BA spied on staff


TizerTheAppetizer
27th Feb 2015, 21:09
British Airways spying scandal: How the world's most famous airline spied on its own staff - Home News - UK - The Independent (http://www.independent.co.uk/news/uk/home-news/british-airways-spying-scandal-how-the-worlds-most-famous-airline-spied-on-its-own-staff-10076738.html)

Airclues
27th Feb 2015, 21:53
BA, now part of International Airlines Group (IAG), maintained that as it owned the computers and mobile phones used by many of its staff, it had been acting entirely within the law when it took the decision to “monitor” communications of some staff.

Is it not common for companies to monitor communications on company owned computers?

Romeo Hotel
27th Feb 2015, 22:19
Really is murky territory and the law needs to be more transparent. I've always been of the mindset that company property (phones, laptops and tablets) should be treated with caution.

Anything I want to keep to myself or private has been used on my own devices. Sad state of affairs nowadays where you can't trust any organisation. Have a feeling we will see much more of this over the coming years.

Intruder
27th Feb 2015, 22:23
Yes, it is. OTOH, BA did NOT say it monitored ONLY company-owned computers and phones. I suspect that if it had, it would not have paid out any money...

highflyer40
27th Feb 2015, 22:36
If they had the facility to listen in or eavesdrop do you not think they would be remiss to not do so on a company phone? It's theirs to do with as they please. You do company business on a company phone. You do personal/union business on personal phones... End of!

wiggy
28th Feb 2015, 05:38
I've always been of the mindset that company property (phones, laptops and tablets) should be treated with caution.

Likewise.

Anything I want to keep to myself or private has been used on my own devices.

Unfortunately in the UK even work related information handled in that manner can end up in the company's hands..not through interception but by virtue of the legal process surrounding an Industrial dispute, as the BALPA reps involved in the "Open Skies" dispute found out. Maybe the UNITE reps should have learnt from that slip up.....

This was not posted from my company iPad or from on company property :E

SLFguy
28th Feb 2015, 05:50
It's theirs to do with as they please.

Absolutely 100% false.

RAT 5
28th Feb 2015, 06:19
Did BA advise/warn staff that monitoring was a possibility? Surely if it was their intention then staff should have been told. Does the same apply to desk-tops in offices? One hears stories throughout the office world of how much surfing is done by staff during the working day. It could be during lunch/break times, but it is still on company equipment.
It's not quite so simple. Thus it needs to be clarified. Think what the reaction was to the idea of cockpit cameras. This isn't quite the same, but people like to protect privacy, but as others have said why not separate private and company toys.

A and C
28th Feb 2015, 06:59
I do know of a case of phone bugging within the NHS, a doctor had his hospital internal phone bugged by the management. It would seem that this is not illegal as long as it is only the internal phone.

What followed was legal action by the BMA on patient confidentiality issues, it never got as far as court but the NHS manager was fired and the doctor was paid a great deal of money to take early retirement.

My guess is BA found themselves in the same grey area and decided not to take the risk of getting this into the public eye with a court case that they might not win (despite not having to contend with the doctor's rock solid confidentiality issues)

pulse1
28th Feb 2015, 07:39
One hears stories throughout the office world of how much surfing is done by staff during the working day.

Am I the only one who has noticed how much more active Pprune is during the working week?:hmm:

BEA 71
28th Feb 2015, 08:28
To my knowledge the company always had the right to monitor individuals who were using company equipment, particularly computers, as far as I remember, it was strictly forbidden to use SITA, later e-mail, for private use. For the latter there were good reasons, particularly during the Christmas season when " artists " created illustrated messages. The right to monitor was never put in question. It was not allowed to monitor external calls if the line was a telecom ( public ) line, it could only be tapped by court order and only by the police.

beamender99
28th Feb 2015, 13:35
My understanding was that simply..
Is what you are using the computer/communications for part of your role?
If not, were you instructed to do so by a superior?
Otherwise your actions are not allowed.

Local variation might be allowed. e.g. surfing during lunch break.

It was also suggested that would you be happy for anything you have typed be on public display ? e.g. comments about a customer .

FrequentSLF
28th Feb 2015, 14:09
Who cares if they spied... seems that is in on the wrong thread and on the wrong forum

wiggy
28th Feb 2015, 15:11
And now, from another "source" :rolleyes:.....

British Airways denies 'paying £1m compensation to staff over spying claims' | Daily Mail Online (http://www.dailymail.co.uk/news/article-2973215/British-Airways-denies-paying-1million-compensation-staff-claims-spied-email-phone-messages-union-dispute.html)

seems that is in on the wrong thread and on the wrong forum

Agreed.

Aluminium shuffler
28th Feb 2015, 15:22
So, some people think they are allowed to use company equipment and accounts for their own personal benefit, or even for anti-company purposes without the possibility of company monitoring or sanction? It would be misuse at the least, theft at worst, and the company has every right to monitor the use of its equipment, whether we like it or not. I see the same at my company where many of the youngsters are deeply upset at the rule that they're not allowed to install their own files or software on the EFBs, despite the company's explanation of why the Authority prohibited it. I don't understand the mentality behind such a sense of entitlement.

Basil
28th Feb 2015, 15:49
I don't understand the mentality behind such a sense of entitlement.
Nor do I. You do have to be a bit thick to use a company facility, whether tangible or electronic, for anything which could be used against you.

Cathay had, at Kai Tak, and still have, a company bar frequented by 'suits'.
Many a career has been compromised or terminated due to ill considered comment whilst 'relaxed'. Not all managers share the line pilot's sense of humour :p

mixture
28th Feb 2015, 17:00
You do have to be a bit thick to use a company facility, whether tangible or electronic, for anything which could be used against you.

Basil sums it up in a nutshell.

Most people employed by a company of any reasonable size (i.e. anything with a full-time HR rep or department) will no doubt find that if they bothered to read their employment contracts, they would no doubt find words along the lines of "company facilities are company facilities, your usage may be monitored or subject to investigation". People would also do well to read their company's ICT policy.

Quite frankly, people who are subject to optional monitoring should be eternally grateful they don't work in a regulated industry where everything you say on the work phone is recorded and everything you email is securely stored in a read-only tamper-proof archive.

Buy a smartphone or a tablet out of your own pocket and your own SIM card, and use that for any private purposes. Do not use any of the company infrastructure, INCLUDING WIFI for your personal use !

Fairdealfrank
28th Feb 2015, 18:34
Best to assume that someone, apart from the intended recipient(s), is always listening/reading when making phone calls, and sending out texts and emails.

Once a letter is posted, an email sent, a phone call received and recorded, etc., the recipient can do what they like with it. Comments and opinions can go further than intended. Many come unstuck this way.

If it's private or confidential, go in the bathroom, make sure there's water running and say it quietly.

RAT 5
28th Feb 2015, 19:31
Do not use any of the company infrastructure, INCLUDING WIFI for your personal use !

A reminder of a story a few years ago: does that include charging your mobile phone using company electricity?

parabellum
1st Mar 2015, 02:58
British Airways denies 'paying £1m compensation to staff over spying claims' | Daily Mail Online (http://www.dailymail.co.uk/news/article-2973215/British-Airways-denies-paying-1million-compensation-staff-claims-spied-email-phone-messages-union-dispute.html)

Didn't think compensation to staff was ever an issue, the payment was paid, (or so I thought), to the union. :confused:

wiggy
1st Mar 2015, 07:42
Ah ha, Good point....

garpal gumnut
1st Mar 2015, 10:06
The events portrayed in the NHS/Doctor scenario sound like highly refined bulldust.

dnx
1st Mar 2015, 10:28
I'm a bit worried now.
I always knew (and have experience of such) that companies monitor what 'their' devices - be it laptops, mobiles or pc's are used for.
The company I work for now has given employees the opportunity to use a secure app on our own laptops or iPads to store company manuals and documents.
This is quite handy because it cuts down on the amount of devices you carry with you and the app automatically updates whenever the iPad has wifi connection so we are always up to date as far as company stuff is concerned.
The app we use warned us that in order to satisfy security protocols the content would be monitored.
I wonder now if thru a backdoor the content on my iPad can also be accessed.
And if so if that is legal.
Any legal or IT experts here who can answer this?

M.Mouse
1st Mar 2015, 13:21
The events portrayed in the NHS/Doctor scenario sound like highly refined bulldust.

It most certainly isn't.

YetAnotherLurkingSLF
1st Mar 2015, 13:49
In general, you have a right to privacy/respect for your personal life on the part of your employer (and any other party), by virtue of the ECHR/HRA article 8. It is not unlimited, and your employer certainly has the right within reason to monitor use of its facilities to protect its own operations and to limit or prohibit use of company facilities/infrastructure for private communications where that could compromise operations, etc. What would almost certainly be considered an unreasonable breach of privacy would be any monitoring of communications that they did not tell you about beforehand, or the use of subterfuge to accomplish it (I can't imagine, for example, that password sniffing software would be considered reasonable unless there was a very serious security threat). This stuff tends to rely on notions of reasonableness and proportionality, so the circumstances are obviously important. Dismissal for making a phone call home from an office, for example, would generally be considered disproportionate; making the same call from the flight deck rather less so.

There is also some privileged status for communications to do with trade union activities and that sort of thing. Also spending your entire working hours browsing message boards for quite unrelated occupations is also unlikely to fall within the scope of the ECHR right, so it's lucky that I'm self employed really.

(does not constitute legal advice, etc. etc.)

mixture
1st Mar 2015, 14:04
I wonder now if thru a backdoor the content on my iPad can also be accessed.
Any legal or IT experts here who can answer this?


On Apple devices running iOS (i.e. iPad, iPhone), as long as you have not been an idiot and "rooted"/"jailbroken" your device, all apps run in their own sandbox and are not permitted to interfere with, share or collect data from other apps.

Apple also runs a very strict permission system as far as access to shared common system data goes (e.g. location data, contacts, photos etc). You will always be prompted for permission to access system data and you can always easily review and revoke permissions in System Preferences.

The story is different on devices running OS X (i.e laptops and desktops), because OS X is a typical standard operating system, so you would expect the security model to be more relaxed. If running company software on a machine running a typical "standard" operating system (OS X, Windows or Linux) then you would indeed need to be more careful because the software will typically run with the same privileges accorded to the user you are logged in as, and therefore theoretically could read anything that user has access to.

jack11111
1st Mar 2015, 23:08
I really like the "sandbox" model for app development and data sharing. Gooood kitty.

Dingbaticus
2nd Mar 2015, 05:16
I love how our Company devices have improved the way we connect to both our customers and our colleagues but since 2012 when I was first issued with a company phone and iPad I have followed EG801.

Read it, respect it.

It may save your career!

Dingbaticus
2nd Mar 2015, 05:25
Very grey area

I do know of a case of phone bugging within the NHS, a doctor had his hospital internal phone bugged by the management. It would seem that this is not illegal as long as it is only the internal phone.

What followed was legal action by the BMA on patient confidentiality issues, it never got as far as court but the NHS manager was fired and the doctor was paid a great deal of money to take early retirement.

My guess is BA found themselves in the same grey area and decided not to take the risk of getting this into the public eye with a court case that they might not win (despite not having to contend with the doctor's rock solid confidentiality issues)

A and C, are you a criminal lawyer?

Denti
2nd Mar 2015, 06:28
Corporate configured iOS devices that are centrally managed are not as secure as mixture's post might make you believe. In fact centrally managed iOS devices allow the administrator pretty much unrestricted access to most data and all apps on that device. Easiest to be done via apple servers, but there are third party companies that do it for you if you want. If you use devices like that in your company better have a CLA about its use and the access the company has to it.

India Four Two
2nd Mar 2015, 06:40
I agree with Denti.

Two years ago, my previous company allowed employees to connect their iPhones to the corporate network by downloading an app. Before being given access, employees had to agree to a draconian corporate policy, which gave the company the right to delete all data, not just theirs, on the iPhone, at any time, without warning. I can't remember whether they also had access to all the other apps and data as well.

I politely declined.

mixture
2nd Mar 2015, 08:44
Corporate configured iOS devices that are centrally managed are not as secure as mixture's post might make you believe.

You've probably never even used Apple Configurator or the iPhone Configuration Utility, let alone MDM remote management.

As far as I am aware, putting an iOS device into supervised mode DOES NOT disable the sandbox or other iOS security mechanisms.

The sandbox in particular is an integral and fundamental part of the iOS security model and the only way anybody can disable it is by jailbreaking the phone !

Supervised mode may well allow the Administrator to bypass the lock screen when the Administrator has physical access to your device ... but as we all know in IT .... when an untrusted third-party has physical access to a device (be it laptop, phone or server), it's game over as far as security goes.

Remote MDM commands don't allow Administrators to slurp data either !

The purpose of supervised mode and remote MDM is for ease of provisioning and device management in larger IT environments.

If I'm wrong, then please provide me a link to formal technical documentation on the Apple website that explicitly states that.

I'm not interested in something you heard from a friend of a friend. Because if I were to hazard a guess, what you have is a fundamental misunderstanding of the iOS managed accounts and/or managed apps features.

PC767
2nd Mar 2015, 09:43
Dingbaticus, post no 28.

Your reference to an EG policy may suggest you have a connection to BA. You state that iPads and phones were issued in 2012. The independent article alleges that 'spying' was taking place in 2011. BA state they monitored company devices.

Dates are not adding up. Why would a company settle a case out of court if they had done nothing wrong?

I am correct to state that there was a case taken against BA on behalf of Unite. That much is seemingly correct.

AndoniP
2nd Mar 2015, 13:00
look, whatever the argument is about IOS security, the fact remains, use corporate devices for work, and personal devices for anything else. and use your common sense most of all. don't criticise management over anything electronic. don't install stuff on company devices.

mobile tariffs these days are so cheap for international data that you shouldn't need to use company devices for anything personal.

if you keep a clear demarcation between the two then you should be clear of trouble.

mixture
2nd Mar 2015, 15:39
the fact remains, use corporate devices for work, and personal devices for anything else.

Absolutely, agree 100%. :ok:

That's what I said originally and I stand by that, the iOS stuff remains secondary (and I only posted that because someone specifically asked about iOS).

Dingbaticus
3rd Mar 2015, 12:22
PC767, company iPads and phones began being rolled out to the cabin crew community in 2011 after which iPads were rolled out to the flight crew community.

There were outstanding cases from the dispute involving the sacked and suspended which saw 5 cabin crew returned to the work force and the remaining 14 received 'substantial payments'. They all signed a non-disclosure agreement.

We can guess and speculate until the chicken and beef come home but in legal matters it is 'facts' that are important.

I suggest we leave this to the legal SMEs and remember to use our company equipment for company business.

CaptainCriticalAngle
3rd Mar 2015, 14:57
My guess is that they will also be tracking staff movements using their smartphones. It's all on a big database somewhere.

George Orwell was right.

Working for a large corporation has many benefits, but the downside is that you sell a part of your life, a part of your soul, to that corporation.

RomeoTangoFoxtrotMike
5th Mar 2015, 08:32
Indeed, SLFguy, your post is 100% false (pretty much).

For businesses based in the UK, and I assume BT is, then the Lawful Business Practice Regulations (http://www.legislation.gov.uk/uksi/2000/2699/pdfs/uksi_20002699_en.pdf) will apply. Basically, these mean that monitoring of communications over *his* infrastructure, by your employer, is perfectly legal, so long as he has told you he is doing so.

As to the ECHR rulings about the right to privacy of communications, whilst that is true, and it does mean that your employer must allow you the opportunity to make such private communications, it *doesn't* mean that *he* has to provide you with the means to do so...

[Ob. disclaimer: IANAL]

A and C
7th Mar 2015, 11:54
It should be clear for all ( without an axe to grind) that this is likely to be a grey area of law.

Persons do have the right to confidentiality but also if you give someone a piece of equipment to do a job you have the right to ensure that they are not abusing that equipment.

The courts might well take the view that using the computer for company related Union business was legitimate and the confidentiality protected (a view that I hold) but some in the company who see the union as the arch enemy might not take that view.

The trouble is that in these days of legal responsibility if an employee has (let's say) child porn on his company computer it is likely that the employer who has the deepest pockets is the one who is likely to end up in the high court while the employee ends up in the criminal court.

So it is highly likely that someone in the company IT department might well use the legitimate excuse that they were searching a company computer for porn while really looking at the confidential Union activity.

Dingbaticus, to answer your question I am not any sort of lawyer, I run an aircraft leasing business, one of the things we looked at doing was supplying an iPad to customers loaded with the company Jepp subscription and other useful aviation data. In the end we decided that having company iPads in the hands of the customers was likely to expose the company to unlimited liability if they abused them so we did not go ahead with this idea.

In short it just takes a bit of common sense to see that the legal structure is running hard to try to keep up with technical advancement, this can only end up in court cases whose outcome is very hard to predict......indeed a very grey area !
I would not put any thing that was not directly work related on a company device and keep all other topics ( including Union stuff) on a device that I own and control........... That way the confidentiality issues are crystal clear.

parabellum
8th Mar 2015, 00:02
My guess is that they will also be tracking staff movements using their smartphones.

So, calling in sick from the pub may not be such a good idea then? ;)

racedo
9th Mar 2015, 18:48
So, calling in sick from the pub may not be such a good idea then

Hey as you sick leave the items at home :E
State you were at home all the time and too sick to access anything.

Company I worked for years ago paid for my Internet Access supposedly giving them lots of rights to access stuff.
Friends never understood why I had 2 internet connections one my own completely separate.

Always clear down everything on laptop before handing it back especially temporary files and any history. IT guru who knew his stuff inside out said Average IT Monkey looks only at laptop because they have little time, if it's clean they move onto something else and appreciate that there is no detailed stuff to clean. PPrune JB when Slasher was around was regularly deleted from history.

Dingbaticus
18th Mar 2015, 08:01
A and C as an employer you will be facing a challenging minefield.

Having a robust policy like our EG801 helps in protecting both employer and employee. It does help if employees are encouraged to actually read and understand the policy.

Technological advances have been so rapid both the law and social netiquette have struggled to keep up.

Only this week four (now former) judges have been in the spotlight for using office computers to view pornographic material.

Three judges removed and a fourth resigns for viewing pornography at work | Law | The Guardian (http://www.theguardian.com/law/2015/mar/17/three-judges-removed-and-a-fourth-resigns-for-viewing-pornography-at-work)

I only use my company devices for company business and my own devices for personal use.

Simples.

Syndicate9
15th Apr 2015, 12:51
My o/h showed me an email that BASSA sent out on Sunday evening. They imply that the £1,000,000 was the amount paid to the crew who lost their jobs. As company iPads were only given to crew in 2011, how could the claim Daniel Taylor handled for hacking have anything to do with the strike in 2010. Somebody is being very economical with the truth but if the article is correct I expect both the company and the union would have a vested interest in that. As there's an election coming up it seems odd that other papers didn't pick up on this.