Jesus M. Salvo Jr. wrote:
Is placing a keylogger even legal, with or without the employee's knowledge ?
Some states have specific laws on "workplace surveillance". NSW does, but I'm not sure of the details because I live in SA.
It's dodgy in all states because you don't know what the employee is going to type. If they type a letter to their doctor (say about a workplace injury) then you are in deep trouble. Similarly if they converse with a lawyer. And similarly for ABS forms, union officals asking OH&S questions, WorkCover, and a whole mass of "privileged" conversations.
Then there are practical matters. If they enter a PIN number and their money later goes missing and they accuse you, just what is your defence? Hope you've got a good memory for where you were when for all the moments after you installed that keylogger and they typed that PIN.
In all the above scenarios, it doesn't matter if you have the employees' permission or not. The employee has given permission for logging, not for you to empty their bank account, eavesdrop on their medical consultations, etc. For some privileged conversations it's illegal to even ask to participate, so arguments that some boilerplate Message of the Day is sufficient permission turn into a Lose-Lose scenario [1].
And finally, what are you going to do with the logs? You've now got a massive duty of care (certainly a liability up to the employees bank balance, in the last example). You can't leave them on an Internet-connected computer, that would just be negligent. And how are you going to show that you destroyed the logs, when you do that. After all, no one's going to take you at your word that you destroyed them, in some circumstances they're going get a court order to take all your hard disks to make sure.
In short, keylogging your employees carries significant risks (eg, losing all your assets, since this would be a non-insurable event) and you should seek real legal advice.
Hopes this helps, Glen
[1] And if you've got employees under 18, just forget about any implied permission from a MOTD. You're asking the wrong person for permission. -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
