What To Do Knowing My Boss Is Spying On Me?
April 25, 2005 2:32 PM   Subscribe

I found out a few weeks into a job that my employer had installed spyware (VNC) on my work computer and had been watching what I've been doing (screen mirroring) since I started there. Is this legal? Should I confront him? This all makes me feel extremely uncomfortable.

I have subsequently been let go as my schedule supposedly no longer matched what they needed. I wanted to ask MeFi sooner, when I was still employed but Anonymous questions were not working then. Now that I'm no longer with them, does it change anything? When I was employed, did I have a legal leg to stand on in telling them to stop. Now that I'm no longer employed, do I have a legal leg to stand on in telling them they were breaking the law and should stop doing that to the employees there?

Ok, the details. I work in Oregon, he is located in another state. I was an actual employee, not a contractor. I can understand why being in another state would make one anxious about what is going on in the office, as well as "how's the new guy doing" sort of feelings. However I don't think this is right and like I said before, I just don't feel comfortable with this.

I'm using a Mac (owned by them...) running OSX and ever since I started, several times a day, my mouse would just fly off into one of the corners when I didn't move it. This became annoying, but I can put up with that. I figured it was the non-standard two-button mouse they gave me, or something screwy with the OS and put up with it. Then a few days later I heard my coworker say, "oh the boss is controlling my computer again..." or something like that and it was obvious he was controlling the mouse and keyboard from outside the office. Nobody else in the office seemed surprised by this. I knew this could be done, but I didn't think it could be done so covertly. I remember the days of Timbuktu where an icon would appear informing the user that the were being connected to. Anyway, he's using VNC, I've seen the process listed under Activity Monitor.

Am I wrong for feeling so uncomfortable with this? I know I shouldn't expect much privacy with using an employer's computer and network connection, but I was expecting more privacy than this. I cannot even write a draft of an email to my boss knowing I can edit it before he sees it as he could be watching me as I type it.

What rights do employes have to privacy when using computers these days?
posted by anonymous to Law & Government (24 answers total) 1 user marked this as a favorite
 
Monitoring employees' actions is legal, whether by screen mirroring or surveillance camera. You have no rights to privacy on employers' computers because you are supposed to be doing the employers' work on those computers.

Get used to it. Many places track employees' computer usage in one form or another.
posted by mischief at 2:41 PM on April 25, 2005 [1 favorite]


As a network admin, I'll provide the following: Nothing is private, nothing is "yours." Everything you type and do will be seen, logged, documented and inevitably, held against you.
posted by AllesKlar at 2:49 PM on April 25, 2005


Entirely legal. Do not confront anyone unless you wish to be shown the door.

But yes you are right in feeling uncomfortable about this.
posted by falconred at 2:56 PM on April 25, 2005


Everything you type and do will be seen, logged, documented and inevitably, held against you.

We also may read your email for shits and giggles.

Keep that in mind.
posted by cmonkey at 3:07 PM on April 25, 2005


By the way, it's not really fair to call VNC spyware. It is a completely legitimate and very useful remote control application. It can be used nefariously, but so can a lot of things. "Spyware" generally has a very negative connotation.

Also, on windows, most versions of VNC have a taskbar icon that allows access to server parameters and changes color when someone is connected. I don't know if the OS X server has anything similar, but it is a good way to keep tabs on what's going on (just for future reference).
posted by Turd Ferguson at 3:10 PM on April 25, 2005


We also may read your email for shits and giggles.

s/may/will

...

I always try to accidentally find and report some kind of software malfunction that allows me to disable said program. Like some kind of "haywire Active-X trojan that corrupts currently running applications, or some such.

This can be followed by removing the network cable, opening the vnc.exe file in notepad, copy/pasting randomly, and resaving.
posted by Jairus at 3:14 PM on April 25, 2005


A bit off topic for Turd Ferguson: Apple Remote Desktop (the most likely candidate?) *does* show up in the menu bar by default, but it can be hidden if needed. However, ARD shows up in the system preference pane. I think. A possible solution to the problem would have been to change one's firewall settings.
posted by michaelkuznet at 3:49 PM on April 25, 2005


If your boss is using the Apple Remote Desktop services on OS X, there's a "Show status in menubar" option in System Preferences under Sharing > Apple Remote Desktop. If you have administrative access to your account, you can set your own Access Privileges (make sure "Show when being observed" is checked. While you can also turn off incoming access, you might upset your boss.
posted by maniactown at 3:58 PM on April 25, 2005


That's a pretty dumb way to spy on people. The problem is that default vnc sends everything in the clear across the net. Also the standard password security on canonical vnc is pretty weak (one 12 byte DES challenge and you're in). You can fix these problems easily but I'm guessing your manager didn't. If your manager is stupid enough to use vnc as spyware, then it's likely that he's not logging what you do. Instead he's just watching occasionally.
posted by rdr at 4:01 PM on April 25, 2005


It might be worthwhile to ask your HR department--discreetly of course--whether there is a computer use policy in force.
posted by gimonca at 4:05 PM on April 25, 2005


When I got internet access at work, I had to read & sign a copy of our organization's Acceptable Use Policy. This clearly outlined what we can and cannot use the computers for, and indicated that our activites would be monitored to ensure compliance. These are fairly standard in large organizations, less so in small companies. If you signed something like that, it should come as no surprise. I think every employer would be smart to implement something like this, because it makes clear what the expectations are ahead of time, so you're more likely to prevent questionable use in the first place, and it's easier to deal with when it does arise.

Related question:
I accept and expect that my employer will monitor my activites on our work computers. How far does their right to monitoring go? Could they, for instance, listen in on my phone conversations without my consent?
posted by raedyn at 5:07 PM on April 25, 2005


In the US as I understand it you have zero privacy while using the employer's computer and|or network. Always assume this as a given and behave accordingly.

With that said I would suggest you read your employee handbook for sections dealing with acceptable web-email-internet usage. If you can't find such a policy in your employee handbook then I suggest you speak to HR, if the company is large enough to have such a department, or your boss about obtaining a written copy of the policy. If none is forthcoming then I suggest you never use the corporation computers for anything but business work. This would include, but not limited to, all of the following: visiting non-work related websites, personal email webmail services (yahoo, hotmail, gmail, aol et al.), using work email address for personal email, personal email pop or imap connections over corporate network, non-work instant messenger account. Just about everything.

If you can't live without email|instant messenger... Well get a mobile phone that lets you do those things. Another option is a personal laptop + cellphone + unlimited data plan for cellphone. With both this option you should assume you are in a grey area. Some companies may ban outside computers on premises.

It's their network, their computer and their time since they are paying you.
posted by cm at 5:14 PM on April 25, 2005


"Could they, for instance, listen in on my phone conversations without my consent?"

I don't know about listening, but I know more than a few companies that log the phone numbers called, both local and long distance.
posted by mischief at 5:29 PM on April 25, 2005


cm >>> It's their network, their computer and their time since they are paying you.

That's what it boils down to, really. Their time, their equipment, their rules.
posted by dirtynumbangelboy at 6:33 PM on April 25, 2005


One thing you could do is refuse to work under those conditions. Remember, there are lots of ways to make money, and it was your choice to take this job. Are the benefits of the job, the money, the security, the relative difficulty of finding a job with different circumstances, etc., worth putting up with this kind of intrusion into your privacy? There is no one right answer to this question, but many people act as if they don't even have a choice.

The only reason corporations are able to get away with this is that so many people not only accept it unquestioningly, but even go on to defend the corporation's right to do it.

Their time, their equipment, their rules.

You left out: society's law about what they can and can't do with their equipment and rules. A company can't make you work in dangerous conditions, or let you be sexually harrassed, or fire you based on your race, and get away with it by saying, well, it's our money and our rules. We, individually and collectively, define what these corporations are allowed to do by what we'll put up with. If you're putting yourself in a situation where you feel that your rights are being eroded, consider how that compromise jibes with your values.

(I realize you've left this job already, but I'm speaking in general.)
posted by mcguirk at 7:13 PM on April 25, 2005


Just what kind of privacy do you need at work anyway?
posted by mischief at 8:08 PM on April 25, 2005


Well, some people consider a certain amount of privacy an aspect of basic human dignity. Even as a teenager, you would probably be offended if your parents searched your room for drugs behind your back. As an adult, you may expect to be judged on the quality of your work and your interactions with your peers, and not by having your personal communications and the minutiae of your work habits surreptitiously monitored.

Or you may not care. You may say, they can treat me any way they feel like for however many hours each day. I prefer the convenience of this job and the material comforts it affords me and my family, and so on.

You could just as easily ask, what kind of privacy do you need in your home if you're not breaking the law? Would you approve of your home being randomly searched without your knowledge? If not, why not?
posted by mcguirk at 9:13 PM on April 25, 2005


Big difference between home and office.
posted by mischief at 5:30 AM on April 26, 2005


Mischief - apologist for should surfing bosses trying to earn a living off of slacking off, computer using employees who can't be trusted.
posted by jperkins at 6:42 AM on April 26, 2005


Oppression Now, Baby!
posted by mischief at 6:44 AM on April 26, 2005


It's the casual acceptance of that attitude--the office is different, people don't necessarily have to be treated with a minimum level of respect there because they're being paid--that creates this whole situation in the first place.
posted by mcguirk at 7:31 AM on April 26, 2005 [1 favorite]


(I work in IT, but not systems support.)

Companies are, by and large, perfectly entitled to do this. If you work at a company with more than, say 100 people, you can be assured that your communications are logged, somewhere, and kept around for years.

Now, companies generally due this to reduce liability should the need ever arise, but odds are no one is actively "spying" on you unless you're doing something to merit it- surfing for porn or trying to bypass the company firewall will set off a red flag somewhere that someone will notice sooner or later and follow up on.

Anyone in a corporate IT department (or even worse, someone like your boss- unless you're a developer- who isn't in IT but has been given abusive technology) who goes through an employee's information for any reason other than an active investigation initiated by an executive in HR, IT, or Finance is (a) an asshole and (b) not fit to work in IT. Any company that tolerates that kind of behavior isn't a company worth working for, IMHO.

Honestly, it's a fucking disgrace and a black mark on the industry, made all the worse by people who like to joke around that "yeah, we looooove to snoop in your email for fun".
posted by mkultra at 7:41 AM on April 26, 2005


You could remind, by case law, the company that by engaging in such spying tactics they make themselves legally directly responsible for curtailing the (possible) illegal activities of their employees.

For example, if you install a filter or you closely monitor activities to stop people from downloading pirated music, and they manage to, you may be held liable for their misconduct under misprision of a felony if you don't expediently make sure you send all evidence of wrongdoing to the police upon the slightest hint they're (you're) in trouble for it. Yes, if you don't say anything you might not get in trouble if nobody ever asks you for info, but you are definitely painting a big "GET ME IN TROUBLE" target on yourself when you engage in activity like this.

Fun and games for the whole company (not).

IANAL, but this advice comes from several books which specifically reccomend sysadmins do NOT check emails/files for illegal or offensive content, for that exact reason.

Remember: Hear no evil, see no evil, do no evil.
posted by shepd at 9:18 AM on April 26, 2005


According to the Privacy Rights Clearinghouse:
Are there organizations that assist employees regarding workplace privacy?

Yes. There are several groups that are actively involved in workplace monitoring issues and that advocate stronger government regulation of employee monitoring activities.

National Work Rights Institute
166 Wall St.
Princeton, NJ 08540
(609) 683-0313
Web: www.workrights.org

9 to 5, the National Association of Working Women
231 W. Wisconsin Ave. No. 900
Milwaukee, WI 53203
(414) 274-0925
Hotline (800) 522-0925
Web: www.9to5.org

Workplace Fairness

* www.workplacefairness.org
* Affiliated with the National Employment Lawyers Association, www.nela.org

American Civil Liberties Union
125 Broad Street, 18th Floor
New York, NY 10004-2400
(212) 549-2500
Publications Ordering: 1-800-775-ACLU (2258)
Web: www.aclu.org
The American Civil Liberties Union (ACLU) also has information related to workplace privacy issues that are not discussed in this fact sheet. Some of the issues of growing concern involve psychological testing, drug testing, polygraph or lie-detector testing and off-the-job surveillance of employees. Visit the ACLU's Web site at www.aclu.org.
posted by pracowity at 9:33 AM on April 26, 2005


« Older Where can I get books printed?   |   Big blinds, small blinds confusion Newer »
This thread is closed to new comments.