Tracking Gmail and Skype activity

[Roger.Wilco]

I hope you have a VERY thorough IT policy, which clearly states you're allowed to view personal details like personal email and Skype conversations. It it doesn't you're making a lot of trouble for yourself.

 

[The_Unbeliever]

Ah, the janitor have spoken from the broomcloset.

There is a way to block Skype with squid : http://www.net-security.org/article.php?id=876 (PDF download)

Also, you can set up squid to block connection attempts to gmail.com (and other web-based email services), block port 25 for everybody except your email server.

Keep in mind that gmail will use other ports besides port 25, you'll also need to block these. Any firewall with a default-deny policy will be of help here.

We also had a data breach within our company a longish while back, luckily there was logs, and the users implicated haven't bothered to clean out the evidence on their laptops/workstations.

But, as news24 pointed out, data can be copied to USB memory sticks and carried out without anybody being any wiser, and will be a big headache.

 

[Sapphiron]

Blocking at the firewall might not be enough. users can bypass firewalls by pluggin in their cellphones or 3G cards.

as The_Librarian said, data copied to USB is a big threat. Has a look at the spector 360 software from my earlier post. It keeps independent tamper-proof logs of all the above mentioned activities.

treating internal data security threats, like external threats (will a firewall alone) will leave some gaps.

 

[D3x]

I have 2 friends who were fired for bad mouthing their manager over Skype. They were basically ranting about how moody he was etc & used a few harsh words. Txt's were pulled from the server & that was that.

Thanks for coming.

 

[ChilliGirl]

I hope you have a VERY thorough IT policy, which clearly states you're allowed to view personal details like personal email and Skype conversations. It it doesn't you're making a lot of trouble for yourself.

The standard laws are clear on this: If it is a company PC then All the information contained on the harddrive belongs to the company(their wording would be more formal but still mean the same thing). They should have kept personal stuff seperate from work stuff if they wished for that privacy.

So yes people IF you dont want work to know about it....... dont do it at work. & certainly dont use their pc's for it , if you must do it in working hours.

 

[ChilliGirl]

Blocking at the firewall might not be enough. users can bypass firewalls by pluggin in their cellphones or 3G cards.
as The_Librarian said, data copied to USB is a big threat. Has a look at the spector 360 software from my earlier post. It keeps independent tamper-proof logs of all the above mentioned activities.

treating internal data security threats, like external threats (will a firewall alone) will leave some gaps.

If the nature of the data is of such a confidential nature that the company does not want it to move around..... then they should just invest in usb locks. Then no usb device can be used. There are more & more companies doing so already.

 

[Roger.Wilco]

The standard laws are clear on this: If it is a company PC then All the information contained on the harddrive belongs to the company(their wording would be more formal but still mean the same thing). They should have kept personal stuff seperate from work stuff if they wished for that privacy.

So yes people IF you dont want work to know about it....... dont do it at work. & certainly dont use their pc's for it , if you must do it in working hours.

What standard laws are you referring to? I've been involved in this before, and unless the IT policy was very clear about it, the companies always end up in bigger trouble.

Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

Companies normally gets away with this because the workers don't know better. They get bullied into signing admission of guilt forms, because the employer tells them "it's a work pc so we have the right to monitor you".

 

[ChilliGirl]

What standard laws are you referring to? I've been involved in this before, and unless the IT policy was very clear about it, the companies always end up in bigger trouble.



Companies normally gets away with this because the workers don't know better. They get bullied into signing admission of guilt forms, because the employer tells them "it's a work pc so we have the right to monitor you".

No need for admission of guilt forms or any of that.
The PC belongs to you & so does all the data contained on it even with out any confidentiallities & other such come into play.

The PC get provided for work puposes not for other use. This means the PC still belongs to the company & has not been made your personal property. So unless you as the employeee made the boss sign a conttract preventing him from inspecting the company's property, ...... sorry they have all the rights & access to ANY data contained on the PC, even if it was historically deleted(retrieveable permitting HDD has not been formatted).
So basically the first law that comes into play is the law of ownership. The PC firstly belongs to the company & not the employee.
The employer may not set traps for the employee, yes, that is called entrapment. (just to underline) There is no law that says a company manager/boss or owner cannot have a look at or inspect the information belonging to a company. Which it does as it is on the company PC. This information can then be used to protect the company if needed.

 

[Roger.Wilco]

No need for admission of guilt forms or any of that.
The PC belongs to you & so does all the data contained on it even with out any confidentiallities & other such come into play.

The PC get provided for work puposes not for other use. This means the PC still belongs to the company & has not been made your personal property. So unless you as the employeee made the boss sign a conttract preventing him from inspecting the company's property, ...... sorry they have all the rights & access to ANY data contained on the PC, even if it was historically deleted(retrieveable permitting HDD has not been formatted).
So basically the first law that comes into play is the law of ownership. The PC firstly belongs to the company & not the employee.
The employer may not set traps for the employee, yes, that is called entrapment. (just to underline) There is no law that says a company manager/boss or owner cannot have a look at or inspect the information belonging to a company. Which it does as it is on the company PC. This information can then be used to protect the company if needed.

lol. So by your reasoning, it's not even necessary for any employees to sign IT contracts, since the employee should let the employer sign a contract?

There's a huge difference in finding information on a pc, and monitoring PRIVATE emails.

 

[ChilliGirl]

lol. So by your reasoning, it's not even necessary for any employees to sign IT contracts, since the employee should let the employer sign a contract?

There's a huge difference in finding information on a pc, and monitoring PRIVATE emails.

no contracts are good & have a purpose. to protect the company.
for this example I will imagine you work here @ myBB.

your girlfriend sends a provacative pic of her to your work email on roger.wilco@mybb.co.za just before your going home time.

that makes it company property as it was sent to mybb.co.za
however if she had sent the same pic to your cellphone it will remain private & the boss cannot ask to look at your phone unless(but very unlikely) the company had started so in their contract with you.

 

[Roger.Wilco]

no contracts are good & have a purpose. to protect the company.
for this example I will imagine you work here @ myBB.

your girlfriend sends a provacative pic of her to your work email on roger.wilco@mybb.co.za just before your going home time.

that makes it company property as it was sent to mybb.co.za
however if she had sent the same pic to your cellphone it will remain private & the boss cannot ask to look at your phone unless(but very unlikely) the company had started so in their contract with you.

I 100% agree, but that's work email. What's being discussed here is the employer monitoring private emails (Gmail).

 

[TheGuy]

no contracts are good & have a purpose. to protect the company.
for this example I will imagine you work here @ myBB.

your girlfriend sends a provacative pic of her to your work email on roger.wilco@mybb.co.za just before your going home time.

that makes it company property as it was sent to mybb.co.za
however if she had sent the same pic to your cellphone it will remain private & the boss cannot ask to look at your phone unless(but very unlikely) the company had started so in their contract with you.

But the IT policy states that the computer is for work purposes only. So if the user uses it for private purposes they are breaking the rules of the IT policy.

 

[ChilliGirl]

I 100% agree, but that's work email. What's being discussed here is the employer monitoring private emails (Gmail).

I mentioned Skype, which is a programmed that would be installed on the works pc
& if the employee set his/her gmail to DL to the PC well then it is covered under company property also .
By installing/loading such at work the person said it is fine (indirectly) by installing it on someone elses property for that person to view it.
Work may not force you to hand over your passwords & logins for anything.

Skype saved history logs under my Doc's (if I remember right). you dont need to login to view that information = company has access.

It is a vicious cycle. But at the end of the day there is nothing the employee can do to stop them from accessing the data. To the contrary if he now tries to delete any info he can be taken to court for tampering with evidence...

We can go on about this all day but at the end the same things are being said over & over & over AGAIN.

Bottom line is DO NOT do things AT work if they can cause you problems. Respect your place of work & it's boundaries & indirectly you will be respecting yourself.

 

[ChilliGirl]

But the IT policy states that the computer is for work purposes only. So if the user uses it for private purposes they are breaking the rules of the IT policy.

here you need to think carefully. Which will be the greater charge? especially if you do not wish for them to return to work. Stick with that as the main charge. the rest is a bonus. Remember charges are often reduced. If this does go the legal route you do not wish for that person to return to work as it will not create a positive work environment. So if the most minor charge is used & all that happens is that the person gets a fine but can return to work?
From what I can see there is a case of theft here that ranks higher than company policies. theft is a criminal charge where you dont even need to approach legal help, you can go straight to the police & then take it from there.

 

[Roger.Wilco]

But the IT policy states that the computer is for work purposes only. So if the user uses it for private purposes they are breaking the rules of the IT policy.

Exactly, and then you can take action and give them a warning or whatever. But does your policy say that you can monitor private email? Just because they're breaking the rules, doesn't mean you can do it too.

 

[ChilliGirl]

Exactly, and then you can take action and give them a warning or whatever. But does your policy say that you can monitor private email? Just because they're breaking the rules, doesn't mean you can do it too.

As I said he can only view emails loaded on the PC , & they have every right to concidering the policy. If they offender handed over passwords & logins in an attempt to protect himself & there was controvercial evidence found, then it is also free for the taking.

Same token: If i work for you & I have gmail.

Something happens & you want my account details......
I can sit on a chair infront of you & simlpy refuse to divulge that info as if is private & none of that info is contained on the company HDD or file servers.

You might find me VERY frustrating when I sit there & say no & also wont offer any forther comment. With me being a woman, a man would also then attempt to threaten with violence. LOL I would try to remain as neutral as i can. But should he strike at me in ANY manner I will then be fully entitled to lay a charge of assult........

So honestly this can go round & round & round. Your place of work & their equipment is not your private property. Same token though dont save your passwords on the work PC, then you have already handed them that key the moment you clicked remember me.

 

[The_Unbeliever]

Bottom line - a company owns the computer, and they have every right to monitor it/inspect it at any given time.

If it's your personal laptop, then they can refuse that you connect it to their network. The network belongs to the company, not you, and it is in their best interest to refuse nonconforming PC's to connect to the network.

 

[TheGuy]

But your allowed to monitor their internet browsing so if they browse to gmail are you not allowed to monitor that?

 

[Roger.Wilco]

But your allowed to monitor their internet browsing so if they browse to gmail are you not allowed to monitor that?

No. Because you can't get to their emails from browsing their internet history. The have to enter their username and password to get to their private email, and that makes it private. If you monitor their private emails, it means you have something in place like a keylogger, or you're monitoring what's going on while they're working on the pc. That also means that you then have access to all their banking details if they use the pc for internet banking. And this just makes it all a lot more serious for the employer.

Basically, you can take action against them for using the pc for private purposes, but that's a minor offence. You monitoring private emails is a lot more serious, unless you specifically specify that in your it policy.

 

[ponder]

No. Because you can't get to their emails from browsing their internet history. The have to enter their username and password to get to their private email, and that makes it private. If you monitor their private emails, it means you have something in place like a keylogger, or you're monitoring what's going on while they're working on the pc. That also means that you then have access to all their banking details if they use the pc for internet banking. And this just makes it all a lot more serious for the employer.

Basically, you can take action against them for using the pc for private purposes, but that's a minor offence. You monitoring private emails is a lot more serious, unless you specifically specify that in your it policy.

This I agree with. The last big corporate I worked allowed minimal private use like banking & online shopping which works in the companies favour as the employee is less like to pop out to the bank in lunch time and come back 5mins late because we all know how busy it is in lunch time. Permission or not it would be a violation of their privacy to intercept their usernames & passwords with serious consequences for them. Just imaging some IT Tech using that info or selling it on for example. You have no right to that information, period, unless somehow granted to you via court order which will not happen.