Watch Yourself

Monitoring your employees' data and network activities is no longer a technical challenge. But there are critical ethical questions to answer first.

By Simson Garfinkel

E-mail this article | Printer friendly

Webcasts

White Papers

Most organizations have a straightforward policy when it comes to the electronic privacy of their employees: There isn't any. As a condition of employment, employees agree that their Internet traffic may be monitored, their computers may be searched and that their phone calls may be monitored or recorded. Many organizations go further, enlisting video surveillance cameras, biometric time clocks, even spies ("mystery shoppers" anyone?) to scrutinize employee behavior and performance.

But if you engage in monitoring at your organization, be sure that you have more than the law on your side. Unless you collect and use that private information in a manner that is both ethical and appropriate, revelations about a poorly conceived or badly implemented monitoring program can damage both your employees' morale and your organization's reputation.

Of course, you can try to keep the details of a monitoring program secret. But running a secret program is incredibly difficult. If the program's mere existence is secret, then you will need to restrict how you use the information that the program produces—otherwise the affected individuals will be able to infer the program's existence from its effects. And because practically everybody eventually talks, secret surveillance programs rarely stay secret for long—just look at the difficulty the National Security Agency and the CIA have keeping their surveillance programs hush-hush. If you engage in any kind of monitoring of your employees or customers, you should assume that the affected individuals will eventually learn the details of the program. Indeed, there is a good chance that some of your people will see or hear the very data that's been collected—on either themselves, or perhaps on their coworkers.

Electronic communications systems create ample opportunities to collect information on employees, and the massive capacity of today's storage systems makes it possible to retain most of this information indefinitely. It's trivial to program today's network devices to record employee e-mail, Internet browsing records and chat sessions. Indeed, many systems retain log files, audit trails and backups by default: These systems need to be explicitly configured not to record information if that is your organization's wishes.

There is one good reason why you might want to avoid recording detailed information about your employees: Once collected, this information can be used against your organization in both civil and criminal investigations. You may have to suffer the indignity and expense of helping your legal opponents search through your own information for the most damaging tidbits.

Nevertheless, many organizations are collecting more information every day. Although some of this collection is driven by best practices and legal requirements, other information is kept because of the nagging feeling that the data might be useful someday.

According to the 2005 Electronic Monitoring & Surveillance survey by the American Management Association, 76 percent of U.S. employers monitor the websites their employees visit; 55 percent retain and periodically review employee e-mail messages; and 36 percent actually monitor either what their employees type or the time that employees spend at the keyboard. Disturbingly, roughly 20 percent of the 526 companies surveyed do not inform their employees that they are being monitored—a practice that is illegal in many jurisdictions.

The Association did a similar survey in 2001. Comparing data from the two years makes it clear just how widespread detailed data collection has become. For example, in 2001 just 33 percent of the respondents used video surveillance "to counter theft, violence and sabotage." By 2005, this number was up to 51 percent. The number of companies taping their employees' telephone calls jumped from 9 percent to 19 percent during that same period. The 2005 survey also found that 5 percent were using GPS to track the movements of employees through their cell phones, and 8 percent were using GPS to track company automobiles.

Unfortunately, this kind of survey data doesn't adequately distinguish between the various kinds of surveillance and intrusions that employees can experience. Few people would object to video surveillance in a bank or casino; in those environments, surveillance protects the company, the employees and the customers. But people are likely to feel quite differently about video surveillance inside changing rooms.

MIT Professor Gary Marx has thought a lot about these issues. The author of numerous books on surveillance by governments and businesses, Marx published an article in 1998 titled "An Ethics for the New Surveillance" in which he argues that the ethical standing of a particular surveillance act depends on the means that is used, the context in which the data is collected and the purposes for which the information will ultimately be used. As the case of video surveillance so plainly demonstrates, the same surveillance technology that is appropriate in one context can be completely inappropriate in another.

Explain Your Actions

For surveillance to be ethical, argues Marx, the reason for the surveillance needs to be both legitimate and publicly announced. So one type of surveillance—for example, drug testing—might be appropriate for school bus drivers, but inappropriate for high school students who play in the school band. The means should match the goal. There should be a reasonable chance that the surveillance will detect or deter the objectionable behavior. And there must be protections in place so that information collected for one purpose isn't used for other purposes.

With proper explanation, many employees may be willing to accept even significant intrusions into their privacy. But these same employees will feel that their trust has been violated if the resulting information is not adequately protected—or if the information is used for a purpose far removed from the original intent. For example, employees may understand and agree to have their e-mail monitored for proprietary information sent by e-mail outside the company; these same employees will almost certainly object if the organization's security officer starts scanning mailboxes to find out who is available for a date on Saturday night.

Equity is another issue, writes Marx. Does surveillance apply to all individuals in the organization, or just to those who are less powerful and unable to resist? Do the people under surveillance have the right to inspect the raw data to assure themselves of its accuracy? Do people review machine-generated reports before they are acted upon? Is there a right for people who would suffer negative consequences to appeal the decision?

Organizations that engage in monitoring need to have strong internal controls that cover both the storage and use of the resulting data. Special attention needs to be paid to any proposed action that might make collected information available outside of the organization. This is because of the "barn door principle": Once information is out, it's often impossible to recall.

For example, in August 2006 America Online distributed on the Internet 20 million search queries from roughly 650,000 users. The company had released the information with the hope of stimulating academic research into search; according to The New York Times, the only other data sets available to researchers describing what people search for were 10 years old. Although AOL's researchers replaced identifiers for the people engaging in the searches with numeric pseudonyms to protect the privacy of the individuals involved, that wasn't enough. Many people, it turns out, can be identified just by terms they type into search engines. And once they are identified, it isn't hard to learn a lot about a person's interests, be they legal, moral, immoral or not-so-legal.

Although AOL quickly realized what it had done, it was too late: Numerous people downloaded the AOL data set and made their own private copies. Even though AOL took the data down, others quickly put up copies. The incident demonstrated what so many privacy activists have said in recent years: By virtue of monitoring what a person searches for, companies like AOL and Google collect an incredible amount of information about their users.

AOL's employees probably didn't think of this practice as putting their customers under surveillance. But this, in fact, is precisely what AOL and the other search engine companies are doing. And because this information is so incredibly sensitive, companies probably shouldn't keep it in their computers forever.

So if your organization is engaged in monitoring someone, make sure that there's someone watching the watchers. Make sure that uses of the captured data are appropriately logged. Avoid mission creep that might turn a practice that's marginally acceptable into one that's sure to be condemned. And keep your chief privacy officer informed about your organization's monitoring policy.

Simson Garfinkel, CISSP, is researching computation and human thought at Harvard. Send feedback to machineshop@cxo.com.

Add a Comment: Your comment will be displayed at the bottom of this page, at the discretion of CSOonline.
* Name:
* Title:
* Corp:
* E-mail:
* Subject:
* Your Comment:
	* Required fields.
We do not post comments promoting products or services. Comments are owned by whomever posted them. CSO is not responsible for what they say. Selected comments may be published in CSO magazine. We will not sell your personal information. We do display your name, title, and corporation but not your e-mail address.