Legality (of monitoring)

Dave Warren maillist "at"
Wed, 06 Jun 2001 07:41:16 +0000

> >I'm just curious if anyone happens to know the rules/regulations on
> >monitoring employees in Canada.
> IANAL, and I'm not in Canada.  I'm just wanting to be cautious:

Fair enough.  Thanks in advance.

> It'd be a very good idea to put a monitoring clause in your systems
> so that it is made quite clear that monitoring can be done.  I would guess
> that to do otherwise would be at best unwise, and possibly illegal.  It's
> good idea to disable the pop-up menu as a first step to prevent users from
> disabling VNC, and put an "anti-disabling" clause in the same policy if
> feel this is necessary.

I'm *guessing* the same thing.  I'm going to be researching properly in the
next few days, I just haven't had time yet.

At the moment, we've simply failed to load the -servicehelper portion in the
startup, thereby hiding the icon simply by not loading it.  No effort has
been made to disable the configuration options, or stop the user from
loading WinVNC themselves, with -servicehelper, and making changes.

There is a standard "We can record everything you do on our equipment and/or
network" but nothing about disabling such methods.  The specific clause
implies network monitoring, but doesn't exclude machine specific monitoring.

> >Do they have to be notified when someone is actively monitoring?
> See above - I'd at least leave the "tray icon" or other symbol visible,
> which changes colour to denote a connected viewer.  There is also an
> in recent versions of WinVNC to display a confirmation dialogue box,
> although this option is more suited to a tech-support role than for
> monitoring.  Advise monitoring supervisors to use the "view only" option
> the viewer end, to avoid accidentally disrupting workflow of the employee.

At this point, the icon isn't visible.  I doubt that will change, since they
just deployed new machine images network wide.  Given that there is
officially no monitoring software, I think view-only is a good idea :)

> In general, I'd err on the side of openness.  Otherwise, as soon as the
> word gets out (and it will, as soon as the first few employees are
> you'd be labelled as a spy and your employees wouldn't be happy with you.
> For readers in educational establishments, the same goes for students,
> perhaps even more so.

I would tend to agree.  Especially with people like me, who know exactly
what to look for to see if a system is being monitored, passively or
actively.  Good ol' NT/W2K, a task list does wonders, 'eh?  And the open
ports are just a WEE bit suspicious too.

I'm an employee, not in the MIS department, and the only member of MIS I've
had time to ask so far denied that any monitoring is happening at all.
Maybe he didn't know, or maybe he lied, I'm not sure.  But since I was able
to get into the config, and I can tell that the service is running, I'm
going to assume they are monitoring us.

Thanks for the information.  As always, much appreciated.

Dave Warren,  
 Email:  dave.warren "at"
 Priority: dave.pager "at"