Thoughts on Keyloggers
Here’s some writing I had to do for an assignment in my Information Security class.. Long time belated post I know..
While I don’t disagree with the idea of keylogging on company computers per se, I do feel that it opens up so many legal liabilities that no sane legal counsel would ever sign off on the idea. I can think of multiple security and legal implications surrounding it.
Many of the earlier comments have stated that they would support keylogging in businesses, provided that the company told their employee’s that it was occurring. What some of those who commented may not realize is they may have consented themselves to keylogging on company computers without being explicitly notified of it. Most employees are required to sign an Acceptable Use Policy (AUP) as a part of their new-hire paperwork when their job description requires the use of a computer or internet access. Most AUPs contain wording such as “by using this system, your actions may be monitored or recorded” and keystroke logging would definitely be covered under that clause.
Many also commented that using keylogging would help to reduce the amount of time that employees would spend using the computer for non-work activities. While this may be true in some cases, the inverse also occurs. Once employees are aware that they are being actively monitored they either chose to quit screwing around or to try to evade the monitoring. Trying to evade the monitoring results in the employee wasting even more time than he/she was before, and usually leads to either voluntary or involuntary termination of the employee. Another important point to remember is that employees have long used company time to take care of personal business before computers were ever used, whether it be a personal phone call or reading the newspaper. This is just a fact that most employers have come to accept.
Another major issue with keylogging I see is regulating access to and securing the logs. Who, if anyone, reads the logs on a regular basis? If they aren’t regularly monitored, than why keep them at all? Keeping them for any significant period of time exposes the company to legal liability, being that the logs would be fair play during legal discovery. If the logs were regularly monitored, the person charged with the responsibility so doing so would most likely be a lowly paid intern or new employee. These employees would be able to read all the information entered into the company’s computers, some of which may be sensitive or confidential in nature. These employees, because of their low spot on the totem poll, could easily leak information to competitors or the press and profit greatly from it.
Keyloggers could be beneficial in gaining additional information on a subject during an already on-going investigation, but the signal-to-noise ratio of blanket logging would bring the likelihood of uncovering devious activities relatively impossible.
Long entry short, keyloggers equal a bad idea in my book. Their disadvantages greatly outnumber their advantages in my book and although they may look like a great way to cure employee time wasting, but after a careful analysis, the cost-benefit just doesn’t seem to be there in my opinion.
related post
Tagged as Security, Sysadmin, Technology + Categorized as School, Technology