The tell-tale signs of someone slacking off at work are usually Internet logs and slower productivity. But one German company took the unusual step of installing keyloggers on its employee’s work computers, resulting in it shitcanning one staffer for working on another firm’s computer game.
That employee subsequently sued, arguing the evidence gathered to justify firing him was gathered illegally. Germany’s Federal Labor Court agreed.
The court stated that the keylogger — which recorded every keystroke and stored it on a central server — was an excessive level of surveillance, and was an inappropriate and unlawful way of controlling employees. Although, as The Register pointed out, keyloggers can be “used legally if it was to root out evidence of a criminal or serious offense.”
Moonlighting during the business day does not fit that description.
For what it’s worth, the employee fessed up to working on the game — although he pointed out that the game was for his father’s company, and he only worked on it during his lunch hours, spending three hours over the course of four months.
Germany isn’t the only European country that’s taken a hard line against keyloggers. In 2013, a the French Data Protection Authority (CNIL) ruled that keyloggers represent a permanent state of monitoring of employees’ professional and private activities, and are therefore prohibited in the absence of a “strong business justification,” like preventing the disclosure of trade secrets.
Unfortunately, there is no EU-wide prohibition of keyloggers, leaving it to individual member nations to decide whether it is a practice they wish to permit or prohibit.
Elsewhere, in the US, the use of keyloggers as a tool to keep staffers in check exists in a bit of a legal gray area that varies from state-to-state, how the keyloggers are used, and how the data obtained is used.
However, it’s absolutely true that employees can (and have) sued their employers for using keyloggers to monitor them. One of most notable cases comes from Indiana.
In Rene v. G.F. Fishers, a woman took her bosses to court after they accessed her personal email and checking accounts, using credentials they obtained through a keylogger. Another case, State of New Hampshire v. Walters, saw key evidence excluded because it was obtained using a keylogger in violation of the state’s wiretap act.
I’m glad the German courts saw sense. Not least because capturing everyone’s keystrokes (like passwords) and storing them in plaintext in a single location seems like a bad idea from a security perspective. Oh, and it’s also really creepy too.