Help my Mom
May 20, 2009 4:57 PM   Subscribe

So, say you find out that your employer has been using a program to record your keystrokes. Is this illegal?

My mother recently found some pretty significant evidence that her employer has installed and used such a program on her work computer. I.E. she found one of her passwords written down, next to said password was her mother's maiden name. First of all, how can she find out if the suspected software was installed? Second, what, if any, are the legal aspects of this? Does she have a legal leg to stand on?
posted by citizngkar to Computers & Internet (25 answers total) 4 users marked this as a favorite
 
Jurisdiction matters. But assuming you live in the US - big assumption - your mom is probably SOL. It's a work computer; it's their property; they have the right.

Now, actually recording her password & mother's maiden name, that's a little sketchy. But the basic notion of keylogging your employees is quite legal.
posted by Tomorrowful at 5:03 PM on May 20, 2009


Agreeing with tomorrowful, location might play a factor as laws, if they exist, will vary.

I don't know how she might detect the software- but what does it matter? It's a company-owned computer, yes? Used for work purposes on company time. No employee should have an expectation of privacy under these conditions. Nor should workers be using the company's computer for something that would run afoul of company rules and policies (typed from home on my personal private computer!)

Does the company where your mother works have a clear policy on computer usage? FWIW, my employer is in Wisconsin. Every employee with a computer signs an Electronic Access Agreement which clearly defines what is and is not permitted on company computers. It must repeat the phrase three times in there-- 'the employee shall have no expectation of privacy'. That goes for all company property- phones, voice mail, desks, lockers, etc.

I have no idea if keyloggers or other spyware have been installed on my work unit. So to be safe and in compliance, I just act as if they were.

If your mother is concerned, all she needs to do is make sure she is using the computer appropriately, for the purpose for which it was intended.
posted by GuffProof at 5:30 PM on May 20, 2009


Just to add... sorry, that sounded a little preachy. I've been in HR too long!

I just don't think that she should be surprised- it's very common for employers to monitor workplace electronics.

BUT- that being said, nobody likes to be 'spied on', even if the employer is legally entitled to do it. I get that, sorry.
posted by GuffProof at 5:42 PM on May 20, 2009


As far as I know, keylogging is completely within their right. What they do with the information is a totally different matter... There is only one use for having a mother's maiden name + password that I can think of offhand, and that is to access a bank account and defeat the security question. My bank actually asks me security questions when I access the site from a different IP than it is used to, whether I have the password or not.

So yeah, that's not within anyone's right, obviously. A felony, in fact. I would operate under the assumption that I am the target of fraud and immediately change all passwords -- from a machine not owned by or on the premises of the workplace, double-check records for use, and possibly notify the bank that you've been compromised. Next, since I highly doubt the company is actively perpetrating identity theft, and is probably the actions of an unscrupulous IT worker, I would bring it to the attention of my manager. If there's evidence her bank has been compromised, I would also file a police report. Does she have any idea who wrote the note? Was it just.. laying around? Very strange and sloppy on the part of whoever is responsible.

If there's a less nefarious reason for harvesting her password/mother's maiden name that someone else can think of, I'd like to hear it, because it's eluding me.
posted by cj_ at 5:43 PM on May 20, 2009 [1 favorite]


It's probably within their right to monitor anything on a company-owned computer without any employee expectation of privacy...but that's still really sketchy.

I hope your mom changes all her passwords and security questions immediately, looks into bank accounts, etc.
posted by radioamy at 5:53 PM on May 20, 2009


Are you sure it's a keylogger, and not someone elsewhere in the company intercepting her unencrypted MMN and password and leaving it on a note to say "Hey, we can see these, you know"?
posted by mendel at 5:54 PM on May 20, 2009


Oh, also, bonus advice: Don't use untrusted networks/computers to do banking for precisely this reason. If they logged her mother's maiden name, it stands to reason she was typing it in at some point. Even if her employer didn't have a keylog policy, anyone could install such a thing on her computer.
posted by cj_ at 6:00 PM on May 20, 2009


she found one of her passwords written down, next to said password was her mother's maiden name.

She found this where? Next to her computer? IT would not do that. If that is what she found she should contact security and report this act. Obviously she should change that password, preferably from home.
posted by caddis at 6:21 PM on May 20, 2009


I agree it's a little creepy, but what's the problem with an employer logging what's going on with their own equipment? It sounds like the problem is that she's logging into non-work sites (facebook, email, etc?) and doesn't want them compromisedf?

She may want to mention it to her boss though just to be sure any logging software that is there was placed officially, rather than by someone using it for questionable purposes...
posted by glider at 6:47 PM on May 20, 2009


I wouldn't like this at all, and would try to counteract it with a blank word document open on my computer. Every time I debated signing into anything, I'd mouse back and forth between the internet window and the blank document, interspersing nonsense words and fake passwords amongst my real passwords so hopefully the powers-that-be would be foiled. And I'd change my passwords every couple days, from home, so it was never clear which of the recorded keystrokes were nonsense code and which were the real thing without a lot of trial & error.
posted by pseudostrabismus at 7:15 PM on May 20, 2009


Corporations may be allowed to monitor & log their employees' computer access but that doesn't give them the right to steal the passwords to their personal accounts, even if the employee accessed the account via the corporate network. As a practical matter it may not be worth it to your mom to try to get law enforcement interested in investigating but I think it's entirely appropriate to bring her concerns to management, to let them know that someone within the organization is acting unethically & illegally & putting the company itself at risk of prosecution. Her accounts don't stop being her property just because they pass through computers & wires owned by her employer.
posted by scalefree at 7:22 PM on May 20, 2009


Like everyone else said, your company probably has every right to log what you do on a work computer, BUT I don't know if that's what's going on here. It sounds more like someone (a co-worker?) is trying to commit identity theft.

I would report this to HR or her boss, and report it to whoever's in charge of IT security (again, probably not the person who did it) and change all passwords and take a really close look at all bank accounts (not from work!) for the next couple of weeks.
posted by mmoncur at 9:06 PM on May 20, 2009


> As a practical matter it may not be worth it to your mom to try to get law enforcement interested

It is if she's already been compromised. My concern is they logged her mother's maiden name, so this probably happened while answering the security question to a bank. I cannot for the life of me think of anyone else who asks this question. Facebook, gmail, twitter, metafilter -- they do not ask you these things. I think it's highly probable whoever is responsible for the note has access to her account, and has the intention of fraud. I would take all measures to deal with this that one would take if it happened outside the workplace. If there is any indication that someone has, for example, authorized a payment or wire transfer using the account, you must get law enforcement involved because you were just ripped off. I mean, unless you want to eat the loss to avoid workplace issues... But IMO, the fact that it is at work is a red herring. Yes, the have the right to keylog. No they do not have the right to commit felony identity theft and fraud with that data. Unless she works for a very shady employer, they will agree enthusiastically and possibly even cover any losses to avoid legal troubles (especially if it's a large corporation).

> It sounds like the problem is that she's logging into non-work sites (facebook, email, etc?)

You don't have to put up with getting your account drained just because you were misusing the company computer to conduct personal business. That is ridiculous. And yes, it's a bad idea, but the law still protects you, the same as you are protected against home invasion if you leave your door unlocked, or any number of crimes where the victim might be seen as "asking for it". Please. Felony crime is illegal to commit no matter what.

Like I said, it could be something else, but I am having trouble thinking of plausible scenarios, so definitely take the precaution of securing the account and checking the transfer/payment records. And depending on the bank, it might also be possible to get the debit card number from the website, which could get ugly. (My bank knows better than to make that available, but YMMV.) If no harm has been done, yeah, she might want to avoid rocking the boat and just be more careful, although I think there is a moral imperative to expose this stuff so other people don't get screwed that you have to weigh that decision against. I could see a scenario where it's her boss that did it and she needs the job badly trumping the ethical considerations, and it's not my place to comment on that. But if nothing else, do make sure she secures any account that uses that password or security question and check for suspicious activity, immediately.
posted by cj_ at 9:35 PM on May 20, 2009


Best answer: Sorry, I realized I didn't answer the actual questions, because warning lights and klaxons started blaring:

1. There is no sure-fire way to detect a keylogger, there are a million ways such a thing can be implemented -- both hardware and software level. The fact that they have her password makes this a no-brainer though. Unless she gave it out or wrote it down, there's no other way to get it. QED. Anyway, it doesn't matter how they got the information, because:

2. If she is in the United States, no, she has no legal leg to stand on with regards to the actual keylogging -- some level of snooping is common and legal. If someone has accessed her private accounts with that information, then she absolutely has a leg to stand on. There are a ton of laws against this sort of thing, here is a good place to start.

Good luck.
posted by cj_ at 9:45 PM on May 20, 2009 [1 favorite]


Sorry if this has already been mentioned above ... It's possible that a mischievous coworker installed the keylogger. Bring it to management's attention, discretely. If it's a company action then she'll have to live with it, but if it's a coworker they should be escorted off the premises.
posted by intermod at 9:51 PM on May 20, 2009


A lot of people jumping to conclusions here, and there's not enough information to support any of them.

1) We need at least a country for your Mom to determine jurisdiction.

2) Where did she find this note? On her computer? In a co-workers garbage? Snooping?

3) What was the password to? Was it to a work related system? (ie: her computer's password or her work email?) or something completely unrelated to work?

At very least she should complain to someone (HR? IT?) That her password has been mishandled, but anything else depends on the answers to these questions.
posted by Ookseer at 11:53 PM on May 20, 2009


oh and

4) Is there anything in her employment contract one way or another about monitoring her computer usage. (She would have them on a breach of contract if they said they wouldn't.)
posted by Ookseer at 11:54 PM on May 20, 2009


> A lot of people jumping to conclusions here, and there's not enough information to support any of them

If it were just a password, I would agree to an extent, but mother's maiden name changes the whole game. My challenge to come up with a plausible scenario that isn't fraud still stands. I want someone to tell me what else this could be!

I agree absolutely that this question would be easier to address with more information (like all of them), but barring that, I would assume the worst and ensure my accounts were secure at the very absolute minimum. Whether to take legal action or not depends on whether there is evidence said accounts were compromised, and influenced by the answers to the questions you posed.

It looks pretty bad on the surface. There is no penalty for ensuring your mother's accounts are secure, especially since she just found her password and the most common security question of all time written on a piece of paper for all to see. Cmon. What more evidence would you require before taking this seriously? You'd have to be a total chump to ignore the possibility you're getting screwed at this point.
posted by cj_ at 1:12 AM on May 21, 2009


Why is everyone still assuming that it was her employer who did this? That seems highly unlikely. If they did it you would not know. They wouldn't need to even go to her desk. Why would they write down the password? There is zero evidence that it is the employer. This is most likely another employee and they have probably targeted other victims as well. Rather than fear her employer she should be reporting this to her employer.
posted by caddis at 4:25 AM on May 21, 2009


I.E. she found one of her passwords written down, next to said password was her mother's maiden name.

So, someone not only intercepted her password, but then proceeded to disseminate said password by writing it down for all to see?

Passwords are protected from disclosure. No employer law is going to trump that. Doesn't matter that it's their computer, doesn't matter that it's their network, doesn't matter that it's their on their dime. The information they obtained is still protected information.

I'd also be really surprised if it was the employer, and not a fellow employee.
posted by Civil_Disobedient at 5:03 AM on May 21, 2009


Response by poster: Sorry for the lack of information. She lives in and works in the U.S. She actually found this note at her employer's Wife's desk. (He employs his wife as well as my mother) The boss and his wife are in the process of turning the company over to another owner, the wife recently left the job for good to shop for a new house in a different state. The wife's computer and desk wasn't being used, so my mother's co-worker and friend was using it and she found the note, which also contained some of her own passwords. Boss's wife has been known to snoop around and will sometimes access her husbands email when he isn't in office and read it aloud to co-workers. Did she sign a contract? I really don't know. I'll ask her. What was the password to? Well.. the bank account. She has already changed it, that was the first thing I asked her to do when she told me what had occurred. She doesn't use facebook or anything like that. She does sometimes need to access her bank account at work. I believe she will be bringing this up with her boss today.
posted by citizngkar at 5:20 AM on May 21, 2009


What Civil Disobedient says. Your mom should, ASAP, change every password on every site she visits that isn't a pointless "resister so we can spam the hell out of you" kind of thing. Particularly if it involves money.

Calling the various credit agencies and checking for recent activity might be wise too. If it's a co-worker, they can probably get her SSN (assuming U.S. here) pretty easily too. If it's her employer, they've probably been pretty lax about handling that as well.

There are ways to get a password besides a key logger - looking over someone's shoulder is the classic - so don't assume a high tech technique here.
posted by Kid Charlemagne at 5:28 AM on May 21, 2009


Did they co-worker take the note? If she did I would take it to the authorities, you'd have a good claim for intent to commit identity theft. As your mum's employer's wife, its highly likely that she has access to most of your mum's personal details already (name, address, date of brith, SSN) and you have evidence that she has through whatever means obtained your mum's bank password and mother's maiden name.

Without the note as proof I don't know if the police would do anything but she should contact all her banks and credit card companies etc and alert them (as well as changing passwords). I also believe you can get a credit freeze that would prevent her opening any lines of credit using your mother's details. She should also get a copy of her credit report in case any lines of credit have already been opened in her name.
posted by missmagenta at 8:59 AM on May 21, 2009


She actually found this note at her employer's Wife's desk.

What was the password to? Well.. the bank account.


Ah. In that case call the cops on the little shit. Also let the new owners that the computers in the office are not safe for business use and that they could be infected with keyloggers and other nefarious things.*

And have your mom turn on a credit freeze, review all of her accounts, etc, etc.

*These things may result in the business sale not going through and she'll end up without a job. This may be a good thing.
posted by Ookseer at 10:18 AM on May 21, 2009


These things may result in the business sale not going through and she'll end up without a job. This may be a good thing.

She may also find herself facing a lawsuit from her boss for interference with the sale or maybe defamation of character. That would be a bad thing.
posted by scalefree at 12:40 PM on May 21, 2009


« Older MMMMM Steak.   |   How to learn Hebrew in the Boston area? Newer »
This thread is closed to new comments.