OT: Employee 'Net Usage, proxy server, restrictions, legal, etc.
Daniel A.
alive at dienub.org
Thu Jun 22 00:03:58 UTC 2006
Kevin Kinsey wrote:
> Hello, fellow FBSDers....
>
> I've had two clients in the last month or so call and ask about
> limiting employee browsing (in addition to killing more spam, *sigh*)
> on their networks.
>
> I've no problem implementing this sort of thing with Squid (just
> finished setting it up at home; don't want the kids to learn any
> four-letter words from the 'Net before the age of majority [wish
> me luck!]), but I wonder if anyone could share experiences/insight into
> the legal aspects, the employee dynamics and potential responses, other
> issues that may arise, etc., if we proxy all the browsers and start
> banning sites (or, in the contrary, only allowing business-related
> sites) via a proxy server.
>
> IANAL. I also know that YANAL. This won't be written up in any
> format other than "some experts agree that" 'foo'.*
>
> Any thoughts? TIA!
>
> Kevin Kinsey
> DaleCo, S.P.
>
> *Unless, of course, you just *have* to have credit, copyright, etc.
> OOPS! Did I just say 'copyright' ?
>
Hi Kevin,
there are AFAIK absolutely no legal restrictions in limiting an
employee's access to the web in his working hours. The company decides
what the person is (not) allowed to see on the web, because the company
pays for
a) The Internet connection
b) The employees salary.
Limiting what users can see on the web is only problematic on the
technical side of things. You can ban every website that contains the
word "fuck" in them, but if the employee is motivated enough and is
willing to attain the, relatively low, technical skills to bypass the
filters - he will do it without any hassle.
You can either set up every machine on the network to use a proxy in the
web browser, and then deny web access to any unregistered browser (even
computer), which is the hardest thing to do but yet the most effective.
This will not work if your employees are allowed to, or need to, connect
a lot of their own networking devices to the network, in which case
you'll need some department in your company which will "register" all
allowed devices and configure them to use your proxy.
On the other hand, if the above case is true (A lot of "unknown"
devices), then it is easier to set up a transparent proxy, in which any
device regardless of its own configuration goes through the filtering proxy.
But this arises the problem with the motivated person - They can use yet
another remote proxy (Tor, for example, or just a public proxy with
encryption, or maybe they can even set up their own proxy server at
home, or..., or...) to sneak around your filtering. This can be
efficiently prevented by disallowing secure (encrypted) streams through
your network, but THAT would be a very big mistake on your behalf. I
cant stress my previous sentence enough - it would be a VERY big mistake.
The best way to prevent the employees from browsing "bad" sites on the
web is to scratch down a clear company policy regarding web browsing in
working hours. Write down some clear rules which state that any personal
non-business related web surfing is disallowed, and most of your
problems will just go away - Except for the few employees who are just
not motivated enough to care; They are either expendable anyway or too
important to let go over such a bagatel.
This is also the case with your kids, Kevin. I know it's none of my
business, but I suggest that you either be proud if your kids find ways
around your filtering (They're clever, and are more likely to know good
from wrong. You've raised them right to think independently and
responsibly!), or just have a talk with them about surfing the web, and
tell them that you would prefer them to keep away from pornographic
material on the web. Either way, if they want it enough, they will
always find a way.
Hope you found my advise worth reading.
Kind regards,
Daniel A. Akulenok.
More information about the freebsd-chat
mailing list