Employer Logging into Employees' FB and Emails

Yo, asking for a friend:

So she works at this place and she noticed that when she checked her facebook "where you're logged in" that one of the locations was a PC at work. She has not logged into Facebook using a browser at work in years. She brought it up with her team and another colleague noticed her Gmail account had been logged in at work while she was on annual leave.

The boss has a history of snooping on other employees' computers for their activity and the operations manager had also mentioned that action had been taken against other employees in the company following content that was seen in "group chats".

She suspects that they are collecting data from their wifi usage and using it to spy on personal information through several accounts. Is this illegal?

Fairwork is closed atm so we just want an opinion on workplace privacy.

Comments

        • +1

          @whooah1979:

          I disagree that the company has stolen the employee's data. The employees of their own free will entered this data into their company's pc

          By that reasoning, it is not stealing if an employee copies off all data from the terminal they are using and uses it however they like, including selling it to a competitor, because ultimately they were just accessing data the employer provided of their own free will.

        • @outlander:
          Poor comparison.

          Company resources are made available to the employee to further productivity of/for the company. Entering your private information into a network specifically designated for work purposes is surrendering that information as though it was in line with the agenda of the company.

          Confidential information belonging to the company is, again, made available to specific staff; it is not made available for incidental staff to take without permission and to sell. That would be stealing as it is very specific that it does not belong to the individual, and selling confidential information leading to financial loss would certainly be against company policy.

          In both instances, the employee is misappropriating company resources.

        • @tshow:

          Why is it guys like you are so in love with the system, and eagerly defend it every chance you get, even when it clearly crosses a line. Surely you must know that it's morally wrong for anyone to take advantage of a situation like this. One mistake does not beget another

          The only reason I can really think of is that you think that by seeing things from the point of the system, you can become a part of the system and share in that power and protection. Which I shouldn't have to tell you, is ridiculous

        • @outlander:
          I'm sorry to hear of your insecurities. I don't have a need to conform in hopes to be accepted. Clearly you have projected that onto me.

          Using company resources against company policy has its drawbacks. Surrendering information is one of them. The company shouldn't leverage that information, nor is it right for them to use that information to breach personal space. However, the information is there because it was surrendered.

          In OPs case, the company may have obtained log in information due to data logging. This information was lawfully obtained as the network belongs to the company.

          On the other hand, using that log in information to access the emails is not.

        • @tshow:

          That's very mature of you. And a complete and utter lie. Everyone conforms in some way, everyone desires acceptance. The ones that don't are the ones you'll find on the side of the footpath in the city, smoking drugs from dirty pipes and dressed in rags, because they just.don't.care.

          But why defend the rights of companies so vehemently then? Do you have a company yourself? Or do you plan to one day establish one, is that it..

        • @outlander:
          Anyone can extrapolate and exaggerate any circumstance until it becomes ludicrous. Of course I conform to a certain extent like anyone else. I don't walk around naked, I don't take a dump in the middle of the street, I don't steal fruit trees, but neither do you. So are we a conformist, cog of the great evil machine because we do not do that?

          The ones that are smoking dirty pipes and dressed in rags are not non-conformist liberated free spirits. They're bums and they are there because of cocktail of misfortune and laziness.

          I am not defending a company's rights vehemently, but more importantly, I am not trying to create rights and entitlements for an employee when it clearly shouldn't be. It has nothing to do with me owning a company, or a company owning me.

        • @tshow:

          I am not defending a company's rights vehemently, but more importantly, I am not trying to create rights and entitlements for an employee when it clearly shouldn't be. It has nothing to do with me owning a company, or a company owning me.

          Hmm. While I disagree with you on many points (cocktail of misfortune and laziness), my main problem is the direction you take.

          I think that companies should be affording as little rights as they need to function effectively, while it would appear you take the opposite stance. That is to say, it seems like you think companies should retain all rights, and employees should be given as little rights as possible to be able to effectively work. That is strange to me, because given the bulk majority of the population are employees, that is counter to your interests

        • @outlander:

          You vilify corporates as if their sole intent and reason for existence is to exploit employees. Corporates are businesses. They exist to make money as effectively as possible. Part of being effective is careful dispensation of resources.

          I don't think that companies should retain all rights, but they definitely should retain rights to their property; resources and infrastructure being central to that. I am very vocal against outsourcing low skilled jobs (not in support of high skilled either, but that is a different kettle). I have strong assertions against companies that victimize their employees and/or consumers. Companies controlling their resources hardly infringes on any of the aforementioned.

          You are starting to broaden your disapproval to all company rights. I am still speaking only of appropriation of company resources.

          Your views on popular majority and their impact on work ethics has more to do with government policy rather than workplace policy.

        • @tshow:

          Ahhh, now, I think, we're getting into the thick of it. Yes, that is a good definition, the kind you might find in a business school text book. I remember when I believed in that. At the time it seemed like a logical and precise idea, free of the muddy uncertainty you find in other human endeavors. I even thought I might start a business one day.

          'Business is an abstract concept, easily understood at its core, an idea that can be neatly put in a box' I thought. It acts with a singular purpose, which is to make money for its owners, and while it may not be morally good, the drive to constantly improve and grow leads to more efficient use of resources, cheaper products for its customers through competition, and jobs for people. It does not have a mind or voice of its own, but the people who think and speak for it are required to act in its best interests, and so in a way it always has the best mind and voice.

          That's what I thought. Now I see, that is an ideal, something that rarely plays out in the real world. It is as much a fantasy as the communist utopia.
          What is a corporate? It acts like a person, but it's not a person. It has a name and rights, but it has no physical body, no will of its own. Its body is how it exists in customers' minds. Its will is whatever the people controlling it say it is. A puppet. The idea that a group of people can come together and act as one entity is nice, but in practice everyone acts in their own interests, and leaders can't operate together. Really, in many ways a corporate is more akin to a mask, that a person, generally the CEO but everyone to an extent, wears.

          Now I can't say if this was the defining essence that was envisioned when the first company was created, but it certainly has been noticed as one of the more useful features of the concept. Individuals will try and get away with things while acting under the company name, which if they tried to do by themselves would be considered wrong and would earn them a bad reputation. And if they're caught? 'The company' claims ignorance, fires them and moves on. Because there's no one person, there's no one person to blame, and the lines of consequence become so scattered it takes a long time to figure out who's really responsible, by which time it's often too late.

          If we treated individuals like we do business, you could murder someone, claim your hand acted alone without your knowledge, cut it off and fit another one. They do a lot of good, I don't deny that, but the more rope you give companies they will try and hang you with it.

        • @outlander:
          What definition?

          I have never been to business school. I have no idea of this text book you speak of. I don't disagree that a business is an abstract concept nor do I disagree with your sentiments regarding a company (specifically a public listed one) not having any individual accountability, and by extension, no guilt.

          A faceless business is still going to stand for profit through efficiency. The collective of owners still collectively own the infrastructure and intellectual properties.

          Employees under the payroll are still workers in an environment with rules set up by the company within their legal boundaries (rules outside legalities can be ignored).

          This back and forth has digressed. Whilst I found it mostly harmless banter, I think focus is lost and the scope is broadening. That's not a bad thing given the platform this is, but it's not my cup of tea.

          To rope it all up - employees who enter information, any information, through the company network are subjecting themselves through an indiscriminate sieve. All information in that network is rightful property of the company. This is both morally acceptable (to myself and many others here) and within legal boundaries.

          What is outside the legal boundaries, and certainly outside moral ones (in line with my opinion and many others) is the use of the information to access personal information for non-work related reasons.

          No one has really touched on using the information to access personal information that is work related. That's a whole different can of worms and will probably be trialed in court on a per case basis.

          PS. To tie off my initial comment - using the company network for personal activity can be legally prohibited. Taking sensitive information and selling it to a competitor is downright immoral and illegal.

        • @tshow:

          Yeah I sorta gathered you were getting tired of it. So am I. I'm not here to change anyone's mind, so with no potential reward the effort of typing out concise replies starts to wear on me, and I resort to block text replies that get skipped over. Apologies for that. At least I found out your thought rationale, which almost exactly matches what I thought it would be, so it's been worthwhile to get confirmation at least.

          Ideas are like buildings, where each level of reasoning is built up on the level below. I don't think there's anything wrong with your thought building here, it seems robust and solid. It's the foundation that it's built upon that I take issue with. It appears solid enough from the outside, but when viewed from side on it's too thin. It'll support a small building just fine, you wouldn't notice the difference between it and something better, but as you build higher and higher the weaknesses of the foundation start to show, and your thought building requires special supports to compensate. That's what I have an issue with, your foundation. But if you rule that as irrelevant, I don't see any further logical arguments I can make.

          Employees should not be treated like slaves, given the 'right' to work. Mistakes and minor transgressions do not grant permission to be abused by individuals acting under company protection.

      • Company policy can do exactly that so long as they don't breach the Workplace Surveillance Act as well as other Privacy and Surveillance Acts.

        Australian law always trumps any company policy or whatever…not just the very limited acts you are mentioning.

        Just ask Apple and their troubles when claiming limited warranties ignoring consumer rights 3 or 4 years back.

        • Just ask Apple and their troubles when claiming limited warranties ignoring consumer rights 3 or 4 years back.

          i don't understand what apple warranties have to do with op.

        • @whooah1979:

          Because a few years back Apple tried to deny Australians their consumer rights referring to their policy and ignoring what the LAW actually says.

  • +2

    Company is probably breaking the law by doing this but I would never log into facebook or private email at work. Also remember they are probably checking browsing histories as well, so be careful what you search. Most companies also keep records of IM, so that is something to keep in mind as well.

  • Call bikies or the union. If you are in mining you get both together, CFMEU.

    • The two negs I've gotten so far are probably from Chris Corrigan and Peter Reith.

    • Thankfully some people positively voted. I really like hardlyworkin putting in a supporting vote. It's good to have solidarity with the wharfies on this.

  • +4

    As a Network Admin person myself, there are several ways this could happen. The most likely is just an opportunistic boss or IT person (I assume that your friend locks their computer, but even that varies by workplace) opening someone's browser and using their stored credentials. The vast majority of people stay logged into Facebook/email because they can't be bothered putting in passwords every time.
    There are other ways (such as monitoring to grab passwords as keystrokes etc), but I think it's a 90% chance they are just having a perve at your accounts from your workstation.
    If you are worried that your account has been compromised, just change your password.

    And stop looking at FB at work :P

    • Except OP has explicitly stated that his/her friend does not use it on her work terminal:

      She has not logged into Facebook using a browser at work in years.

      • +1

        probably still saved in the Browser from long ago and they haven't changed their password in a long time

      • So she gave the person her username and password. How else can one explain how this person has access to this information?

        In short, don't use the company computers for personal things.

      • Common for users to have their work passwords the same as their social media.

  • Avoid using work devices and wifi for anything remotely personal, you just never know despite the legal protections.

    And generally forget the appeal of "business" phones, just get your employer to pay you an ongoing allowance to use your own phone. Company phones can be rigged to monitor all sorts of information, unless you can be 100% sure your boss is not a creep it's just not worth it.

    • -1

      What question are you answering? The question was:

      She suspects that they are collecting data from their wifi usage and using it to spy on personal information through several accounts. Is this illegal?

      So why are you telling OP how to avoid what has already happened?

  • @SoBargainVerySave: Do you jump on the work wifi with your phone?
    If so, that probably explains your logins from work (FB App).

  • -2

    Only fools have a FB account, did you really think your boss wouldn't find you just to look at all that public info?

    Secondly fools use work computers for anything personal, and stay logged into these things. At best if you really must you should use incognito mode, login then out and kill all incog browser tabs etc.

    Lastly for all your stuff you should turn on 2FA (two factor authentication), so if anyone perhaps knows or guesses your password, they won't be able to beat the challenge where Google etc send a one time pin to your phone.

  • +1

    You're being spied on. The correct way to counter spying is to supply false information and wait for someone to act on it. If you get other people to spread a rumor that your wife and somebody else are working on something big, then create an email or Facebook message chain that says "meet me at lunchtime in the carpark I have a REALLY big secret about the boss to share", all you need to do is wait to see who follows her. That's a bad example, but you get the picture.

  • definitely illegal, i'd be sending that straight to HR using a throwaway email and VPN :)
    some stalkery mid-manager logging into the more attractive staff member's social and email accounts is super creeping at best, hacking possibly, not to mention them turning up at people's houses as he would also have address details and routines.

  • +1

    Is it possible that your work colleague logged into these accounts and forgot to log off? I know that I logged in about 1 year ago at work and it's been continually logged in ever since. I just checked my Facebook settings and I was still logged in on my partner's phone that I used on Safari over a month ago. It looks like Facebook doesn't automatically just log you out if it hasn't been used for some time. I checked my Gmail and it is the same. Could it be as simple as your work colleague forgot to log off on these accounts?

    • That page also gives you dates/times. It's one thing if it was years ago, it's another if it was last week, and she knows she hasn't used it then.

  • i don't know about the facts in the story, there could be something to it, but if she hasn't logged into her account in 'years' then her password must have been pinched 'years' ago and been used by her 'boss' or whatever for years, also the password must not have been changed in that time.

    need something much more solid than that.

  • +1

    I work in IT Security, so I thought I would throw my 2cents in.

    Yes, large enterprises and even small and medium enterprises proxy your connection. Proxy basically means that your computer does not access the website directly. You contact a proxy (a server). Typically when your computer contacts the proxy wanting to go to 'facebook.com' the proxy will then get the URL and compare it with a 'proxy policy' which basically says if you are allowed to access the requested website. If you are, then the proxy will create another connection to the web server. It will then download the webpage on your behalf and in most circumstances check the data for malware. If the website passes the malware check, it will then pass the website data to the end user's browser, where it gets displayed.

    The main reason for intercepting your traffic is for malware analysis and also logging/reporting of what you are doing. This is so management can see how much personal use you are using your computer for compared with business use. This isn't necessarily a negative. It may mean that you are using the Internet for work related tasks and the connection is slow, so they may pay to increase it. Typically though, it's for HR purposes.

    So how does this work with SSL/TLS or HTTPS websites? Pretty much the exact same process, the only difference is the client has an internal root and internal intermediate certificate installed in their local Windows certificate store. The proxy has another intermediate certificate and private key. So when the user goes to facebook.com, the proxy creates the SSL connection. Then creates another SSL connection with the client. So it's Client > SSL > Proxy then Proxy > SSL > Facebook.com. The client then uses the proxy certificate public key to encrypt data. It then gets decrypted by the proxy private key.

    Realistically, this system does not log everything. It can. But it is too expensive in compute and resources to do so.

    In regards to the OP, the easiest way is to put a keylogger on the PC which tracks all key strokes. But I highly doubt this happened. Tracking keystrokes is not illegal. Abusing the information that is collected, i.e. using it to access someone's Facebook, is illegal.
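
An added example, not part of the comment above: the Client > SSL > Proxy arrangement it describes is visible from the client, because the certificate presented for a site is issued by the internal CA rather than the site's usual public one. The sketch compares the issuer of a presented certificate against a baseline recorded on a network you trust; the sample certificates, the organisation names and the function names are constructed for illustration.

```python
import socket
import ssl

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# All names are placeholders, not observations from any real network.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R3"),),
    ),
}
SAMPLE_VIA_PROXY = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Corp IT"),),
        (("commonName", "Example Corp Web Proxy CA"),),
    ),
}


def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate that the local TLS stack validated.

    If the internal root is trusted on this machine, an intercepted
    connection validates normally and only the issuer differs. If it is
    not trusted, wrap_socket raises ssl.SSLCertVerificationError, which
    is itself a sign that something sits in the path.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_issuer(cert, baseline_orgs):
    """Compare the issuer organisation with a baseline set.

    baseline_orgs holds issuer organisations recorded for the same host
    from a network you trust (for example, mobile data).
    """
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName", "")
    return {
        "issuer_org": org,
        "issuer_cn": issuer.get("commonName", ""),
        "matches_baseline": org in baseline_orgs,
    }


if __name__ == "__main__":
    baseline = {"Example Public CA"}  # constructed baseline
    for label, cert in (("direct", SAMPLE_DIRECT), ("via proxy", SAMPLE_VIA_PROXY)):
        print(label, check_issuer(cert, baseline))
    # On a live network: check_issuer(fetch_peer_cert("www.example.com"), baseline)
```

A mismatch is a prompt to look at the certificate chain, not proof of interception on its own, since sites do change their public CA from time to time.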

    • back in the days when we still had some digital privacy. there was this software for windows that allowed the teachers to mirror the student's desktops and record it. i can't remember the name. is it still used nowadays?

      • There's tons of software available from recording your screen all day and uploading to a server to taking forensic copies of your hard drive remotely without you noticing a thing.

        In general the only thing we can't do is take your username and password and log into a system that is not work related.

        If you log onto Facebook and download a bunch of information, that information is stored on work property so is now visible to work IT. By the user initiating the download, they have given up their privacy to that information and only that information.

        Of course, this is only legal if there is a well written IT usage policy. But is still legal.

  • Some employees create traps and just wait for employers to snoop, I know 2 people who made the CIO beg and paid 100 of thousands of dollars for the fear of snooping in and privacy laws. Work it to your advantage, of course you need to be tech savvy as most of the IT admins I have seen are usually not the smartest of guys lol. If at all OP gets proof that a fellow colleague or boss have logged into an FIR can be lodged pretty quick and most workplace lawyers will guarantee you at least couple of 100 thousand in compensation unless of course you are working for state or federal govt

    • Good luck trying to prove that in court. All he has to do is deny it. So incredibly difficult to prove without reasonable doubt.

      • With FIR they can get records from Google and Facebook and link workstations and other browser fingerprints. As I said the snippets and admins are not always very smart, traces are left both ways. But no employer would want this to get the news out, that's the whole array of public fear and paying out couple of 100 thousand is pocket change

        • I now work in security but my background is in forensics. The problem isn't with confirming the computer accessed Facebook at a certain time. The problem is associating that to an identity aka a person. This is typically done by cross referencing CCTV footage with internet logs. Or potentially key card access with internet logs.

          The main problem is that Facebook and everyone else on the internet only sees your work IP address. So it could come from any computer. So Facebook etc cannot really help. And honestly they don't care.

          This is usually far too costly for an employee to do, $4k a day, up to 3 months investigation with no guarantee of a result.

          Also for the court to approve a warrant there needs to be evidence. The company is not going to give you the CCTV footage, key card access, or internet logs freely.

          The best thing is to get someone to admit they're guilty with an independent witness. But that also depends if you want it to be a civil or criminal matter.

        • @frazel: so how do the IT management get caught and pay out millions in fines ?

        • @regenade: do you have an example that made the news?

        • You keep mentioning couple of hundred of thousands of… Monies… As compensation.

          We need reference for this.

  • At my university, they had instant access to my university email. Just gave them my name, and they opened my email account to check some problem I was having. I thought that was over the top, but the IT guy just looked blankly at me when I pointed out the privacy issue.

    • That's why he is an IT Admin and not a security analyst or architect.

    • Yep, an Exchange/Office365 Admin has access to all mailboxes. I'm assuming Google Apps is the same.

  • Don't use Facebook, social media or personal email on any work PC. Really it is that simple.

  • Whenever I log into Gmail from somewhere else I always get a back up email to another account saying I'd logged in at a certain IP with a certain browser and some other additional info..It tells me the email is just a warning in case it wasn't me who logged in. So, it's not the 'two step' verification but I like it.

    But bottom line don't use the company's wifi or their PCs for personal ANYTHING. OR if you need to do it then use every kind of verification hoops so you can log into it.

  • Most likely mobile FB app is using WIFI at work and therefore is showing work location on the last login places.

  • +2

    Probably going to get a lot of down-votes.

    Shouldn't she be doing work during work hours?
    Is she allowed (company policy) to even access facebook at work?
    Why isn't she just using facebook on her phone during lunch?

    Not having a dig, just asking.

    • +1

      all your questions are reasonable.

  • +1

    changed the password and don't do it at work anymore? Just use mobile data
