The use of Keyloggers by employers is becoming commonplace. As an employer, you should be asking, what is a Keylogger? Is it legal to monitor my workforce, and, should I be monitoring my employees?
A Keylogger is a computer program designed to record every action on a personal computer. This not only includes every keystroke, but also every website visited, every email read or sent, every password entered, and any applications or programs run on the PC.
In examining U.S. law in this area, it has been noted that there is no federal statutory framework which covers the use of Keyloggers by employers. The Electronic Communication Privacy Act (ECPA), the Federal Wiretap Act (FWA) and the Stored Communication Act (SCA), all of which could reach Keylogger activity, have never been extended to protect computer privacy in the workplace, or even in the home.
So, while judicial interpretation of the ECPA has broadened its scope, it still does not reach Keylogger technology. As a result of that legislative gap, state courts have searched their own legislative schemes in an attempt to protect the privacy of computer operators.
For instance, a federal court in Indiana heard a case in which a woman was authorized by her employer to access her personal checking and email accounts from her work computer. The employer failed to notify her that they had installed Keylogger software on her work computer. Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090 (S. Ind. 2011)
The employer used the password discovered through the Keylogger software, and reviewed both her personal email and checking account history. There were several emails between company management, discussing the contents of those histories.
Importantly for employers, the federal court ruled that the FWA was inapplicable, because the keystrokes recorded by the Keylogger software remained on the PC, and were never transmitted through interstate commerce.
The court, however, went on to review whether the employer’s conduct violated the state of Indiana’s wiretap act. The court noted that the Indiana statute does not include the requirement that the communication be intercepted through interstate commerce, and, therefore, held that the state wiretap law was applicable to Rene’s claim.
Additionally, the federal court ruled that the Stored Communications Act, was also applicable to Rene’s claim. The Keylogger information itself, which included passwords, opened emails and viewed webpages, did not infringe on the Act. However, the employer’s conduct in using the passwords to review Rene’s histories (stored communications) would be covered by the SCA.
Other states have held that the use of a Keylogger violates state privacy laws. In a New Hampshire decision, a court held that obtaining a password through use of a Keylogger, and then using the password to access the computer user’s email history does violate the state’s wiretap act. In State of New Hampshire v. Walters, the court excluded any evidence related to emails which were uncovered by the former housemate of the defendant, because the emails were obtained in violation of the wiretap act which protects privacy from illegal interception of wire communications.
The WPA is a criminal wiretapping law, so it is no surprise that the use of a Keylogger by an employer can be prosecuted. In Ropp v. United States, 347 F.Supp.2d 831 (CD Cal. 2004), a California federal court considered whether an employer’s use of a Keylogger could violate the criminal provisions of the WPA.
Ropp, worked as a manager for an insurance company and installed a Keylogger on the computer of one of his subordinates. The court began its inquiry by noting that the WPA affords greater privacy protection to wire and oral communications as opposed to electronic communications.
The federal court dismissed the indictment against Ropp, finding the Keylogger only intercepted internal communications between the keyboard and the CPU, as opposed to the signal being intercepted on transmission to the company’s network, which was attached to interstate commerce.
The Ropp decision, however, did not put the issue to rest in California. In Brahmana v. Lembo(N.D. Cal. 2011), the federal court questioned Ropp’s restrictive interpretation of the definition of electronic communications found in the WPA.
Brahmana was a sales manager for a VOIP company located in Silicon Valley. Brahmana discovered that emails he had sent on his work computer had been read by the company president through a Keylogger which was installed on Brahmana’s computer. In light of the fact that the keystrokes had been read over the company’s network, the court concluded that there were sufficient facts to allow the case to proceed through discovery as the network might have affected interstate commerce.
We started this discussion by asking what a Keylogger is. The Keylogger in Ropp was actually a machine which recorded the keystrokes of a PC’s keyboard as they were traveling from the keyboard to the PC. In Brahmana, the Keylogger was a network analyzer, which records all the activity of a PC through a network connection to a server. The advancement of Keylogger technology probably puts it squarely within the prohibitions of the ECPA and WPA.
The second question was whether the use of a Keylogger by an employer is illegal. Here’s a list of points to ensure that the employer’s use of a Keylogger stays within both state and federal law:
- As the workplace PC is the employer’s property, the employer may install a Keylogger on an employee’s PC without concern for trespass.
- Use of a networked Keylogger probably violates federal and state privacy and wiretap laws and requires the consent of the monitored employee. An employer should disseminate a policy stating that all employee work stations are monitored and have the employee acknowledge receipt of that policy. This will satisfy the consent requirement to take the monitoring outside of the wiretap laws.
- An employer should not allow anyone access to passwords for an employee’s private accounts which are recovered through use of the Keylogger. Under no circumstances should an employer use the passwords to browse the employee’s private account history. To do so risks a serious civil damage recovery under the Stored Communications Act.
This takes us to the last question, should you, as an employer, be monitoring your employees through use of a Keylogger.
This question is answered with a resounding, “YES”.
In the risk management arena, there are too many potential liabilities carried by providing employees with unlimited network and internet access. These liabilities include:
• Damage to Business – making sure communications with persons outside your company are correct, polite and consistent with your business goals
• Risk Management – monitoring for potentially abusive behavior, such as sexual harassment, bullying or racial hate speech
• Trade Secret or Data Theft – keeping watch for the loss of important company secrets and data
• Illegal Behavior – such as workplace theft, embezzlement and drug abuse
• Productivity – the internet and computers can be time-wasters. Even if you block Facebook, there are other time-wasting websites, games and other forms of entertainment which can seriously impact on productivity.
• Loyalty – is one of your key staff members loyal, or plotting to knife you in the back?
In light of these liabilities, it almost seems like use of Keyloggers in the workplace by should be mandatory. Just make sure to keep within the law, by publicizing and receiving acknowledgement of your monitoring policy, keeping the persons with access to the Keylogger data to an absolute minimum, and never using any private passwords obtained from the Keylogger to access the employee’s private accounts.