×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Microsoft Lync Server Gathers Employee Data Just Like NSA

timothy posted about 9 months ago | from the except-they're-not-the-government-and-all dept.

Privacy 207

coondoggie writes "Microsoft's Lync communications platform gathers enough readily analyzable data to let corporations spy on their employees like the NSA can on U.S. citizens, and it's based on the same type of information — call details. At Microsoft's Lync 2014 conference, software developer Event Zero detailed just how easy it would be, for instance, to figure out who is dating whom within the company and pinpoint people looking for another job."

Sorry! There are no comments related to the filter you selected.

Slashdot Replacement (-1, Offtopic)

Anonymous Coward | about 9 months ago | (#46313757)

Come join us at Soylent News [soylentnews.org] , the premier Slashdot replacement? Everything about Slashdot you love, none of the shit you hate...except perhaps for the Golden Girls troll. And, get this - it also supports unicode!

-- Ethanol-fueled

Re:Slashdot Replacement (0)

Anonymous Coward | about 9 months ago | (#46313901)

They're getting lonely with so few people commenting.

Re:Slashdot Replacement (-1)

Anonymous Coward | about 9 months ago | (#46314243)

reminds me of antislash like 10 years ago

K5 - Rusty! (0)

Anonymous Coward | about 9 months ago | (#46314791)

Or is that, tin roof, rusty? Nothing a b-52 strike couldn't solve, though nothing for the madness that lurks within.

Looking for a job on company equipment? (1)

Anonymous Coward | about 9 months ago | (#46313759)

Seriously? You deserve to be fired.

Re:Looking for a job on company equipment? (3, Insightful)

flyneye (84093) | about 9 months ago | (#46313963)

A company that has to spy on it's employees deserves, a better business model, new leadership and a tax audit.

Re:Looking for a job on company equipment? (1)

RightSaidFred99 (874576) | about 9 months ago | (#46314153)

Good thing they just made the amazing discovery that a software based (or hardware based) voice system allows the owners of said system to determine who is calling whom, and didn't detail who these companies with a (lol) "bad business model".

Re:Looking for a job on company equipment? (4, Funny)

ColdWetDog (752185) | about 9 months ago | (#46314463)

Imagine, a database. Storing data. That you can run reports on.

Simply amazing what computers can do these days.

Re:Looking for a job on company equipment? (1)

davester666 (731373) | about 9 months ago | (#46314931)

They just might graduate from toys to useful tools for business in a few years.

Re:Looking for a job on company equipment? (0)

Anonymous Coward | about 9 months ago | (#46315215)

Imagine, a database. Storing data. That you can run reports on

Imagine, a communications tool. Allowing USERS to choose whether to store data or not. And companies that don't feel the need to run reports on their team.

Haha, just kidding, this is Microsoft we're talking about.

I mean, which part of "Microsoft product" did they not understand?

Re: Looking for a job on company equipment? (1)

BitZtream (692029) | about 9 months ago | (#46315985)

You do realize Lync will be happy to auto expire that data if you want it to ... Right? What's that? No, you didn't know that? What's that? You didn't realize that every comms system on the planet DOES THE SAME FUCKING LOGGING. If you or Timothy or the poster had a clue about this subject matter you'd not have posted the story or act like MS does something evil here.

Perhaps you shouldn't talk out your ass about things you know absolutely nothing about.

No one is going to throw out log data because you don't want to get caught wasting company resources dicking at work on some else's time, money, network, hardware and other infrastructure.

Your spoiled ass needs to get a good dose of reality and grow the fuck up.

Re:Looking for a job on company equipment? (1)

wiredlogic (135348) | about 9 months ago | (#46317457)

Imagine, a communications tool. Allowing USERS to choose whether to store data or not. And companies that don't feel the need to run reports on their team.

This is a software product meant to be deployed in a business environment. You are an employee not a user. You don't have any reasonable expectation of privacy when using a computer you don't own.

Re:Looking for a job on company equipment? (1)

Kalriath (849904) | about 9 months ago | (#46318455)

And, more importantly, there may be a legal need (public records legislation for public sector, SarbOx for private sector) why they must retain that information.

Re:Looking for a job on company equipment? (1)

VikingNation (1946892) | about 9 months ago | (#46320113)

Very good point. Appears that the author who posted the article has a very uninformed view of the world.

Re:Looking for a job on company equipment? (2)

flyneye (84093) | about 9 months ago | (#46322069)

No, it none of their business. If they run a business where the employees feel trapped into servitude by pre-employment agreements, local talent monopoly, overwhelming bills and bad economy, seniority w/no upward mobility, etc., the company has clearly overstepped the bounds of human decency with no regard for their most important asset. This is WHY we get corporate espionage, if you back someone in a corner without a reasonable choice, they will do whatever they need to in order to survive and prosper. When a business is so large it has to resort to treating its employees like faceless units, it has grown cancerously without dividing into diversified units and begins its own downward spiral in the name of greed of the board and investors. Morons! (like AT&T, Apple, Chrysler, Shell,etc.) The old business models of dinosaur mega companies are showing their age in waste and loss due to sheer size. The day of the dinosaur is over, many smaller businesses will have a surviving advantage in times to come, their survivability will come from a close knit smaller team and will suck the talent from the big boys.
This software in question is a fine example of the suicide happening right now.
This is a new age of business, just like the new age of politics coming after the fall of trust for the current regeime.
Fool me once , shame on you , fool me twice, shame on me, stick me with a fork, Im done.

Re:Looking for a job on company equipment? (1)

LordLimecat (1103839) | about 9 months ago | (#46314707)

An employee who doesnt expect it needs a reality check.

Heres some more shockers, from an IT consultant:
  * Your firewall / IDS is probably proxying all of your connections.
  * SSL is probably being intercepted to. You ever check who issues the SSL certs of your favorite sites?
  * DNS lookups may well be monitored.

The biggest shocker: Its not your machine, or your network, or your electricity. Its not your time, either. Their job, their rules: Get over it. Of course, you generally do have the freedom to walk out if you dont like the whole "not your resources" angle, smaller companies tend to do this less.

Re:Looking for a job on company equipment? (1)

lister king of smeg (2481612) | about 9 months ago | (#46314785)

An employee who doesnt expect it needs a reality check.

Heres some more shockers, from an IT consultant:

  * Your firewall / IDS is probably proxying all of your connections.

* SSL is probably being intercepted to. You ever check who issues the SSL certs of your favorite sites?

  * DNS lookups may well be monitored.

The biggest shocker: Its not your machine, or your network, or your electricity. Its not your time, either. Their job, their rules: Get over it. Of course, you generally do have the freedom to walk out if you dont like the whole "not your resources" angle, smaller companies tend to do this less.

I would but slashdot is won't give me ssl. :-(

Re:Looking for a job on company equipment? (1)

khellendros1984 (792761) | about 9 months ago | (#46314799)

I know that my employer both blacklists certain sites and intercepts SSL (the certs are signed by the company, and you have to either accept constant browser warnings or install the company's certs as a root CA in the browser. I agree; it's not my equipment or my time, so I don't really have a problem with the situation.

Re:Looking for a job on company equipment? (1)

dbIII (701233) | about 9 months ago | (#46314955)

I can't actually see a legitimate case for that, and in fact see it as criminal action unless the employer is actively informing people that they should not do their online banking or anything involving private medical details (or similar confidential information) in the workplace. Someone with access to the cache of their proxy device could do a lot of damage to secure accounts, and if they sell the details instead of steal the money themselves it would be difficult to trace. Do you really think people should be trusted with that in your workplace? I certainly don't want to be trusted with something that should be between the employee and their bank which has nothing to do with my workplace other than that's where the person is connecting from.
Paranoia about people leaking stuff from the workplace should not reach the level of spooks playing at being James Bond. If you are not military then people are going to find a way so there's no point going selectively GITMO on them if they can just walk out the door with things on a USB stick, phone or postit note.

Re:Looking for a job on company equipment? (1)

Anonymous Brave Guy (457657) | about 9 months ago | (#46315027)

I can't actually see a legitimate case for that,

There are certainly legitimate use cases for intercepting encrypted traffic. For example, many corporate networks use security devices that sit on the incoming and/or outgoing links to do things like scanning for malware or leaks of confidential data. Obviously they can't scan properly encrypted traffic.

In principle, the use of such tools can be in everyone's interests, including employees and customers whose sensitive personal information might be held within the network. In some contexts, use of this kind of technology is important both for actual security and to be demonstrate compliance with privacy regulations. However...

and in fact see it as criminal action unless the employer is actively informing people that they should not do their online banking or anything involving private medical details (or similar confidential information) in the workplace.

This is where I strongly agree with you. If the interception is done covertly -- and by that I mean if every employee isn't fully aware of the possibility, not just that someone once made an offhand comment in a company meeting that 50% of staff attended that of course IT do this so of course it's been disclosed -- then this practice is very shady.

It is not impossible to reconcile reasonable security/compliance measures with employee privacy. You just might have to make a modest effort to do it, like setting up a dedicated system in the break room that is suitably isolated from the main company network and employees can use if they really do need to send a private message about a hospital appointment while on a break or to access their bank account to check a salary query. I have no sympathy for an employer who claims this is difficult, given the relative cost of doing it vs. the much higher cost of setting up the kind of security infrastructure we're talking about.

Re:Looking for a job on company equipment? (1)

dbIII (701233) | about 9 months ago | (#46315053)

Obviously they can't scan properly encrypted traffic.

"SSL accelerator" devices get you to accept their certificates so that it goes through the device in the clear instead of being "properly encrypted traffic". Such a MITM attack does require the users to trust it with their certificates but few understand the implications - such as the potential for a junior sysadmin in their workplace to clean out their bank account if they've made the mistake doing online banking from work.

if every employee isn't fully aware of the possibility

That is the problem.

However the very existence of these devices in a workplace appears to be a message that private traffic is just not going to happen. Who ever has access to the SSL box, and in many cases they are externally managed, now has access to the most private traffic from the site instead of it being a secret from anything other than the two endpoints. To me that seems to be defeating the entire purpose of encrypted traffic and is both a security risk and a legal landmine.

I should add (1)

dbIII (701233) | about 9 months ago | (#46315065)

With all the setups of this type I have heard of there is no opt out. Accept the certs, let the MITM box have all your traffic in the clear or no SSL traffic for you. It's a man in the middle attack "for your own good" because it speeds up all the traffic, but whoever has access to that box gets to see what you've sent - usernames, passwords, the entire lot. So instead of having a possibility of security leaks at two ends you've got a third player that knows everything as well, and that's a lot of extra trust that IMHO should never have to happen.
Even if it's 100% company data the junior sysadmin and external consultant should not have a handy and easy way to get the bank login and password that the CFO uses for company bank transactions.

Re:I should add (1)

gnasher719 (869701) | about 9 months ago | (#46315117)

With all the setups of this type I have heard of there is no opt out.

At my place, the company has an unencrypted, password-free WiFi network running in parallel, mostly intended for visitors, but obviously free to use for employees. Of course you can't get at any company resources from that network (except those that can be accessed freely from anywhere). Being unencrypted, it's your responsibility to use https.

Re:I should add (2)

dbIII (701233) | about 9 months ago | (#46315239)

Being unencrypted, it's your responsibility to use https

My entire point is that these devices remove any advantage of using https. The device takes it, decrypts it, deals with the data as plain text, then ecrypts it again to send out. Whoever has control of the device gets to decide what to do with that data. It's a very stupid situation for almost zero extra convenience. If I was the NSA or similar I would love to have a lot of these things out there with only a small number of vendors to lean on about backdoors.

Re:I should add (1)

ArsenneLupin (766289) | about 9 months ago | (#46315493)

My entire point is that these devices remove any advantage of using https.

Obviously, if you used the guest Wifi, you'd use your own device, which would not be infested with the fraudulent root certificate of your employer.

Re:I should add (1)

dbIII (701233) | about 9 months ago | (#46318339)

Which is fine for you and me but most users would just click through accepting it.

Re:I should add (1)

LordLimecat (1103839) | about 9 months ago | (#46321035)

? It's a very stupid situation for almost zero extra convenience

Its not "stupid", and it doesnt remove all protections. If an attacker is controlling your switch and / or firewall, you are boned unless you are very technically skilled and very knowledgeable. They could, for instance, intercept all requests for "www.gmail.com" and proxy the response; your browser would never get redirected to the HTTPS site to begin with, so you wouldnt establish a secure session. Instead you would get an HTTP connection to the proxy, who would forward your credentials on to gmail, and now they have your password. You would have to be very vigilant to see the missing HTTPS on every site you might want to look at. Or they could inject content into the non-ssl components of your bank website which screen-scrape your password; it is not uncommon for there to be mixed content on a SSL site, but it can be difficult to detect.

Re:I should add (1)

dbIII (701233) | about 9 months ago | (#46321715)

You've missed who I'm calling stupid. It's the businesses that buy these appliances or services out of paranoia or a slick sales pitch. If you can't think of implications then read a few more of my posts or others here.
In a lot of countries the owner of a device like this is breaking a pile of laws the second an employee uses it to access their bank account by what they think is a secure method. In some places such wiretapping is against the law even if the employee has been warned that they are being monitored.

Re:I should add (1)

ArsenneLupin (766289) | about 9 months ago | (#46315491)

With all the setups of this type I have heard of there is no opt out.

Worse than, the "SSL accelerator" box would now be responsible to check the certificate of the server, in order to be sure that there isn't a second man in the middle further down the road. But the thing is, how would it react if it encountered a bad certificate:

- if it rejects the connection, suddenly lots of low sensitivity sites which just have expired certificates, or which rely on the user to manually verifiy the fingerprint become inaccessible,
- if on the other hand it accepts (or doesn't check in the first place), we have the security issue outlined above.

Re:Looking for a job on company equipment? (1)

Anonymous Brave Guy (457657) | about 9 months ago | (#46315097)

Such a MITM attack does require the users to trust it with their certificates

But "the users" in this case may well be a system administrator who installs an extra in-house CA as part of the standard image for a new employee's PC. The employee themselves probably never even sees it.

Re:Looking for a job on company equipment? (1)

khellendros1984 (792761) | about 9 months ago | (#46316777)

Do you really think people should be trusted with that in your workplace?

Not particularly, but I understand that they want to know all of the activity on their network and don't want the increasingly prevalant use of encrypted connections to stop that. If an employee in the (rather large) company is doing something illegal and it's traced back to the corporate network, the company wants a CYA option. As a second point, they don't like sites that tend to be high-bandwidth. For myself, if I need to do something like online banking during a break, I usually bring my laptop and tether to my phone.

Re: Looking for a job on company equipment? (1)

BitZtream (692029) | about 9 months ago | (#46317581)

In America, your law suit wouldn't be touched by a lawyer.

Just because think your entitled to do whatever you want at work using their resources doesn't mean the rest of the world shares your ignorant, spoiled view.

Legal precedent says you have no right to privacy at wok outside of the bathroom or if your contract states some level of privacy.

By default, no court is going to give a shit that your company reads your emails and logs your activity at work. In MANY cases, employers are REQUIRED to do some of these things ... And the requirement came from lawyers ... Dealing with people like you.

Nevada for instance requires emails be archived and scanned for personally identifiable information that isn't encrypted before being delivered to the destination.

It's really sad that people like you can be so selfish when your using someone else's resources. Use your own fuckinig connection to hunt for jobs or spank it while streaming pornhub.

Re: Looking for a job on company equipment? (1)

dbIII (701233) | about 9 months ago | (#46320521)

Did you reply to the wrong post?

Re:Looking for a job on company equipment? (1)

LordLimecat (1103839) | about 9 months ago | (#46321003)

Every company Ive been at has an acceptable use policy, as did (if I recall) all the universities ive been to. They tend to be pretty explicit that your communications are monitored.

More fundamentally, you have no expectation of privacy as you are not on your own equipment; you are on equipment and network owned by the company who has not only the right but the duty to monitor their connections. If someone is running a botnet C&C server from the company network over SSL, who do you suppose is liable for it?

In fact this very thing comes up often regarding spambots. When spam originates from your network, it is your IP that gets blacklisted. You therefore have the responsibility to monitor and filter illegitimate SMTP out.

Re:Looking for a job on company equipment? (1)

pnutjam (523990) | about 9 months ago | (#46322791)

I keep an x2go session open to a home server on my computer. Short of screen-shots, It's pretty safe.

Re:Looking for a job on company equipment? (2)

dbIII (701233) | about 9 months ago | (#46314923)

* SSL is probably being intercepted to. You ever check who issues the SSL certs of your favorite sites?

While true due to all those "SSL accelerator" devices in people's workplaces which employees are supposed to allow to do an MITM attack, it's still an utterly insane situation that renders SSL almost entirely pointless in an increasing number of places.

IMHO letting one of those boxes into a workplace should be a criminal offence since people do not understand that it is tracking details of their personal banking transactions (for an example of an SSL situation), if they happen to do it at work. Years of using MS product GUI's have conditioned people to do a quick click through and accept everything so the default ends up trusting some proxy box as if it is the bank.


It's tempting to think that these new SSL proxy devices are all information collecting devices for various intelligence agencies - however it's more likely to be stupidity for the sake of convenience.

Re:Looking for a job on company equipment? (1)

ArsenneLupin (766289) | about 9 months ago | (#46315519)

Years of using MS product GUI's have conditioned people to do a quick click through and accept everything so the default ends up trusting some proxy box as if it is the bank.

If people behave in such a way, they'd be vulnerable anywhere (cybercafé, airport, hotel or even at home (thanks to the many router vulnerabilities)), not just at their place of work. Microsoft, and Microsoft-induced behavior carry security risks. Deal with it.

However, what sets the workplace situation apart from the other scenarios is that if done properly, the employee would see no warning. Because the IT department included the employer's certificate into the list of roots trusted by the browser.

Re:Looking for a job on company equipment? (2)

dbIII (701233) | about 9 months ago | (#46318391)

If people behave in such a way, they'd be vulnerable anywhere

Hence the malware epidemic which would have been written off as bad science fiction if it wasn't already happening.

However, what sets the workplace situation apart from the other scenarios is that if done properly, the employee would see no warning. Because the IT department included the employer's certificate into the list of roots trusted by the browser.

Yes, that is a problem and doing such a thing without informing end users is actually illegal in some countries.

Re:Looking for a job on company equipment? (1)

LordLimecat (1103839) | about 9 months ago | (#46321043)

Are you aware of what a Computer Acceptable Use Policy is, or that most insitutions have one? Are you aware that you almost certainly agreed to one if you attend a university or are employed by a medium-or-larger sized company? Or that they almost universally mention that you may be monitored?

Laws trump acceptable use policies. (1)

dbIII (701233) | about 9 months ago | (#46321725)

Are you aware that you can get in very deep legal shit when someone takes your policy as a merely a guideline to break and then does something that turns your monitoring into criminal wiretapping?
Laws trump petty little acceptable use policies.

In case you want to continue with pretended stupidity here's a very clear analogy. A keep off the grass sign in a public park is not a licence to plant landmines to enforce it.

Re:Laws trump acceptable use policies. (1)

LordLimecat (1103839) | about 9 months ago | (#46323509)

If you tell someone "we are tapping everything sent in and out of our network", I would be astonished if you could get a judge to even consider a "wiretapping" claim. I have EVERY right to tap everything in and out of my equipment, and as long as I have made you aware of that theres really nothing you can say about it.

The analogy breaks down in a whole bunch of ways; it would be more like if there were a sign in a 7-11 saying "CC TV monitoring in use."-- which is completely legal and very common. You can say that the sniffing is "illegal" all you want, I will just point out that it happens in just about every company once you hit a certain size (like 100 or more users).

Rather than just argue with you about this with my own authority, I would point to this:
http://en.wikipedia.org/wiki/C... [wikipedia.org]

This type of monitoring is generally allowed where the employer owns the computers, terminals, network, and Internet access. Depending on the country or legal jurisdiction and the specific methods of surveillance used, there may be additional requirements to notify the employee of the monitoring or monitoring policy to be legal.

You are correct that some countries are more strict about this, but I would be astonished if you could find a country where it was illegal under any circumstances / even if you notified your employees. Certainly it is not in the US; certainly every federal agency does it to their own employees.

Re:Laws trump acceptable use policies. (1)

dbIII (701233) | about 9 months ago | (#46330249)

If you tell someone "we are tapping everything sent in and out of our network", I would be astonished if you could get a judge to even consider a "wiretapping" claim.

If it's in fine print instead of a prominent warning people have to click trough often enough to be annoying then you go down for having a tiny "keep off the grass" instead of "danger - land mines". In some countries privacy laws trump any such warning no matter how prominent it is. I'm sure in your own country you'll find bits about medical information that would render use of such an appliance upstream illegal with harsh penalties, even if you do inform people that it is being done.

a sign in a 7-11 saying "CC TV monitoring in use.

Since we are discussing information that both endpoints assume is very private you analogy only holds if the camera was in the bathroom or other place with an assumption of privacy.

Personally I see it as an intrusive violation of privacy and the legal minefield you get with such things. To be justifiable IMHO requires the similar sort of unusual circumstances where workplace urine tests or opening and reading people's mail delivered to their homes can be justified.
To even the most unimaginative the Target security breach should show the potential consequences of storing employees sensitive personal information on a hackable or backdoored proxy box. If your workplace gets hacked and employees have their bank accounts cleaned out just because they ignored the warning and did their online banking through a stupid proxy box you can bet wiretapping laws get mentioned and some sort of nasty consequences will occur to those responsible for the stupid proxy box.

So in my opinion they are mostly just a intrusive facet of paranoia and an accident waiting to happen. You don't do a bait and switch with privacy. Either you keep informing people that your workplace demands they have none due to it being special in some way, or you don't monitor them in their most private moments. You'll find there are laws to slow down paranoid sociopaths who want to have full control and that things have to be very special to get around them in a lot of places. What people will put up with will vary, but once an incident that goes too far occurs and the lawyers are brought in it can be found that what is assumed to be a "normal" level of monitoring will land the people responsible for implementing it into deep legal shit.

Your reality check bounced (2)

Anonymous Brave Guy (457657) | about 9 months ago | (#46314953)

Its not your machine, or your network, or your electricity. Its not your time, either. Their job, their rules: Get over it.

Unfortunately, as long as employers are employing human beings rather than machines, the only people who think your position is tenable are HR, and Legal will do as much as they can to support it. Everyone else knows that occasionally you need to make a personal phone call during the working day, and everyone else thinks that listening in is creepy (not to mention illegal in many jurisdictions, at least if done as a blanket policy without reasonable grounds). Why should Internet access be held to a different standard?

Of course it's unreasonable for people to abuse work resources to spend all day looking for a new position. I don't see anyone disputing that employees are provided with those resources so they can do their jobs rather than for personal use. I don't see anyone disputing that work time is meant for work either, though of course things aren't so black and white when you get into breaks or what constitutes work time for salaried employees who don't get paid for fixed hours.

But things like deliberately and covertly MITMing secure connections to an employee's bank account, which maybe they're accessing because there's a legitimate question about whether their salary or expenses have arrived yet, is not acceptable. And no, some weasel words at the bottom of page 74 of your employee handbook saying generically that Internet communications may be monitored are not reasonable disclosure that this kind of practice is happening, IMHO. Either make it very clear that work resources may not be used for any personal matters -- and accept any negative consequences in terms of employee morale and/or retention and/or getting taken to a tribunal or sued -- or stop pretending that sysadmins playing Big Brother at work suddenly became acceptable because the word Internet was involved. It isn't, and in many places the law even says that.

Re:Your reality check bounced (1)

Bert64 (520050) | about 9 months ago | (#46315061)

Most of us have cellphones which we can use to make personal calls and even access the internet...

Re:Your reality check bounced (1)

Anonymous Brave Guy (457657) | about 9 months ago | (#46315087)

You might have that. Whether most people do is a different question, because standards of mobile technology and mobile network coverage vary widely from place to place. And even if most people do, there is still the need to look after those who do not.

Re:Your reality check bounced (1)

ArsenneLupin (766289) | about 9 months ago | (#46315527)

Most of us have cellphones which we can use to make personal calls and even access the internet...

... and in an open plan office, your nosy neighbour on the other side of the cupboard still overhears you call...

Re:Your reality check bounced (1)

LordLimecat (1103839) | about 9 months ago | (#46321057)

Most workplaces (at least those ive been to) have a computer use policy. Generally it allows for personal use of the internet, but will generally note that any and all use is both monitored and that you are responsible for how you use it.

Generally they do this because they can be held liable if for example a DDOS originated from their network, for example.

And really, I dont see why you think you get to set the rules on someone else's equipment. You're right that reasonable people understand that people have to do personal stuff at work; thats why they generally make those allowances. That doesnt mean its "do whatever you want" on the network; there are still standards and there has to be a way to ensure compliance. If you want to affect policy, you should probably get a degree or work experience in IT so that you can make informed recommendations. Otherwise I recommend you leave that to those who have done so.

Re:Your reality check bounced (3, Insightful)

Anonymous Brave Guy (457657) | about 9 months ago | (#46321535)

Most workplaces (at least those ive been to) have a computer use policy.

Yes, often the kind of warning you're talking about is included. And I have no problem with that, provided that it is made clear that the employer is also effectively hacking connections everyone is trained to think of as being secure, such as the on-line banking example a few of us have mentioned.

However, I don't think a typical "we might monitor this stuff" footnote is adequate disclosure in that context, because the point isn't the legal weasel words, it's whether the employee understands what the situation is and can choose to act accordingly. For example, an employee who understands the situation might decline to check their bank balance from a work computer when management responds to their question about a missing salary payment and says it should have arrived now.

And really, I dont see why you think you get to set the rules on someone else's equipment.

Don't make this about me personally. It's about employee rights as part of a healthy employer-employee relationship and, in this particular case, about the mutual trust that is fundamental to that relationship. I don't even work as an employee any more, BTW, so I have no personal axe to grind here.

The point is that employees are not slaves and do not forfeit all rights just because they're working for someone else for money. The entire legal field of employment rights and the entire union movement exist to balance the greater negotiating power of the employer, so the employer can't exploit their advantage to impose one-sided conditions. As a society, we've decided that we won't always let employers do what they want.

If you want to affect policy, you should probably get a degree or work experience in IT so that you can make informed recommendations. Otherwise I recommend you leave that to those who have done so.

Wow. It's a shame I'm posting pseudonymously here, because I'd enjoy seeing you discover the stunning irony of that suggestion.

Let me leave you instead with an alternative possibility to consider. Maybe I've actually worked with this kind of technology for a long time. Maybe I do understand the IT implications of what we're talking about, and I do know why IT departments might have a legitimate business need to use these tools.

But maybe I also see the legal/HR perspective. And maybe my position on this issue is motivated not by the arrogance of the naive young employee you seem to think I am but by observing the real consequences after deals were jeopardised because someone screwed this up. Maybe I've seen people find out the hard way that employees/unions/courts didn't support them as much as they assumed they would. It's actually not that unusual if you see, for example, a US business in an M&A deal with a European one, where the cultural attitudes and general legal stances on employees' rights are very different.

Maybe I've concluded that this is a silly problem that is almost entirely created by institutional arrogance and personal egos in management/IT, and that the problem could be almost entirely eliminated by more enlightened management/IT being up-front with their staff about what is going on and why it's being done, and sometimes by providing alternative mechanisms that avoid the problem without compromising security or compliance.

Re:Your reality check bounced (1)

LordLimecat (1103839) | about 9 months ago | (#46323705)

You're basically saying that there should be additional warnings because the user may not realize that their connection is secure. That is an opinion, and there is merit to it, but I would say that the user has no cause to assume any specific privilege to or privacy on an employer network. Absent any specific allowance, they technically shouldnt even be doing anything personal on it; not that most employers are that strict, but the ability to check your bank account at work is a privilege and an allowance, NOT a right.

Whether the user understands the implications of packet capture isnt something that can be remedied in the context of an AUP, but generally as I recall they include language making it clear that everything I do is under surveillance. If the user doesnt understand what that means, they should ask, rather than assuming that there are exceptions.

I would also note that there are still laws governing what can be done with that data. If a tool were run on top of that to extract passwords, that might be illegal, and if an admin abused their access to personal data it would almost certainly be illegal.

But maybe I also see the legal/HR perspective. And maybe my position on this issue is motivated not by the arrogance of the naive young employee you seem to think I am

I may have been wrong to assume that you were unfamiliar with this sort of thing, but you are absolutely incorrect when you say that most people do not think the "my network my rules" attitude is wrong, or that network surveillance with a notice in the AUP is legally insufficient. You will find that MOST places do that kind of surveillance, with just a notice in the AUP, and that in most countries surveillance is legal when a notice is given.

Maybe I've concluded that this is a silly problem that is almost entirely created by institutional arrogance and personal egos in management/IT,

Then I would hazard that there are a number of scenarios which justify surveillance that you have not gone through. For example: spambots on the network getting you listed on SpamHaus; detecting network viruses that may sneak by your scanner; detecting rogue network access; detecting unauthorized network equipment; detecting attempts to leak highly confidential / proprietary data outside of the network; etc.

You mention court cases where courts did not support these policies: can you clarify? Ive heard of cases where a rogue admin abused his access to personally benefit from the surveillance (spying on employees, particularly at home), but never of a case where network packet interception was, in itself, an issue.

Re:Your reality check bounced (1)

Anonymous Brave Guy (457657) | about 9 months ago | (#46324623)

I would say that the user has no cause to assume any specific privilege to or privacy on an employer network. Absent any specific allowance, they technically shouldnt even be doing anything personal on it

That doesn't necessarily follow, because for example there could be issues of implied consent or custom and practice.

However, that becomes irrelevant anyway the moment the supervisor welcoming an employee on their first day says something to the effect that occasional personal use is fine, because now the employee has explicit permission.

I would also note that there are still laws governing what can be done with that data.

There usually are. There are also often laws covering workplace surveillance that would collect the data in the first place, and there may be general laws on processing various specific kinds of sensitive personal data that impose stronger conditions and would apply as soon as any of those kinds of data might be relevant.

You will find that MOST places do that kind of surveillance, with just a notice in the AUP, and that in most countries surveillance is legal when a notice is given.

I have to be careful what I say here because I have information that isn't public, but I think you're wrong that "MOST places do that kind of surveillance". Use of tools for intrusion protection and data leakage prevention, which are by far the most likely to need to MITM encrypted connections, varies widely depending on organisation size and industry. Lots of people say they monitor incoming and/or outgoing traffic, but not all of them do it very well or comprehensively, and even fewer have spent the time to configure certificates/keys properly on the newer generations of device that support intercepting SSL connections (which is still a relatively recent set of features, by the timescales that enterprise-wide management hardware tends to be updated on).

That doesn't really matter, though, because clearly some places do do this, and that's what we're interested in here. Yes, they probably have some sort of document that an employee has theoretically seen saying communications might be monitored. And yes, in many cases that monitoring will be legal as long as the employee has been informed, without requiring their explicit consent. However, while in many jurisdictions an employer is allowed to monitor use of company resources and does not need an employee's explicit consent, they usually must be up-front about that monitoring.

The moment you (a) suggest that an employee visit a normally private site, such as their bank, and (b) intercept resulting communications in a way that the employee wouldn't normally expect, such as a web site with the padlock we've all been trained to think of as meaning a private connection, you are in danger of running into covert surveillance rules, which tend to be much stronger.

Also, the moment you intercept any information of a particularly sensitive nature, you potentially run into much stronger rules. For example, the Data Protection Act here in the UK distinguishes certain types of "sensitive personal information", and there are significantly stronger rules on collecting and processing that data.

Then I would hazard that there are a number of scenarios which justify surveillance that you have not gone through.

Just to be clear, because I think we might be talking at cross-purposes here, I am not disputing that there are good business reasons to employee these kinds of tools. The silly problem I referred to was getting into trouble by doing so without properly informing employees and without taking reasonable steps to keep everyone happy such as providing alternative means for them to communicate without the surveillance where this can sensibly be done.

You mention court cases where courts did not support these policies: can you clarify?

Probably not in a public forum, but to give a somewhat similar scenario, try asking your lawyer what they think would happen if an employer intercepted a message from a trade union rep to the union's head office legal team, sent via the employer's network that was declared to be monitored but over a connection the union officials believed to be securely encrypted, and the employer then attempted to rely on the contents of that communication during a subsequent tribunal involving an employee who was the subject of the communication.

Once again, I'm not saying there is anything wrong with the general principle of intercepting traffic entering or leaving a business network for security reasons. In fact, I've argued at various points in this discussion that this is often a good practice and in just about everyone's best interests. I'm just saying that for something like breaking a connection that appears to be securely encrypted, a brief one-liner in a document that an employee might realistically never have read and understood in its entirety might be insufficient. If the interception is being done for legitimate reasons, there is no problem with being up-front about that so employees are properly informed, and not doing so has no upside and potentially a huge downside if it results in a breakdown of trust. It doesn't do any harm to have a separate isolated/off-network facility that employees can use for any personal matters either; this is less important today as many people have their personal devices and mobile connections anyway, but becomes more important again if you start getting into BYOD situations where the employer has ever had any access to the employee's device.

Re:Looking for a job on company equipment? (1)

flyneye (84093) | about 9 months ago | (#46322113)

But it your life and when backed in a corner with no reasonable choices,there isnt a lifeform on this planet that wont take the destructive path out.
While the company has all the toys and a mission too high to recognise employees as more than replaceable units, it has grown too large for sustainablility and will need ever increasing amounts of bullshit like this in order to even open its eyes in the morning. Like the drunk on a perpetual binge, soon its liver will turn on it and a quick installation of an oil filter just wont do the job, it dies. So a company with the hubris to believe it has so much power and control over its employees will soon see the shortsightedness, but too late. This scurry for security in the midst of political upheaval and poor economy is going to provide a surprise for the big boys suffering from cranial-rectumitis. No one loves them that much. This is an age where the individual is pressed into scrambling for survival and relys on his own talents and will market them at a lower price in exchange for comfort and security, if they dont just outright start their own small business. Party is over, enjoy your toys....

Re:Looking for a job on company equipment? (4, Insightful)

lgw (121541) | about 9 months ago | (#46314533)

Wow, people really believe this sort of shit?

If it bother you that your employees are looking elsewhere for a job, perhaps try harder to retain them? I have standing offers to work for a couple of places, places that make the top paying employers lists. At this point in my career I don't really have to "look" for a new job, I just stop ignoring the offers. Yet I'm staying where I am - and not based on pay.

Want people to stay when they have plenty of choices? Try not pointlessly hassling them over shit like "using company equipment". You'd have to get pretty extreme with that sort of thing before you'd cost more than the cost of hiring someone new and them coming up to speed, even if you were such a dick that you even pay attention.

Re:Looking for a job on company equipment? (1)

LordLimecat (1103839) | about 9 months ago | (#46314709)

At the very least, looking for another job on company time is a waste of company time / resources. Yes, just about everyone goofs off @ work from time to time, but doing it to benefit yourself at the expense of your company is adding insult to injury.

Seriously, wait till you get home, theres really no justification for it.

Re:Looking for a job on company equipment? (0)

Anonymous Coward | about 9 months ago | (#46315073)

Oh fuck off. Going to the bathroom or sharing a joke with colleagues is also a waste of company time.

Fortunately I don't work with a bunch of robots, although there are a few arseholes like you swanning around, usually the sort who are shit at their jobs and can't learn anything even when it's spelt it out to them.

Re:Looking for a job on company equipment? (1)

Rich0 (548339) | about 9 months ago | (#46322501)

Seriously, wait till you get home, theres really no justification for it.

Where is this wonderful place where an employer distinguishes between time at home and time at work? I think what you wrote makes about as much sense as refusing to give your cell phone number to your boss or refusing to take your laptop home.

If you're an exempt employee then there is no distinction between company and personal time. You're being paid to get something done, and whether you could have gotten more done in the same time isn't legally your boss's concern. If they want to hire you for your time then legally they need to pay you for your time, including all of the labor law provisions that requires, which your employer most likely doesn't want to deal with. Oh, and if they do that, then you can call anybody you want to on your 15-min breaks, and if on one of those breaks the boss tells you the server just went down you can tell him what to go do with himself. That is, if we're living in that fantasyland you're talking about where employers respect labor laws and employees respect their employers as a result.

Re:Looking for a job on company equipment? (1)

black6host (469985) | about 9 months ago | (#46314769)

You come across as very arrogant. Have you ever managed a group of low level employees who spent more time chatting, visiting facebook or conducting online personal shopping than they did actual work? How do I explain to the guy/gal across the hall that everyone is losing their jobs because the company is folding due to the other half just plain not doing their jobs.

I'm sorry but if I'm paying you, then you do what I pay you to do. If you're so valuable that you think you call the shots then I've got news for you: If you're not the capital behind the company, if you're not the one that is taking the risk of losing it all, then please do your job as requested. And if that means no personal business than so be it. Feel free to move on to all the other suitors in your professional life if you don't like it.

A company should work as a team, as if everyone's job depended on the success of the company. Because it does.

Re:Looking for a job on company equipment? (1)

dbIII (701233) | about 9 months ago | (#46314979)

On the other hand there's wasting time monitoring people. Sometimes that gets out of hand. Personally I'm sick of HR types saying they are checking what employees are posting on facebook when the proxy logs instead show the HR types are playing some sort of online game via the facebook portal. However I consider both to normally be a huge waste of time (as would me checking the logs if I did it for reasons other than trying to work out why traffic is slow).
That sort of stuff is how you can go from replacing one HR person doing 20 hours/week organising work crews effectively with two 40 hour/week people who are spending too much time reading about employees on facebook to get crews together at anything other than the last minute or later.

Re:Looking for a job on company equipment? (0)

Anonymous Coward | about 9 months ago | (#46315037)

Have you tried actually managing the people, ie. understanding the goals for success, the timeframes, sharing the plan, what's in it for everyone, getting your own hands dirty?

Or are you one of those who just assumes everyone is on board, even though you almost never see them or talk to them, except when you're complaining?

Re:Looking for a job on company equipment? (1)

Bert64 (520050) | about 9 months ago | (#46315067)

Working as a team cuts both ways... If the owners of the company are busy playing golf and rolling around in cash while the low level employees are on minimum wage while being watched and lorded over then it certainly doesn't feel like a team. If you treat employees well then they will feel some level of loyalty to the company and are far more likely to work harder.

And on another matter, regular breaks are key... You can't concentrate on the same thing for hours on end, especially something which is mundane... Someone who *appears* to be working non stop is probably doing so far less efficiently, making more mistakes and having their mind constantly wandering to other subjects because their slave masters can't see what they're thinking about.

Re:Looking for a job on company equipment? (0)

Anonymous Coward | about 9 months ago | (#46315621)

Have you ever managed a group of low level employees who spent more time chatting, visiting facebook or conducting online personal shopping than they did actual work? How do I explain to the guy/gal across the hall that everyone is losing their jobs because the company is folding due to the other half just plain not doing their jobs.

Explaining to or convincing your reports that they need to be productive is a big part of being a manager. If one or two of your people are goofing off, they may be slackers, or working at an inappropriate job, and you might need to send them on their way. If all of your people are goofing off, then you have failed at your job, and you should be sent on your way.

Give people interesting work, reward them for good performance, and they will work. If they aren't performing, help them focus. This makes you part of the team. If you spend your time spying on them, watching their minute-by-minute activities, rather than evaluating their output, you're losing the forest for the trees. More importantly, this makes you jailer, and people will work much harder for the team captain than they will for the jailer.

Re:Looking for a job on company equipment? (0)

Anonymous Coward | about 9 months ago | (#46316185)

Block those sites. The internet it is not required for every job description and can be a complete time waster. There are plenty of jobs so boring that staring off into space is more interesting. Those jobs still need to be done. If your company can't lock down the employee computers and provide training to explain the policies to the employees, then they are implicitly agreeing to paying those employees to play Farmville and other useless things. This is an IT issue and a solvable one.

Re:Looking for a job on company equipment? (1)

Rich0 (548339) | about 9 months ago | (#46322647)

You come across as very arrogant. Have you ever managed a group of low level employees who spent more time chatting, visiting facebook or conducting online personal shopping than they did actual work? How do I explain to the guy/gal across the hall that everyone is losing their jobs because the company is folding due to the other half just plain not doing their jobs.

Are they getting their work done or not? Whether they're spending more time doing other things isn't really relevant to their performance as an employee. Assign work to be done and a timeframe to do it in. If they are getting it done, then what they're doing in their spare time isn't your concern. If you're paying them more to do the work than the work is worth, then you're steadily putting yourself out of business with every assignment you give. Set the timeframe of the job to something where the job is a money-maker for the company. If nobody gets the job done in that time, then either you need to find another way to get the jobs done (change the work, change how it is done, or find somebody else to do it who can get it done at a reasonable cost), or you might as well close shop now as you're just wasting money.

How about an analogy. Imagine a small business that takes the cost they produce their product at, adds 10%, and sells the product at that price. That is not a good recipe for staying in business - it might happen to work in some cases, but it completely neglects just about every principle of microeconomics. Instead you look at the supply/demand of that product, and set the price based on that. If that price is cost+100% then you rake in cash like Apple until the rest of the market catches up. If that price is lower than the cost, then you don't bother to make the product at all, or you change what product you make so that you can find something that you can actually sell for more than it costs to make. You don't just go out with a product that you need to sell at some price hoping that wishing will make it so, and then maybe try to make incremental changes when it isn't going so well.

The costs come down to the supply chain, and employees are just one part of that. If the price of a part in your product was too high you would either find a better way to source that part, find a way to make do without the part, or stop making that product. Well, employees are really no different. If their work output per dollar of spend isn't cutting it then you need to get more out of them (telling them to work harder usually doesn't work), find a way to do the job without them, or stop doing the business that requires those employees.

If you're the employee then you need to think about what value you're adding to your employer. If that value is significant compared to your pay, then it really doesn't matter how busy you are, what liberties you take, and so on. If your manager isn't very business savvy maybe you need to try to look busy, or you need to find somebody to work for who understands your value. On the other hand, if you don't have a good sense of the value that you do add at work, then success is going to be a matter of luck, much like the business owner who doesn't understand the actual value of their products.

Re:Looking for a job on company equipment? (1)

TranquilVoid (2444228) | about 9 months ago | (#46333085)

If you're not the capital behind the company, if you're not the one that is taking the risk of losing it all, then please do your job as requested.

Ironically this is why low-level employees spend their time chatting etc. - they're unmotivated, unless they are desperate for the job. Imagine a utopia where all citizens had equal ownership of capital!

Re:Looking for a job on company equipment? (1)

TapeCutter (624760) | about 9 months ago | (#46315045)

Cuts both ways, I once worked with a guy who racked up $6k of international phone calls trying to get a job in the US. The thing that blew me away is he kept his existing job after he was caught.

Re:Looking for a job on company equipment? (1)

VikingNation (1946892) | about 9 months ago | (#46320143)

Employers have good reasons to monitor employees use of email, chat, and instant messaging. This is especially true for sectors such as business, law, and government. The monitoring has nothing to do with monitoring employee morale.

Assume all MS products are spying on you. (4, Insightful)

Anonymous Coward | about 9 months ago | (#46313761)

I have to use Lync at work, and I'd just assumed it'd be cc'ing keywords etc to HR and management.

Re:Assume all MS products are spying on you. (5, Informative)

dreamchaser (49529) | about 9 months ago | (#46313931)

People should assume that with any means of communication they use in the workplace. There is no guarantee and should be no expectation of privacy when using an employer's systems.

Re:Assume all MS products are spying on you. (0)

Anonymous Coward | about 9 months ago | (#46314087)

I was having a Lync chat with a co-worker a few months ago and she was talking about throwing a co-worker out the window (seriously). I tried to get her to stop but she was on a roll. Surprisingly, we're both still employed ... oh no ...

&(M!..
%#^^.!
NO CARRIER

Re:Assume all MS products are spying on you. (0)

Anonymous Coward | about 9 months ago | (#46314191)

I think we're pretty much there- I mean, do we really have an expectation of privacy anywhere?

Re:Assume all MS products are spying on you. (-1)

Anonymous Coward | about 9 months ago | (#46314283)

Yes. You can't stick you nose in my asshole without my permission. It's private. No electronic devices have been hooked up to my blackhole.

Re:Assume all MS products are spying on you. (1)

ColdWetDog (752185) | about 9 months ago | (#46314465)

Yes. You can't stick you nose in my asshole without my permission. It's private. No electronic devices have been hooked up to my blackhole.

Time for your colonoscopy, comrade!

Re:Assume all MS products are spying on you. (0)

Anonymous Coward | about 9 months ago | (#46314409)

There is no expectation of privacy anywhere. And if MS, FB, ect.. have these abilities then you have to entertain this question.

How deep are they into cooperation with US spying agencies? I am not buying this "we had no idea" excuse, and MS hasn't commented on accusations that they've willfully and secretively been helping out.

And if your communicating using your employers phones, computers, e-mail addresses ect. They shouldn't have the right to willfully collect any data unless they suspect you have been engaging in ill-willed acts against the company. I think you will see lawsuits out of this. But that depends if people working for these companies can find another job, so I also think lawsuits would be unlikely.

Re:Assume all MS products are spying on you. (1)

LordLimecat (1103839) | about 9 months ago | (#46314715)

You are not correct. AFAIK "expectation of privacy" is a legal term, and you DO have such an expectation at home.

I know its fun and all to throw hyperbole out there on slashdot, but lets try to stay in the realm of reality.

Re:Assume all MS products are spying on you. (1)

Kalriath (849904) | about 9 months ago | (#46318943)

Actually, many employers have a legal obligation to collect data, for example public records legislation for public sector or sarbanes-oxley for private sector. They don't have the right not to.

Re:Assume all MS products are spying on you. (0)

Anonymous Coward | about 9 months ago | (#46315033)

People should assume that with any means of communication they use in the workplace.

Yap. Thats why I dont even connect my private devices to the work-network. And why I never look at anything that could trigger any alert while using the corporate devices. No private email. No off-topic websites. Anything I do on the work network is somehow related to my work. If I have to connect from home to a work-system, I use a dedicated VM.

So, it they screen my data, Im either the perfect emploee, or Wally. Truth is, they will never really know :)

Re:Assume all MS products are spying on you. (1)

cascadingstylesheet (140919) | about 9 months ago | (#46315365)

People should assume that with any means of communication they use in the workplace. There is no guarantee and should be no expectation of privacy when using an employer's systems.

Depends on what you mean by "expect".

I don't "expect" people to behave decently in any predictive sense, but I "expect" people to behave decently, as in I think that they should do so.

Re:Assume all MS products are spying on you. (1)

ComputersKai (3499237) | about 9 months ago | (#46314355)

Great. They should've posted this before I got Windows 8. :)

Re:Assume all MS products are spying on you. (0)

Anonymous Coward | about 9 months ago | (#46315217)

No. You should have just not got Windows 8.

Quite apart from the privacy issues, it's a shitty OS.

Re:Assume all MS products are spying on you. (1)

tuxgeek (872962) | about 9 months ago | (#46317369)

One can also safely assume all Microsoft products are all spyware/malware/botnet riddles with viruses.
What a business model!

Re:Assume all MS products are spying on you. (0)

Anonymous Coward | about 9 months ago | (#46322843)

That's a bit harsh. Microsoft products are absolutely skewed towards the enterprise, as that is their major market, but any system that offers phone, IM, online meetings, etc., is going to have the ability to log such information. Note that the article does not talk about logging or indexing the contents of communications; only the metadata. Now, the whole metadata logging discussion may sound familiar, except that in this case, it's being done by an employer who (should) tell you up front that your communications may be monitored.

Honestly, since it would take someone manually connecting an awful lot of dots to make any useful sense of Lync data, I'd call this a non-issue, especially in light of other far more nefarious state-sponsored activities recently come to light.

Re:Assume all MS products are spying on you. (0)

Anonymous Coward | about 9 months ago | (#46319907)

I have to use Lync at work, and I'd just assumed it'd be cc'ing keywords etc to HR and management.

Lync doesn't CC keywords anyone. It's logs call records (CDR) and someone with enough smarts can use call records to make all sorts of predictions. Simple data analysis works wonders.

Can see how own network, messaging is being used!? (5, Insightful)

raymorris (2726007) | about 9 months ago | (#46313767)

I'm shocked and amazed. A company running their own messaging server on their own network can see how it's being used?!
Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.

Re:Can see how own network, messaging is being use (2, Insightful)

Anonymous Coward | about 9 months ago | (#46313785)

Yeah, and for the morons using company resources to look for a different job: don't. Use your personal cellphone, or something otherwise not funded by the company.

Re:Can see how own network, messaging is being use (5, Funny)

TrollstonButterbeans (2914995) | about 9 months ago | (#46313905)

This is why I prefer to do my job searches on a disliked co-workers computer.

Re:Can see how own network, messaging is being use (0)

Anonymous Coward | about 9 months ago | (#46314843)

This is why I prefer to do my job searches on a disliked co-workers computer.

What a coincidence, I'm doing my job search on your computer right now.

Re:Can see how own network, messaging is being use (1)

trout007 (975317) | about 9 months ago | (#46314045)

We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.

Re:Can see how own network, messaging is being use (3, Informative)

fluffy99 (870997) | about 9 months ago | (#46314161)

We had an email go out saying that people were using Bittorrent from home over the VPN and to please stop since it's illegal and taking up bandwidth.

You guys need better network admins. Proper firewalling and proxying should block traffic like that.

Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.

Re:Can see how own network, messaging is being use (0)

Anonymous Coward | about 9 months ago | (#46314655)

Ever thought about such a lax policy could come from their boss? At the place where I work there are literally no restrictions and I am not at liberty to introduce any because my boss won't allow it. Anything that would in any way impair employees in doing whatever they damn well please is off limits to resrict.
Imagine the fun I'm having as an administrator in a company where everyone has administrator rights.

Re:Can see how own network, messaging is being use (0)

Anonymous Coward | about 9 months ago | (#46314949)

Imagine the fun I'm having as an administrator in a company where everyone has administrator rights.

That's not necessarily unmanageable, I've worked in a really large multinational where all employees had local admin rights, but IT still had full control and very few issues through the right tools, setup and policies -- including Network Access Control.

Re:Can see how own network, messaging is being use (2)

LordLimecat (1103839) | about 9 months ago | (#46314717)

Sometimes you do want all traffic on a work computer being sent through the VPN. There are a number of security reasons why it would be important to know that, for example, a user is connected to bittorrent simultaneously with being connected to corporate resources. Theres also a good reason for it to be against company policy.

Re:Can see how own network, messaging is being use (0)

Anonymous Coward | about 9 months ago | (#46315297)

Sometimes you do want all traffic on a work computer being sent through the VPN.

I could make the argument its more secure in some cases to have a split tunnel rather than a default route? Why? If you need internet traffic while on the VPN with a default route I have to somehow let that go out and then come back in through the corporate firewall/VPN server to route back to your VPN client. I'd just as soon let you access it directly with a split tunnel and have additional security software on your system to figure out if you are doing anything naughty.

Re:Can see how own network, messaging is being use (1)

Zarhan (415465) | about 9 months ago | (#46315039)

Also, I shudder to think of the potential mess caused by allowing personal laptops to VPN in the first place.

Depends. With proper endpoint assessment tools, you can obtain some reasonable security. BYOD is kind of a rising trend, so a generally accepted method seems to be "Sure, you can connect your own laptop or tablet or whatever to the network, but you'll use Anyconnect and the HostScan has to report conformance". This mostly stems from the fact that in all the meetings folks are starting to use their fancy iPads instead of bulky laptops...and are expecting same services being available.

I've seen some customer actually think of this as a benefit - savings in IT budget. If workers are willing to maintain their own devices on their own time and all the IT has to do is a compliance check, all the better for the company.

Re:Can see how own network, messaging is being use (1)

Tom (822) | about 9 months ago | (#46314739)

I would have expected better from the /. crowd.

Especially to understand the difference between a theoretical ability to look at individual data and systematic large-scale data analysis.

You know, one is someone giving you the looks on the street - and the other is 24/7 stalking. As a society, we pretty much agree that one is fine and the other isn't.

Re:Can see how own network, messaging is being use (2)

cellocgw (617879) | about 9 months ago | (#46315505)

Next you'll tell me that my company's email administrator can see email I send at work, through the server they administer.

And the root problem here is that (thanks, FCC) email is *still* not considered a communication the way POTS or USmail is. If some company said "hey, you dropped your US mail envelopes in an Out box that we own, so we can open all your mail," they'd go to jail. Same goes for voice comms. But e-mail somehow magically belongs to the owners of the server? That's crap and the law should be changed. In the meantime, I'll just point out that the ethics (Hey, United Technologies Ethics Officer, I'm talking to YOU) of email spying is beneath despicable.

work telephones have always had the same (1)

raymorris (2726007) | about 9 months ago | (#46315737)

> And the root problem here is that (thanks, FCC) email is *still* not considered a communication the way POTS or USmail is. ...
> they'd go to jail. Same goes for voice comms. But e-mail somehow magically belongs to the owners

When you use the company's telephone network, the same information is logged. Since virtually all systems do so, there's a standard data format they use, called CDR (call detail record). This has been the case for at least 40 years. You need logs to debug problems in the system, for capacity planning, etc. Does the company need to place an order now to have more lines to the outside world installed two months from now? The admin queries the logs to find out. Why is the company suddenly spending so much money on international calls? Again, they query the logs. If you send packages or letters using the company's FedEx account they have records of that too. They need to know how their money is being spent.

this is why they have cell phones (2)

alen (225700) | about 9 months ago | (#46313771)

i work in the same building with a huge Tommy Hilfiger presence and always see people talking on their cellphones in a corner about what they do at their job

lots of products already do this (1)

Anonymous Coward | about 9 months ago | (#46313783)

Cisco and lots of other phone software vendors do this
my wife fired someone because they had the call details to prove she didn't call customers like she was told to do so

Re:lots of products already do this (5, Insightful)

BitZtream (692029) | about 9 months ago | (#46313987)

ALL PBX type software does this.

Anyone who wants to be able to bill internally HAS to keep this metadata to do internal billing.

Its also something that has been collected for the entire 30 years I've dealt with phone systems, and its not like it was new when I first started in telephony.

You're pretty fucking stupid if this is news to you.

Re:lots of products already do this (1)

Grishnakh (216268) | about 9 months ago | (#46314185)

Who would use a company phone to make personal calls in this day and age anyway? Doesn't everyone have a cellphone now?

Re:lots of products already do this (1)

Vrtigo1 (1303147) | about 9 months ago | (#46314235)

Me. It's a lot more convenient to reach over and pick up my desk phone than it is to fish around in my pocket for my cell phone, unlock it, etc. Plus there are a lot of folks that have poor coverage on their cell phone at work and using their desk phone prevents them from having to get up and go outside. Personally, I have a work IP phone at home and use it almost exclusively because my cell coverage is spotty.

If you work at a company that would care about who you're calling, then how happy can you really be with your job? I wouldn't use a work phone to make a personal call to China or somewhere else where the long distance rate might be expensive, but for everyday personal calls I don't see any problem doing it. How much can your employer really find out from knowing who you talk to? If they were recording the calls, then that would be another deal entirely. Fortunately I live in a state where that would be illegal to do without my knowledge.

Re: lots of products already do this (0)

Anonymous Coward | about 9 months ago | (#46314561)

[Your] use of this equipment consents to monitoring...

Re: lots of products already do this (1)

Hognoxious (631665) | about 9 months ago | (#46315609)

[Your] wearing of a six-pointed star constitutes consent[1] to being gassed.

[1] "consents" doesn't work how you used it, you 'tard.

Re:lots of products already do this (1)

LordLimecat (1103839) | about 9 months ago | (#46314721)

Desk phones are more reliable, almost never drop calls, and have a lot of features that either dont exist or suck on cellphones like transfer, hold, conference.

Re:lots of products already do this (1)

Grishnakh (216268) | about 9 months ago | (#46315883)

I don't have problems with dropped calls on my cellphone, at least not at work (maybe if I go out in the boonies somewhere, but that's not often).

Why do I need features like transfer, hold, or conference if I'm making a personal call?

In related news... (-1)

Anonymous Coward | about 9 months ago | (#46313789)

Schools can still search a student's locker because it's THE SCHOOL'S PROPERTY.

Re:In related news... (1, Informative)

The Cat (19816) | about 9 months ago | (#46314041)

It's the taxpayers' property, and the 4th and 5th amendments don't have an age limit.

Either get a warrant, or it's an illegal search. Case closed.

(I'm only replying because you are obviously the same person loudly and obnoxiously defending the corporate status quo above)

Re:In related news... (-1)

Anonymous Coward | about 9 months ago | (#46314095)

When I bend over, my anushole becomes visible. When that happens... oh boy, it's a feces fiesta!

Re:In related news... (-1)

Anonymous Coward | about 9 months ago | (#46314253)

It is not the taxpayer's property. You have been called out on this many times before in other discussions, and yet still have no idea what you are talking about. Please educate yourself instead of spitting out the same incorrect trash over and over again.

Re: In related news... (0)

Anonymous Coward | about 9 months ago | (#46314451)

http://en.m.wikipedia.org/wiki/Poisoning_the_well

A fallacy and a reverse assertion does not a refutation make.

Re: In related news... (1)

LordLimecat (1103839) | about 9 months ago | (#46314733)

He is not wrong to call GP out on his ignorance. Just about everything in that post was completely wrong. If someone continues to post stuff that is factually wrong and trivially provable, theres very little point spending the time to prove it in every post; telling them to "shut up and sit down" is not a fallacy.

Re:In related news... (1)

LordLimecat (1103839) | about 9 months ago | (#46314729)

BZZZT, Wrong. Schools do not need a warrant to search their own property (it is owned by the school, even if the money came from taxpayers), and the supreme court has ruled that during the schoolday, several of the Bill of Rights protections do NOT apply to school children.

Not sure where you got your law degree, but maybe you should take a refresher course.

Re:In related news... (1)

The Cat (19816) | about 9 months ago | (#46317817)

The Supreme Court also ruled that Dred Scott wasn't a person.

If "several" of the Bill of Rights protections do not apply to school children, who gets to decide which is which? Can they be held without trial? Questioned without a lawyer? Denied a jury trial? Convicted on secret evidence?

Forced to pray to whatever god the school deems appropriate?

Oh shit, it looks like your argument just turned around and took a nice thick bite out of your smart ass. Next time a little less mouth might serve you well.

today. (1, Insightful)

epyT-R (613989) | about 9 months ago | (#46313791)

So, as corporate policy becomes more like that of highschool, and highschool policy becomes more like prison, we're all kept in adolescent, fear-driven hell just a little more, already well past the sell-by date. Meanwhile, lawyers and software vendors write laws and software to profit from this stunting of society. More at 11.

Re:today. (3, Insightful)

ScentCone (795499) | about 9 months ago | (#46314149)

Start you own company, and make a point of having absolutely no way to deal with the communications your employers perform on your behalf. Don't worry, you'll never, ever be involved in any sort of lawsuit that would bring out the fact that you don't cover yourself. What could go wrong? You'll be fine.

Re:today. (0)

Anonymous Coward | about 9 months ago | (#46314189)

That's the fear line software sales gives to companies to buy their software. It's like the alarm companies, except the scary guy in a mask is you.

Re:today. (3, Informative)

bloodhawk (813939) | about 9 months ago | (#46314343)

It may be a fear line, but it is also 100% accurate. companies are constantly being sued by there employee's for NOT being vigilant enough in the work place, whether it is sexual harassment, bullying, corruption or workplace safety. Employers have a legal responsibility to demonstrate they are taking steps to prevent and monitor those situations and if they aren't it is a legal bonanza for staff that want to take advantage of it.

Re:today. (1)

Bert64 (520050) | about 9 months ago | (#46315095)

The constant threat of lawsuits is extremely damaging to society as a whole.. Not just in the workplace, but everywhere. People file lawsuits for all kinds of stupid things, like tripping over a loose paving stone or scolding themselves on a cup of coffee.

What ever happened to personal responsibility?

Everyone now has to pay, not just the cost of the lawsuits but the cost of organisations trying to cover their asses to reduce the number of lawsuits. This results in higher prices, higher taxes, and a much higher risk of your job being outsourced to asia where companies don't have to pay for these risks.

Re:today. (2)

Hognoxious (631665) | about 9 months ago | (#46315619)

scolding themselves on a cup of coffee.

Bad me! Naughty me!

Re:today. (0)

Anonymous Coward | about 9 months ago | (#46316045)

If there is a legal safety limit to the temperature that food can be served, then it is illegal to serve food at a higher temperature and claim it's safe to consume.

Re:today. (1)

bloodhawk (813939) | about 9 months ago | (#46318923)

I agree it is insane and personal responsibility has been thrown to the wind, it is always someone else's fault for your own stupidity. Sadly Companies must make their rules to exist in today's society and today's society is a sue happy environment. I wish it would change, and until it does change (not holding my breath on that) then companies must increase controls and monitoring.

Re:today. (1)

LordLimecat (1103839) | about 9 months ago | (#46314743)

...Until one of your employees does something that could bring liability on you (like bringing proprietary information over from their last job, especially if it was federal --> private sector), and you have no way to prove that you werent complicit.

This stuff happens ALL OF THE TIME. Chris Christie is dealing with it right now. "Non-repudiation" is a pretty important thing when it comes to business communications.

Re:today. (0)

Anonymous Coward | about 9 months ago | (#46315135)

That's why you keep the company out of the USA and just sell there.

Re:today. (0)

Anonymous Coward | about 9 months ago | (#46314421)

So, as corporate policy becomes more like that of highschool, and highschool policy becomes more like prison, we're all kept in adolescent, fear-driven hell just a little more, already well past the sell-by date.

Meh. My (LARGE)!employer claims the new corporate policy is that all employees must pre-register with corporate hq when personal travel will take the employee out of our home country. That's all employees, not just those who have monitored access to government secrets.

The more ridiculous their demands to control our actions become the more likely we are to just ignore all their rules instead.

Re:today. (1)

LordLimecat (1103839) | about 9 months ago | (#46314745)

There could be a lot of valid reasons for that, particularly if any of the work you do involves clearances.

I love it when slashdotters complain about how boneheaded policies are without having the faintest clue of the reasons behind them.

Re:today. (0)

Anonymous Coward | about 9 months ago | (#46315113)

I love it when slashdotters defend authority because surely authority has a good reason to do what it's doing. To each his own.

Re:today. (0)

Anonymous Coward | about 9 months ago | (#46315323)

There could be a lot of valid reasons for that, particularly if any of the work you do involves clearances.

I love it when slashdotters complain about how boneheaded policies are without having the faintest clue of the reasons behind them.

I love it when you complain about this while pretending the companies are blameless for not doing a better job of explaining their policies to the employees. "Do this because I said so!" is no way to talk to adults. "Do this thing X for really good and sensible reason Y" is how you increase compliance. If companies don't understand that, that's the company's fault.

Re:today. (1)

LordLimecat (1103839) | about 9 months ago | (#46320951)

It may seem simple to just say "explain it to the employees" but that takes time and effort, and may give someone the idea that if they can mitigate our concerns then they are OK to violate policy. A lot of the time things like "no personal devices on corporate email" arent JUST about "we dont trust you individually", but "trying to have a separate policy for each individual is too much administrative work, and for auditing / compliance reasons it is far more manageable to say no". Explaining this kind of thing to an HR person with no IT expertise is just a waste of the company's time and theirs, and may give them an opening to argue with something that is a non-negotiable.

Certainly I have never heard it explained to me why i cant do the things I cant do at work; as an IT person I understand some of them, and as I know the security team I am able to ask about others, but the fundamental reason is that I am both employed by my employer and I am replaceable. Its really not my business how they choose to run the company; my job is to provide the expertise I was hired for, and to comply with their policies. If those policies are a PITA, well, Im sure its a PITA to deal with several thousand users who each think they know better, and the job isnt there to make my life simple.

Can you read? (0)

Anonymous Coward | about 9 months ago | (#46315479)

There could be a lot of valid reasons for that, particularly if any of the work you do involves clearances.

I love it when slashdotters complain about how boneheaded policies are without having the faintest clue of the reasons behind them.

Since you neglected to quote any portion of the post you responded to, let me quote for you a key sentence in the post you are making fun of:

That's all employees, not just those who have monitored access to government secrets.

The emphasis on "all" was in the OP. Are you being deliberately obtuse, Warden Norton?

Re:Can you read? (1)

LordLimecat (1103839) | about 9 months ago | (#46320959)

The majority of my experience is with private sector businesses. This kind of monitoring is pretty standard once they hit a certain size. And you'll note that my post was not an exhaustive list of reasons; there are others such as legal CYA and preventing the leak of proprietary and / or customer information, or even something as simple as controlling run-away abuse of internet privileges.

I truly do wonder how many of the people raising objections are actually involved in network IT; I would hazard that they are not, as most who are are aware of how common this is.

And why should you expect anything different? (4, Informative)

halo1982 (679554) | about 9 months ago | (#46313815)

If you're instant messaging someone on the company's IM platform on the company's time why the fuck would you have any expectation of any sort of privacy?

I know my company can see everything I can do when I'm logged on to their computer. This is part of the agreement I signed with them. It's also the reason why I don't do stupid shit on my company's network like look for another job or send out resumes from my company email address.

Oh wait, the outrage is because it's Microsoft. Got it.

Re:And why should you expect anything different? (1)

SleeplessDrone (2510746) | about 9 months ago | (#46313859)

Seconded, If you are using company resources to hunt for a new job or flirting with co-workers you're bound to get caught anyways. Also why would you give a potential employer your direct extension or company email?

Re:And why should you expect anything different? (1)

TrollstonButterbeans (2914995) | about 9 months ago | (#46313891)

FORTHed!

[You know, like the programming language that --- aw nevermind ...]

Re:And why should you expect anything different? (1)

Ziran (1931202) | about 9 months ago | (#46314489)

Don't worry, I recognised the reference

Re:And why should you expect anything different? (0)

Anonymous Coward | about 9 months ago | (#46314143)

I know my company can see everything I can do when I'm logged on to their computer. This is part of the agreement I signed with them. It's also the reason why I don't do stupid shit on my company's network like look for another job or send out resumes from my company email address.

Why should that be considered "stupid shit"? Shouldn't it be considered perfectly normal and appropriate to look for another job?

Let me put it this way. Right now I'm a grad student, which means I am essentially an employee of my university -- I teach classes and apply for grants for them, and they pay me to do it. In a year or two, having exhausted the possibilities of my current job, I will be applying for better jobs at my current employer's chief competitors. And, far from discouraging me or punishing me for that, my employer actively encourages me to do so and offers a lot of support to help me find the best job possible.

Why should things be so different in the corporate world? What, really, is the difference? Actually, employees are probably less likely to leave a company like Microsoft than grad students are to leave a university, since they don't get an awesome credential after 5 years at Microsoft that gives them a good chance of getting a better job elsewhere. Instead of being anal, maybe Microsoft should accept that some of their employees will leave, and even help them along in their careers, so that they'll say good things about Microsoft later, and so that Microsoft can brag about them if they succeed?

Re:And why should you expect anything different? (1)

ColdWetDog (752185) | about 9 months ago | (#46314481)

Ah, the innocence of youth.

Re:And why should you expect anything different? (1)

LordLimecat (1103839) | about 9 months ago | (#46314747)

Shouldn't it be considered perfectly normal and appropriate to look for another job?

On company time, company network, and computer? Id call that the height of foolishness, and the company would be right to throw a fit about it.

Re:And why should you expect anything different? (0)

Anonymous Coward | about 9 months ago | (#46315691)

Right now I'm a grad student, which means I am essentially an employee of my university -- I teach classes and apply for grants for them, and they pay me to do it. In a year or two, having exhausted the possibilities of my current job, I will be applying for better jobs at my current employer's chief competitors. And, far from discouraging me or punishing me for that, my employer actively encourages me to do so and offers a lot of support to help me find the best job possible.

A grad student is very definitely *not* an employee of the university in the usual sense of "employee," and the tendency to think of them as such is very damaging to the academic environment. Please remember that the check they give you in exchange for your teaching and grant writing is called "stipend" not "salary" and that a significant portion of your "compensation" is a tuition waiver. The university may be giving you a check, but you (or someone on your behalf) are very literally paying them to be there. The university's product is educated graduates, not any kind of widget, or even research papers. They are paying you because they think that not having to work another job while going through this rigorous training program will make you a better graduate. So, while there are superficial similarities between "a job" and "grad school" they are not the same thing. The university's product is you, so anything you do that makes you a better alumnus, including to line up a good job after graduation, contributes to the university's business and mission.

Re:And why should you expect anything different? (5, Interesting)

Tom (822) | about 9 months ago | (#46314731)

If you're instant messaging someone on the company's IM platform on the company's time why the fuck would you have any expectation of any sort of privacy?

Because you're a human being and don't leave your humanity at the door when you show up for work. Yeah, I know that is a strange concept for americans, but in many other parts of the world, it is very much still alive. Employees are also humans - wow, what a revelation.

Your expectation of privacy should certainly be different, but there's no sane reason it should automatically be zero.

Real-world example: In a company I worked for a few years ago I helped write the policy on this very topic. The final agreement was that the company could look into your e-mail and stuff, but only if they went to the workers council (elected representatives of the employees) and made their case. So if they suspected you of wrongdoing, or you were ill and had crazy important documents in your mail or personal folders, the company could look through it - in the presence of someone representing your interests.

The important difference is the same as in real-life criminal cases: With a system like this or the real world "must get a court order first" approach, you are innocent until proven guilty and it requires at least some reasonable suspicion before someone can breach your privacy. In a blanket surveilance environment, we're all guilty, period.

Re:And why should you expect anything different? (1)

Spad (470073) | about 9 months ago | (#46315075)

This.

If I ever went through someone's emails, documents, IM logs or anything else private on the company network without someone from HR physically sitting with me, I'd be fired on the spot.

I feel really sorry for anyone who works somewhere where IT are allowed to gain indiscriminate access to all your stuff just because they're bored on a Friday afternoon.

Re:And why should you expect anything different? (1)

cascadingstylesheet (140919) | about 9 months ago | (#46315385)

Because you're a human being and don't leave your humanity at the door when you show up for work. Yeah, I know that is a strange concept for americans, but in many other parts of the world, it is very much still alive.

Not strange for this American.

Just because you can do something technologically doesn't mean that you should do it.

I can plant a listening device in my boss's office. But I don't.

You are a naive Slave (0)

Anonymous Coward | about 9 months ago | (#46322953)

..otherwise you would simply do that.

signed

Another naive Slave

Re:And why should you expect anything different? (0)

Anonymous Coward | about 9 months ago | (#46315953)

To this American, that is mind-blowing. What country? Germany?

Re:And why should you expect anything different? (1)

E-Rock (84950) | about 9 months ago | (#46315955)

Certain US government regulations require that electronic communications of publicly traded companies are logged. Once you have to log all that information, someone will get the idea to use it for something.

Where I work, we don't have an obligation to log our Lync conversations, and we have those features disabled.

Re:And why should you expect anything different? (0)

Anonymous Coward | about 9 months ago | (#46325287)

Being human has little to do in an employer/employee relationship, which in most instances is a legal arrangement. The employer establishes the workplace guidelines and expectations. If use of company resources for personal uses are not part of the arrangement (which is the case in most instances) then there is no "right" to use such resources for such reasons. In fact, the compensation you are paid is to perform specified duties delineated by the employer and as a result you have no right to any other expectations. If you don't like the working conditions, don't accept the job or quit. Being human conveys no rights in a work environment that is not specified in the work relationship.

Re:And why should you expect anything different? (0)

Anonymous Coward | about 9 months ago | (#46314775)

If you're instant messaging someone on the company's IM platform on the company's time why the fuck would you have any expectation of any sort of privacy?

Well put George Orwell...

Re:And why should you expect anything different? (0)

Anonymous Coward | about 9 months ago | (#46314893)

If the company stores their info in my brain, how can they expect privacy?

isn't this a feature of all PBXs? (0)

Anonymous Coward | about 9 months ago | (#46313845)

Sounds like Event Zero was looking for some free press...
Every phone system I've ever worked with (Cisco, Definity, Avaya, OCS/Lync) can do this...

Internal Communications (2)

ZeroSerenity (923363) | about 9 months ago | (#46313851)

And a log is being kept about it? Who'dathunkit? *Groan* This isn't news.

My ex-boss would love this (1)

Anonymous Coward | about 9 months ago | (#46313853)

He loved using the phone records as management metrics to be used against us all. No personal phone calls allowed. PERIOD.

He just assumed everyone was plotting against him, stealing from him and looking for new job.

He was right about one aspect: Everybody was desperately looking for a new job but asking for time off or calling in sick was met with suspicion that they were going out on a job interview. He made it very difficult to look for a new job.

He never liked us conferring with fellow employees since he had to control everything. All information flowed down from him. Any information we had was supposed to flow up to him, but he didn't need us since he knew everything and any information we would tell him would be pointless.

Most of my fellow employees would just stop showing up or never come back from vacation. It was hell.

Re:My ex-boss would love this (1)

Immerman (2627577) | about 9 months ago | (#46314665)

An excellent argument for living below your means. Quit first, find a new job second. Enjoy your relaxing savings-funded vacation / job hunt in the interim.

Re:My ex-boss would love this (1)

Cederic (9623) | about 9 months ago | (#46315869)

I've done this. Worked out well for me, and definitely helped on the mental health front too.

Call Detail Records are an "attractive nuisance" (1)

davecb (6526) | about 9 months ago | (#46313877)

They're needed until the customer has paid their bill, and then should be deleted, just like library records of who borrowed what book are deleted when it's returned. Anyone keeping them longer is looking to make themselves a target for break-ins, subversion or court orders.

Telcos are often mandated to keep them, in the kind of "future crime" scenario that belongs in a movie like Minority Report (:-))

Re:Call Detail Records are an "attractive nuisance (1)

BitZtream (692029) | about 9 months ago | (#46313997)

As I recall, you write your name on a card that doesn't get thrown away until its full. when the book is returned, the card is put back in it for anyone to see. You can go to the library, grab the book off the shelf, copy down the names and dates on the card and return the card to the book, likely without anyone realizing your doing it for small numbers of books.

Deleting the info when the book is returned even today sounds unlikely unless they are inspecting every page in the book on return, otherwise when the next guy checks it out and finds missing pages or that someones kid thought it was coloring book, they wouldn't know who to charge for the damage.

Re:Call Detail Records are an "attractive nuisance (1)

Anonymous Coward | about 9 months ago | (#46314199)

The libraries I used no longer use cards. Checkout info is done on a computer system. When this first started, there was a question over law enforcement requests to turn over such info. After 9/11, (IIRC), the position of the Federal Govt. homeland security, etc, was that no warrant was required. A lot of Libraries, a field with a long history or supporting individual liberties and privacy regarding the right to read (censorship issues), and the right to keep it private, (no, not every library or librarian) put in place new polices: delete such info shortly after it is no longer needed. Then they have no info, or only info on the current items checked out, to turn over.
That is what my local library does. Even so, sometimes I think I should check out lots of books at random to create noise in any list of books I've checked out.

Re:Call Detail Records are an "attractive nuisance (1)

davecb (6526) | about 9 months ago | (#46315489)

The library community has been sensitive to this for a long while, and the library software vendors (eg, GEAC and friends) are careful to keep data for a short a period as possible, meeting the requirements of the most privacy-protective countries they sell into. As few countries either have or enforce library anti-privacy laws, the software is therefor saleable everywhere.

Almost ironically, privacy-protective code can be a business advantage.

Re:Call Detail Records are an "attractive nuisance (1)

Zontar The Mindless (9002) | about 9 months ago | (#46314679)

My mom says your troll is about 20 years out of date. (She's a retired public library director.)

United States Workplace (2)

the eric conspiracy (20178) | about 9 months ago | (#46313887)

This sort of thing is ok in a workplace in the United States, mostly because everyone expects the lack of privacy with using employer's equipment.

Other places in the world offer more privacy in the workplace. Such capabilities could cause some real problems in those environments.

Re:United States Workplace (1)

lgw (121541) | about 9 months ago | (#46314563)

I don't care at all about it being private. I care only if my employer gives me shit about what I do on it. Maybe if they see me looking for work they'll give me a larger raise to make sure they'll keep me. But changes are, they don't care at all either - they keep records to respond to lawsuits, or purge them quickly if not required to keep them (keeping anything just makes lawsuits worse, so big companies keep only what the law requires).

Re:United States Workplace (0)

Anonymous Coward | about 9 months ago | (#46315685)

it's their equipment and their data. Don't like it? No one forces you to work there.

Re:United States Workplace (1)

Cederic (9623) | about 9 months ago | (#46315875)

My employer gives a shit and i'm glad they do. We have a moral and legal duty of care to protect an awful lot of sensitive data and monitoring communications channels is an important tool in providing that protection.

Lync can go beyond the corporate network; we really don't want someone copy - pasting sensitive data over IM.

/. crowd played (0)

Anonymous Coward | about 9 months ago | (#46313903)

nice way to run a tabloid, /. "editors"

um, yeah ... (4, Insightful)

cascadingstylesheet (140919) | about 9 months ago | (#46313907)

... because that's the way to retain good employees, spy on them.

Re:um, yeah ... (4, Insightful)

VortexCortex (1117377) | about 9 months ago | (#46314005)

Be careful, you are dangerously close to implying that it is good employees and not obedient workers that are actually in demand.

Re:um, yeah ... (0)

Anonymous Coward | about 9 months ago | (#46314859)

Be careful, you are dangerously close to implying that it is good employees and not obedient workers that are actually in demand.

Are you kidding? If the employee isn't obedient then they're worthless. If they won't do what I tell them then I'm just performing charity by giving them my money.

Re:um, yeah ... (0)

Anonymous Coward | about 9 months ago | (#46315137)

Are you kidding? If the employee isn't obedient then they're worthless. If they won't do what I tell them then I'm just performing charity by giving them my money.

Sad so many companies think this way. I got fired for doing extra on my job. Oh well, turns out their competitor is interested in saving $10 million/year and I may never have to work again in my life. Keep think it's you vs them.

Re:um, yeah ... (1)

Cederic (9623) | about 9 months ago | (#46315889)

If you tell your employee to do something stupid or illegal then you'd better hope they know not to blindly do what you tell them.

Unless you're a stupid cunt, which I can't rule out..

Re:um, yeah ... (1)

cascadingstylesheet (140919) | about 9 months ago | (#46315371)

Be careful, you are dangerously close to implying that it is good employees and not obedient workers that are actually in demand.

Maybe a company that finds lots of hits to Dice, Monster, LinkedIn, etc. could learn from that information and try harder to make their employees happy.

Re:um, yeah ... (0)

Anonymous Coward | about 9 months ago | (#46315663)

Because employees should expect a company to keep tabs on all data/traffic going across their network - like all good companies should.

Don't like it? Go be a cart pusher for Walmart/Target

Re:um, yeah ... (1)

cascadingstylesheet (140919) | about 9 months ago | (#46317257)

Because employees should expect a company to keep tabs on all data/traffic going across their network - like all good companies should.

To quote myself elsewhere ...

Depends on what you mean by "expect".

I don't "expect" people to behave decently in any predictive sense, but I "expect" people to behave decently, as in I think that they should do so.

Re:um, yeah ... (0)

Anonymous Coward | about 9 months ago | (#46327307)

Yes, it is, because the good employees, that want to work and not deal with whiney fucktards will enjoy the ensuing silence.

Company computers, company network ... (2)

MacTO (1161105) | about 9 months ago | (#46313909)

Given that this is dealing with company computers on a company network, it is their right to know how it is being used. I would hope that there is a strong privacy policy in place regarding any personal information that they uncover that is not a violation of company policies, but that is a hope and not an expectation.

Overall though, I would suggest that it is best to avoid doing anything at work that would stir up office politics.

Re:Company computers, company network ... (2)

The Cat (19816) | about 9 months ago | (#46314053)

Overall though, I would suggest that it is best to avoid doing anything at work

FTFY

Re:Company computers, company network ... (1)

haruchai (17472) | about 9 months ago | (#46318767)

Guess you're okay with them spying in the bathrooms, too.

Re:Company computers, company network ... (1)

coolsnowmen (695297) | about 9 months ago | (#46334367)

I get your point, but what you do on the company internet can definitly cause them problems ( virus's /malware /illegal activity). The same is not true (except in the comedic sense) about what you do in the bathroom.

Re:Company computers, company network ... (1)

haruchai (17472) | about 9 months ago | (#46337933)

I was half-joking but I was also half-serious. While waiting outside a single-person bathroom at one of our sites, I could hear the person inside answering interview questions. He must have been really desperate to find another job.

Re:Company computers, company network ... (1)

coolsnowmen (695297) | about 9 months ago | (#46338381)

Or he really had to go.

Is Microsoft good for anyone? (0)

Anonymous Coward | about 9 months ago | (#46314133)

Apart from shareholders (you know who they are: they have hundreds of millions or billions of dollars in the bank). Is microsoft good for anyone? I see people like Forbes fawning over them for years, but unless you are a shareholder, they only thing you share with them is an overpowering greed. They destroy competition in the marketplace not through high quality products or better value buy by manipulation, monopolistic tactics, lies, coercion, threats, cheating and stealing. There are people who also see this as good (just like the overwhelming greed). None of their products are good for the software or technology industries: indeed, most technology companies avoid using their products because their products cannot be integrated into anything else without destroying the bottom line of any other company. They are bad for their employees because they aren't interested in innovation: innovation costs money, if they can keep the same level of profits with stagnation that's much cheaper. They aren't good for customers: the same old products year after year, with enough window dressing to make what is new incompatible with what was old, so customers keep paying for the same software they had 15 years ago (indeed, ID software developers found 16 bit API's in their graphics stack...software that had been originally written in 1992). They aren't good for the local government: they refuse to pay fair taxes: they 'export profits' to other countries with lower tax rates, robbing local schools of income for things like electricity and (ironically) computers, and now we find they spy on employees. We had a good idea that they allowed NSA back doors years ago, confirmed on a massive scale by Snowden that they spy on customers. Is microsoft a candidate for a company that deserves to have its business license revoked worldwide? It would seem so.

New levels of idiocy. (2)

RightSaidFred99 (874576) | about 9 months ago | (#46314145)

Wow, you mean a corporation has access to the numbers dialed by the people within the corporation!? Quick, call Ripley's Believe it or Not - I think I found something for the "believe it" pile!

Don't use corporate Lync for anything other than d (1)

Anonymous Coward | about 9 months ago | (#46314163)

I work for an IT company that is one of the largest users of Microsoft Lync outside of Microsoft.

I never, EVER, use my employer email, my employer lync chat, voice, video, and screensharing service, my employer supplied cellphone, and my employer supplied desktop and laptop computers for personal use. Ever. I have my own personal laptop, email and chat accounts, and personal cellphone for personal use.

Re:Don't use corporate Lync for anything other tha (2)

Vrtigo1 (1303147) | about 9 months ago | (#46314263)

It sounds like you have something to hide. I'm just the opposite of you. I don't have a personal home phone, cell phone, laptop, etc because my employer provides all of that stuff to me and they don't care if I use it for personal stuff as long as it doesn't interfere with business use. I don't see any sense in paying for something I already have access to for free.

Email is free, so I do have a personal e-mail addres but I use my work e-mail for tons of personal correspondence just because it's a lot more convenient and I don't really care if my employer reads the day to day e-mail conversations I have with my friends and family.

Re:Don't use corporate Lync for anything other tha (1)

Zontar The Mindless (9002) | about 9 months ago | (#46314705)

It sounds like you have something to hide.

Let me be the first to say, "Fuck you. (And you're an idiot.)"

Nudist with a vow of povery? (1)

dbIII (701233) | about 9 months ago | (#46315031)

It sounds like you have something to hide

What's a nudist with a vow of poverty doing here?

Don't Panic! (0)

Anonymous Coward | about 9 months ago | (#46314215)

It will get better. Take the "Business Microscope" (curiously removed from the developers website), which will give the boss a log of more than just communications. Bob Greene covered it earlier this month: http://www.cnn.com/2014/02/02/opinion/greene-corporate-surveillance/

They get caught up? (1)

sgt scrub (869860) | about 9 months ago | (#46314315)

"Lync does this no differently than any other enterprise communications system,” says Barry Castle". They are not lying. There have been better solutions for a long time. All of them integrate directory services (AD/LDAP) with information from everything, audio recording of phone conversations, video recording of desktop usage, real time network traffic information.

Regulated industries (2, Informative)

Anonymous Coward | about 9 months ago | (#46314433)

Companies in the financial sector - stock brokers, mortgage dealers, financial advisors and the like - are REQUIRED to archive and monitor their employees' work-related electronic communications, and must be able to demonstrate to regulators that they are actively doing so, or they face stiff penalties. The regulations are deliberately vague, but a general rule of thumb is that if an employee says something they're not supposed to say and the company's own compliance team failed to catch it, then they weren't doing enough monitoring and they can be fined.

Posting anonymously because I work for a company that specializes in communications archiving for the financial industry. And yes, we archive Lync IMs (and AIM and Facebook and Twitter and Salesforce Chatter and Instant Bloomberg and whatever else the kids are using these days, because if we can't archive it they're not allowed to use it).

Re:Regulated industries (0)

Anonymous Coward | about 9 months ago | (#46323489)

This. Posting as AC because I work in financial services. It's a whole different world. Electronic communications are not only archived, but in the case of employees who hold FINRA licenses, actively monitored for violations. Most of the projects I work on eventually funnel their data into the archiving and supervision systems. I used to be like one of the posters above--"hey, my company gave me this laptop and phone, why should I buy my own?" Not anymore. I don't even send personal emails from my work email, apart from "what's for dinner?" to the spouse. I have anything interesting to say to someone, I call them on the phone.

Carve out one exception... (2)

mr100percent (57156) | about 9 months ago | (#46314443)

Once you claim "it's only metadata," then you open the floodgates for all abuse.

You can do exactly the same with Asterisk (1)

blackpaw (240313) | about 9 months ago | (#46314475)

Full call details can be logged from a asterisk server. Its pretty much std features for any PABX. Complete non story.

So? (1)

Bugler412 (2610815) | about 9 months ago | (#46314513)

This is different than any other chat/VOIP/Conferencing system in what way?

Re:So? (1)

lgw (121541) | about 9 months ago | (#46314571)

Well, Lync integrates call, chat, and "are you at your desk" information nicely, so it would give more data to mine than any system that only does one of those. But then, assuming the employer has some sort of system for each, it's still the same data to mine.

It's just CDR records. It's not like it's a secret (3, Informative)

Zarhan (415465) | about 9 months ago | (#46314807)

Lync stores the info in two databases, LCSCDR and QoEMetrics. The first one has info on all sessions, other one has quality data. It's not like it's some super-secret database, MS has full specs in Technet, for example http://technet.microsoft.com/e... [microsoft.com] shows what's exactly stored in SessionDetails table.

Yes, such info *could* be used to do data-mining. Same info could be used to optimize least cost routing, gathering statistics on network performance, planning upgrades, and whatever you like. I've personally crafted a few reports from those DBs on how much folks are calling PSTN from Lync on various customer sites, so they can decide what is the priority in upgrading E1/T1 to VoIP-based PSTN connection.

It's not a conspiracy. Server admins can look at what kind of stuff you are doing on such servers.

Re:It's just CDR records. It's not like it's a sec (1)

acoustix (123925) | about 9 months ago | (#46315733)

Exactly. Cisco's UC has the same capabilities. I'm sure all other UC by other vendors have the same features.

Nothing to see here.

I for sure hope so (1)

drolli (522659) | about 9 months ago | (#46315235)

There are even obligations of companies to keep records of communitcations of their employees. Helps to prevent corruption a little bit, or at least make it more clear when examining it.

oh, the ironiez (1)

Anonymous Coward | about 9 months ago | (#46315275)

Well, so much for Microsoft's Scroogled campaign... case of the pot and the kettle.

Not that employers are parents ... (1)

cascadingstylesheet (140919) | about 9 months ago | (#46315377)

... but I learned early on as a parent that jumping on everything I find my kids doing just teaches them to hide things better.

Re:Not that employers are parents ... (1)

Cederic (9623) | about 9 months ago | (#46315917)

There's a difference between knowing, and acting on that knowledge.

I expect my employer to know every instant message I've sent through their system. I expect them to monitor that for sensitive data (in the business sense). I don't expect them to mine that information to see which of the girls in finance I'm seeing outside of work, and I don't expect them to give a shit even if someone told my boss.

Which is why someone coming to me going, "Our records show that you have a relationship with her" won't result in me complaining about the records, but will get a big fat "So what? Speak to my manager if you have a problem with that" - my manager will tell them to fuck off without me even needing to bother.

Watching your browser too (0)

Anonymous Coward | about 9 months ago | (#46315379)

The whole OMFG the NSA!!1! spin on this article is absurd. If you use a computer while connected to a company network you can be sure the activity is being logged. Email, texts, browsing URLs, all of it is logged no matter what the platform. Can the logs be analyzed? Of course.

Wtf. Don't do stupid shit with company assets (0)

Anonymous Coward | about 9 months ago | (#46315419)

If you're job hunting or dipping your pen in the company ink so to speak, do it with your own mobile phone without any corporate stuff on it. If you're dumb enough to be bangin the bosses wife and calling her using his telephone you deserve toget caught.

In other news... (0)

Anonymous Coward | about 9 months ago | (#46315653)

Microsoft Exchange stores data for all emails for the company.

What a stupid article. Of course any internal communication tool can be monitored by the company - as it should be.

Archiving IM and call details for a Decade (0)

Anonymous Coward | about 9 months ago | (#46316011)

Not new news, this product has been around for over a decade. Before it was renamed Lync it was called Office Communication Server 2007, and before that it was Live Communication Server 2003/2005.

Also there is no need for the employer to analyze the data or "to figure out who is dating whom within the company and pinpoint people looking for another job". They can just enable the Archive feature of the product and use SQL SRS to crank out chat logs, where you probably spelled it out for them plainly. All versions for a decade have had this feature.

MS Technet blog about Archive reports:
http://blogs.technet.com/b/dodeitte/archive/2013/06/02/sample-lync-server-archiving-report-available.aspx

Conversation search results:
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-74-93/0027.2013_5F00_11_5F00_26_5F00_01_2D00_02.png

Conversation details:
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-74-93/2541.2013_5F00_11_5F00_26_5F00_01_2D00_03.png

Don't Panic! (0)

Anonymous Coward | about 9 months ago | (#46317927)

It will get more interesting: http://yro-beta.slashdot.org/story/14/02/03/162216/virtual-boss-keeps-workers-on-a-short-leash

In other news... (0)

Anonymous Coward | about 9 months ago | (#46319503)

Water's wet. The sky is blue. And companies monitor company communications.

Is this a suprise? (1)

bigsexyjoe (581721) | about 9 months ago | (#46320489)

My employer explicitly says they keep your Lync messages. Do other employers pretend they don't?

I mean they give you an email and they keep the record. Tied to that email is your Lync. They keep that data too.

Not really spying (1)

Kimomaru (2579489) | about 9 months ago | (#46322625)

Guys, Gathering data on activity made with corporate property is not spying, no matter the logic or mindset you're using. Sorry, it's just not. It's spying when you're paying for the service and they're going through its records. Not sure how this is news. Also, c'mon really? How is any of this new? It's an extension of monitoring telephony call detail records or email usage.

MS,Google,Apple,Oracle,IBM, Intel == NSA (0)

Anonymous Coward | about 9 months ago | (#46322925)

All the commercial operators are in bed with NSA and sometimes use the same techniques even before they hand your data to NSA on a silver plate so that "government algorithms" can do the same.
"Data Protection" is for Useful Idiots.

Too stupid to be employable (0)

Anonymous Coward | about 9 months ago | (#46330965)

Who the hell would use the company network to look for a job?

Be accurate. (0)

Anonymous Coward | about 9 months ago | (#46333179)

I respect companies' right to control their hardware and their network. However, a true IT professional knows how to safeguard a network without compromising the privacy of employees. If there is a law enforcement need or a matter of theft that a company needs to deal with, then okay. However, blaming data mining on technology is a cop-out.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?