OT: Employee 'Net Usage, proxy server, restrictions, legal, etc.

[Daniel A.]

Kevin Kinsey wrote:
> Hello, fellow FBSDers....
> 
> I've had two clients in the last month or so call and ask about
> limiting employee browsing (in addition to killing more spam, *sigh*)
> on their networks.
> 
> I've no problem implementing this sort of thing with Squid (just
> finished setting it up at home; don't want the kids to learn any
> four-letter words from the 'Net before the age of majority [wish
> me luck!]), but I wonder if anyone could share experiences/insight into
> the legal aspects, the employee dynamics and potential responses, other
> issues that may arise, etc., if we proxy all the browsers and start
> banning sites (or, in the contrary, only allowing business-related 
> sites) via a proxy server.
> 
> IANAL.  I also know that YANAL.  This won't be written up in any
> format other than "some experts agree that" 'foo'.*
> 
> Any thoughts?  TIA!
> 
> Kevin Kinsey
> DaleCo, S.P.
> 
> *Unless, of course, you just *have* to have credit, copyright, etc.
> OOPS!  Did I just say 'copyright' ?
> 
Hi Kevin,
there are AFAIK absolutely no legal restrictions in limiting an 
employee's access to the web in his working hours. The company decides 
what the person is (not) allowed to see on the web, because the company 
pays for
a) The Internet connection
b) The employees salary.

Limiting what users can see on the web is only problematic on the 
technical side of things. You can ban every website that contains the 
word "fuck" in them, but if the employee is motivated enough and is 
willing to attain the, relatively low, technical skills to bypass the 
filters - he will do it without any hassle.

You can either set up every machine on the network to use a proxy in the 
web browser, and then deny web access to any unregistered browser (even 
computer), which is the hardest thing to do but yet the most effective. 
This will not work if your employees are allowed to, or need to, connect 
a lot of their own networking devices to the network, in which case 
you'll need some department in your company which will "register" all 
allowed devices and configure them to use your proxy.

On the other hand, if the above case is true (A lot of "unknown" 
devices), then it is easier to set up a transparent proxy, in which any 
device regardless of its own configuration goes through the filtering proxy.

But this arises the problem with the motivated person - They can use yet 
another remote proxy (Tor, for example, or just a public proxy with 
encryption, or maybe they can even set up their own proxy server at 
home, or..., or...) to sneak around your filtering. This can be 
efficiently prevented by disallowing secure (encrypted) streams through 
your network, but THAT would be a very big mistake on your behalf. I 
cant stress my previous sentence enough - it would be a VERY big mistake.

The best way to prevent the employees from browsing "bad" sites on the 
web is to scratch down a clear company policy regarding web browsing in 
working hours. Write down some clear rules which state that any personal 
non-business related web surfing is disallowed, and most of your 
problems will just go away - Except for the few employees who are just 
not motivated enough to care; They are either expendable anyway or too 
important to let go over such a bagatel.

This is also the case with your kids, Kevin. I know it's none of my 
business, but I suggest that you either be proud if your kids find ways 
around your filtering (They're clever, and are more likely to know good 
from wrong. You've raised them right to think independently and 
responsibly!), or just have a talk with them about surfing the web, and 
tell them that you would prefer them to keep away from pornographic 
material on the web. Either way, if they want it enough, they will 
always find a way.

Hope you found my advise worth reading.
Kind regards,
Daniel A. Akulenok.