Employer Logging into Employees FB and Emails

Yo, asking for a friend:

So she works at this place and she noticed that when she checked her Facebook "where you're logged in" list, one of the locations was a PC at work. She has not logged into Facebook using a browser at work in years. She brought it up with her team and another colleague noticed her Gmail account had been logged in at work while she was on annual leave.

The boss has a history of snooping on other employees computers for their activity and the operations manager had also mentioned that action had been taken against other employees in the company following content that was seen in "group chats".

She suspects that they are collecting data from their wifi usage and using it to spy on personal information through several accounts. Is this illegal?

Fair Work is closed at the moment so we just want an opinion on workplace privacy.

Comments

  • +9

    Does the company have an IT policy around personal use on their network? What you have posted sounds illegal, but most companies cover themselves by having an IT policy that covers them and their ability to track your usage whilst on their network.

    • +35

      Yeah, but sniffing passwords and logging into someone's non-work-related accounts to read their personal email doesn't qualify as "tracking usage" and is definitely illegal.
      No matter what any IT policy says.

      • Yeah I agree with you that tracking and snooping into someone's email are two separate things, but companies seem to do it (as evidenced by the examples below). If it's "non-work related" isn't the argument that they shouldn't be doing it at work in the first place?

        • +2

          Most companies I worked for would either tolerate or even explicitly allow occasional personal internet usage.

          But even if they don't: breaching company policy doesn't justify breaching the law in return.

          The correct process would be giving a warning or firing them, but not reading their personal emails.

        • @MrTweek: Yeah I agree with you, and my experience has been the same as yours. However, that doesn't seem to stop some unscrupulous people out there!

      • Not sure what provider the OP is using, but the big ones like Gmail are all HTTPS, so it's impossible to sniff anything.

        • It's very possible. Most internet filtering on business firewalls intercepts the HTTPS connections and then re-encrypts them and passes the traffic on to the client PCs. Mind you, the PCs need to have the CA certificate of the firewall added to the device's trusted CA store. The firewall can't legitimately sign an SSL/TLS certificate as *.google.com, but it can self-sign one. And if these devices are owned by the business and joined to a domain, it's trivial to push out the CAs with Group Policy or an MDM.

        • @SingMeASong:

          Sorry, I simplified. You are right; my point, which I left out, is the user should check the certificate, and if it's "green" then you are safe.

        • @ninetyNineCents:

          Not if you are using a work-managed computer or mobile device. It is possible for a workplace to push out additional trusted certificate authorities to managed (Active Directory, MobileIron, …) devices. This is why you typically won't be warned by your browser on a work computer/device when your secured connection has been intercepted/MITMed.

          Extracting credentials from intercepted/MITMed traffic is quite difficult, and likely not something a non-technical manager could do.

        • @radradrobotank:

          Don't most browsers "tell" you extra trusted certs have been "added" to your chain?

          I thought there was a cue to tell you these additions were added… (a different colour, e.g. yellow rather than green)

  • +88

    Both Facebook and Gmail should be on HTTPS, so packet sniffing on WiFi would not be able to recover the password. As it's a work computer, it's still possible with MITM attacks or a key-logger on the computer, but I would not accuse the employer without solid evidence. Nevertheless, enable 2-factor authentication on both Facebook and Gmail so having the password is not enough to log into those services.

    • +36

      This. Two-factor authentication is a must.

    • +9

      MITM is quite popular at workplaces these days, IMO.

      • +1

        And very easy. I stay away from public wifi for a reason.

        • +3

          True!

          Use your mobile data (or at least a VPN) if you'd like to surf the web safely.

          There are even some open source tools that can do MITM nowadays, including pfSense…

        • +2

          @bjdchwr:

          A VPN can't stop key-logging, and you are going to provide them with one more password ;p

          I have a couple of friends who work in the IT department of their company. It seems more and more companies install monitoring software on workplace computers. This software is quite cheap nowadays and usually comes with a cloud-based dashboard for managers to access remotely. It logs keystrokes, records every single page you visited, and even takes screenshots at a set interval.

          The data collected is quite interesting. One of my friends' employer gives each staff member a laptop; many employees take it home and visit "interesting" websites. He found one of the managers watches gay porn every single night :-D

        • +2

          Doesn't MITM require you to trust their CA?
          Which could happen without the user's knowledge easily enough on corporate machines, not so much when on a personal device on public WiFi.

        • @based: Certs can be forged, most MITM software does this automatically

        • +13

          Honestly, it's not really that easy, and public WiFi is safe for HTTPS traffic.

          A MITM, HTTPS-decryption style attack is possible only if you can control the local certificate store on the remote PC. In an office environment, where you can configure group policy to trust a local CA, you can intercept HTTPS traffic by decrypting it and then re-signing with a certificate generated by your local CA, which is trusted according to your group policy.

          Public WiFi is different. You can only trust CAs in your trusted root store. If your traffic is being captured, decrypted and re-encrypted, your machine WILL NOT trust the certificate presented as the CA won't be recognised, and you'll get a certificate warning.

          Sadly, many people will ignore the warning :(

        • @picklewizard: I should have been more clear. I was not referring to HTTPS. There are plenty of unsecured public WiFis floating about.

        • +2

          @Clear: Yeah, on public Wi-Fi, assume everything without a 'secure' padlock icon is being captured and harvested :)

        • @picklewizard: And that's why I said they're very easy. Also quite fun if you're in a crowd.

        • @picklewizard: This can happen in public when someone nearby creates a WiFi hotspot with the same name as the free WiFi in that area and tricks users into logging into it.

        • +2

          @mattyman: Yeah, but that's not performing HTTPS decryption.

          What some of the 'honeypot' style fake APs do is pretend you need to log in to access internet (not uncommon for legit public APs) but will then request facebook credentials ("sign in with your Facebook account!").

          Just to be clear, anything transmitted over HTTPS to a KNOWN website (facebook.com, google.com, etc) is safe if logging in from your OWN PC/phone, regardless of how untrusted the wifi connection is. (edit: provided you trust your own PC!)

        • @nobarginsarehere:
          Certs can be forged? Not really.

          You can't forge this signature without stealing the CA's private key, breaking the cryptography involved, or finding a bug in the browser's certificate validation code.

        • @nobarginsarehere: Certificates cannot be forged. That is the whole point of an SSL certificate: to provide integrity, or to trust that the third party is actually the party you are wanting to contact.

          The only way a certificate can trick the user is installing the root certificate and the intermediate into the Windows certificate store, then issuing the web browser (for example) with a server certificate with the same CN as the website. This is not forging; this is creating the same server certificate with a different certificate chain.

        • @bjdchwr: a VPN is not a guaranteed way of stopping a man-in-the-middle attack. A VPN is purely to encrypt your data once the connection is established. The process of establishing the connection can easily be man-in-the-middled, depending on your VPN server provider and the security controls they have in place.

        • +1

          People just need to assume anything you do at work is being tracked; everything is being logged.

          If you want privacy, do it on your non-company phone.

      • +13

        Malcolm in the middle?

        • +2

          Man in the middle. Of course if the man is really a woman, then the acronym kind of falls apart.

      • +3

        MITM is not going to work on HTTPS unless the user is stupid enough to trust what would be an untrusted certificate; the browser would have thrown a very obvious warning.

        It is most likely that the user logged in to FB and Gmail recently enough and someone simply navigated to FB/Gmail without being required to log in. No PW necessary.

        Most companies would not be stupid enough to risk liability on actually decrypting all HTTPS traffic (configured with SOE so that the user will never know) and recording the body of HTTPS content such that they would be stripping personal usernames and passwords for later use by an unauthorized person.

        An IT monitoring policy is very different than the kind of activity above.

        Highly unlikely that this happened in OP's case. Probably just an account that was never logged out and someone has just opened the browser and navigated to FB/Gmail.

        • +2

          not going to work on HTTPS unless the user is stupid enough to trust what would be an untrusted certificate

          Not strictly true: a GPO could be configured to trust an internal CA that's re-signing the traffic; but as you say it would be a super-dick move and the effort required would be very difficult to justify (instead of just, say, blocking the sites).

        • I'm pretty sure most employees will be signing something that waives their rights while using the company's network.

        • Unless they are doing something sneaky with subdomains too and valid wildcard certs.

          Like … mail.google.com_.somedomain.com. That sort of thing can trip up basic users.
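The hostname trick in the comment above deserves a concrete check. The script below is an added example, not code from the original thread: it contrasts the naive substring test that a lookalike such as mail.google.com_.somedomain.com sails through with the correct check, label-aligned suffix matching on the hostname that urllib has actually parsed. All of the URLs in it are constructed; somedomain.com and evil.example stand in for whatever an attacker registers.

```python
"""Does this URL really belong to the site the user thinks it does?

Added example; not from the original thread. A hostname such as
mail.google.com_.somedomain.com reads as Google at a glance, carries a
perfectly valid certificate for *.somedomain.com (so the padlock is green),
and is not google.com at all. The registrable domain is decided by the
right-hand labels of the hostname, so that is where the check must anchor.
"""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Hostname from a URL: lower-cased, userinfo and port stripped, trailing
    dot removed. urlsplit does the parsing, so 'www.google.com@evil.example'
    resolves to evil.example rather than google.com."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")


def naive_belongs_to(url: str, site: str) -> bool:
    """The check to avoid: a substring match. Anything whose hostname merely
    contains the text 'google.com' passes, including the lookalike above."""
    return site.lower() in host_of(url)


def belongs_to(url: str, site: str) -> bool:
    """Correct check: the host is the site itself or a subdomain of it.
    The leading '.' on the suffix is what keeps notgoogle.com out."""
    host = host_of(url)
    site = site.lower().rstrip(".")
    return host == site or host.endswith("." + site)


if __name__ == "__main__":
    # Constructed URLs: the first two are genuine, the rest are lookalikes.
    for url in [
        "https://accounts.google.com/signin",
        "https://GOOGLE.COM./",
        "https://mail.google.com_.somedomain.com/",
        "https://google.com.evil.example/",
        "https://notgoogle.com/",
        "https://www.google.com@evil.example/",
    ]:
        print(f"{url:45} naive={naive_belongs_to(url, 'google.com')!s:5} "
              f"correct={belongs_to(url, 'google.com')}")
```

The naive check says yes to three of the four lookalikes; the suffix check rejects all four and still accepts the real subdomain and the upper-cased, trailing-dot form of the apex. The same logic is what a browser applies when it decides which cookies to send, which is why the lookalike never receives the victim's real Google session even though it can collect whatever the user types into it.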

      • +1

        In theory, this is possible, but the effort required to do this in order to retrieve Facebook or Gmail passwords makes it unlikely.

        Easiest way to check is to have a look at where the website certificate is coming from.
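Several replies in this thread make the same point: on a managed PC the proxy's CA is trusted, the browser stays silent, and the issuer shown in the certificate details is the one thing that gives interception away. The script below is an added example, not code from the original thread. It opens a TLS connection validated against the operating system's trust store, exactly as the browser does, and reports who signed the leaf certificate. The expected-issuer organisations and the two sample certificate dicts are constructed for illustration only; record your own baseline from a personal device on a network you trust before relying on the names.

```python
"""Who signed the certificate that facebook.com / google.com just handed me?

Added example; not from the original thread. A decrypting proxy on a managed
PC re-signs the site's certificate with the employer's CA. Because that CA
was pushed to the trust store, the browser shows no warning; the issuer
name is the one field that changes.
"""
import socket
import ssl
from typing import Dict, Optional, Set, Tuple

# ASSUMED baseline: issuer organisations seen for these hosts from a trusted
# network. Illustrative only; re-record from your own device before use.
EXPECTED_ISSUER_ORGS: Dict[str, Set[str]] = {
    "www.facebook.com": {"DigiCert Inc"},
    "www.google.com": {"Google Trust Services LLC", "Google Trust Services"},
}


def issuer_field(cert: dict, key: str) -> Optional[str]:
    """Read one attribute (e.g. 'organizationName') from the 'issuer' entry of
    the dict ssl.SSLSocket.getpeercert() returns: a tuple of RDNs, each RDN a
    tuple of (attribute, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def check_issuer(cert: dict, expected_orgs: Set[str]) -> Tuple[bool, str]:
    """True when the issuing organisation is one we expect; otherwise False
    plus a description of the issuer that was actually presented."""
    org = issuer_field(cert, "organizationName") or ""
    cn = issuer_field(cert, "commonName") or ""
    if org in expected_orgs:
        return True, f"issued by {org} ({cn})"
    return False, f"unexpected issuer O={org!r} CN={cn!r}: possible interception"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the default context, which loads the OS trust store (so a
    corporate CA pushed by Group Policy is honoured, as in the browser), and
    return the leaf certificate the server presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape. The subjects are identical;
# only the issuer betrays the proxy.
PUBLIC_CERT = {
    "subject": ((("commonName", "*.facebook.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert SHA2 High Assurance Server CA"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "*.facebook.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Web Filter CA"),)),
}


if __name__ == "__main__":
    for host, orgs in EXPECTED_ISSUER_ORGS.items():
        try:
            ok, why = check_issuer(fetch_peer_cert(host), orgs)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            ok, why = False, f"connection failed: {exc}"
        print(f"{host}: {'OK' if ok else 'CHECK'} - {why}")
```

Run it on the work PC and on a personal device on mobile data and compare the two issuer lines. If the work PC reports an organisation you have never heard of, HTTPS is being decrypted somewhere between you and the site. On a device where the proxy's CA is not trusted, `wrap_socket` raises `ssl.SSLCertVerificationError` instead, which is the same failure the browser turns into its warning page.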

    • +3

      A bit of light reading for you. https://www.paloaltonetworks.com/documentation/80/pan-os/pan…

      This is one of the many different options to intercept HTTPS in a company environment. Combine it with the right words in an IT policy, and you're sweet.

    • +2

      Devices like a Bluecoat proxy are very common in organisations. They will easily decrypt HTTPS traffic and give big brother access to any of your personal information. Check out HTTPS interception using a proxy: [https interception] (https://imagebin.ca/v/3Skyboa70Y3T)

      So just using HTTPS doesn't mean very much if you don't trust the network (e.g. public free WiFi). That's why it's very important to use a VPN when you use these public networks.

      • +8

        HTTPS interception requires browsers to trust the CA of the proxy, hence MITM attack as I've stated in my comment. It's easily done in corporate devices but not so with private devices on public free wifi (unless people ignore the insecure CA warning, or the perpetrator has utilised some rogue CA that the client's browser already trusts).

        • What if you had admin on your local machine and were running a private VPN?

        • +1

          @domcc1: if you had admin on your local machine, I believe the admin wouldn't even bother to sniff. An admin can install any app remotely and silently to monitor your activity.

        • @pembajak_sejati: I don't understand your response.

          I have admin privileges on my local laptop and have installed a VPN client, which connects to a private VPN, and I surf through that, via the corporate WiFi. Can this be sniffed?

        • @domcc1: My understanding is unless they are doing a MITM attack and my VPN client is too dumb to warn me about the certificates being dodgy then AFAIK there is no way to inspect this traffic.

        • +1

          @domcc1: Once the connection is made, it cannot be sniffed. However, at the time of connection it can be man-in-the-middled.

        • @frazel: Thanks! I suspect the only other thing to watch for is any locally installed monitoring software running in the background.

      • Dodgy DNS poisoning or whatever so they can MITM and send fake CAs.

        Again, if the user doesn't see green for the certificate when in HTTPS, they shouldn't do anything.

    • +3

      I'd say they most likely just logged into your computer (asked their IT tech for your network password, logged into your computer/roaming profile) and then opened Firefox/Chrome and checked your stored passwords.

      Get two factor authentication as others have suggested.

    • +2

      +1 for multifactor authentication. It should be enabled wherever possible!
      HTTPS might not work if the work computer has a trusted root certificate owned by the employer. Also, a lot of sites with MFA, like Gmail, default to trusting the computer for 30 days. I'll bet a lot of people accidentally leave that option checked at work.

      Bottom line: mobile data is not very expensive these days (https://mobile.woolworths.com.au/prepaid.html)
      Neither are extremely high-end phones (https://www.ozbargain.com.au/node/317580) which probably blow most workstations out of the water in terms of speed.

    • Gmail is HTTPS-only now.

  • +9

    On top of 2-factor authentication above:

    • Do not enable auto-login
    • Always log out
    • Delete cookies when you have finished, or use private browsing (incognito etc.; each browser has it)
    • Don't use your company's network if you do not want any personal data taken by your company.
    • If you can install things on your computer, use the Opera browser. It has a built-in free VPN you can switch on in Incognito mode.

      • +1

        I don't like the concept of a free VPN because:

        • Who operates the VPN?
        • How secure is this VPN?

        Also, it leaves a bad footprint: they might not be able to tell what you were browsing, but they can tell you are using a VPN, which is not allowed in many corporate environments.

        If the company is very serious about security, they may install an application on your machine that would track and block access to pages.

        So, if you think that you need to be very secure, the best practice is not to use your corporate network for your personal matters.

  • +21

    Don't use work computers for personal browsing; pretty sure that's a common sense +1 in any job?
    IT protocols can and do what they please; you signed an employee agreement when you joined said company.
    In all honesty, they won't be logging into your Facebook account; it's probably using the company's WAN external IP to show you logged in there. Simply log out?
    Accusations against the employer may land you in hot water when you should be using the computer for "work related" usage anyway.

    I used to just RDP into my own home server when I was in my last role; no monitoring over the RDP link and they couldn't do jack when they checked my machine logs, which all came back clear (using the work PC for personal RDP use during my allocated breaks).

    • That's a good hint actually, but this method might not be practical for non-IT-savvy people…

    • +3

      IT protocols can and do what they please

      No, they can't. Your IT policy isn't above the law.

      It's only legal to monitor employees' internet usage if it was communicated clearly to them.
      So unless you have signed some kind of policy that states that your company does this, they can't do it.

      you signed an employee agreement when you joined said company

      I didn't ever sign an employment contract that mentions anything about this.

    • You raise a good point.
      The OP's facebook logs are probably from their phone, using work WiFi for the FB app.

  • +16

    I think there is a big difference between companies monitoring usage of their networks, and acquiring employee's login details for personal accounts and actually using them later on (with one being quite legal and one being completely illegal).

    Most of the responses here sound like they are treating it as the same thing…

  • +3

    The Fair Work Act 2009 doesn't mention privacy, so it won't matter if they are closed. You could try contacting the privacy commissioner or get some legal advice. Oh, and if you want to go bottom of the barrel… there's always A Current Affair!

    • -1

      The Fair Work Act is all about screwing employees in case you didn't get that from the Orwellian name.

      • +2

        What… Compared to work choices? Ever lived abroad?

    • +4

      You're looking at the wrong act; it's covered in CRIMES ACT 1900 - SECT 308H.

      • +1

        Yep, exactly this.
        If you have evidence, you can report them to the police.

    • Yeah, but wiretapping is illegal. There's a reason the police need a warrant to get a tap for phones or the internet.

      • Yeah, but wiretapping is illegal. There's a reason the police need a warrant to get a tap for phones or the internet.

        which this isn't.

        • Well, if they are using the OP's accounts, they are acquiring the details in some illegal way.

          If the OP is simple and leaving their computer with FB and email logged in, it's also an offence to impersonate someone using credentials that are not your own.

        • @ninetyNineCents:

          There are two separate issues here. The first issue is monitoring the workstation's internet usage or the whole workstation. This part isn't an offence.

          The second issue is someone may have accessed OP's friend's Facebook account without their permission. This is an offence, as Mr drew22 pointed out.

        • @whooah1979:

          And… I never said "monitoring" was an offence… I was quite precise about my target for commentary.

  • -6

    It sounds like they're resource monitoring using screen mirroring. This has been around for decades.

    don't use company resources for personal things.

  • +3

    Could be wrong but it sounds illegal. I don't see why being on the enterprise's networks makes accessing people's private accounts any less illegal.

  • +2

    She suspects that they are collecting data from their wifi usage and using it to spy on personal information through several accounts. Is this illegal?

    As a private company they're allowed to monitor company resources like network/WiFi usage. However, it does depend on a number of things.
    https://www.oaic.gov.au/privacy-law/rights-and-responsibilit…

    Who has responsibilities under the Privacy Act?

    Australian Government agencies (and the Norfolk Island administration) and all businesses and not-for-profit organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.

    Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act including:

    private sector health service providers. Organisations providing a health service include:
    traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
    complementary therapists, such as naturopaths and chiropractors
    gyms and weight loss clinics
    child care centres, private schools and private tertiary educational institutions.
    businesses that sell or purchase personal information
    credit reporting bodies
    contracted service providers for a Commonwealth contract
    employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
    businesses that have opted-in to the Privacy Act
    businesses that are related to a business that is covered by the Privacy Act
    businesses prescribed by the Privacy Regulation 2013.

    In addition, particular acts and practices of some other small business operators are covered by the Privacy Act including:

    activities of reporting entities or authorised agents relating to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its Regulations and Rules
    acts and practices to do with the operation of a residential tenancy database
    activities related to the conduct of a protection action ballot.

    The Privacy Act also covers specified persons handling your:

    consumer credit reporting information, including credit reporting bodies, credit providers (which includes energy and water utilities and telecommunication providers) and certain other third parties
    tax file numbers under the Tax File Number Guidelines
    personal information contained on the Personal Property Securities Register
    old conviction information under the Commonwealth Spent Convictions Scheme
    My Health Record information under the My Health Records Act 2012 and Individual Healthcare Identifiers under the Healthcare Identifiers Act 2010

    • +2

      Wouldn't think they are allowed to log into your personal mail though.

      Can they search you because you are in their premises? Are they allowed to look through your car cause you are parked in their car park?

      • Wouldn't think they are allowed to log into your personal mail though.

        Is OP's company doing that? Can OP provide documentation to the authorities if they were to ask?

          Is OP's company doing that?

          Yes, that's the suspicion at least.

          Can OP provide documentation to the authorities if they were to ask?

          Just because there is no evidence, it doesn't mean that it's not illegal.

        • @MrTweek:

          Well, from what's said in the OP's original post, they might be able to provide examples of activity by SOMEONE at work that wasn't them… they can't prove who it was…

      • -2

        Can they search you because you are in their premises? Are they allowed to look through your car cause you are parked in their car park?

        That's not what's being discussed here.

      • @chumlee

        Can they search you because you are in their premises? Are they allowed to look through your car cause you are parked in their car park?

        Nobody is allowed to look through your car without asking for your permission. Even the police have to ask you; they can't force you. The police need a warrant if they want to force you.

        If you go to a shopping centre, they can't force you in any way to look at or take your car. It's the same here: if your boss asks you, just tell them no, call the police and get a warrant.

      • "Are they allowed to look through your car cause you are parked in their car park?"

        Yes they can, if you are using a company car.

        In short, don't use company equipment if you don't want to be scrutinised.

        Do personal things on your own time.
        Look at personal email on your own device.

    • +1

      Collect info, yes. We used to have a program that recorded keystrokes, which was the first thing I turned off.

      In any world where we think everything is private, it isn't. But if what's described by OP is correct, that is a breach.

      Under no circumstances can a company log into any personal accounts from data they won't admit to collecting without your consent; they can berate you for using them.

      What's next, the bank? Not on. I'd be taking it further.

      IT would have a log, just an SOE log, that would tell them who logged into what, i.e. Facebook, Gmail, timestamp and the user logged into the system.

      Please don't tell me you have shared machines with no personal logins.

    • +1

      Wrong act, you need to look at CRIMES ACT 1900 - SECT 308H.

    • Monitoring simply means measuring time or data transferred. That's a big difference when compared to actually capturing the data itself.

      That's why the police etc. need warrants to tap communications…

  • +2

    Boss is doing her a favour if her security is that non-existent. Smarten up.

  • +7

    This is illegal, regardless of any company policy or contracts or how they obtained the login details or ability to login (saved login).

    CRIMES ACT 1900 - SECT 308H
    308H Unauthorised access to or modification of restricted data held in computer
    (1) A person:
    (a) who causes any unauthorised access to or modification of restricted data held in a computer, and
    (b) who knows that the access or modification is unauthorised, and
    (c) who intends to cause that access or modification,
    is guilty of an offence.
    Maximum penalty: Imprisonment for 2 years.

    • If OP believes that the company has committed an offence, then OP should present the company with evidence of the offence.

      • +1

        How is that supposed to work if you believe someone has committed an offence, but you don't have evidence?

        That said, if it's a criminal offence (which it might), the only place to report this to is the police.

    • Might want to read up on that one a bit, Drew. Company policy can do exactly that so long as they don't breach the Workplace Surveillance Act as well as other Privacy and Surveillance Acts.
      If they used the login then that is completely different.

      • Do exactly what? You're not making sense.

        • Read up on the Crimes Act as well as Workplace Act, Surveillance Act, as well as any relevant State Acts. The logging of employee web traffic is not illegal. Logging in to their Facebook is.

        • @edge81:

          Where did I say otherwise?
          I was saying that logging in to their accounts, regardless of how the login details were obtained was illegal.

        • @Drew22:

          I read your comment as though the logging of her activity was illegal as well as actually logging into the account. Carry on.

        • +2

          @edge81:

          Logging activity is not the same as collecting passwords.
          Collecting passwords is still not as bad as using them to log into someone's personal accounts.

          This is definitely illegal and no company policy can change that.

        • @MrTweek:

          Logging activity is not the same as collecting passwords.

          All comes under collecting data, which isn't an offence as long as the data was collected while using company computers.

        • @whooah1979:

          You are saying that stealing someone's password and using it to log in to their personal accounts to read their emails and whatnot still "comes under collecting data" and is legal?

          If your company secretly films you on the toilet, could they still argue that they are "just collecting data" and that isn't an offence because it's a company toilet?

          Definitely not mate. If that has actually happened, it was illegal.

        • @MrTweek:

          You are saying that stealing someone's password and using it to log in to their personal accounts to read their emails and whatnot still "comes under collecting data" and is legal?

          Which of my posts state what you said?

        • @whooah1979:
          This part:

          All comes under collecting data, which isn't an offence

        • @MrTweek:

          If your company secretly films you on the toilet, could they still argue that they are "just collecting data" and that isn't an offence because it's a company toilet?

          This has nothing to do with op, pc login and is off topic.

        • @MrTweek:
          That was a reply to part of your post->

          Logging activity is not the same as collecting passwords.

        • @MrTweek:

          Mr drew22 and Mr edge81 have already been down this path.

        • +1

          @whooah1979:
          Fantastic, you cut off half of it and pretended I was wrong. Let me quote the whole paragraph for you again:

          Logging activity is not the same as collecting passwords.
          Collecting passwords is still not as bad as using them to log into someone's personal accounts.

          I was explaining that there IS a difference between monitoring employees' activity (which can be done legally) and sniffing someones' passwords and using them (which absolutely can't be done legally).

          Despite that, it IS illegal to steal your employees' passwords. That is not part of monitoring internet activity.
          There is no generic "collecting data" law that makes anything like this legal.

        • @MrTweek:

          Despite that, it IS illegal to steal your employees' passwords. That is not part of monitoring internet activity.

          I disagree that the company has stolen the employee's data. The employees of their own free will entered this data into their company's PC, which was/is being monitored. The resource monitoring software doesn't automatically turn off just because the employee opens up Facebook, NetBank or any other personal website.

        • @MrTweek:

          it IS illegal to steal your employees' passwords.

          Furthermore, this doesn't meet the definition of stealing under crimes act 1900 p4.

        • @whooah1979:

          I'm sure the company doesn't know about it, and would be as eager to know who has been abusing company time and property, and exposing the company to potential liabilities
