Overclockers Australia Forums
29th April 2012, 12:48 PM   #1
The Watcher (Thread Starter)
Member
Join Date: Sep 2001
Location: Melbourne, Victoria
Posts: 566
Question about Enterprise Monitoring and Tracking of employee computer usage

I’m having a debate with a colleague about privacy and what a company can and can’t do.

If a company clearly, regularly and openly states that all computer and internet usage is monitored, tracked and recorded, and you as an employee both signed an acceptable use policy and agree to the terms every time you use their computers and internet connection… Is there any law in Australia that prevents them from recording your UN&PW when you log on to a website?
Note: in this example this is not acceptable personal use clause in the policy

I’m also not saying they will use the username and password to logon to said website, just record it along with all other data that flows across the network.

I’m not asking if it’s morally or ethically upstanding, and I’m not saying that they wouldn’t have people quit their jobs and leave in droves, just is there any law that prevents it.

I’m also pretty sure that anyone asked to install and manage this type of monitoring software would also quit if it was done in a shady manner.
__________________
Who Wants to Live Forever?

All Warfare is based on Deception - Sun Tzu

Last edited by The Watcher; 29th April 2012 at 1:04 PM.
29th April 2012, 12:52 PM   #2
Creekin
Member
Join Date: Jun 2003
Posts: 10,204

Quote:
Originally Posted by The Watcher View Post
Is there any law in Australia that prevents them from recording your UN&PW when you logon to a website.
I certainly hope so.
That would defeat the whole purpose of the pw imho.

Is this just a hypothetical discussion or has this actually happened and you are rightly against it?
__________________
Quote:
Originally Posted by PapaRubbery View Post
My bespoke 911 was fast until someone put it in the dryer. Now it's shit.
29th April 2012, 12:56 PM   #3
Gunna
Member
Join Date: Dec 2001
Location: Brisbane
Posts: 2,549

You are using their hardware and their Internet connection. If they have an IT policy that states they monitor emails and traffic and you signed, they can monitor what they want.
29th April 2012, 12:56 PM   #4
The Watcher (Thread Starter)
Member
Join Date: Sep 2001
Location: Melbourne, Victoria
Posts: 566

Quote:
Originally Posted by Creekin View Post
I certainly hope so.
That would defeat the whole purpose of the pw imho.

Is this just a hypothetical discussion or has this actually happened and you are rightly against it?
No, it honestly hasn't happened anywhere (or I'd be looking for a new job), this is just a heated debate that we've been having and we decided to throw it out to OCAU and Whirlpool for input.
29th April 2012, 2:34 PM   #5
BAK
Member
Join Date: Jan 2005
Location: Melbourne
Posts: 328

Are you even able to log usernames/passwords from https sites?
__________________
NeOnServ 2.0: Ubuntu 12.04LTS | Q6600 | 8gb | G/A 8EP35-DS3P | AOC-USAS-L8i | 15x 2tb Samsung HD204UI (ZFS Raid-Z2) | CMStacker 810
29th April 2012, 3:28 PM   #6
broccoli
Member
Join Date: Feb 2010
Location: Perth
Posts: 6,260

Privacy Act. Probably.

What is the reason for recording the logon information? National Privacy Principle 2: "Personal information may not be collected unless it is necessary for an organisation's activities and must only be used for the purpose it was collected." Is recording username information necessary for the organisation to maintain the integrity of its system? Surely, just logging which sites are accessed is sufficient? What would make recording and storing username information necessary?

National Privacy Principle 1: "Organisations must ensure that individuals are aware their personal information is being collected, why, who it might be passed on to and that they can ask the organisation what personal information it holds about them." You'd have to do more than just advise that the computer system is monitored, you'd have to specifically inform that usernames and passwords were collected and stored and what the organization was doing with them.
__________________
[Logitech 'G' Owners Club Member #2]
Quote:
Originally Posted by Creekin View Post
stick to shit you know about..like dial up
29th April 2012, 4:50 PM   #7
HUMMER
Member
Join Date: Dec 2002
Location: sydney
Posts: 8,932

as far as i know they only record the sites you visit and not the username and password that you have used on them. this is because it could constitute an issue if they inadvertently capture your username and password for netbanking.

as far as i can tell access to netbanking comes under a portion of some personal use of the corporate internet because this is a way you can check if you got paid or not.
__________________
Originally Posted by Randy_Chuggs - I just get down on all fours and suck it out

Originally Posted by Subcommandante - Who are DVDA? Just a bunch of guys hanging out and having fun...

Originally Posted by Agg - You seem to be confusing OCAU with some kind of democracy.

Originally Posted by Spyfox - mount it on the rear like a brokeback cowboy
29th April 2012, 5:18 PM   #8
Sunder
Member
Join Date: Apr 2012
Posts: 75

That's an interesting question, and my guess, and bear in mind it is only a guess, is that nothing in law forbids it. The reason I say this is that I have seen cases where judges have ruled that there is no expectation of privacy in the workplace. This includes the Privacy Act, which is intended to protect users of a company's services, not the employee.

In addition, I used to work as an ethical hacker (no longer). During that time, we would intercept traffic, including passwords and session information, to business-related cloud sites - this was only to prove that they should change their provider though, we ignored any websites like Gmail or Facebook, though in some cases it would have been technically possible.

During that time, we never had anyone complain, and our corporate lawyer never warned us of what we were doing, despite rewriting our limitations of liability three times to include expanded scope.

I suspect this is an area of law which will have to be set by the first case, and not by statute. It may well be the case that it is easier to ask forgiveness than permission - that is, many companies will do it until the first one is sued.
29th April 2012, 5:37 PM   #9
chip
Member
Join Date: Dec 2001
Location: Adelaide (west side)
Posts: 2,405

There seems to be some legislation covering workplace privacy, at least in NSW: http://www.austlii.edu.au/au/legis/n...ct/wsa2005245/

Probably worth getting a legal opinion.
29th April 2012, 5:43 PM   #10
HUMMER
Member
Join Date: Dec 2002
Location: sydney
Posts: 8,932

i know where i used to work. the building had cameras practically everywhere except change rooms/toilets and the area where we are in. the network operation centre. i know they do not have cameras here as this was a requirement so that no cameras recorded any log in activity of a staff.

however our internet was monitored by a security group that monitored all our network traffic. as far as i can tell from speaking to these guys all they log is the sites we have been viewing.
29th April 2012, 5:43 PM   #11
ewok85
Member
Join Date: Jul 2002
Location: Tokyo, Japan
Posts: 7,927

Quote:
Originally Posted by BAK View Post
Are you even able to log usernames/passwords from https sites?
If you are using a company computer they own the hardware - nothing stopping them from key-logging. Fair game.

If you are using your own personal device, which isn't used for work purposes, but are using a work resource (network and internet) they are fully welcome to track everything that happens on their network. If they can pull my password out of that, I'd be more impressed than pissed.
__________________
半ばは自己の幸せを、半ばは他人の幸せを
http://www.leonjp.com - Rants and info about living in Japan
http://forums.expatjapan.net - The Expat Japan Network!
30th April 2012, 9:30 AM   #12
Creekin
Member
Join Date: Jun 2003
Posts: 10,204

Quote:
Originally Posted by IACSecurity View Post
At least that is how I have operated, and I have done this for various Law Enforcement agencies, so you would hope they have some idea of what they can/can't do.
errr if u were the one doing it.....why didnt YOU have some idea of what you can/can't do?

and how would that apply to say netbank details which would make the corresponding UI/PW PII?
what's stopping IT staff with access to the users UI/PWs from logging into and transferring funds out of users personal bank accts?
30th April 2012, 10:49 AM   #13
Iceman
Member
Join Date: Jun 2001
Location: Brisbane (nth), Australia
Posts: 6,304

I have no idea about the legality of capturing usernames and logins for websites. I strongly suspect it's an area for which law hasn't been written, at least in Australia.

Quote:
Originally Posted by Creekin View Post
what's stopping IT staff with access to the users UI/PWs from logging into and transferring funds out of users personal bank accts?
This on the other hand is quite clear, there are a whole raft of oddly written laws that cover this situation. Off the top of my head you could probably apply "accessing a network without permission", various levels of "fraud" involving impersonating someone with intent to steal. Plain old theft.. although I'm sure there's some 80's filled buzzworded version involving "theft across telecommunication wires" or some such that adds a disproportionate number of years to the sentence.
__________________
_,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_

WTB: Cisco 1801-M PM me
Please rehash my posts and pass them off as your own ideas! Triple points for doing it in the same page of the thread. Plagiarism is the sincerest form of copyright infringement.
30th April 2012, 10:54 AM   #14
Creekin
Member
Join Date: Jun 2003
Posts: 10,204

Quote:
Originally Posted by Iceman View Post
there are a whole raft of oddly written laws that cover this situation.
laws dont stop ppl from doing things, only punish them AFTER the fact..
handgun anyone?
it would be plain and simple theft, with other charges of using a network illegally etc..
they should not ever have that information or ability in the first place.
thats like giving say, the police, master keys to every door in the country and then saying..
but its ok..if any of them steal anything we will book them...
30th April 2012, 12:07 PM   #15
Creekin
Member
Join Date: Jun 2003
Posts: 10,204

Quote:
Originally Posted by IACSecurity View Post
only when you combine that with the banks internal information is it PII.
yeah thats what i am saying, once they log in they will have your name addy etc, making it PII.
Quote:
Originally Posted by IACSecurity View Post
Whats stopping people transferring money out? Fraud, abuse of public office and Theft laws.
as per previous post, thats not stopping anyone..
Quote:
Originally Posted by IACSecurity View Post
Just because you don't like the idea of people knowing your passwords, doesnt make it illegal.

you seem to misunderstand my post..
all i am saying is that a corporate IT policy that allowed the collection and storage of users personal UI/PW combos would allow IT staff access to users bank accts for eg: and that imho is a bad policy...
if the users PWs were never stored then there would not be a security risk.
edit: u might also want to "get all techy" and lrn to multi-quote/edit
Tags
monitor, password, privacy



All times are GMT +10.