Getting user login details without his permission. Is it not illegal [closed]
up vote
-6
down vote
I work as a software engineer. In my current job, my boss has asked me to devise a way wherein all login details, like time of login, number of users logging in to the client application, are stored in our company database. I will have to track their logins and store them on our company server. Is that not illegal? It is morally wrong. I told the same to my boss; he said there is no problem with that. But common sense says it is illegal. Now the option for me would be to quit the job on this ground, which unfortunately I can't do as of now.
privacy legal
asked Mar 11 '15 at 4:51


ubaid ashraf masoody
closed as off-topic by yochannah, gnat, David K, IDrinkandIKnowThings, Jonast92 Mar 11 '15 at 15:47
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address only a specific company or position are of limited use to future visitors. Questions seeking legal advice should be directed to legal professionals. For more information, click here." – yochannah, gnat, David K, IDrinkandIKnowThings, Jonast92
If the company is working for a client and that product is developed by your company, then it's fine that you get and analyze every user track. Still, the better thing is to be honest and tell your client that we are tracking this. Also, did you ask your manager why we need to track that information?
– Helping Hands
Mar 11 '15 at 4:59
3
This just sounds like standard analytics that's performed for many (most?) products. If it's not mentioned in the relevant agreements/terms, that could be an issue, but wouldn't otherwise see this as an ethical problem.
– user2
Mar 11 '15 at 5:58
2
Illegal? Not in the US since the servers are the organization's property. Immoral - according to whom? The job of sys admins is to track users' access to company resources including confidential company resources. And the company has the right to know who is using its resources at any time. Most security break-ins are inside jobs.
– Vietnhi Phuvan
Mar 11 '15 at 9:20
1
You are asking "is it illegal". That's not a workplace related question then. If you say "I think it might be illegal. What do I do to make 100% sure my company doesn't ask me to do something illegal" or "This is illegal. What should I do" then it is workplace related.
– gnasher729
Mar 11 '15 at 9:29
2
> a way wherein all login details, like time of login, number of users logging in to the client application, are stored in our company database

BTW every Web server out there does exactly this. Every user who logs in is obviously logged at the server level. Every user who hits the Web server is logged as well, although there are laws in some regions (e.g. EU) regarding how long you are allowed to retain those records without anonymizing them. However, your situation involves only clients who have a login to the system (and who have implicitly agreed to be audited), so I don't understand the problem.
– Brandin
Mar 11 '15 at 12:58
3 Answers
up vote
10
down vote
> login details, like time of login, number of users logging in to the client application, are stored in our company database. I will have to track their logins and store them on our company server. Is that not illegal?

Assuming you aren't stealing passwords, then I see nothing illegal here. Storing login times and login attempts is pretty standard practice for many systems.
Most of those details may already be available in web server or application logs anyway. Importing them into a database may just make them easier to query and use. Sometimes such details are used to find out what is happening when under hacker or denial-of-service attack.
The details and numbers may even be required for auditing and/or billing purposes.
(For questions about legality in your particular locale, consult a lawyer)
> It is morally wrong. I told the same to my boss; he said there is no problem with that. But common sense says it is illegal.

I suppose anything is possible, but I think you are confused.
Perhaps you should have a longer conversation with your boss to understand why it isn't a problem. Perhaps this is part of the customer requirements. Perhaps you are imagining something being stored or used that isn't actually happening. Perhaps you just need more knowledge of local laws.
You might wish to check your common sense with that of your boss and your coworkers.
edited Mar 11 '15 at 12:39
answered Mar 11 '15 at 10:59


Joe Strazzere
up vote
5
down vote
What you are talking about is generally called auditing and is often done when logins to a system are involved. It can be important information related to security and billing in computer systems. If you access your bank website, you can be pretty much assured they have a log record indicating when you were on the system. In general, the auditing of any account that has login credentials is a routine component of an application with robust security. In fact it's required to meet certain security compliance protocols.
Legality of specific auditing methods may vary by country and legal experts should be consulted instead of posting a legal question on an opinion board like this. If your company has a legal department you can take your concerns to them or your company security team if such exists.
answered Mar 11 '15 at 5:53
KenB
up vote
0
down vote
What you should do, after telling your boss that you think it might be illegal, and your boss telling you that it is not illegal, is to ask your boss to confirm in writing that you had objections and that he decided that your objections are wrong.
This has two effects: First, if someone finds out, and it is indeed illegal, and people get sued, then you are off the hook (maybe not completely, but you are in a much better position). Second, if someone finds out, and it is indeed illegal, and people get sued, then your boss is in a much worse position because he cannot claim that he didn't know it was illegal, and the logging was done absolutely intentionally. If your boss has doubts but doesn't care very much, that increase in risk might change his mind.
If he refuses to sign such a statement, then you have a bigger problem and should ask another question.
BTW, it probably depends on the situation. If the users logging in are customers, then I would think that in many countries collecting information about customers beyond what is needed for the business would be illegal. For example, if Amazon kept track of who I am and how long I stay on their website. On the other hand, if the users are employees of the company, that would be different. It would be like checking whether the employees are sitting at their desks or are standing around the coffee machine.
A boss who asks you to deliberately collect passwords of customers deserves his kneecaps to be broken or worse.
1
The boss isn't asking OP to store the customers' passwords. OP is only being asked to store the login times, which is pretty normal these days. (Our very own Enthusiast & Fanatic badges work this way, for example.)
– Masked Man♦
Mar 11 '15 at 16:27
Also, no, you aren't off the hook just because your boss sent you an email saying "it's all ok." A company telling you to do something that you believe is illegal is no defense against going through with it. And, no, you aren't "in a better position." Actually you'd be in a worse position because it's now in writing that you thought it might be but went ahead anyway just because the boss said so. Lots of people have gone to jail for that.
– NotMe
Mar 11 '15 at 18:44
suggest improvements |Â
up vote
0
down vote
What you should do, after telling your boss that you think it might be illegal, and your boss telling you that it is not illegal, is to ask your boss to confirm in writing that you had objections and that he decided that your objections are wrong.
This has two effects: First, if someone finds out, and it is indeed illegal, and people get sued, then you are off the hook (maybe not completely, but you are in a much better position). Second, if someone finds out, and it is indeed illegal, and people get sued, then your boss is in a much worse position because he cannot claim that he didn't know it was illegal, and the logging was done absolutely intentional. If your boss has doubts but doesn't care very much, that increase in risk might change his mind.
If he refuses to sign such a statement, then you have a bigger problem and should ask another question.
BTW. It probably depends on the situation. If the users logging in are customers, then I would think that in many countries collecting information about customers beyond what is needed for the business would be illegal. For example, if Amazon kept track who I am and how long I stay on their website. On the other hand, if the users are employees of the company, that would be different. It would be like checking whether the employees are sitting at their desks or are standing around the coffee machine.
A boss who asks you to deliberately collect passwords of customers deserves his kneecaps to be broken or worse.
answered Mar 11 '15 at 9:39
gnasher729
1
The boss isn't asking OP to store the customers' passwords. OP is only being asked to store the login times, which is pretty normal these days. (Our very own Enthusiast & Fanatic badges work this way, for example.)
– Masked Man♦
Mar 11 '15 at 16:27
Also, no, you aren't off the hook just because your boss sent you an email saying "it's all ok." A company telling you to do something that you believe is illegal is no defense against going through with it. And, no, you aren't "in a better position." Actually you'd be in a worse position because it's now in writing that you thought it might be but went ahead anyway just because the boss said so. Lots of people have gone to jail for that.
– NotMe
Mar 11 '15 at 18:44
If the company is working for a client and that product is developed by your company, then it's fine that you get and analyze every user track. Still, the better thing is to be honest and tell your client that we are tracking this. Also, did you ask your manager why we need to track that information?
– Helping Hands
Mar 11 '15 at 4:59
3
This just sounds like standard analytics that's performed for many (most?) products. If it's not mentioned in the relevant agreements/terms, that could be an issue, but wouldn't otherwise see this as an ethical problem.
– user2
Mar 11 '15 at 5:58
2
Illegal? Not in the US since the servers are the organization's property. Immoral - according to whom? The job of sys admins is to track users' access to company resources including confidential company resources. And the company has the right to know who is using its resources at any time. Most security break-ins are inside jobs.
– Vietnhi Phuvan
Mar 11 '15 at 9:20
1
You are asking "is it illegal". That's not a workplace related question then. If you say "I think it might be illegal. What do I do to make 100% sure my company doesn't ask me to do something illegal" or "This is illegal. What should I do" then it is workplace related.
– gnasher729
Mar 11 '15 at 9:29
2
"a way wherein all login details, like time of login, number of users login in client application are stored in our company database" - BTW every Web server out there does exactly this. Every user who logs in is obviously logged at the server level. Every user who hits the Web server is logged as well, although there are laws in some regions (e.g. EU) regarding how long you are allowed to retain those records without anonymizing them. However your situation involves only clients who have a login to the system (and who have implicitly agreed to be audited), so I don't understand the problem
– Brandin
Mar 11 '15 at 12:58