‘Keylogging’ to check Internet usage: Is it legal?
June 12, 2009 by Jim GiulianoPosted in: Communication, In this week's e-newsletter, Latest News & Views, Records documentation, policies
More and more employers are making use of “keylogging,” or the recording of keystrokes on an employee’s computer to provide a map of what Web sites the employee is visiting. Is the process legal?
Typically, keylogging is done secretly, so the employee is unaware of it. Just as typically, it’s implemented because the employee is under suspicion of using a computer in an unauthorized or illegal way. So far, so good.
However, some targeted employees have dredged up a section of the Electronic Communications Privacy Act as a defense — and a reason to sue employers for invasion of privacy.
Title I of the ECPA amended the federal Wiretap Act covers the “interception of electronic communications,” making it an offense to “intentionally intercept . . . any wire, oral, or electronic communication.”
Test case
The issue came up in a California federal-court case, Brahmana v. Lembo. The question was whether a key logger that records keystroke information in transit between the keyboard and the computer’s central processing unit violated the EPCA.
The short story is that the court didn’t find the company general keylogging to be in violation of EPCA.
There’s a complication because, using the keylogger, the company captured some of the employee’s confidential passwords and used them to access private accounts. The court is allowing the case to continue to determine whether using the passwords violated the EPCA.
So, at this point, the verdict is:
- Keylogging to track Internet usage? Probably OK.
- Using keylogging to access private info? Probably not.
Tags: EFCA, Electronic Communications Privacy Act, keylogging
Are the Benefits of Automatic Enrollment Worth the Cost?
June 15th, 2009 at 1:50 pm
I just can’t fathom how a company using this type of information ON IT’S OWN COMPUTERS can violate an employee’s privacy, provided, of course, that said company has policies in place either prohibiting the use of its property for personal use or advising employees that all use of the computer MAY be recorded and that there will be consequences for inappropriate use.
June 15th, 2009 at 2:07 pm
If the company’s computer use policy prohibits personal use, and that employees should not expect any degree of privacy, how can it be illegal? The computer, time, and ISP are all paid for by the employer. If anything, it should be actionable BY the employer, NOT the employee.
Too many times today, we allow employees to walk all over their employers like they’re entitled to do what they please, when they please with no regard.
June 15th, 2009 at 2:49 pm
I must agree with the first two posts – the computers belong to the company, and our company has a clear “AUP” in place. No privacy should be expected, period. What about employees sending proprietary information from their work computer to their home computer, then on to a competitor that they plan to go to work for? Employees sometimes seem to feel that they have all the rights, and employers have none.
June 17th, 2009 at 11:43 am
I agree with you guys. I work in IT and sometimes this is necessary. What is simply unethical though is this part — “There’s a complication because, using the keylogger, the company captured some of the employee’s confidential passwords and used them to access private accounts”.
One would hope that a company would not, say, use the information to check on a person’s bank account balance or check their hotmail account for personal information like results on a job search… This would be illegal. Though a company can collect this information, since it is from their equipment, any of use it to invade PERSONAL information is unethical and illegal period.
June 17th, 2009 at 12:22 pm
I agree that it would be unethical to look at someone’s bank account, etc. However, what if an employee sent proprietary e-mails and confidential company information to their personal e-mail, then sent it on to a competitor? How would you handle that?
June 18th, 2009 at 7:43 am
To draw a parallel, a bit silly but used as a simple example, suppose I dropped the keys for my car in the office and someone in management found it. Since it was dropped on company property they now have the right to search my car just in case I stored personal company files in my car?
My point is the company equipment being used belongs to the company. The personal account information gathered though found on company property is NOT OWNED by the company. The account that you would be accessing with is NOT OWNED by the company. I used the car example to show that this type reasoning cannot be rationalised. Personal property is personal property. Say I had an after-work party at my house and an IT manager dropped keys for personnel files. I found it on MY PROPERTY so that means I can now go to work and open and search the files since, like the account login information, it was found my property… The sword cuts both ways people…
June 22nd, 2009 at 11:20 am
How many of those who posted comments on this story above just used the company computer and company time to do it?
June 22nd, 2009 at 1:06 pm
I agree with all the above. Most importantly, employers must protect themselves and their employees. With Harassment claims on the rise it would be irresponsible for an employer NOT to have a privacy policy that included keylogging to put the employee on notice. It’s there equipment, on their property, and the employee will be held accountable under any and all circumstances.
June 23rd, 2009 at 8:15 am
Drew, admit it, you just used your company to ask if others used the company computer to read your comment about using the company computer to read this page…. whoh, I’m dizzy.
I love Robster’s key analogy.
June 23rd, 2009 at 10:51 am
Luckily my company doesn’t use keylogging as it would be counter-productive in our case, as we are an internet based company that as a matter of course of business must serf various sites to gather actionable information. I do agree that use of captured personal information is clearly a violation of privacy. The more difficult question to answer: Is the capture of that information a violation even if it isn’t used. Some of the danger in that could be avoided by making it a habit to regularly change passwords to personal accounts, etc… accessed from the company equipment. It does seem necessary that employees are aware through written policy that the practice of keylogging exists. Of course I guess the IT experts in the company get a free pass on all this.