internet browsing history and wiretapping

colemic

Sanity check on aisle 3, please.

I have people (non-HR) claiming to me that if a manager wants to see a subordinate's email, or specific web browsing history, that a warrant is required. (Apparently this was this case when he was in the USAF.) Specifically, this was to prevent running afoul of federal wiretapping laws.

I say that is utter poppycock. While it matters very much whether or not appropriate acceptable use/etc policies are signed and acknowledged, email (and especially web browsing history, such as Ironport logs) may be appropriated by the Company at any time, in accordance with their own internal policies. Users have no reasonable expectation of privacy with work email or browsing history, and I think the courts have upheld that several times.

Thoughts?

Kai123

If anyone assumes privacy from their own work computer/network, that's wishful thinking.

SephStorm

I'm not a lawyer, but my company does not require a warrant. Numerous times where this data has been requested and provided.

My understanding that a warrant is not required unless the data is being provided to law enforcement per their request. A company is free to get data from any device/server they control. They can also get data and provide it to LE on their own, however if LE comes in and requests specific data, a warrant may be required or desired.

cyberguypr

I can't cite right now but I've read cases where monitoring even without an AUP was withheld due to the existence of legitimate business-related reason for the search. In cases where there's record of an acknowledged AUP, it's even easier. Of course this all assumes company-owned equipment. Perhaps the person was confused with personal equipment?

colemic

@cyber not sure. I literally have never heard of browsing history being subject to wiretapping laws; he says it's fine to look at logs in aggregate, or by specific site, but targeting a specific user is not allowed under current law.

I am 100% sure he is wrong on this. I can't even FIND anything on the interwebs that suggests wiretap laws and a manager reviewing a subordinate's browsing history require anything, although most companies require HR to be involved - but that's a company decision, not law.

the_Grinch

He's wrong. What you do on a company provided machine using company provided services is subject to monitoring and no warrant is required to get the information. As other's have stated, if law enforcement requested the information then a warrant would be required. The university I worked at needed to go through a person email in the course of an internal investigation and no warrant was required for that to happen.

http://www.bls.gov/opub/mlr/2003/02/art3full.pdf <--Old, but list many cases that cover email and internet monitoring.

colemic

Awesome, thanks!

iBrokeIT

Doesn't even pass the smell test, anything produced on company time or with company resources should be considered property.

DevilWAH

I don't know about in the US, but in the UK while a warrant from the league system is not required unless you have sufficient safeguards in place you can get in to very hot water.

IF your policy says staff can use system for "personal use" then you have to be extra careful, it might be a company system but if you agree to there personal data on it then it is just that and you can't go rooting though it as you wish.

Also access staff data with out a valid reason can end up badly and staff can and have taken the employers to court and won.

General rule of thumb is

You can log and monitor a service (web / email), but not single out an individual.

You need to have reason to access a single users history, and it needs to be a valid reason.

Permission should be given by the user or if this is not possible HR or senior management. Never should the person asking for the information be the one who releases it. In all cases the user should be informed the information has been accessed.

It is a mistake to think that all data on a companies servers belongs to the company. Managers do not have the right to ask with out evidence / justification to see specific information.

Think of it like this. I send a confidential email to my mangers manager, setting out a complaint against my direct manager. I cant do this if I know my manager has total access to my email history! In the same way my manger his no right to access the bank detail on the pay role, they have no right to access my email of browser history. This right is usually reserved by the HR team. This is normally backed by leagle documents and failing to protect a employees data and confidentiality can have serious repercussions to the business.

So do they need a warrent? NO. is the users right to privacy backed up by the law? Most defiantly yes.

It is the company who owns the information, not the member of staffs manage.

philz1982

Without a AUP you are going to find yourself in a world of hurt if you try to do anything punitive to an employee. If you begin to go into personal information and data capture of "private data" like banking transactions, personal e-mail, ect you are in an even deeper mess. Courts tend to side with the employee when no AUP and/or monitoring policy was in place. Additionally, if you have an AUP but no one knows about it and has not acknowledged it then you might as well not have an AUP.

You don't need a warrant to capture data however, you can capture whatever you want on your network. You cannot enforce anything however without the aforementioned policies. Now most employees will not argue with you, but if you get one who lawyer's up you'll be screwed by case law precedents.

This is based on US law. When you get into Canada or the EU privacy goes to a whole 'nother level

colemic

This tends to disagree with you... Email Privacy Concerns - FindLaw

philz1982

colemic wrote: »

This tends to disagree with you... Email Privacy Concerns - FindLaw

Show me the case law...


Case law for using an AUP

United States v. Nosal
Lee v. PMSI, Inc


A good read on why you need an AUP
http://www.aalrreducationlaw.com/have-you-reviewed-your-acceptable-use-policy-lately/

Pay attention to City of Ontario v. Quon (2010) 130 S.Ct. 2619. this shows why having an AUP is critical to privacy matters. Without the AUP Quon would have been able to argue that messaging was private. Remember that the burden falls upon the plaintiff in court...

colemic

I know an AUP is important. And currently, we don't have one. (But that's out of my lane.) We DO have a logon banner though on workstations; not the same, but better than nothing. It clearly states that all communications may be monitored, and employees should have no expectation of privacy. I still contend that businesses own their own information, equipment, and logs, and with proper authorization, may view them w/o a court order.

DevilWAH

colemic wrote: »

I know an AUP is important. And currently, we don't have one. (But that's out of my lane.) We DO have a logon banner though on workstations; not the same, but better than nothing. It clearly states that all communications may be monitored, and employees should have no expectation of privacy. I still contend that businesses own their own information, equipment, and logs, and with proper authorization, may view them w/o a court order.

"with proper authorization" in most companies is backed up by a AUP which is there to insure the company does not fall foul of the law. You could argue that a AUP is a form of up front warranty, or at least asking the users to waver the need for one. If a users personal/confidential data ends up in the wrong hands then company could end up defending it in court