back to article Sorry, psycho bosses, it's not OK to keylog your employees

Installing keylogging software on your employees' computers and using what you find to fire them is not OK, a German court has decided. In a decision (in German) last week, the Federal Labor Court looked at the case of a web developer at a media agency who was fired for developing a computer game for a different company while …

Page:

  1. Seajay#

    EPO not beholden to national laws

    WTF?

    Don't have to follow national laws on corporate governance, I can see that.

    Don't have to respect workers rights, erm why not? If those laws don't apply does that mean that EPO employees are like diplomatic staff. Can they ignore all local laws?

    1. Pascal Monett Silver badge
      Flame

      The real question

      I can almost understand a complete nutter stating that he is above the law. After all, he's a nutter.

      What I cannot understand is the total lack of smackdown that should logically follow from the competent authorities.

      When ICANN bluntly sets aside legal arguments with a "doesn't apply to us" attitude, the ICANN CEO should be taken by the neck and waterboarded until he is comes around to understanding that yes, it does effing apply to you, you cunt. Batistelli, same boat.

      The real issue is these nutters stating such things, then getting no comeback. That, in effect, makes their words true.

      And THAT really gets me.

      1. Horridbloke

        Re: The real question

        Good grief, yes.

        Working under a nutter is bad news. Conversely getting sacked by a nutter is both awesome and profitable.

      2. Someone Else Silver badge

        @ Pascal Monet -- Re: The real question

        I can almost understand a complete nutter stating that he is above the law. After all, he's a nutter.

        Of course. Exhibit A: The current American President.

        1. DougS Silver badge

          Re: @ Pascal Monet -- The real question

          Trump isn't saying he's above the law, he simply doesn't understand the law. There's a difference.

      3. Anonymous Coward
        Anonymous Coward

        Re: The real question

        The real question, doss windows 10 keylogging apply? If your company upgrades to the latest privacy invading release of Microsoft latest malware and spyware spew, is your emplorer liable?

    2. Inventor of the Marmite Laser Silver badge

      Re: EPO not beholden to national laws

      Whhhooo, goodie! Can I get a job and not pay national income tax "given its status as an international organization"

    3. Shoot Them Later

      Re: EPO not beholden to national laws

      International organisations enjoy quite a lot of immunity from local laws of the host coutnry, and this generally includes employment law and being sued. Various embassies have also used this immunity to avoid repurcussions for unfair dismissal of locally engaged staff. Here's an interesting piece on what anyone entering into a contract with an international organisation should be aware of: Why contracting with an international organisation is different.

      Here's the status of the EPO specifically. You can fire people as you like, but if you get caught speeding you will pay...

    4. Anonymous Coward
      Anonymous Coward

      Re: EPO not beholden to national laws

      "Can they ignore all local laws?"

      As regards employment, yep.

      The EPO was a classic case of a dysfunctional jobsworth type organisation where the employees were operating in "German union" mode. So basically no matter how useless or lazy someone is it was very hard to fire them or even to tell them how their job was to be done.

      That's why the EU bought in the new senior EPO management to kick some arse and ditch the unionisation / dated attitudes.

  2. Anonymous Coward
    Anonymous Coward

    and the boss wonders...

    Why we don't like using our corporate laptops...

    (For the record we have much beefier developer machines that we can set up ourselves with OS of choice)

    Annon. Natch.

  3. XSV1

    What if...

    I am curious if the court would have given the same ruling if the company had informed its staff that keylogging software had been installed.

    But then I suppose the situation wouldn't have arisen because the employee wouldn't have broken the rules he had known that he was being keylogged.

    1. lglethal Silver badge
      Thumb Up

      Re: What if...

      Germany is fantastic for personal privacy protection in the workplace. You're not allowed to film employee areas except for areas where money is being handled and the staff have to be informed beforehand about that sort of thing. Hell, in one Job I worked in, we need to film an assembly being done in order to verify that we had followed procedures on a very expensive build (space industry). The hoops we had to jump through to be allowed to do that were, as an employee, awesome. Including having clauses in the usage Guidelines which prevented bosses viewing the footage without representation being there, etc.

      Keyloggers would never get through any Works council worthy of the name...

      1. Anonymous Coward
        Anonymous Coward

        Re: What if...

        "You're not allowed to film employee areas except for areas where money is being handled"

        Complete bollox. Many German companies including ones I have worked for have CCTV cameras all over the place, and getting access to the footage as a manager wasn't particularly difficult.

        1. DougS Silver badge

          Re: What if...

          Perhaps the "employee areas" he said can't be filmed are places for the exclusive use of employees, like a breakroom? I can't see how you could make a law that employees can't be filmed anywhere. How would you handle say an antique shop if you wanted to have CCTV cameras to deter theft, if you couldn't film anything but the register because it might catch a view of employees?

          1. big_D Silver badge

            Re: What if...

            Public rooms are fine, private areas can't, generally, be filmed.

            One customer I dealt with (slaughter house) had CCTV on the production line, to ensure that carcasses that fell onto the floor were properly disposed of and not just re-hung on the line. That was for hygene reasons and they managed to get an "Ausnahmegenehmigung" (special dispensation) to use cameras. They had to inform employees and the cameras could only film the carcasses ont he conveyor system. They couldn't install cameras in non-production areas or employee changing and break areas.

      2. Kernel

        Re: What if...

        "Germany is fantastic for personal privacy protection in the workplace. You're not allowed to film employee areas except for areas where money is being handled and the staff have to be informed beforehand about that sort of thing. "

        Yep, in the company I work for, which has a worldwide presence, you're not allowed to record on-line meetings unless every attendee gives consent first - just in case there is someone from Germany attending.

        1. big_D Silver badge

          Re: What if...

          @Kernel yes, that is a legal requirement. Our new phone system could record conversations, but we disabled it by policy, because the rules are so compley about when and for what purposes a recording can be used.

          For example, if you say that the recording is for training purposes, you could not then use it in a court case against the customer, even if they said something that proved they are in the wrong or for employee disciplinary cases - as you explicitly said, that it was just for training, you can only use it for training, end of story. You must also give the caller the opportunity to disable the call recording.

    2. GrumpenKraut Silver badge

      Re: What if...

      > ...if the company had informed its staff...

      Still illegal (plus would defeat the purpose). Only with a suspicion based on hard facts you can (limited in time and coverage) do such a thing.

      Example: stuff gets stolen repeatedly in one office. Put a camera there.

    3. big_D Silver badge

      Re: What if...

      Even if they inform the employees, it is illegal to log their personal communications - they can only log official business communications...

      There is a slight workaround, because most email servers, like Exchange, can't differentiate between private, non line of business and line of business communications and therefore logs everything in unalterable form (legal requirement in Germany, all business related (sales, purchasing, customer / supplier contact, internal discussions over projects and customers etc.) have to be stored in unalterable for for 10 years). So it is okay to store those private messages (without reading them), if they have informed the employee that the email system is only for business use, that for regulatory reasons the email will be stored and therefore employees shouldn't use email for private messages.

      Again, even here, they cannot go snooping the emails, they can just store them, so that they are available if there is an audit and the emails are required (even emails the user deleted are stored in a regulatory/legal archive in Exchange, if the feature is turned on - not sure of the English name for the feature).

      Keylogging and monitoring web usage is however illegal, even if the employee is informed, as is reading employees email. As said, by the court, there are exceptions, if the company believes that an employee is doing something illegal, for example.

  4. Codysydney

    Many companies quietly slip spyware on their machines. E.G. Mandiant products. They're SUPPOSED to be for analysis of malware and forensics etc, but seeing as they can silently take whatever info they want off your machine without you knowing, I tend to break them with NTFS permissions.

    1. GrumpenKraut Silver badge
      Big Brother

      > ...slip spyware on their machines...

      Also popular: company "firewall" being one big effing man in the middle.

      That one _should_ be illegal, dunno whether it is.

      1. Adam 52 Silver badge

        "That one _should_ be illegal, dunno whether it is."

        My personal view is that it's a huge great trademark violation; they generate a cert purporting to be a brand that they aren't.

        There's also a false impression of privacy by deception, if you want to go data protection/human rights.

        Can't see any regulator taking action though.

        In my opinion it all boils down to whether that green padlock gives a reasonable expectation of privacy even though there's a policy allowing monitoring. The English courts have tended to be sympathetic to employees (uncharacteristically). In theory the ECHR decision in favour of Romania only means that there's no additional safety net and the previous English decisions stand, but it's hard to see a court not being influenced by it.

  5. John Crisp

    Play the game

    Sorry but I'd take my chances and sack them.

    If you want to do your own work then do it in your own time, not mine.

    Or start your own company and piss about as much as you like.

    Day 1 lecture. Use it but don't abuse it, or you are out.

    (Note I don't run any specific logging as I believe you have to trust your staff. I may enable it if I suspect someone is up to no good)

    1. A K Stiles

      Re: Play the game

      Not my downvote, but if you read the article the guy said it was done on his own time (his breaks are his time), and the lawsuit wasn't about whether he could or not but that the way they had gathered the evidence was against the law, and without their illegal actions they consequently would have had no grounds for dismissing him.

      1. John Crisp

        Re: Play the game

        In my business they read and accept the IT policy on day one. Abuse is a dismissable offence. It's quite clear.

        I have no issue if they do their own stuff in their breaks.

        So, his own time, on his own equipment, and his own connection.

        It's quite simple.

    2. Solarflare

      Re: Play the game

      Very American viewpoint there...

      1. Andrew Moore Silver badge

        Re: Play the game

        Indeed- and we are talking about a country that expects you to give up your own time to attend breakfast and weekend meetings...

    3. Ben Tasker Silver badge

      Re: Play the game

      So he'd been a good employee for years, then spent a few hours, spread over the course of months on a personal project and you'd sack him?

      Well done, you just lost years of experience and a good worker for no good reason (and are going to have to pay recruitment and training costs for his replacement). Had you instead talked to him to give him a warning you'd have kept that experience and skillset, avoided the replacement costs, and he'd probably not have repeated the behaviour once he knew how seriously you viewed it.

      I'll never understand the mindset of those who think firing should be the primary course of action following a mistake. You might feel right and just doing it, but 99% of the time what you're actually doing is hurting the business.

      1. Will Godfrey Silver badge
        Unhappy

        Re: Play the game

        Part of the problem is that many bosses don't recognise that a break is the employees own time. I've lost count of the times I've been asked 'just a quick' question when I had a mouthful of food.

        Also, I can remember when I used to be able to investigate interesting stuff during my lunch break, that had no connection with work. These days half an hour at the computer during lunch would elicit a stream of questions.

        The sad part is that what I was learning for my own benefit would often later turn out to be useful for a company project.

        1. ratfox Silver badge

          Re: Play the game

          I think it's fine to have a few work questions during my breaks, the same way I think it's fine to answer a call from my wife while I'm working. If I really want a complete break, I'd probably hide myself in a corner or leave the building.

          Ideally, your work should be judged by its output, and not by the amount of hours you spend at your desk. But if it's the latter, then doing something else at your desk enters a grey area, because it's not clear if you're working or not... Unless you are also marking down your hours in a timesheet (bleargh).

          Regarding this particular case, I think the employer is allowed to say that while at work, at your desk, you shouldn't work for other companies. But using keylogging to catch trespassers goes too far, and that seems indeed what the court said was the problem.

          1. Anonymous Coward
            Anonymous Coward

            Re: Play the game

            My company doesn't check carefully what I do at what time of the day. But they claim ownership by default of everything I produce. If I want to work during my free time for a pet project, I should in principle ask for an exemption.

            In practice, people don't pay close attention and do whatever they want, and the company doesn't complain until they go overboard... It's just that they decide when that happens.

      2. JimC Silver badge

        Re: So he'd been a good employee

        I think the smart money is that he *wasn't* regarded as a good employee for one reason or another, and they were quite happy to find what looked like good cause to give him the elbow.

        Isn't it rather naive to assume that the legal justification for dismissing someone (or not quite legal in this case) is likely to be the actual reason they want someone out of the door? I can think of two or three cases in a place where I used to work where allegations of some sort of misconduct were blatantly really a way to try and get rid of someone whose face no longer fitted.

        1. Ben Tasker Silver badge

          Re: So he'd been a good employee

          Isn't it rather naive to assume that the legal justification for dismissing someone (or not quite legal in this case) is likely to be the actual reason they want someone out of the door? I can think of two or three cases in a place where I used to work where allegations of some sort of misconduct were blatantly really a way to try and get rid of someone whose face no longer fitted.

          You're right, I made the assumption that he was fired on that basis alone.

          That said, if you're trying to get rid of someone and need to find an excuse, then you really need to examine the legitimacy of your own actions. There's a vast range of reasons you can dismiss someone, and if your reasoning doesn't fit those then there's a good chance you actually deserve an unfair dismissal claim.

          Most of those protections are there to protect us as workers. You can't simply turn a blind eye to shitty behaviour because it's directed at someone you don't like. Are they doing the job they're paid to do? Are they preventing others from doing the same, or otherwise harming the business? If the answer to those is yes, no then by trying to find an excuse to sack them the only justification that you likely have is that you yourself are a cunt. If they're not doing their job (or preventing others etc) then theres a procedure to follow and then they're gone. Keep in mind you can still use that procedure for "there've been complaints that you act like an arrogant arse"

          We've all worked with people we wish would just go, but if you look at it closely, removing someones livelihood just because you don't particularly like them is a shitty and indefensible thing to do.

          So as far as this case goes, he probably had been a good employee for years, at least in terms of anything with legal relevance. He may have been a complete dick at the same time, but if his employer simply used this as an excuse to get rid of him then they've outdicked him.

          1. MonkeyCee Silver badge

            Re: So he'd been a good employee

            What Ben Tasker said.

            If you own the company in a place you can dismiss people on the spot, then that's both your right and 100% your call.

            However if someone has been there for 4 years and is productive for the company, then good management is to help this person improve rather than kick then out. In cases of petty misconduct (~15 hours of personal use of work machine on company time) a formal talking too might be in order, written warning if you feel the need to bring the hammer down and maybe a final warning if you're setting someone up for the chop.

            People are also motivated to change if it affects their livelihood. Use that as a carrot rather than a stick . If someone really isn't wanted, find another way to make it work. Part time, remote work, come back as a contractor, take some leave or cut a cheque and part ways amicably so that down the road their skills are available, rather than belonging to an angry ex :)

            Your competitors are also not stupid. One good dicking deserves another.

            TL&DR

            Management is about improving their workers. Being a dick may cause blowback.

          2. JimC Silver badge

            Re: simply used this as an excuse to get rid of him

            I wasn't defending the practice, simply pointing it out.

            I've seen it happen in a large organisation amongst the executives elbowing their way up the greasy pole. New big boss wants to get his own people in and is also keen to reduce costs, so is looking for anything that will serve to clear some space in the org chart without the expense of paying people off or moving them sideways into non-jobs. A nice allegation of bullying, sexual harassment or something will serve to put someone on ice and sideline them relatively cheaply, and with any luck they'll find a new job and move on by the time the endless tribunals and procedures have gone through...

            After all the victim will want to keep the whole thing quiet just as much as the victimiser, because they don't want to get labelled by the 'no smoke without fire' brigade, especially if the allegation is somewhere in the currently fashionable array of offences that weren't considered offences when they happened...

      3. John Crisp

        Re: Play the game

        "I'll never understand the mindset of those who think firing should be the primary course of action following a mistake. You might feel right and just doing it, but 99% of the time what you're actually doing is hurting the business."

        It's because if he is doing it my time, on my gear, then he is effectively stealing from me.

        That is hurting my business.

        However good he (or she) may be, that's something I don't tolerate.

        And they were warned on day one.

    4. Doctor Syntax Silver badge

      Re: Play the game

      "Sorry but I'd take my chances and sack them."

      Did you read the article? That's just what they did do and it didn't work out well for them.

    5. Steve Evans

      Re: Play the game

      It wasn't so much what he was sacked for than the way they discovered his "indiscretion" that caused this case.

      If the boss had walked round the corner to talk to the programmer, and seen his desktop covered in game developing software, there wouldn't have been any problem... Misconduct, misuse of company equipment, don't let the door hit you on the way out.

      Germany is big on personal privacy, for well known historical reasons. They get a bit jumpy when those above start looking at the behaviour of individuals too closely.

    6. FuzzyWuzzys Silver badge
      Facepalm

      Re: Play the game

      Which is why I would never wish to work for a cretin like you who does not appreciate staff and their multitude talents.

      I couldn't agree more, when there's work to be done I don't want to turn around and see you looking up sofas on the DFS website but if it's a quiet Friday afternoon and you've fired up a VM on your PC to learn something about some new technology that I know will benefit the knowledge pool in our team I'd gladly see if I can get your a beefier machine for testing and might even ask if you'd like to do a small presentation on what you've learned to see if we can use the new tech.

      People have a ton of talent hidden that they rarely share, there are artists, organisers, etc. I know quite a few people who run youth groups in their spare time, that talent for organising kids is very useful. I know people who are musicians and photographers, very talented ones, they're very good are taking basic ideas and turning them into something blindingly useful. If you cut these people some slack for an hour at lunchtime while they organise their outside interests, they feel better, they're less stresses and their ready to plow back into the work during the afternoon with a much better frame of mind.

      You stamp all over that sort of thing and you will end up with a load of simple minded drones who will slowly drive you mad, they will either be too stupid or too afraid to step outside the requirements, either way you can kiss your management bonus goodbye at the end of the year as your team wallows in the doldums of obscurity.

    7. John Brown (no body) Silver badge

      Re: Play the game

      "(Note I don't run any specific logging as I believe you have to trust your staff. I may enable it if I suspect someone is up to no good)"

      So you already have it installed and ready go then? Wow! Not the sort of environment I would want to work in.

  6. David Roberts Silver badge
    Black Helicopters

    This seems similar to the global snooping (encryption) issue.

    I may be wrong but it seems that the illegal thing the employers did was to use keylogger information where it was inappropriate. Firing someone for a minor infraction.

    There are caveats in the article about keylogging and criminal activity.

    So is it acceptable to, for example, log everything but not look unless you have other evidence that something illegal may be happening?[1]

    Or can you (as I think is the case in the UK) gather evidence illegally then use that as a basis for further legally sanctioned investigation?

    Note for left pondians: there is no concept of "fruit of the poisonous tree" in UK law.

    [1] We really, really promise that we won't just look at everything from everyone because "terrism".

    1. Anonymous Coward
      Anonymous Coward

      Re: This seems similar to the global snooping (encryption) issue.

      The idea that evidence that was obtained illegally should be deemed magically "invalid" is utterly mad and it amazes me that so many people seem to accept this bizarre idea. You want murderers released into the community because an incompetent (or perhaps corrupt) policeman didn't follow the correct procedure? This has really happened, of course, but only in countries with stupid legal systems. In any sensible country they'd first prosecute the murderer, using *all* the available evidence, however obtained, then prosecute the incompetent/corrupt policemen.

      Yes, of course you have to take into account the incompetence/corruption while evaluating the evidence, but that's an entirely different matter from excluding the evidence altogether.

      1. Charles 9 Silver badge

        Re: This seems similar to the global snooping (encryption) issue.

        In the US, we call the principle "Fruit of the Poisoned Tree". If evidence was obtained illegally, then ANY subsequent evidence that the one piece led to must be thrown out as well. Meaning, if the tainted evidence was the linchpin of your case, you just lost your case. Now, if you have other evidence to present, you can still present it, but because juries cannot UN-learn something they weren't supposed to learn (thus creating uncorrectable bias and thus tainting the entire jury), illegal evidence can present grounds for a mistrial.

        1. JimC Silver badge

          Re: Fruit of the poisoned tree

          Which is fine if the prime purpose of the legal system is an expensive competition between lawyers - which admittedly is one description of at least your civil law system over that side of the pond.

          But if the point of the legal system is to accurately determine who is guilty and who isn't, then discarding evidence seems to be somewhat counter-intuitive.

          1. David Nash Silver badge

            Re: Fruit of the poisoned tree

            What @JimC said.

            Illegally obtained evidence does not mean it's not evidence. And does not introduce any "reasonable doubt" purely on that basis. So it should not be ignored.

            That's not to say that rule breaches shouldn't be followed up strongly. The rules are there for a reason.

            But evidence is evidence. If I trespassed on your property and saw you stabbing someone, does it mean that it didn't happen because I shouldn't have been there?

            1. This post has been deleted by its author

            2. Someone Else Silver badge

              Re: Fruit of the poisoned tree

              But evidence is evidence.

              Except when it's not.

              In this longitude, one is still (statutorily, at least) presumed innocent until proven guilty. In order to prove one's guilt the Powers That Be must present evidence. And one cannot prove guilt with illegally obtained evidence. Therefore, illegally obtained "evidence" is not evidence.

              Hope that's clear for you.

            3. Charles 9 Silver badge

              Re: Fruit of the poisoned tree

              "But evidence is evidence. If I trespassed on your property and saw you stabbing someone, does it mean that it didn't happen because I shouldn't have been there?"

              That's not considered Fruit of the Poisoned Tree. It covers police procedure in that they have to play things by the book. That means they can't seize evidence without proper authorization (such as a search warrant or acting in the immediate context of an arrest), interviews can only be conducted after the speaker is fully aware of his/her rights (the Miranda decision et al), and so on.

              To understand it a little better, consider the Adam-12 episode "Courtroom" (Season 2, episode 9; Adam-12 is well-recognized for its attention to realism). A man was arrested in his house for outstanding traffic warrants, but during the follow-up, an illegal pill mill was discovered and confiscated. Since the confiscation was not germane to the original arrest (and a search warrant was not obtained to confiscate it properly), the evidence was declared inadmissible due to Fruit of the Poisoned Tree, and the case of illegal drug manufacturing was subsequently dismissed.

          2. MonkeyCee Silver badge

            Re: Fruit of the poisoned tree

            "But if the point of the legal system is to accurately determine who is guilty and who isn't, then discarding evidence seems to be somewhat counter-intuitive."

            But if it's been obtained illegally, it may not in fact be evidence. The whole point of chain of evidence is that it's not been tampered with. If it is obtained in a fashion not in line with the rules governing evidence, then it is invalid from the first.

            At what point to you draw the line? Are we allowed to torture suspects to make them confess, since that is also illegally obtained evidence? How about entrapment? Or evidence tampering, because a cop *knows* you are guilty?

            Almost always the difference between legally gathered and illegally gathered evidence is whether the police presented evidence to the courts that would justify a warrant *before* doing the search. That the cops will avoid this if they can is perceived by the judiciary as them attempting to circumvent certain checks and balances, which is why it will often get a severe reprimand.

            While TV and Hollywood like to present court cases as being very clear cut, with irrefutable evidence and no contradictions, almost always there are at least some things that do not completely line up. Hence why a jury or magistrate has to weigh the evidence and testimony and decide from there.

            1. JimC Silver badge

              Re: But if it's been obtained illegally, it may not in fact be evidence

              Aren't you conflating two separate, if related issues there? It is of course vitally important to establish the accuracy of evidence, but there seems no especial reason why legally gathered must always be truthful and reliable, and illegally gathered evidence automatically unreliable or misleading.

              I'm quite sure that a depressing number of trials end up with the wrong verdict even if every scrap of evidence has been gathered in strict obedience to the rules. It may be that prosecutions who break the rules of gathering evidence are also more liable to fabricate evidence, but association isn't causation.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019