Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
News Your Rights Online

Instant Message, Instant Transcript 336

Posted by timothy from the better-part-of-valor dept.
shams42 writes: "Although the internet has been far from private for some time now, it seems that public awareness and concern over this issue is mounting. This article at CNN discusses the issue of companies monitoring instant messages for cyberslacking or leaking company secrets. There is also the possibility of them being included as evidence in court cases."
This discussion has been archived. No new comments can be posted.

Instant Message, Instant Transcript More

Instant Message, Instant Transcript

Comments Filter:

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Sunday April 14, 2002 @01:40AM (#3338004)
    Comment removed based on user account deletion

    • Re:Jabber + SSL (Score:4, Informative)

      by cuteduo ( 136947 ) on Sunday April 14, 2002 @01:47AM (#3338030) Homepage
      If the companies are monitoring for so called cyberslacking it
      may not matter much if you are using SSL/SSH with your instant
      messaging. There is software for monitoring the users' desktops
      and keystrokes which is one of many tools that employers can use,
      not only packet/traffic monitoring on company networks. Just to
      add another formula to things, monitoring can be completely seperate
      from the computer, they (employers) can also use well placed CCTV
      systems.
      • At my school we are about to setup Imagecast 4.6 by Storagesoft. We already use it to deploy hard drive images of all our computers (greatest product ever and it smokes Ghost), but no we're looking at deploying their small management console. It does all the usual like allow us to send messages to computers, shut them down and all that good stuff, but now it comes with VNC built in so from our server we can monitor the screen of any computer. This isn't even the the products real use. Just a side feature. Just think what real snooping client/server apps are up to.

        -Tim
        www.newtechhigh.org
      • First thing I did, and try to do when I am at a new job, is to reinstall the OS of my workstations. Might not be a bad idea for others to consider.

        SealBeater

    • Jabber + SSL is almost worthless. (Score:2, Informative)

      by Anonymous Coward
      Jabber over SSL would solve this problem.
      You'd think it would.
      But you would be wrong.


      The problem is that none of the Jabber clients implement the SSL protocol fully, and are vulnerable to 'man in the middle' attacks. They do not take the most basic precautions that you would find in any web browser (except Lynx, Lynx has this problem too).

      I explained the vulnerability in a presentation at JabberCon 2001, and the client developers have still not taken the basic step of including some mechanism for validating the server certificate, much less added support for client certificates.

      Jabber is interesting, and perhaps an improvement over other IM protocols, but the security is only halfway there.

    • In the late 1990s companies started to monitor their employees' electronic mail, in case anyone was not working, or was not towing te corporate line.

      Then they started to watch where people surfed. After all, employees were not executives, they could not be trusted.

      In 2002 they started to monitor Instant Messages and to log them all.

      In 2004 software to trnascribe telephone calls became common, and these too were logged.

      By the end of 2010 and the unbiquity of the thought transponder, the slavery of the employee was complete, and all human spirit was destroyed in the never-ending quests for profit and longer golf sessions.

      All employees dressed identically, lived in identical houses with identical husbands, and wore identical corporate socks.

      Is this the future we want?

      How do we tell the corporate world that life is about people, not profit? The joy of sharing, of living in a community, of being alive, that is what matters. Take off those corporate socks and be free!

      (is your postal mail is being monitored too? did you have rights, once?)

      It's easy to say, this seems reasonable. It's hard to take a stand for what seems right. Do it anyway.

      --

    • Traffic analysis (Score:5, Informative)

      by driehuis ( 138692 ) on Sunday April 14, 2002 @07:40AM (#3338629)
      Even when you encrypt your traffic, it will not protect you from traffic analysis.

      I happen to be the dude in between management and the users on my site. I refuse to eavesdrop on my users. Not all of my users realize it, but we've got a pretty liberal policy (don't break the law, don't be offensive to others, don't use excessive bandwidth during business hours; that basically sums it up).

      Some of my users know me for cracking down on porn or MP3 downloads, and think I'm reading their every keystroke. Because if I wasn't, then how would I know that they were doing stuff that they weren't supposed to do?

      The reality is, when I get complaints about Internet performance, I run some quick scripts on the logs to find out who is hogging the system. If, after eliminating the obvious business use connections, I'm left with a top ten and number two is downloading a gazillion of .xls spreadsheets from an server in Poland and all the URL's have /..%20%20/ in the path, I give that user a call.

      Usually, the user will accept the lecture that his contractual obligation to stick to the corporate guidelines is not optional. I sometimes learn through the grapevine that such a user thinks I'm a fascist. So be it. If other people can't work because of egregious abuse, I have to intervene.

      Do I even look at the stuff they're downloading? Not if I can avoid it. The only times I look at what they're downloading is when they start yanking my chain, giving me the go around that there is no law against downloading Warez or porn. Maybe there isn't, I've got no clue. I do know what's in their contracts though.

      Most of these issues are dealt with amically. People sometimes don't realize how big their impact on the corporate network is, and even if they do I usually let them get away with it if the abuse stops. They're usually pretty happy when I tell them I've got no clue what they were downloading, but could find out when forced to.

      Over the last year, IM became a bit of an issue because of the way their stupid tools communicated (if only they used persistent connections they'd fly right under the radar). At some stage, 30% of our proxies capacity was used to serve a few dozen IM sessions and it really started to hurt web performance.

      It's always funny when they let it escalate to management level, and I can at that stage let them rant about the invasion of their presumed privacy, and then drop the bombshell that I didn't even look at what they were downloading, and that it was trivial traffic analysis that gave them away, and that the reason they were in that meeting was because they incriminated themselves.

  • Alternate (Score:4, Funny)

    by NiftyNews ( 537829 ) on Sunday April 14, 2002 @01:42AM (#3338014) Homepage
    Ah, yet another story that makes me happy about my 50% purchase of CarrierPigeons.com!
  • I'm gussing that most everything is sent plaintext over the network and there isn't a client that will do this as of yet, but I'm sure that some smart /.'er will figure one out, code one up, and bless all of work-a-day ameriKa with one.

    I really don't have to worry about this, since I'm the 'IT' guy at my company. hehehe

  • Why? (Score:2)

    by glwtta ( 532858 )
    Why would anyone be using any sort of instant messanger at work? I really am curious. Do these people have nothing better to be doing?

    • Re:Why? (Score:2, Informative)

      by malevolence ( 301869 )
      Actually, it's pretty useful for getting answers to quick questions from colleagues. Instead of traipsing(sp?) down the hall or emailing the person, just IM them. Everyone at the office uses it and it has helped my productivity. I no longer get snagged into whatever is going on outside my office.

      • Re:Why? (Score:3, Interesting)

        by DennyK ( 308810 )
        Yes, but there's a large difference between ICQing a coworker to ask about a business-related issue and jabbering with your buddies on AIM for hours on end. One is a perfectly valid activity while working. The other is slacking off, and will probably get you in trouble. The solution is to avoid the second activity. Do you really care if your employer is recording the IM you sent to Joe down the hall asking if he knew the correct syntax for some obscure Perl command, or when the next meeting was scheduled for?

        The company I work for, for instance, uses an internal ICQ server and the corporate ICQ client for interoffice IM, and doesn't allow any other IM clients. This lets people communicate internally without a problem, but keeps them from wasting time on idle chats with outside friends.

        DennyK

    • Re:Why? (Score:4, Interesting)

      by ross.w ( 87751 ) <rwonderley@gDEBIANmail.com minus distro> on Sunday April 14, 2002 @02:17AM (#3338129) Journal
      Actually we use Lotus Sametime in our company quite a lot for instant messaging.

      Being a multi-national company, without this we would be spending a lot of money on international phone calls (although I believe we are looking at VOIP for this too)

      It also allows you to share your desktop so you can collaborate on a document. Sometimes we use a combination of the instant messenger and the phone for this.

      You can also see if the person you are trying to reach is at their desk before you try to reach them.

      It is less intrusive than a phone call and more immediate than email.

      • Re:Why? (Score:2)

        by EvlG ( 24576 )
        I'm glad that IM hasn't caught on at my employer. I would find it incredibly annoying to be distracted by IM popups every few minutes.

        At least with email there is the expectation that a response will come back in a a few hours, or by the end of the day. With IM, I'd be expected to respond within a few minutes. What a chore.

        • Re:Why? (Score:3, Informative)

          by LinuxHam ( 52232 )
          I'm glad that IM hasn't caught on at my employer. I would find it incredibly annoying to be distracted by IM popups every few minutes

          Depending on your level of responsibility, it really doesn't work out to "every few minutes". I, too, use Sametime at work and it, like MSN and Jabber (I never tried any others) allows you to set your online status. So each employee has their contact list up with a little status indicator right next to the name. Green means available, Red means Away (which can be set to not auto-return), and there's a little "international NO symbol" which means "Do Not Disturb".

          I most recently used it to "feed lines" to my project manager while he was presenting to some big wigs in a meeting. He doesn't have time to know all the minutiae, so he would tread water on questions while I fed him better details. Luckily, I looked ahead into a presentation and saw some numbers were way off. I was able to warn him before he got to the page.

          Being a mobile employee means I have to go to many different customer sites (or work at home) all the time. For coworkers with whom I'd occasionally have conversations of a personal nature, I always "take it outside", and off Samtime onto MSN or AIM. The chances of ALL of the customer sites recording IM sessions will always be less than the 100% guarantee that my IM's will be recorded if I use the company Sametime server.
    • Why would anyone be using any sort of instant messanger at work? I really am curious. Do these people have nothing better to be doing?
      There might be a 'business case' for supporting IM at work, but just about every study I have seen admits that 80% of messaging done at work is non-work-related.

      Generally slackers will abuse IM just like they will abuse 'free' phone calls -- to stay in touch with friends and family, make plans to go out after work, or just idle chat.

      It can be difficult to implement a technical ban on instant messaging, webmail, etc. There are two many different services using different protocols and different servers to easily create firewall or filter rules to block them all.

      AOL Instant Messenger is an interesting example. The AIM client is very persistent in trying to establish connectivity with their servers. First it tries the 'official' OSCAR protocol on port 5190, but if that fails, it tries a high port, and also FTP, SSL, and other protocols that many firewalls permit unrestricted outbound client access.

      • Tip for blocking AIM on Windows. Deploy all your computers with login.oscar.com in the hostfile and have it point to 127.0.0.1. This is what I have done for my school and it pretty much kills AIM. That or make a static entry in your DNS server that points to some bogus address. There's way to deal with AOL. It is quite good at getting past firewalls, but there are still ways...
    • you're joking right?

      I can name 12 people off the top of my head (of the 81 on my list) that use IM everyday while at work. Two of those people are parents that talk to their kids at school (one is my father).

      How much time at work do you really spend doing work? Unfortunatly for me I have a job where I am working no less than 95% of the time I am there. For other people I know this percentage is well under 66%

      It isn't that they had nothing better to be doing, it is just easy. Why not do it?
      • Two of those people are parents that talk to their kids at school

        1. The father should do the work he's being paid for.
        2. The kid should pay attention to what the teacher is saying.

    • Re:Why? (Score:3, Informative)

      by ez76 ( 322080 )
      Where I work, Yahoo! Messenger is the preferred means of exchanging short work-related messages.

      Unlike the phone or in-cube appearances, the recipient may respond when it is convenient for them (no interruption necessary if you have your message windows set to auto-minimize), but unlike e-mail, it's more interactive and conversational.

      It's also incredibly convenient to be able to cut and paste example code, command-lines, URLs, etc. to co-workers on the fly.

      • Re:Why? (Score:2)

        by zook ( 34771 )
        I've heard this before, and I'm somehow amazed by it.

        Perhaps I don't understand the protocol well enough, but it seems to me that you're sending eachother messages from inside your network to Yahoo and back, all in the clear. I'm always creeped out by this with idle chatter, but with internal company information?

        Screw firing people for wasting time. If my employees were jeopardizing company data like this I'd have 'em out on their ear.

    • Re:Why? (Score:3, Insightful)

      by The Cat ( 19816 )
      No. Mainly because nine times out of ten, management hasn't the foggiest idea what is going on from day to day. Oh sure, every once in a while there's some frantically organized flailing "initiative" complete with an announcement at an all-hands meeting, but by and large, management doesn't understand a single detail of the work in most companies.

      Then everyone gets laid off. Welcome to the workplace.

    • Re:Why? (Score:2, Informative)

      by ezs ( 444264 )
      Main reasons I use Trillian with my team

      • - instant 'are you online' status

      • - ideal for quick questions and answers

        - removes load from email systems (bandwidth, storage, backup)

        - it is instant. Ideal when taking part in a global con call and you want to check something offline

        - IM cuts down on the number of intl (or even national!) calls you need to make

      The main enhancements I can see corporates needing for this to become as mainstream as email are security, supportability, scalability, the ability to lockdown who can connect (ie internal only, external approved list etc) and centralised logging. It's certainly lessened the load on my email inbox and made me more productive. I work with a large team across the globe. I regularly use IM to answer real quick questions from colleagues in the Americas, Europe, South Africa and Asia.

  • Easy to monitor (Score:2, Informative)

    by dcocos ( 128532 )
    Since the IM clients, as well as most other things you do at the office are so easy to monitor. I've always made it a personal policy not to discuss any thing over IM that I'd be embarassed to have to explain to a judge in court some day. And in case they were monitoring it I'd always add an "Hi Sysadmin, I know you are reading this" every once in while to my messages just to let them know I knew they were there ;)
  • FYI, the Ethereal [ethereal.com] sniffer package includes a decoder module for AOL Instant Messenger traffic.

    The text-interface equivalent is 'tethereal', which provides realtime decoding of AIM messaging traffic, and supports logging raw packets to a file.

    One of the most common ways for AIM to work through a firewall is by pretending to be a SSL connection to the AOL 'oscar' server, and tunnel through a HTTP/SSL proxy. But in reality, that session is still cleartext, easily intercepted.

    I am not sure if any similar software currently exists for MSN, Yahoo or ICQ. IRC is trivial, and Jabber's XML doesn't take much to extract to human readable dumps.

    Even Jabber's SSL support only offers minimal protection, as (despite repeated requests to have the feature added) none of the Jabber client software implementations include any checking of the server certificate, so all Jabber clients are vulnerable to 'man in the middle' attacks.

  • simple solution (Score:4, Informative)

    by ross.w ( 87751 ) <rwonderley@gDEBIANmail.com minus distro> on Sunday April 14, 2002 @02:07AM (#3338096) Journal
    Use SSH link to your PC at home to run text based IM client and/or web browser from your home address.

    I've not heard of an employer that monitors Port 22, and even if they did, it's encrypted so they can't pick up what you said.

    Best program for this is PuTTY (assuming you use NT at work)

    The whole thing assumes you are using *n?x at home and can run an SSH daemon on it.

    OF course best of all is to not shout from the rooftops what should be said in private.

    • Re:simple solution (Score:5, Insightful)

      by Nonesuch ( 90847 ) on Sunday April 14, 2002 @02:41AM (#3338191) Homepage Journal
      IMHO, a 'good employer' does not bother to look unless the employee causes some other problem. The one case I had dealt with was related to using IRC from the office, and the abuser was fired that same day.

      I've not heard of an employer that monitors Port 22, and even if they did, it's encrypted so they can't pick up what you said.
      Every corporate site I have been at, will block port 22 outbound.
      Best program for this is PuTTY (assuming you use NT at work)
      If your employer is nosy enough to be sniffing your IM sessions, they are probably also nosy enough to install LanDesk and/or other software on the desktop for remote screen viewing, keystroke logging, etc.
      The whole thing assumes you are using *n?x at home and can run an SSH daemon on it.
      People that clueful generally have better things to do with their time than instant messaging.

      (Says the guy posting to slashdot in the middle of the night)

      • Re:simple solution (Score:3, Insightful)

        by bmetz ( 523 )
        I work for a very large computer company and I know for a fact they don't block ssh. I think that if you go to the big computer companies they know their employees are very adept at these things. I could tunnel SSH through DNS if I needed to -- so why even bother getting in my way.

        Also, I don't know how the we're-too-cool-for-IM crowd is doing things but in MY software team our internal IM client is very essential for development collaboration. Unless you live in your own little world never speaking to anyone it's a very major tool for tracking people down to ask questions/fix bugs/etc.
        • Some companies block SSH out, some don't. Where I work, all outbound Internet access is done via proxy servers. The SSH proxy doesn't allow any form of port redirection. Of course, this does not stop someone from using something like HTTPTunnel through the web proxy, but...

          -- PhoneBoy

      • Re:simple solution (Score:3, Informative)

        by q-soe ( 466472 )
        Yes we block it
        Yes we block IM
        Yes we block AIM
        Yes you get fired if you break the rules

        When you start work with us you sign an agreement which clearly states what is and isn't allowed - the shock comes about for most people when we enforce that agreement - and we do.

        The employer pays you to work, there are NO work reasons (cut the crap about tech support IRC and suchlike - i've heard it and seen what these guys talk about - there's no tech support going on at all - its chatting) for IM clients that i can see other than wasting time.

        • Re:simple solution (Score:4, Insightful)

          by Stiletto ( 12066 ) on Sunday April 14, 2002 @07:16AM (#3338600)

          That's a slippery slope...

          You might expect employees to clock in in the morning, think and do nothing but work, have no stray thoughts, don't get up to eat, drink, or talk, and then clock out at night, without any second wasted... It's called a robot. Look in to hiring one instead of a human being.

          I don't think I've ever met a collegue that could perform up to that standard.

          You need distractions every once in a while to maintain your creativity.
          • That would be true if i was a nazi but i'm note. I encourage my guys to have fun, if you don't have fun at work then why be there.

            The rules in the AUP were written by the company and my bosses, the 4 regional CIO's and the Global CIO - i did'nt write them but it's my job to see they are followed.

            That being said anyone who equates blocking IM with encouraging slavery has other problems - its software for god sake not thought. We allow access to the web with very little monitoring, we allow unlimited email providing the content doesn't get out of hand (we filter it)

            We tell jokes, have fun, party togethere and my guys are always able to speak up to me - i encourage them to challenge me as a manager every day.

            Rules are rules - if you agree to them when you get a paycheck then thats that, companies set the rules and if you want to work for company A you abide by their rules - thats the workforce.

        • When you start work with us you sign an agreement which clearly states what is and isn't allowed - the shock comes about for most people when we enforce that agreement - and we do.

          I respect that. I'd much rather have my company spell out what is and isn't allowed rather than just disallow everything and then enforce at their leisure.

          That said, I probably wouldn't work for your company. I'm paid to do a job, not to sit a desk for X hours. If you're going to force me to do that job for a certain amount of time, in a certain place, in a certain way, I'm not an exempt employee, and you are required by law to pay me hourly, and pay 150% for every hour over 40 a week.

      • Block 22? Use 443 (Score:3, Informative)

        by wowbagger ( 69688 )
        If you have a server you control, and wish to be able to get an SSH session through a firewall that blocks the "standard" SSH port, place your SSH server on port 443 (https) - both are SSL, and most firewalls will happily let you establish the connection.

        That said - It's not spelled Foxtrot Uniform November, it's Whiskey Oscar Romeo Kilo - if you want to download porn or waste lots of time IM'ing, then do it at home. A quick scan of /., Freshmeat et. al. while waiting for a recompile is one thing, burning huge amounts of bandwidth downloading crap it another.

  • Companies have AUPs for a reason (Score:4, Insightful)

    by Zeddicus_Z ( 214454 ) on Sunday April 14, 2002 @02:12AM (#3338113) Homepage
    People think Instant Messages are like phone conversations - no record is kept, they can say pretty much what they like. People used to think the same about Corporate email too.

    Nearly every company today has an Internet Acceptable Use Policy. Said policy covers allowed surfing habits (work related only, etc), as well as appropriate email useage (no sexist jokes, spamming of jokes). Once companies realise that IM traffic is essentially the same as email, they will need to incorporate policy on usage into their existing AUP.

    Naturally there's privacy concerns here. People don't like their every word and action at work scruitinized. However, as Pamela Housley (director of compliance at Thomas Weisel Partners investment banking firm) said in the CNN article,'It's just easier to archive it all. I don't have the manpower to have somebody look at this all day long.' This will hold true in most cases.

    Most companies already archive all email sent/received by work accounts as a matter of course. However, that's not to say people actually read all those emails. They're there with the sole intent of keeping a record to cover the company's ass if something goes wrong - such as a client accusing an employee of doing something they were not asked to do. If said employee can turn around and say 'I was asked to do it via email, and HERE IT IS!', the company is fine.

    Face it - IM traffic sent/received at work will end up being logged as a matter of course. It has to if companies want to keep themselves out of a legal quagmire. However, just because your communication via IM is logged, doesn't mean someone is going to actually violate your privacy by reading it. In fact, most AUPs specifically prohibit the reading of another's work communications without the proper authorisation.

    Keep in mind that you're using work assets. Keep in mind that you can, and will, be held responsible for abuse of said assets. Stick to the AUP, and everything will be rosy.
    • while companies may archive e-mail, I think many more have a policy of distroying e-mail and all bakups after a certain retention period. Critical messages are explicitly archived, along with other documents.

      They destroy e-mail archives because they don't want it to be used against them later. The roasting Microsoft got over internal e-mail has put the fear into them (if they didn't have it already).

      The same will likely hold for IM traffic, but it is still safe to assume that it will be logged and retained for some period of time.

  • ;-) is all you need. (Score:4, Funny)

    by XBL ( 305578 ) on Sunday April 14, 2002 @02:19AM (#3338133)
    After every questionable comment you might make in a message just put ;-). Problem solved.

    For real though, I really don't care if people see my IMs. 99% of it is just jibber-jabber anyway, so who cares.

    If your are dumb enough to write messages like "My boss is an asshole" over IM, then that is your own fault if your get busted. ;-)

  • IM Use at Work (Score:2, Insightful)

    by Renraku ( 518261 )
    IM use at work should be monitored only if sensitive information could possibly get out through that route. But if you're going to monitor IMs, why not monitor email, phone usage, have searches upon arival and leaving, and so on? I used AIM when I had a job to communicate and plan stuff mostly, of course I used it for friendly chatting as well, but tech supporting is autonomous to me.
    • if you're going to monitor IMs, why not monitor email, phone usage, have searches upon arival and leaving, and so on?

      This is pretty standard. Most large corporations monitor email, search people randomly (and sometimes always) on arrival and leaving. All monitor phonecalls if they feel like it, but rarely record every conversation simply because of the effort involved.

      You've never worked for an employer that searched you upon arrival and leaving?

  • One solution could be to just setup jabberd (on any machine) to run on *only* your local network. Very easy to do.

  • encrypting won't stop you from getting in trouble. (Score:3, Interesting)

    by garcia ( 6573 ) on Sunday April 14, 2002 @02:35AM (#3338177)
    just b/c you encrypt your convo's does NOT mean you will not get in trouble for what you say.

    I seriously suggest that anyone who IMs at work should stop. If you know your company monitors email, etc, I could only imagine that you encrypting your sessions would raise their suspicions even higher.

    If you are that worried that you feel you should have to encrypt, you probably shouldn't be doing it at all.

    Just my worthless .02

  • Tunnelling (Score:2, Interesting)

    by drbyte ( 571780 )

    I would think that tunnelling via SSH would solve most of the problems.

    I currently SSH tunnel for IRC, but for IM related software, I can't seem to SSH tunnel and get the relevant ports forwarded.

    Anyone have a good idea for doing this?

    But I'd think that my IRC connections are rather well encrypted.

    • Re: Tunneling (Score:3, Informative)

      by pbryan ( 83482 )
      I currently SSH tunnel for IRC, but for IM related software, I can't seem to SSH tunnel and get the relevant ports forwarded.

      Assuming you have a recent version of OpenSSH, follow these instructions:

      1. Run ssh -D 1080 hostname. This causes ssh provide a SOCKS v4 proxy services when connecting to localhost on port 1080.

      2. Set your IM client to use your SOCKS v4 proxy server and point it to localhost on port 1080. Most IM clients support the SOCKS proxy protocol.

      3. Chat.
  • First of all, the only reason I use IM these days is for work-related purposes with co-workers on an internal Jabber server. Okay, we do our share of chatting that's not exactly work-related, but who doesn't have f2f conversations with people at work about things that have nothing to do with work?

    In any case, why I consider the instant transcript a "feature" is because my co-workers and I do tech support. We talk to each other frequently about customer issues. These transcripts often contain useful troubleshooting information. It seems awfully silly to type something more than once, so once a conversation is done, it's copied straight from Jabber into a case note. We usually do not make those kinds of notes viewable to customers, but they are good for internal documentation.

    For those of you who have issues with your employer "snooping" on what you're doing, I would not expect any sort of privacy with respect to your computer usage at work. However, your employer needs to tell you your computer usage is subject to monitoring. Employers who fail to notify employees of monitoring are subject to serious trouble if they decide to take advantage of any information they find out as a result.

    -- PhoneBoy

  • I still don't get this.... (Score:5, Insightful)

    by Peridriga ( 308995 ) on Sunday April 14, 2002 @03:01AM (#3338234)
    Privacy at the work place...

    You are in a building that you don't own..
    You are sitting in a chair that you don't own
    You are using a computer that you don't own
    You are using a network that you don't own
    You are using bandwidth that you don't own

    Why do you have any expectation of privacy?

    It's simply a given.... If I am talking on my cell phone in the middle of the IT department I have no expectation of privacy...
    If I am 'yelling' my conversations over the network why do I have expectation of privacy...

    If I want to chat personally or sell company secrets I will do it at my home where I DO have privacy... But, not at work

    • Re:I still don't get this.... (Score:5, Insightful)

      by The Cat ( 19816 ) on Sunday April 14, 2002 @03:49AM (#3338310)
      Why do you have any expectation of privacy?

      Because you're a human being with human rights. One of those rights is freedom of speech, and part of that freedom is the ability to control when, where and to whom to speak. The speech is what should be protected, not the company's stupid network.

      If they don't want to hire people, fine. Let them buy an M$ wizzzzzzzard to set up their databases and sit in meetings. But if they want hard-working, knowledgeable, imaginative people, then they are going to have to accept the fact that they are HUMAN BEINGS, not machines.

      Just because you're in a "building you don't own" doesn't mean you have to hand over control of your entire life to some middle-manager.

      People are people FIRST, then "employees." This "the company rules the universe" routine is getting REALLY fatiguing.

      • "Freedom of Speech" (in the US sense) is the right to not have the government restrict your speech, since eventually it will impinge upon your political speech, which would be bad.

        It really has nothing to do with your employee/employer relationship.
        • Freedom of speech is also the right to not have another person restrict your speech, otherwise it is no freedom at all.

          Why is the employee/employer relationship entitled to so many exemptions from the basics of every other element of society? What if a non-employer corporation sought to restrict the speech of people? The screams would shake the Earth.

          Why is it acceptable then for an employer to do the exact same thing?

      • Because you're a human being with human rights. One of those rights is freedom of speech, and part of that freedom is the ability to control when, where and to whom to speak.

        Another is the right to enter into contracts where you agree to limit your speech. If that contract is excessive (never talk again), or illegal (don't tell them about the ammonia we put in cigarettes), you might get out of it. But if that contract is simply "don't use our network for personal conversations", then it's a whole different story.

        If you want to speak freely, don't sign contracts agreeing not to. If you want job security, make sure you sign a contract giving it to you. If you want privacy, make sure that a) your company signs an agreement to give it to you, and b) you have the sole administrator password to your machine.

        If you want a job, ignore all the things I said above. Or be prepared to not have many choices.

        • But these "contracts" are almost never written. They are decrees delivered from the raised dais of management, usually in the form of a memo.

          To expect to isolate someone from all "personal" conversations during the work day is an unjust exercise of control, basically for the sake of control. It really has next to nothing to do with the company or the work.

          It certainly doesn't give the employer the right to the contents of that conversation.

          For most of the people in this country, a job is a necessity. To withhold necessities from people in exchange for their abdication of their inalienable (an important word) rights is to offend those rights to the point of denying them altogether.

          No person, employer or otherwise, should be empowered, either by necessity or choice, to deny the basic rights of another person.

          • But these "contracts" are almost never written. They are decrees delivered from the raised dais of management, usually in the form of a memo.

            True, but most people don't have real employment contracts at all. Usually employers can fire employees for any non-discriminatory reason, and at most all they get is two weeks severance pay. If you want to be able to speak freely and still keep your job, you need to get that put into your employment contract.

            To expect to isolate someone from all "personal" conversations during the work day is an unjust exercise of control, basically for the sake of control. It really has next to nothing to do with the company or the work.

            Possibly, although there are certainly some circumstances where allowing any unaudited outside communication is dangerous. But the point is that you chose that job. No one is forcing you to work there.

            It certainly doesn't give the employer the right to the contents of that conversation.

            Unless your employment contract that you signed says that the company reserves to right to record any communication you send over their network (or some lawyerly version of that).

            For most of the people in this country, a job is a necessity.

            Sure, but a job in a particular industry, let alone a particular company, is not a necessity. If you and your coworkers aren't good at negotiating employment contracts, maybe you should think about hiring someone else to negotiate your employment contracts for you.

            No person, employer or otherwise, should be empowered, either by necessity or choice, to deny the basic rights of another person.

            What are these basic rights exactly? It seems to me like you've made just about every contract illegal.

            If you want to have rights in this society, you have to stand up for them. There are still good places to work here in the United States. They may not pay as well as selling your soul to the company (who are waiting there to sell plasticware [everything2.com]), but for some people it's well worth the cut in pay to gain the increase in personal freedom.

    • IANAL: There are some circumstances under which the law grants you "reasonable expectation" of privacy. For example, your employer absolutely may not tap in any way a bathroom or changing room (say if your workplace had a gym).

      Of course the bathroom is the easy one. Things start going down hill from there. The courts have general held that people have a reasonable expectation of privacy on the telephone, and employers are usually barred from recording calls to/from an external source. Hypothetical example: An employee waiting to hear the results of a VD test from their doctor will probably want the doctor to call them as soon as the results are in, but won't want it to be management's hot gossip of the week. The employee has a reasonable expectation of privacy when their doctor calls them on the phone whether it is at work or home.

      When you get to email, the courts don't generally find personal issues which need prompt notification are transmitted via email. So the conditions under which you would need an expectation of privacy are far fewer, so monitoring internet crap is usually acceptable.

      • The employee has a reasonable expectation of privacy when their doctor calls them on the phone whether it is at work or home.

        Legally perhaps, but in practical terms employees should assume their employers are listening and act accordingly. Individual employees are virtually powerless when dealing with their employers unless they are in a union and their actions are protected by the contract.

    • ... and the stalls, and the seats, but I sure hope you don't think they can/should install webcams there, for the sole purpose of monitoring excessive bathroom breaks, of course.

    • Granted, but the company is in a country they don't own either. Companies at one time had alot more freedoms, but because they exploited those freedoms to their greedy advantage, (especially on employees) restrictions and regulations were brought in.

      I think people expect privacy just because of the handful of laws that protect workers otherwise (minimum wage, discrimination, etc). While the privacy rights may not exist, there's always a chance they someday might.

  • Logging is mandatory (Score:3, Informative)

    by Glorat ( 414139 ) on Sunday April 14, 2002 @03:04AM (#3338240)
    I've worked at a certain big investment bank over the summer. Internet access there was completely firewalled away except for a port 80 HTTP proxy server. Now, one could tunnel IM programs through this successfully but even then, the company has a zero-tolerance policy that bans any use of IM programs.

    There is a very good reason for this. Apart from the usual virus problems, it is often *mandatory* by law for investment banks to log all communications between employees and clients, just like the article says. It is well known that all telephone calls are recorded for this reason. All proxy requests are naturally recorded and scanned for port and external mail use (also against company policy). Allowing IM would equally thus be in violation of company policy and legal requirements. Unless of course... if a system was introduced where all messages could be reliably logged and traced.

    If you still aren't convinced about these policy issues, consider this. In a IB, if your phones are tapped, all web access is logged and you know it, then perhaps consider that logging IM isn't such a big extra step.

  • My company and the last place I worked (Score:2, Informative)

    by Anonymous Coward
    The last place I worked was a dying publicly owned company on the Canadian Stock Exchange. As one of 3 IT guys in this software company of 100 high-high-maintenance clients, I spent a lot of time monitoring my fellow employees for news of the companies impending doom.

    I discovered that the 'promised-management-positions' crowd was keeping close tabs on their fellow employees as well. Monitoring exactly how long each of us worked, took breaks for, (and of course) never mentioning the major overtime we put in.

    It's funny, because between them monitoring us and talking all day with numerous online boyfriends - the management hardly did any work. We on the other hand managed to keep 100 clients happy, fix the "Interactive Unix" network so that it didn't die each and every day, *and* format all of their MSN chat logs for easy reading off a floppy disk when the inevitable day came that we would quit.

    and man, those chat logs were good!

    Once we left, we started our own Software Company [solidblue.biz] and are almost ready to release software exactly for companies like that. Network Security & Productivity monitoring software [solidblue.biz]. I wish we had a package like this when we were there, but don't get me wrong - NGREP worked pretty well too.

    NGREP src 192.168.10.3 or dst 192.168.10.3 -ql "MSN-IM-Format" >log.log

  • Ah yes (Score:5, Interesting)

    by The Cat ( 19816 ) on Sunday April 14, 2002 @03:37AM (#3338293)
    The famous workplace, where your freedom is checked at the door.

    For people so concerned with freedom, it is astonishing that the entirety of a person's basic rights are handed over like a movie ticket once the workday begins.

    And to top it all off, everyone DEFENDS this by saying, "well, they sign your paycheck."

    Newsflash: signing a paycheck != control someone's life.

    Here are people who tell you what to do 40, 50, 60 hours a week. What time to sleep. How long to spend eating. What kind of house you can buy. Where you must live. What to say. How to dress. How many phone calls to make. What web sites to visit. And so on. It's worse than grade school. If you don't like it, you're "downsized."

    Personal life is not to interfere in the workday. No personal activities of any kind are to be conducted at work, unless you're a manager and you have kids. Then you can "take the afternoon off" or leave early on Friday any time you feel like it. All time off is given begrudgingly, even if it is pre-approved.

    Now they'll just help themselves to every word typed or spoken during the workday. Excuse me, but why is the workplace exempt from a person's inalienable rights? Why are companies allowed to treat people this way? Why is a paycheck carte blanche to control someone's life?

    If it isn't company business, PAYCHECK OR NOT, it isn't company business. Period. People should be given the freedom to be people before corporate drones.

    • Re:Ah yes (Score:5, Insightful)

      by ryanvm ( 247662 ) on Sunday April 14, 2002 @01:32PM (#3339500)
      If it isn't company business, PAYCHECK OR NOT, it isn't company business. Period. People should be given the freedom to be people before corporate drones.

      Who are you, Bodhi from Point Blank?

      No one forces you to take a job. When you do, you engage in a contract with your employer. It says I will provide X amount of hours of labor for X amount of wages. If you are fucking off chatting with your warez buddies on AIM, than you are not fulfilling your end of the bargain. You are ripping off your employer. Period.

      If I pay someone to dig holes for me for 1 hour, then I am entitled stand beside him and make sure he digs for that hour. Even moreso if he's using my shovel. Why do you think that because you work with computer equipment that you are special? It's the same thing.

      Excuse me, but why is the workplace exempt from a person's inalienable rights?

      I don't think you understand. You do not have an inalienable right to use other people's equipment to chat on the Internet. If you want to do that - do it at home, where you pay for it.
    • Note to moderators: The parent was not a troll. I'd say it's a decently reasoned opinion.

      For comparision, here's my take on the issue. First, I'm a bigtime privacy wonk [jerf.org]. Second, despite that, I still believe that a corporation can pretty much do whatever it can get away with to its employees legally, and that legal action should NOT be taken to 'correct' this.

      The fact of the matter is we have a perfectly fine set of union laws, which provide protection. This is a union issue. If you don't want to be monitored like cows, make your union make an issue out of it. It's stress inducing, it's probably a waste of company resources (after a certain point), it's probably not a net business gain (after a certain point) anyhow, rigid rules rarely match reality, it's not hard to come with counterarguments.

      But until people care, and not just a bare minority, nothing will happen. In this case, I am actually against laws... they'd only make things worse. (Not that you were proposing them, I'm just giving my position for comparision to yours.)
  • ...method!!!

    http://www.guerrilla.net/reference/biological/rfc3 043.html [guerrilla.net]

    Try logging that! Then again, the company could shoot the birds down or fire you for having birds in the office. Or to make matters worse, the bird getting hurt along the way (like flying into a window while trying to send the packet).

  • Your "likeness" and natural copyright (Score:5, Interesting)

    by hyrdra ( 260687 ) on Sunday April 14, 2002 @04:02AM (#3338331) Homepage Journal
    This may sound strange, but if a company is recording your chat sessions, instant messages, or e-mail communications, you can sue them for copyright infringement.

    Sure, it would get all the merit of some of the recent patent lawsuits, but it's perfectly legal. At work, you have no expectation of privacy and often you even explicitly waive these rights by AUPs, as others have mentioned, so you have no legal high ground.

    However of all the AUPs I have seen, none mention the property transfer of your communications, which are effectively your thoughts and are unique to you. This is called your "likeness". You are expressing it in your messages and chat transcripts, and by your employer snooping on you and storing records, they are effectively "copying" your copyrighted material, which you can claim copyright to.

    Unless you're in a contract situation, the only works your company owns are those, which it has commissioned. Despite popular belief, it doesn't own everything you do at work -- only the work from your assigned tasks/projects/whatever.

    I am no legal expert by any means, but at lunch with a lawyer friend I brought this issue up, and he said if he had a client in this situation he would have whatever logs found non-admissible due to copyright infringement. He then told me about likeness and how it can be used against an employer and possibly even to be on the plaintiff side of a suit. I found it interesting he would challenge this privacy issue from this interesting angle.

    I guess you're best actually doing work while at work. If you must have security, use the various methods of encryption. Don't be stupid. :-)
    • Wrong. While on company time you don't own your thoughts and you especially don't own what you write. If you create the world's most effective widget in your cubicle while you should be working on something else, guess what? Your employer owns the widget. Or at least that's the standard contract..
    • Nah. Creation during company time, on company equipment, means that you're creating for the company. If nothing else, all this would do is make sure that 'work for hire' becomes standard in employment contracts, or simply remove IM, or Internet access in general, from everybody's desktop.
  • what constitutes permission for fair use?
    • what I mean is, when is it okay to post nude pictures on the internet? And won't you be embarassed when your kids see 'em, especially the pictures their father took the nights they were conceived?

      Seriously though, how much privacy should we be able to insist upon.

      Certainly plenty when our naked bodies are concerned.

  • codetalking ... (Score:3, Interesting)

    by beanerspace ( 443710 ) on Sunday April 14, 2002 @05:15AM (#3338434) Homepage
    My father used to tell me stories of when he was stationed in WWII in the Aleutian Islands, preparing as a SeaBee for the invasion of Japan. One of the stories that continued to amaze him was the deployment of Native Americans to handle communications, now populary referred to as Code Talkers [nsa.gov].

    Not only did they transmit messages in code, but they added a nice little touch, all transmissions were forwarded in their native dialects. Both my father and I would chortle at the prostpect of some enemy intercept trying to figure out Cherokee.

    It makes me wonder, especially when you consider the costs of snooping everone's transmissions ... if it just wouldn't be too expensive if we not only encrypted our transmissions, but perhaps had an IRC in which we could roll our own dialects via tools like Bison [gnu.org] in which only you, and your buddy on the other end would possess the necessary grammar file.

    Sure, I'm sure the employer and their lawyers could still crack it ... but perhaps the process would become so expensive that they'll just move onto hammering the putz down the hall who continues to spew open text.
    • This would be similar to a one-time pad.

      The best way to encrypt communications would be to write a one-time pad and hand it to your buddy everyday. [maybe you e-mail from home it in the morning using PGP?].

      But we are getting off the subject. One aspect is the fact that your IM's become court record. The other aspect is the fact that your employer doesn't want you to do something on their computers.
  • From the article:
    "[Monitoring] changed the employee behavior. Their productivity went up," she said. "They were a little bit more careful with their communication. It will be the same with IM."
    Yeah, it changed it all right. Now they're back to office flirting and gossip via good ol' F2F, the water cooler, and little pieces of paper.

    What's next? X10 cameras in the workplace? :-)

    Say, all the productivity benefits of 'computerization' couldn't have been due to the freedom people using them found to work at their own pace, could it? It's unthinkable that a guy is *more* productive for next two hours after a 2 minute IM conversation with his girlfriend, I guess. Nah, let's watch over every damn move they make. Make 'em think before they pick their own nose. That'll improve productivity, all right!

    Props to all BOFHs. You have a long and prosperous future ahead of you.

  • I always thought that it would be a nice feature for some of the open source AIM Clients to include automatic public key encryption as an option for those clients that support it.
  • SEC regulations require that trading firms keep records of all email and instant messaging. There are severe fines for noncompliance. Any business that falls under these regs really has no choice but to spy on their employees.

  • another article on IM privacy (Score:3, Informative)

    by feed_me_cereal ( 452042 ) on Sunday April 14, 2002 @03:30PM (#3339921)
    For those interested, salon had a simmilar article [salon.com] a few days ago.

  • So they monitor email. And instant messaging. And web browsing. And they "downsize" you if they find that you're using them for personal use.

    Do they do the same thing with the telephone?

    No?

    That, ladies and gentlemen, is a double standard. Also known as hypocrisy.

    Oh, they do monitor your phone conversations? Fine: do they "downsize" you if you use the phone for personal use? No? Then lather, rinse, and repeat.

    Oh, they "downsize" you if you use the phone for personal use? Who do they think they are, the NSA? What do they think you are, a slave?

    If they're going to treat you as a slave at work, then they can fuck off when you're not physically at work: you should refuse to give them the benefit of any thoughts, ideas, or efforts that don't originate at work. And if they press it, then you should be able to bring them up on criminal charges (slavery is against the 13th Amendment of the Constitution, and it doesn't matter whether or not you're being paid: slaves were "paid" in the form of food, too).

  • This seems rather apparent: employees have no right to screw off on the company dime. Although self-evident to anyone with half a brain, I still hear people - mainly younger folks fresh out of college and new in the workforce - complain about their 'rights' at work, or assert that without unmonitored internet access they'd somehow be crippled when it comes to 'creativity'.

    First off, employees don't have the 'right' to dick around on the web or IM when they should be working. I pay them to work and I define what 'work' is; and that isn't it. Second, if they truly can't function without wasting *my* money goofing off for part of the day, then they need to get a job someplace else. I can and will replace them with someone who isn't hampered in terms of 'creativity' when they actually have to put in eight solid hours of work a day. Especially in this economy, it's damned easy to fire the whining kid and hire someone with an actual worth ethic.

    I don't see what the problem is with a company monitoring things like IM. You're at my business, using my equipment - I'll monitor whatever I please in any fashion I desire. If you want to hold private conversations with friends or surf the web, do it at home on your own time.

    Max

Slashdot Top Deals

Some people manage by the book, even though they don't know who wrote the book or even what book.

Close