing this is that they want to download porn. However, they do make a stand against privacy-invading monitoring software, and they do question whether this kind of software is legal and/or ethical.

The bottom line is that this might be a good thing for the average Joe.

Re:Sensationalism

[MartinG]

"take a stand" and "workplace monitoring" are both fairly vague terms. I believe this is NOT sensationalism and that what was said was correct.

If anything it was perhaps overly ambiguous or too vague, but correct nontheless IMO.

Re:Sensationalism

[mikethegeek]

"Don't try to make this out to be more than it really is. This is just a bunch of co-workers using their own smarts to get around the IT department"

Everywhere I've worked, I've BEEN in the IT department, and we are the first ones to by-pass any blocks/filters for ourselves. After all, we're responsible for maintaining them...

This also as DMCA implications. The DMCA would seem to create an open season on placing bugs in software that monitors browsing, collects information, etc, and "phones home", yet disabling this or even breaking into the code to find out WHAT it's doing would be a DMCA violation.

I guarantee soon monitoring software will be appearing in closed-source programs, like games, etc before long, when the Doubleclicks of the world start spreading the $$$ around. And it'd be nice to have judges who are aware of the implications.

Re:Sensationalism (Please RTFA!!)

[pq]

These judges didn't "take a stand" against "workplace monitoring", Michael. These judges wanted to download MP3s, view porn, and watch videos.

If you'd bothered to read the fascinating article, you'd have seen that the NYT explicitly says: "There is no evidence that any alleged abuse involves judges." Just so you know.

And in fact, the issues they are worried about are :

• Judge Alex Kozinski, a member of the Ninth Circuit appeals court, [argues] that the monitoring was a violation of anti- wiretap statute.
• "Aside from my view that this may be a felony, it is something that we as federal judges have jurisdiction to consider. We have to pass on this very kind of conduct in the private sphere."
• "In fact, the issues of what is permissible by employers have produced a patchwork of legal rulings and the matter has never been addressed directly by the Supreme Court."

That's what they are worried about. And as for using their tech smarts: they just ordered their sysadmin to disable monitoring software. Try reading the article, mmmkay?

Re:Sensationalism

[Detritus]

A survey by his office, he wrote, "has revealed that as much as 3 to 7 percent of the judiciary browser's traffic consists of streaming media such as radio and video broadcasts, which are unlikely to relate to official business."

In spite of the author's characterization, using streaming media is not necessarily the same thing as downloading Metallica mp3s from Napster and watching live horny coeds. There are legitimate business uses for streaming audio and video, something that the control freaks in the Administrative Office of the Courts may not understand.

Finally!

[Dancin_Santa]

Now I can resume downloading pr0n at work unhindered!

That was the point, wasn't it?

Dancin Santa

Could be good news for Dmitry

[T1girl]

Any appeals in Dmitry Sklyarov's case will go to the 9th Circuit, which is just one rung below the Supreme Court (and in fact, is the final say in most cases; only about 2% of cases appealed from Circuit Courts of Appeal are ever accepted for review by the Supreme Court.) It's cool that we have judges so high up the ladder who have a sense of individual liberties and enough tech know-how to work around The System to achieve it.

IANAL

Close

[rjh]

The number is actually far less than one percent. For well over ninety-nine percent of all cases, the Federal Appellate Courts are as far as it goes.

Difference Between Monitoring Web and Other Stuff?

[KelsoLundeen]

What I'm curious about -- and I've even asked our company's counsel about this -- is what's the difference between monitoring web activity and monitoring, say, the lunchroom for suspicious "non-work" activity?

Or monitoring the content of our telephone calls for "non-work" communication?

Or monitoring the bathrooms for "non-work" activity?

If there were microphones in the lunchroom -- or, even worse -- in the bathroom -- employees would be furious.

But what's the fundamental difference -- since we're talking "content" here -- between "non-work" jibber-jabber (which surely wastes huge amounts of time) in the hall and "non-work" jibber-jabber surfing from, say, MarthStewart.Com or Kmart.com or Walmart.com?

Our company's counsel said, well, you have a good point. But he couldn't explain the difference.

Why is form of communication more "privileged" than the other? And why do employees sit by and allow their computer clicks to be monitored yet would raise holy hell if they found their "non-work" bathroom conversations were being taped, logged, and then catalogged for a manager's later perusal.

I suspect all this monitoring stuff boils down to two things: (1) liability and (2) bad managers. The liability I can understand -- sexual harrassment due to pornoography, etc. etc. Okay, I understand that.

But (2) is more complex. This isn't a newsflash to anyone on Slashdot, of course, but why is it that more and more managers are farming out their "managerial duties" to the IT department? "Hey, I can't monitor my employees all the time, but I can damn sure monitor what web pages he/she views. Ergo, I retain control."

We needed these guys for the Microsoft trial...

[Curious__George]

Too bad we didn't get a judge with this degree of technical savvy to understand the arguements in the Microsoft anti-trust trial. If they knew enough to disable this software (and what it was really doing) they wouldn't have had much problem figuring out some of the "technical" issues that had to be explained in the case.

Understanding that the browser was NOT an intrinsic part of the operating system, for example would have taken all of 60 seconds.

Curious George

Re:We needed these guys for the Microsoft trial...

[mystery_bowler]

Not to seem argumentative (because for the most part, I agree with you), but you don't need technical savvy to understand privacy violations. Your average human being understands what it means to have your every move watched. Your average human being (at least, the ones who were raised in the United States) also have a problem with being needlessly watched. Even with all the grief we tend to give federal judges, they are people as well and I'm sure they want the same basic rights as any one else, privacy being one of them. This stuff is just common sense. Understanding what the caveats are in an anti-trust case when you've got lawyers and experts throwing legal and technobabble at you...now that takes a special kind of judge.

Re:We needed these guys for the Microsoft trial...

[Mark Bainter]

Read his comment again. His reference to technical savvy was their ability to recognize what the software was doing, not what the implications were, and even more than that their ability to disable that software.

Re:We needed these guys for the Microsoft trial...

[DrSkwid]

read the article once

they did not disable it themselves

and i doubt you needed tachnical savvy to read the memo "employees please note that from next monday all internet access will be monitored"

We sure did, integrating a browser is not a crime!

[Shivetya]

Understanding that the browser was NOT an intrinsic part of the operating system and did not consititute a threat to consumer choice, for example would have taken all of 60 seconds.

just paraphrasing what you wrote, but any non-biased judges would see that browsers mean SQUAT when it comes to operating systems, so their inclusion or not is irrelevant.

Ms was guilty of monopolistic ideals only through their marktet and forced licensing deals with OEMS. What they integrated into the OS should be of ZERO concern.

Why? Because it comes down to, who decides what is and is not allowed to be integrated?

What if MS started to include compilers for C++ and such in their OS? How about source code so that making windows apps using their compilers was many times easier?

So, yes, technically capable judges are nice.

The point is Microsoft CLAIMED it was impossible

[Curious__George]

Understanding that it WAS not only possible, but SIMPLE (to remove the browser without crippling the OS) certainly hurt Microsoft's credibility in the entire case. Judge Jackson DID get the point (after it was demonstrated to him) and is surely one of the big reasons that everything Microsoft said was viewed with suspicion from that point on.

Curious George

It's it great when things happen to judges?

[mikethegeek]

If stupid laws and practices affected judges more often, I think we'd get better outcomes of cases.

It's obvious a lot of this monitoring goes over the line.

Too bad "judge" Kaplan didn't have a kid who downloaded Metallica and was one of the 300,000 kicked off, etc, or liked to buy out of region DVD's.

The more pissed off judges get the better.

Re:It's it great when things happen to judges?

[UberLame]

Judges are just to interpret the laws, not rule wether they are just or not. If there is a law they don't like (say the DMCA), they can't do anything about it.

Being pissed off just makes it easier for the loser to get the ruling overturned on appeal.

No-login Link

[zerosignal]

http://archive.nytimes.com/2001/08/08/national/08C OUR.html

Re:No-login Link

[Jack9]

Thank you for the no-login link :)

Monitoring is here to stay.

[Kefaa]

Control your enthusiasm. While they may have shut off the software, this will almost certainly be a "Do as I say not as I do." result. Consider that most judges who break the speed limit getting into court are probably not revoking their own licenses.

Workplace monitoring is here to stay and has been upheld too often for it to be easily overturned. Any case brought to challenge would have to be in the legislature and the infamous "What do you have to hide" mentality will hold most representatives at bay.

Sad but true...

Better to remain silent and thought a fool than to speak and remove all doubt

Re:Monitoring is here to stay - so I'm leaving

[JWhitlock]

Control your enthusiasm. While they may have shut off the software, this will almost certainly be a "Do as I say not as I do." result. Consider that most judges who break the speed limit getting into court are probably not revoking their own licenses.

Did you hear the story about the two judges arrested for drunk driving on the same night? They get to talking, and figure out that they could be the judge at each other's trial, and get off a lot easier.

So, on the day of the trial, the first judge takes the bench, the second says he is representing himself, etc., etc.. To speed things up, the defendant pleads guilty, the judge asks, are you sorry for what you did, etc., etc., the defendant shows "due remorse", and the judge decides to let him off with time served.

The two then switch places, even swapping the same black robe there in the court room, each wearing their golfing outfits underneath, and switch places.

The current defendant pleads guilty, and shows "due remorse". The judge looks over the desk, and says, "if memory serves, this is the second DUI in a row that has come before the court. In the past, the court has been lenient on this particular offense, but it looks like we have to send a message to the community. $5000 fine and time served!"

I agree, this probably won't turn into a real court case. All this talk about illegal wiretaps and other nonsense sounds scarier than a nice, simple privacy amendment to the constitution. I wouldn't like my IT department getting a court order to "wiretap" my connection because they think I may be "stealing" excessive bandwidth from the company. Is it a worse crime if you are "stealing" from a government institution?

The solution is clear - either a privacy ammendment, which clearly states the right to privacy and lets future legislation and court cases decide the boundaries (not likely in the near future), or just go to a better company, one that's not as draconian. And you wonder why there is a shortage of tech workers for government jobs?

There are two ways of monitoring.

[Saggi]

Good: You can use systems that anonymously monitor the use of the Internet in a department. This is interesting, as it would allow detecting possible "problems". If the survey showed that X % downloaded porn when they worked, the department would be able to raise the issue and start setting focus on the problem (if it is considered a problem).

Bad: On the other hand, monitoring personal information would target everyone, and would force any worker in the department to become paranoid. This would lead the way to do personal manhunts, and would be a very bad thing.

Re:There are two ways of monitoring.

[vidarh]

Actually, a company I usd to do consulting for did prepare "hitlists" listing the top ten visited sites that where "bad" according to company policy. It quickly improved things. Perhaps because people got embarrassed even if they weren't identified to anyone.

It's worth trying, and certainly less invasive than monitoring traffic from individual machines.

Not gain!

[garoush]

We keep talking about monitoring at the workplace -- I am all for *if* it is aimed at:
a) making sure that nothing "outside the law" is taking place
b) making sure that its not being over done by utilizing company and work bandwidth.

HOWEVER, what I don't see being studied and reported on is, if letting employee surf at work is adding value to their productivity and therefore to the company. For example, it is a fact that listening to music (via radio, et. al.) is a way to improve ones productivity. Doesn't surfing improve productivity as a way of taking break, et. al.?

Can we for once get some study done on this "monitoring" stuff from a positive angle please?

Re:Not gain!

[farmhick]

"Doesn't surfing improve productivity as a way of taking break?"........Not if the employee spends 7 hours surfing. Of course that 'never happens' in the real world. If the problem wasn't so bad, the companies would have never spent the money to monitor or filter Internet activity. Basically a few losers at a few companies have loused it up for everyone else. Still doesn't mean that public employees have any more freedom from monitoring than you or I do.

What's sad...

[Xaje]

is that the higher-ups only begin to question the legality/ethics of software monitoring when it happens to them directly.

Although I'm not a big fan of workplace monitoring, this instance smacks of that guy [slashdot.org] whose neighbor told him about the how p2p likes to find kids, give them pr0n and take their bikes.

In a perfect world, the folks in D.C. would listen to the concerns of those of us who are bugged by privacy intrusions when they first start. I guess I'm not really one to complain, since I've never written a letter to my congressdude.

Maybe we should start writing. That way we'll be justified in complaining when congressmen/judges only care about things affecting them directly, or when they hear it from their neighbor's kid's cat.

Will this change anything?

[daoine]

While it's interesting to think that federal judges wanting their privacy might have an effect on how the workplace monitors people, how will it actually affect the private business sector? It may be a case where they could (eventually...) decide that the government has no right to monitor, but private businesses might remain unaffected...

Re:Will this change anything?

[Anonymous Coward]

You're forgetting that sexual harassment laws would essentially allow all the female employees (and with a good enough lawyer the male ones) of the company to sue and collect billions in damages for the fact that a single individual was storing porn on company equipment. Remember the presence of pornography in the workplace, even if only one person ever looks at it, constitutes sexual harassment under U.S. laws and that monitoring all employees is required to avoid liability.

hmmm

[4n0nym0u$ C0w4rd]

I'm not as concerned about employers monitoring what their employees do while at work as I am about the government monitoring what citizens do while at home. Has anyone here heard anything recent about Carnivore, the FBI's E-mail monitoring software? I remember there being a luke-warm rash of arguments against it, then it just kind of faded away in to the "Oh well, we tried." train of thought. What about RIAA monitoring file-sharing? Employers have at least a decent argument on monitoring internet usage, after all they are paying people for their time but the government of RIAA have no right at all to monitor what we do in our homes.

txt done dirt cheap

[Anonymous Coward]

August 8, 2001

Rebels in Black Robes Recoil at Surveillance of Computers

By NEIL A. LEWIS

ASHINGTON, Aug. 7 -- A group of federal employees who believed that the monitoring of their office computers was a major violation of their privacy recently staged an insurrection, disabling the software used to check on them and suggesting that the monitoring was illegal and unethical.

This was not just a random bunch of bureaucrats but a group of federal judges who are still engaged in a dispute with the office in Washington that administers the judicial branch and that had installed the software to detect downloading of music, streaming video and pornography.

It is a conflict that reflects the anxiety of workers at all levels at a time when technology allows any employer to examine each keystroke made on an office computer. In this case, the concern over the loss of privacy comes from the very individuals, federal judges, who will shape the rules of the new information era.

The insurrection took root this spring in the United States Court of Appeals for the Ninth Circuit, based in San Francisco and the largest of the nation's 12 regional circuits, covering 9 Western states and two territories. The Judicial Conference of the United States, the ultimate governing body of the courts, is to meet on Sept. 11 to resolve the matter.

The conflict between the circuit judges and the Administrative Office of the Courts, a small bureaucracy in Washington, deteriorated to a point that a council of the circuit's appeals and district judges ordered their technology staff to disconnect the monitoring program on May 24 for a week until a temporary compromise was reached. Because the Ninth Circuit's was also linked to the Eighth and Tenth Circuits, the shutdown affected about a third of the country and about 10,000 court employees, including more than 700 active and semiretired judges.

Leonidas Ralph Mecham, who runs the Administrative Office of the Courts, and who ordered the monitoring of all federal court workers, said in a March 5 memorandum that the software was to enhance security and reduce computer use that was not related to judicial work and that was clogging the system. A survey by his office, he wrote, "has revealed that as much as 3 to 7 percent of the judiciary browser's traffic consists of streaming media such as radio and video broadcasts, which are unlikely to relate to official business."

Officials in the judicial branch on both sides of the issue provided several internal memorandums written as the dispute continued over the weeks.

After the shutdown, Mr. Mecham complained in a memorandum that disconnecting the software was irresponsible and might have resulted in security breaches, allowing unauthorized outsiders access to the judiciary's internal confidential computer network. "The weeklong shutdown put the entire judiciary's data communication network at risk," he wrote on June 15.

Mr. Mecham warned in that memorandum that on the days before the software was disabled, there were hundreds of attempts at intrusion into the judiciary's network from places like China and Iran.

But Chief Judge Mary Schroeder of the Ninth Circuit responded that the concerns were overblown and that the circuit's technical people carefully monitored computer activity during the week that the software was disabled.

In a June 29 memorandum, she said that there was no evidence that the electronic firewall used to block hacking had been breached and suggested that Mr. Mecham had exaggerated the potential of a security breach because having hundreds of attempted breaches per day was routine and routinely blocked.

The Ninth Circuit disconnected the software, she wrote, because the monitoring policy was not driven by concern over overloading the system but Mr. Mecham's concern over "content detection." Many employees had been disciplined, she noted, because the software turned up evidence of such things as viewing pornography, although they had not been given any clear notice of the court's computer use policy.

Moreover, she wrote, the judiciary may have violated the law.

"We are concerned about the propriety and even the legality of monitoring Internet usage," she wrote. Her memorandum said that the judiciary could be liable to lawsuits and damages because the software might have violated the Electronic Communications Privacy Act of 1986, which imposes civil and criminal liability on any person who intentionally intercepts "any wire, oral or electronic communication."

She noted that the Ninth Circuit had ruled just this year that the law was violated when an employer accessed an employee Web site. In fact, the issues of what is permissible by employers have produced a patchwork of legal rulings and the matter has never been addressed directly by the Supreme Court.

Judge Alex Kozinski, a member of the Ninth Circuit appeals court, drafted and distributed an 18-page legal memorandum arguing that the monitoring was a violation of anti- wiretap statute.

Judge Kozinski, widely known for his libertarian views, said the court employees who were disciplined, an estimated three dozen, could be entitled to monetary damages if they brought a lawsuit.

A spokesman for Mr. Mecham said that the software could not identify specific employees but workstations. When unauthorized use was detected, Mr. Mecham's deputy, Clarence Lee Jr., wrote to the chief judge of the district, urging that the employee who used the workstation be identified and disciplined. One such letter includes an appendix listing the Web sites that employee had visited, some of them pornographic. There is no evidence that any alleged abuse of the system involved judges.

Judge Kozinski said: "Aside from my view that this may be a felony, it is something that we as federal judges have jurisdiction to consider. We have to pass on this very kind of conduct in the private sphere."

Prof. Jeffrey Rosen of the George Washington University Law School, author of a recent book on privacy, "The Unwanted Gaze" (Vintage 2001), said, "It's fascinating that the courts have to grapple with these issues so close to home." The law is evolving, he said, adding: "This drama with the judges reminds us of how thin the privacy protections are. There's a real choice right now whether e-mail and Web browsing should be regarded like the telephone or a postcard."

Judge Edwin L. Nelson, who is chairman of a judges' committee that deals with computer issues, said in an interview that his group met last week and drafted proposals to deal with monitoring. Judge Nelson would not discuss the proposals but they are almost certain to resemble policies used in the rest of the federal government, in which clear notice is given to computer users that they may be monitored.

Jim Flyzik, vice chairman of an interagency group that considers computer privacy issues in the federal government, said that each department had its own policy but that clear and unambiguous notification of monitoring was usually an element.

In the private sector, a survey by the American Management Association this year found that 63 percent of companies monitored employees' computer use.

Re:txt done dirt cheap

[sporkraper]

It is a sad world where you can not mirror the site without hiding behind the AC checkbox because you will be mercilessly assaulted as a karma whore.

Piss off a few judges...

[PRickard]

This story shows that the best way to get legal action going is to piss off someone who can make it happen. Rip off a lawyer, invade the privacy of a judge.... They don't care about my ability to access porn at work, but take away theirs and it's the biggest courtroom issue since OJ and the bloody glove.
Maybe there's a judge somewhere who misses Napster and can bring legal action against the RIAA for shutting that service down. That might be why the DOJ is investigating the music industry: the lawyers want their free music back.

fun and games

[jbarnett]

It is all fun and games till a judge loses his p0rn.

Oh leave the employers alone...

[volkris]

It's their computer equipment, their buildings, their officespaces... let them do with their property what they want. Let them monitor all they want.

I don't want anyone telling me what I can do with my computer, so if I want to monitor my computer I will. Same with the employers: if they want to
monitor their computers they should be able to.

I consider it a huge inconsistancy in nerd viewpoints that they want freedom for themselves (let me put whatever OS I want on my computer!) but not for some other groups (don't you DARE monitor what goes on on your computer while your employee is using it!).

If you don't want to be monitored, don't work there. It's that simple.

And then there's the solution that the employees can always insist that the executives of the company are monitored too and everyones' records are made available to both employees and stockholders. After all, I'm sure the stockholders will go for any proposal that would increase productivity from the executives too.

The key is to leave the decision to monitor or not to the company itself, and not the government.

so?

[townmouse]

Chuck Berry owned the womens' toilets in his motel.

Re:so?

[volkris]

So?

What Bravery!

[rnturn]

A bunch of judges decide take a stand against some bureaucrats who wanted to monitor their computer usage. Like I said: Oo-o-oh! What bravery. If you and I were to do that in our workplaces, we'd soon find that we'd be providing our professional services elsewhere. I'm not sure about New York but a lot of the judges here in Illinois are elected and it's pretty hard to get rid of them. Pretty easy to take such a stand when there are, essentially, no consequences. I wouldn't count on seeing these guys written about if Profiles in Courage II ever comes out.

Try siding with employees the next time a case involving workplace monitoring is brought to trial in your courtrooms. Then maybe this'll mean something.

Who are they trying to kid - FUD

[andreass]

In the article, Mr Mecham, who is the it person, stated:

'After the shutdown, Mr. Mecham complained in a memorandum that disconnecting the software was irresponsible and might have resulted in security breaches, allowing unauthorized outsiders access to the judiciary's internal confidential computer network. "The weeklong shutdown put the entire judiciary's data communication network at risk," he wrote on June 15.'

This it total FUD! How can a monitoring program on a judges workstation have ANY effect on the integrity of the firewall. I don't know of any firewall that requires client programs on end users workstations to be active in order to maintain protection.

Re:Who are they trying to kid - FUD

[Royster]

The monitoring program ran on a computer connected to the firewall. That computer had several functions. One was to monitor web browsing. Another was intrusion detection. By ordering the techs to diconnect this computer from the network, they also diconnected the intrusion detection for the entire federal judiciary's intranet.

Re:Who are they trying to kid - FUD

[rnturn]

``This it total FUD! How can a monitoring program on a judges workstation have ANY effect on the integrity of the firewall.''

Well... He's only parroting what what they told him in MCSE class!

Questions

[Dr_Cheeks]

Hah, great! Reminds me of the time Stand.org [stand.org] implicated a member of the UK government under our own RIP bill.

I've got a couple of questions about the article though. Firstly, it says:

"Mr. Mecham warned in that memorandum that on the days before the software was disabled, there were hundreds of attempts at intrusion into the judiciary's network from places like China and Iran."

Anyone got any idea how many such attempts a network like this typically gets? I'm guessing it'd be a similar number regardless of the filters, but there's plenty of people here who've got more experience than me.

Secondly, how do these monitors work? I ask, because I'm amazed that disabling content monitors would constitute a security risk of the sort they're talking about. Surely they just log what each user is downloading, rather than actively blocking content or attempts to connect to the network. They're not even filters, just logs!

Re:Questions

[gorilla]

you mean www.stand.org.uk. [stand.org.uk]. www.stand.org is a US based charity, nothing to do with the UK one.

Re:Questions

[Dr_Cheeks]

Oops - apologies to all. That'll teach me to check my URLs properly. Sorry about that one.

Re:Questions

[nevis]

As for numbers of attempts. Literally thousands in a week.

What is not clearly stated is that the AO installed IDS equipment both outside and inside the 9th Circuit gateway. The equipment disabled was the inside equipment. So there was never any security risk.

1984 is dead long live 1984

[GrumpyOldManager]

After reading this I was reminded of the computer forensics "How-To" article in Computer World 7/9/01, http://www.computerworld.com/community/security/se curity_manager/0,,NAV65-663_STO61959,00.html . In which a company visits the desktop machine late at night and copies the hard drive for later study. Thinking about it even more it seems like you could just backup the client hard drives each night then scan the "data" for interesting items. To completely automate the system you could just e-mail HR the violation information for appropriate action. "Please fire so-and-so, they visited web site such-and-such from a company machine, twice today!"

I've found over the years that there is often a correlation between an employee's time spent inappropriately browsing the WWW and job performance. My personal policy has always been to trust employees and reward good job performance.

In the rare case that an employee breaks the laws of the land we've been able to retroactively piece together the evidence needed by the police from logs and backup tapes. May not be as proactive as real time monitoring but it seems to be just as effective.

As for security threats. There are lots of ways to prevent viruses and system compromises that don't involve monitoring what client users are browsing on the internet.

I think if management came to me and asked that we monitor computer usage by employees I'd suggest that we find new supervisors who are more in touch with the day to day activities of their charges.

Which reminds me, do you monitor your children's internet activities? I personally just put the computer in a public place in the house (like the kitchen) and make a point of walking by it every once and a while.

Re:It's not your computer.

[vidarh]

The question isn't whether or not you have the "right" to use the computer that way, but whether or not you are expected to have any privacy at work.

Whether or not society allow corporations to take away privacy is entirely up to society.

The right to incorporate is no inherent natural right - it is a privilege granted by the people via their governments. It originated as royal orders to create a "virtual person" with rights defined in a charter. Even today most corporations are governed by a charter, but the charter granted is usually much wider.

In most states in the US laws have been or is on the book to allow the legislatures in the respective states to dictate the contents of the charter on a case by case basis, to limit the time the charter is granted for (a charter used to be time limited), and even to dissolve the corporation if it is decided that it does not serve the public.

Revoking charters used to be common if a corporation was seen as abusing the powers granted to it by the people, and restricting privacy for its employers could quite well have been considered as abusing its powers.

A corporation in the US can still in many states be argued to have no "rights" other than what is granted to it by the legislature. Some may say its unfortunate that its now uncommon for the legislatures to write, rewrite or revoke charters on case by case basis...

(Information about charter revocations in the US can be found here [co-intelligence.org])

Typical reply without the facts.

[FrankieBoy]

Hey smart-guy, check your time zone. 10:21AM EDT equals 7:21AM PST. Not everyone lives next to the Atlantic.

I'm a tech guy manager.

[FrankieBoy]

Yeah...that's right. I came up from the ranks.

Must be great to be indispensable.

[FrankieBoy]

Henry Ford once wrote "If you find yourself with and indispensibe employee, fire him as quickly as possible." As an IS&T Manager I run into developers like you every day. Your shit doesn't stink and your code is the best and everyone else is stupid, right? Wrong. I would rather work with a professional who can do his job properly without the attitude. You'll be suprised how fast your company replaces you and won't even miss a beat. It amazes me when I hear someone spouting off like the company "owes" you something. They pay your salary and you do the job according to their rules for that salary, that's it. Don't do work from home. It's OK. But your replacement probably will, and he/she will be rewarded for it.

Re:Must be great to be indispensable.

[grepnyc]

My shit does stink ( just not as much as my bosses' ), and my code isn't the best.... not by a long shot. But it is good.

I'm not a primadonna by any means. My sleeves are always rolled up, and I do everything from enhancing old COBOL reports, to training interns, to writing the API for our distributed system. I put out a lot of fires, and I take on a lot of jobs that the primadonnas don't want to be bothered with. And besides that, my users know that they can TALK to me. I try hard to keep an open, honest relationship with them.

Despite all this, I don't think that the company owes me a damned thing (except maybe a raise and a promotion :). I am the kind of IT worker that you want in your shop. I work hard, nothing is beneath me, and I know the business.

If I spend half an hour a day, reading the news, or the next chapter of the JAVA API tutorial, it's because I need a frigging break... not because I'm being unproductive. I work hard. Managers like you probably don't realize this, you think that we're ALL slackers. You're so wrapped up in increasing productivity that you blindly put the squeeze on the guys that keep your shop running.

Maybe I should spend some more time reading Dead Tree manuals... You can't track that. Or maybe I should start spending time in stall # 3 with my copy of Information Week... when does their next salary survey come out?

The problem with the firewall reports/usage monitoring, in my shop anyway, is that the guys that make the decisions about how much online time is too much, or who gets laid off next are so far removed from the day to day work, that they have no idea what's really going on. They just see numbers... function points.. how far above or below budget were X department's projects last quarter. IMO, their ties are tied a bit too tight and they forget that they have real people working for them. Not bodies, but people.

Sure, you'll find another programmer when someone like me leaves. Maybe he/she will work out. Maybe they wont. But I'm sure that the leadership just radiates from your body, and you'll inspire your team to help the new guy along while he figures out how to fit in.

Sure.

And then the next guy will quit, and you'll have to replace him... more valuable project time wasted while HE tries to figure out what's going on. Then YOU can explain to the boys upstairs why the projects are late.

Oh, one more thing. I was rewarded for working from home. The key word is 'WAS'. Now it's expected from me. It no longer comes up in my reviews, and I'm no longer thanked when I do it. So how should it feel for me to take time out of my personal life, to solve a problem (which is usually caused by someone else), to have the work pretty much ignored? It pisses me off to no end.

My reward for my continued hard work is a talk about how all employess need to be more productive and productivity is being measured, in part, by internet & phone usage. Give me a fucking break... why do I even need to hear this kind of stuff?

pressure/grep

Re:NY Times without the login...

[Dr_Cheeks]

You say "Please be kind to your fellow /.ers", but bear in mind that the editors review any such links before the original story is posted. If they were to post links that directly circumvented the NYT login procedure (i.e. the NYT valuable user profiling / SPAM system) then the NYT would have grounds for complaining (i.e. lawsuit) that their profits were being hurt. However, if users post the links in the discussion then they can try and claim that it's not their fault - see that note in the small print that says "Comments are owned by the Poster."

So even if you post a story with a login-free link included, the editors will clean it up to cover their backs. Frankly, I can't blame them; since almost everyone knows how to dodge the info-collector it's not worth risking a fairly well justified law-suit.

Re:NY Times without the login...

[arglesnaf]

now if only I had gotten my html correct =)

Re:Need an article mirror...

[Dr_Cheeks]

Login schmogin; try replacing the "www" in the URL with "archive" and you'll go straight to the page, no messing. This always works just fine for me.

Re:No spam from NYTimes

[nanoakron]

Good analogy! - just like coins in a newspaper dispenser, your e-mail address will be returned to the wider circulation of e-mail addresses around the internet by large companies. You have no say where that coin goes after it enters that machine, and the same goes for your e-mail address once given out.

-Nano.

Re:AOC?

[Anonymous Coward]

"...that had been installed by the Washington-based Administrative Office of the Courts..."

Re:Hmm.

[Wyatt Earp]

US Court of Appeals.
http://www.ca9.uscourts.gov/

Then the US Supreme Court, which may or may not hear it.
http://www.supremecourtus.gov/