
Microsoft Lync Server Gathers Employee Data Just Like NSA

Posted by timothy
from the except-they're-not-the-government-and-all dept.
coondoggie writes "Microsoft's Lync communications platform gathers enough readily analyzable data to let corporations spy on their employees like the NSA can on U.S. citizens, and it's based on the same type of information — call details. At Microsoft's Lync 2014 conference, software developer Event Zero detailed just how easy it would be, for instance, to figure out who is dating whom within the company and pinpoint people looking for another job."

  • by Anonymous Coward on Saturday February 22, 2014 @09:44PM (#46313761)
    I have to use Lync at work, and I'd just assumed it'd be cc'ing keywords etc to HR and management.
    • by dreamchaser (49529) on Saturday February 22, 2014 @10:31PM (#46313931) Homepage Journal

      People should assume that with any means of communication they use in the workplace. There is no guarantee and should be no expectation of privacy when using an employer's systems.

      • People should assume that with any means of communication they use in the workplace. There is no guarantee and should be no expectation of privacy when using an employer's systems.

        Depends on what you mean by "expect".

        I don't "expect" people to behave decently in any predictive sense, but I "expect" people to behave decently, as in I think that they should do so.

  • by raymorris (2726007) on Saturday February 22, 2014 @09:45PM (#46313767)

    I'm shocked and amazed. A company running their own messaging server on their own network can see how it's being used?!
    Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Yeah, and for the morons using company resources to look for a different job: don't. Use your personal cellphone, or something otherwise not funded by the company.

    • by TrollstonButterbeans (2914995) on Saturday February 22, 2014 @10:23PM (#46313905)
      This is why I prefer to do my job searches on a disliked co-worker's computer.
    • by trout007 (975317)

      We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.

      • by fluffy99 (870997) on Saturday February 22, 2014 @11:36PM (#46314161)

        We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.

        You guys need better network admins. Proper firewalling and proxying should block traffic like that.

        Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.

        • Sometimes you do want all traffic on a work computer being sent through the VPN. There are a number of security reasons why it would be important to know that, for example, a user is connected to bittorrent simultaneously with being connected to corporate resources. There's also a good reason for it to be against company policy.

        • by Zarhan (415465)

          Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.

          Depends. With proper endpoint assessment tools, you can obtain some reasonable security. BYOD is kind of a rising trend, so a generally accepted method seems to be "Sure, you can connect your own laptop or tablet or whatever to the network, but you'll use Anyconnect and the HostScan has to report conformance". This mostly stems from the fact that in all the meetings folks are starting to use their fa

    • by Tom (822)

      I would have expected better from the /. crowd.

      Especially to understand the difference between a theoretical ability to look at individual data and systematic large-scale data analysis.

      You know, one is someone giving you the looks on the street - and the other is 24/7 stalking. As a society, we pretty much agree that one is fine and the other isn't.

    • by cellocgw (617879)

      Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.

      And the root problem here is that (thanks, FCC) email is *still* not considered a communication the way POTS or USmail is. If some company said "hey, you dropped your US mail envelopes in an Out box that we own, so we can open all your mail," they'd go to jail. Same goes for voice comms. But e-mail somehow magically belongs to the owners of the server? That's crap and the law should be changed. In the meantime, I'll just point out that the ethics (Hey, United Technologies Ethics Officer, I'm talking

      • > And the root problem here is that (thanks, FCC) email is *still* not considered a communication the way POTS or USmail is. ...
        > they'd go to jail. Same goes for voice comms. But e-mail somehow magically belongs to the owners

        When you use the company's telephone network, the same information is logged. Since virtually all systems do so, there's a standard data format they use, called CDR (call detail record). This has been the case for at least 40 years. You need logs to debug problems in the syst

  • by alen (225700) on Saturday February 22, 2014 @09:46PM (#46313771)

    I work in the same building with a huge Tommy Hilfiger presence and always see people talking on their cellphones in a corner about what they do at their job

  • today. (Score:2, Insightful)

    by epyT-R (613989)

    So, as corporate policy becomes more like that of high school, and high school policy becomes more like prison, we're all kept in adolescent, fear-driven hell just a little more, already well past the sell-by date. Meanwhile, lawyers and software vendors write laws and software to profit from this stunting of society. More at 11.

    • Re:today. (Score:4, Insightful)

      by ScentCone (795499) on Saturday February 22, 2014 @11:33PM (#46314149)
      Start your own company, and make a point of having absolutely no way to deal with the communications your employers perform on your behalf. Don't worry, you'll never, ever be involved in any sort of lawsuit that would bring out the fact that you don't cover yourself. What could go wrong? You'll be fine.
  • by halo1982 (679554) * on Saturday February 22, 2014 @09:59PM (#46313815) Homepage Journal

    If you're instant messaging someone on the company's IM platform on the company's time why the fuck would you have any expectation of any sort of privacy?

    I know my company can see everything I can do when I'm logged on to their computer. This is part of the agreement I signed with them. It's also the reason why I don't do stupid shit on my company's network like look for another job or send out resumes from my company email address.

    Oh wait, the outrage is because it's Microsoft. Got it.

    • by Tom (822) on Sunday February 23, 2014 @03:32AM (#46314731) Homepage Journal

      If you're instant messaging someone on the company's IM platform on the company's time why the fuck would you have any expectation of any sort of privacy?

      Because you're a human being and don't leave your humanity at the door when you show up for work. Yeah, I know that is a strange concept for Americans, but in many other parts of the world, it is very much still alive. Employees are also humans - wow, what a revelation.

      Your expectation of privacy should certainly be different, but there's no sane reason it should automatically be zero.

      Real-world example: In a company I worked for a few years ago I helped write the policy on this very topic. The final agreement was that the company could look into your e-mail and stuff, but only if they went to the workers council (elected representatives of the employees) and made their case. So if they suspected you of wrongdoing, or you were ill and had crazy important documents in your mail or personal folders, the company could look through it - in the presence of someone representing your interests.

      The important difference is the same as in real-life criminal cases: With a system like this or the real world "must get a court order first" approach, you are innocent until proven guilty and it requires at least some reasonable suspicion before someone can breach your privacy. In a blanket surveillance environment, we're all guilty, period.

      • by Spad (470073)

        This.

        If I ever went through someone's emails, documents, IM logs or anything else private on the company network without someone from HR physically sitting with me, I'd be fired on the spot.

        I feel really sorry for anyone who works somewhere where IT are allowed to gain indiscriminate access to all your stuff just because they're bored on a Friday afternoon.

      • Because you're a human being and don't leave your humanity at the door when you show up for work. Yeah, I know that is a strange concept for americans, but in many other parts of the world, it is very much still alive.

        Not strange for this American.

        Just because you can do something technologically doesn't mean that you should do it.

        I can plant a listening device in my boss's office. But I don't.

      • by E-Rock (84950)

        Certain US government regulations require that electronic communications of publicly traded companies are logged. Once you have to log all that information, someone will get the idea to use it for something.

        Where I work, we don't have an obligation to log our Lync conversations, and we have those features disabled.

  • And a log is being kept about it? Who'dathunkit? *Groan* This isn't news.
  • They're needed until the customer has paid their bill, and then should be deleted, just like library records of who borrowed what book are deleted when it's returned. Anyone keeping them longer is looking to make themselves a target for break-ins, subversion or court orders.

    Telcos are often mandated to keep them, in the kind of "future crime" scenario that belongs in a movie like Minority Report (:-))

  • by the eric conspiracy (20178) on Saturday February 22, 2014 @10:20PM (#46313887)

    This sort of thing is ok in a workplace in the United States, mostly because everyone expects the lack of privacy with using employer's equipment.

    Other places in the world offer more privacy in the workplace. Such capabilities could cause some real problems in those environments.

    • by lgw (121541)

      I don't care at all about it being private. I care only if my employer gives me shit about what I do on it. Maybe if they see me looking for work they'll give me a larger raise to make sure they'll keep me. But chances are, they don't care at all either - they keep records to respond to lawsuits, or purge them quickly if not required to keep them (keeping anything just makes lawsuits worse, so big companies keep only what the law requires).

      • by Cederic (9623)

        My employer gives a shit and I'm glad they do. We have a moral and legal duty of care to protect an awful lot of sensitive data and monitoring communications channels is an important tool in providing that protection.

        Lync can go beyond the corporate network; we really don't want someone copy-pasting sensitive data over IM.

  • um, yeah ... (Score:5, Insightful)

    by cascadingstylesheet (140919) on Saturday February 22, 2014 @10:23PM (#46313907)
    ... because that's the way to retain good employees, spy on them.
    • Re:um, yeah ... (Score:5, Insightful)

      by VortexCortex (1117377) <VortexCortexNO@S ... t-retrograde.com> on Saturday February 22, 2014 @10:49PM (#46314005) Homepage

      Be careful, you are dangerously close to implying that it is good employees and not obedient workers that are actually in demand.

      • Be careful, you are dangerously close to implying that it is good employees and not obedient workers that are actually in demand.

        Maybe a company that finds lots of hits to Dice, Monster, LinkedIn, etc. could learn from that information and try harder to make their employees happy.

  • by MacTO (1161105) on Saturday February 22, 2014 @10:23PM (#46313909)

    Given that this is dealing with company computers on a company network, it is their right to know how it is being used. I would hope that there is a strong privacy policy in place regarding any personal information that they uncover that is not a violation of company policies, but that is a hope and not an expectation.

    Overall though, I would suggest that it is best to avoid doing anything at work that would stir up office politics.

    • by The Cat (19816)

      Overall though, I would suggest that it is best to avoid doing anything at work

      FTFY

  • Wow, you mean a corporation has access to the numbers dialed by the people within the corporation!? Quick, call Ripley's Believe it or Not - I think I found something for the "believe it" pile!
  • "Lync does this no differently than any other enterprise communications system,” says Barry Castle". They are not lying. There have been better solutions for a long time. All of them integrate directory services (AD/LDAP) with information from everything, audio recording of phone conversations, video recording of desktop usage, real time network traffic information.

  • Regulated industries (Score:2, Informative)

    by Anonymous Coward

    Companies in the financial sector - stock brokers, mortgage dealers, financial advisors and the like - are REQUIRED to archive and monitor their employees' work-related electronic communications, and must be able to demonstrate to regulators that they are actively doing so, or they face stiff penalties. The regulations are deliberately vague, but a general rule of thumb is that if an employee says something they're not supposed to say and the company's own compliance team failed to catch it, then they were

  • by mr100percent (57156) on Sunday February 23, 2014 @01:17AM (#46314443) Homepage Journal

    Once you claim "it's only metadata," then you open the floodgates for all abuse.

  • Full call details can be logged from an Asterisk server. It's pretty much std features for any PABX. Complete non-story.

  • This is different than any other chat/VOIP/Conferencing system in what way?
    • by lgw (121541)

      Well, Lync integrates call, chat, and "are you at your desk" information nicely, so it would give more data to mine than any system that only does one of those. But then, assuming the employer has some sort of system for each, it's still the same data to mine.

  • by Zarhan (415465) on Sunday February 23, 2014 @04:19AM (#46314807)

    Lync stores the info in two databases, LCSCDR and QoEMetrics. The first one has info on all sessions, other one has quality data. It's not like it's some super-secret database, MS has full specs in Technet, for example http://technet.microsoft.com/e... [microsoft.com] shows what's exactly stored in SessionDetails table.

    Yes, such info *could* be used to do data-mining. Same info could be used to optimize least cost routing, gathering statistics on network performance, planning upgrades, and whatever you like. I've personally crafted a few reports from those DBs on how much folks are calling PSTN from Lync on various customer sites, so they can decide what is the priority in upgrading E1/T1 to VoIP-based PSTN connection.

    It's not a conspiracy. Server admins can look at what kind of stuff you are doing on such servers.

    • by acoustix (123925)

      Exactly. Cisco's UC has the same capabilities. I'm sure all other UC by other vendors have the same features.

      Nothing to see here.

  • There are even obligations of companies to keep records of communications of their employees. Helps to prevent corruption a little bit, or at least make it more clear when examining it.

  • ... but I learned early on as a parent that jumping on everything I find my kids doing just teaches them to hide things better.
    • by Cederic (9623)

      There's a difference between knowing, and acting on that knowledge.

      I expect my employer to know every instant message I've sent through their system. I expect them to monitor that for sensitive data (in the business sense). I don't expect them to mine that information to see which of the girls in finance I'm seeing outside of work, and I don't expect them to give a shit even if someone told my boss.

      Which is why someone coming to me going, "Our records show that you have a relationship with her" won't result
