University Post
University of Copenhagen
Independent of management


Yes, you may watch porn on your UCPH computer

IT surveillance — UCPH does not monitor employees’ use of the web. However, data about people's behaviour on the internet is automatically saved, and if you get a virus, you can be contacted by the IT department.

This does not concern you personally.

But it is good news for staff and managers who use their work computer to see the kind of stuff online that it wouldn’t be convenient for others to see too: Nobody at the University of Copenhagen (UCPH) is looking at what you do.


»The university is a very liberal place with broad guidelines for what an individual can do. There are also people here who do research on pornography and have a legitimate need to see it,« says Head of Information Security at UCPH Poul Halkjær Nielsen, who, however, does not recommend that people use their work computers for everything.

»We know that porn sites and religious sites are those that typically spread the most malware and malicious code,« he says.

»The rule of thumb is that these types of sites are the most rotten. If you visit them, they entail the greatest risk of installing unwanted programmes on your device.«

Rules from 2009 ensure work privacy

If you want to visit the dark recesses of the net, you can easily do it.

In fact, the University of Copenhagen may not – as a starting point – keep an eye on what employees see online, or, for that matter, who they send emails to.

This is stated in an agreement (requires log-in) between the UCPH General Collaboration Committee and Management, which has been in place since 2009. It states that:

Ongoing monitoring of the content of communication, and the registration of who the individual employee corresponds with, must not take place. The workplace may not monitor the individual employee’s search behaviour or other use of the internet.

The text of the agreement does, however, contain an important exception that permits UCPH to monitor its employees. But this can only be done on the basis of management’s specific suspicion that something is amiss:

If a suspicion arises that the internet is being used in a way that damages the university’s reputation, monitoring may take place. In this case, a staff representative must be involved.

It is unlikely that the University has ever made use of this opportunity to monitor in this way. Poul Halkjær Nielsen says he has initiated the monitoring of a staff member a total of »zero times« in his years at the University of Copenhagen, where he has held various positions since 2006.

This is consistent with what the Vice Director for HR Lisbeth Møller states in an e-mail: that nobody in the joint HR unit at UCPH has knowledge of cases at the University of Copenhagen where staff monitoring has been initiated.

However, Lisbeth Møller also writes that »there has been a single case in recent times in which non-work-related ‘traffic’ on the internet was included as one of several elements in a case that ended with a written warning.«

This makes it clear that just because it is not prohibited to roam the net with abandon while at work, it will not necessarily advance your career or your relations with colleagues if you do so.

»It’s not criminal to look at porn pages, and UCPH does not have a policy that prohibits employees from looking at sites like this. Just like UCPH does not have a policy that prohibits employees from going on, say, Facebook, their online bank, or surfing on various websites,« emails Lisbeth Møller. »This naturally presupposes that the employee carries out his work duties, does not offend his colleagues, and that the employee, of course, strictly complies with safety regulations.«

The antivirus program logs your data

Although UCPH does not actively monitor online traffic, it is still registered and logged for a short period of time, says Poul Halkjær Nielsen. This happens, for example, when data passes the firewalls, which protect UCPH systems against known IT threats.

This is in accordance with normal Danish practice, because according to the Danish Data Protection Agency there is a wide range of options for logging online traffic at Danish workplaces. According to the law, the monitoring may be for “technical and security considerations” and for the sake of “checking the use of the internet by employees”.

According to Poul Halkjær Nielsen, logging is not the same as the monitoring of employees.

»Nobody is reading this logging data to monitor. It’s a passive defense, and that’s the crux of the matter,« he says. »The whole starting point is that we at UCPH assume that people are responsible.«

However, if UCPH wants to clarify how a system has broken down, it is possible to find the log and analyze what has happened on the web, just as the anti-virus system sometimes raises a red flag if an employee’s machine has been infected, or blocks unwanted code.


Many people will have tried visiting webpages with banner ads. The sites for the Danish tabloids BT and Extra Bladet, for instance, have occasionally been found to contain ads that the UCPH firewall has blocked because they contain questionable code that could potentially threaten the University’s data.

The police might also want to investigate a case by examining UCPH network traffic, and this is theoretically possible until the logging data is deleted.

Most people are happy to be notified of viruses

Poul Halkjær Nielsen says that employees are from time to time contacted personally by the UCPH IT staff if the system has detected that there is a problem with their computer.

So if I’m, say, visiting Russian porn pages from my work computer every day, will there be red flags popping up somewhere in the organization at some time?

»Probably. You don’t get warnings about unsafe sites for fun. At some point, your PC’s contents would be stolen or abused. We can get notifications that a machine is infected and we can contact people and say: We can see in this console that this machine is infected with viruses – may we help you? At the Faculty of Science, where I used to work, we called people up and they were happy about it. Most people want help,« says Poul Halkjær Nielsen.

Apart from the passive logging that takes place at UCPH, Denmark makes a quite extensive record of data and telecom traffic. Telecom providers in Denmark are obliged to save people’s telecom and web traffic for a year, even though an EU court at the end of 2016 actually ruled that this type of ongoing mass surveillance is illegal.

In the absence of new rules that comply with EU law, the Danish government has ordered telecom companies to continue the unlawful registration, and they have chosen to comply.

According to an analysis from the Justitia think tank, Danish authorities increasingly collect information about citizens’ behavior online. Read more about the UCPH IT security policy (login required).
