internet browsing history and wiretapping

colemic Member Posts: 1,569
Sanity check on aisle 3, please.

I have people (non-HR) claiming to me that if a manager wants to see a subordinate's email, or specific web browsing history, a warrant is required. (Apparently this was the case when he was in the USAF.) Specifically, this was to prevent running afoul of federal wiretapping laws.

I say that is utter poppycock. While it matters very much whether or not appropriate acceptable use/etc policies are signed and acknowledged, email (and especially web browsing history, such as Ironport logs) may be appropriated by the Company at any time, in accordance with their own internal policies. Users have no reasonable expectation of privacy with work email or browsing history, and I think the courts have upheld that several times.

Thoughts?
Working on: staying alive and staying employed

Comments

  • Kai123 Member Posts: 364
    If anyone assumes privacy from their own work computer/network, that's wishful thinking.
  • SephStorm Member Posts: 1,731
    I'm not a lawyer, but my company does not require a warrant. There have been numerous times where this data has been requested and provided.

    My understanding is that a warrant is not required unless the data is being provided to law enforcement per their request. A company is free to get data from any device/server they control. They can also get data and provide it to LE on their own; however, if LE comes in and requests specific data, a warrant may be required or desired.
  • cyberguypr Mod Posts: 6,928 Mod
    I can't cite right now, but I've read cases where monitoring even without an AUP was upheld due to the existence of a legitimate business-related reason for the search. In cases where there's a record of an acknowledged AUP, it's even easier. Of course this all assumes company-owned equipment. Perhaps the person was confused with personal equipment?
  • colemic Member Posts: 1,569
    @cyber not sure. I literally have never heard of browsing history being subject to wiretapping laws; he says it's fine to look at logs in aggregate, or by specific site, but targeting a specific user is not allowed under current law.

    I am 100% sure he is wrong on this. I can't even FIND anything on the interwebs that suggests wiretap laws require anything of a manager reviewing a subordinate's browsing history, although most companies require HR to be involved - but that's a company decision, not law.
    Working on: staying alive and staying employed
  • the_Grinch Member Posts: 4,165
    He's wrong. What you do on a company-provided machine using company-provided services is subject to monitoring, and no warrant is required to get the information. As others have stated, if law enforcement requested the information then a warrant would be required. The university I worked at needed to go through a person's email in the course of an internal investigation, and no warrant was required for that to happen.

    http://www.bls.gov/opub/mlr/2003/02/art3full.pdf <-- Old, but lists many cases that cover email and internet monitoring.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • colemic Member Posts: 1,569
    Awesome, thanks!
    Working on: staying alive and staying employed
  • iBrokeIT Member Posts: 1,318
    Doesn't even pass the smell test, anything produced on company time or with company resources should be considered property.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • DevilWAH Member Posts: 2,997
    I don't know about in the US, but in the UK, while a warrant from the legal system is not required, unless you have sufficient safeguards in place you can get into very hot water.

    If your policy says staff can use the system for "personal use" then you have to be extra careful; it might be a company system, but if you agree to their personal data being on it then it is just that, and you can't go rooting through it as you wish.

    Also, accessing staff data without a valid reason can end up badly, and staff can and have taken their employers to court and won.

    General rule of thumb is

    You can log and monitor a service (web / email), but not single out an individual.

    You need to have a reason to access a single user's history, and it needs to be a valid reason.

    Permission should be given by the user or if this is not possible HR or senior management. Never should the person asking for the information be the one who releases it. In all cases the user should be informed the information has been accessed.

    It is a mistake to think that all data on a company's servers belongs to the company. Managers do not have the right to ask, without evidence/justification, to see specific information.

    Think of it like this. I send a confidential email to my manager's manager, setting out a complaint against my direct manager. I can't do this if I know my manager has total access to my email history! In the same way that my manager has no right to access the bank details on the payroll, they have no right to access my email or browser history. This right is usually reserved by the HR team. This is normally backed by legal documents, and failing to protect an employee's data and confidentiality can have serious repercussions for the business.

    So do they need a warrant? No. Is the user's right to privacy backed up by the law? Most definitely yes.

    It is the company who owns the information, not the member of staff's manager.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • philz1982 Member Posts: 978
    Without an AUP you are going to find yourself in a world of hurt if you try to do anything punitive to an employee. If you begin to go into personal information and data capture of "private data" like banking transactions, personal e-mail, etc., you are in an even deeper mess. Courts tend to side with the employee when no AUP and/or monitoring policy was in place. Additionally, if you have an AUP but no one knows about it and has not acknowledged it, then you might as well not have an AUP.

    You don't need a warrant to capture data, however; you can capture whatever you want on your network. You cannot enforce anything, however, without the aforementioned policies. Now most employees will not argue with you, but if you get one who lawyers up you'll be screwed by case law precedents.

    This is based on US law. When you get into Canada or the EU, privacy goes to a whole 'nother level.
  • colemic Member Posts: 1,569
    This tends to disagree with you... Email Privacy Concerns - FindLaw
    Working on: staying alive and staying employed
  • philz1982 Member Posts: 978
    colemic wrote: »
    This tends to disagree with you... Email Privacy Concerns - FindLaw

    Show me the case law...


    Case law for using an AUP

    United States v. Nosal
    Lee v. PMSI, Inc


    A good read on why you need an AUP
    http://www.aalrreducationlaw.com/have-you-reviewed-your-acceptable-use-policy-lately/

    Pay attention to City of Ontario v. Quon (2010) 130 S.Ct. 2619. This shows why having an AUP is critical to privacy matters. Without the AUP, Quon would have been able to argue that messaging was private. Remember that the burden falls upon the plaintiff in court...
  • colemic Member Posts: 1,569
    I know an AUP is important. And currently, we don't have one. (But that's out of my lane.) We DO have a logon banner though on workstations; not the same, but better than nothing. It clearly states that all communications may be monitored, and employees should have no expectation of privacy. I still contend that businesses own their own information, equipment, and logs, and with proper authorization, may view them w/o a court order.
    Working on: staying alive and staying employed
  • DevilWAH Member Posts: 2,997
    colemic wrote: »
    I know an AUP is important. And currently, we don't have one. (But that's out of my lane.) We DO have a logon banner though on workstations; not the same, but better than nothing. It clearly states that all communications may be monitored, and employees should have no expectation of privacy. I still contend that businesses own their own information, equipment, and logs, and with proper authorization, may view them w/o a court order.

    "With proper authorization" in most companies is backed up by an AUP, which is there to ensure the company does not fall foul of the law. You could argue that an AUP is a form of up-front warrant, or at least asking the users to waive the need for one. If a user's personal/confidential data ends up in the wrong hands, then the company could end up defending it in court.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.