Employee Privacy Versus Corporate Security
Novell Cool Solutions: Trench
Digg This -
Posted: 9 Aug 2002
When do the privacy rights of employees have to yield to the company's right to protect its data and keep the workplace safe and free from harassment? This topic has generated a great deal of buzz in Security publications, and we'd like to see what you think.
Update: We've decided NOT TO include your names with your postings on this topic. As some of you pointed out, this can be a sensitive issue, and while you want to add to the buzz, you don't want it to come back and sting you. Fair enough. Fire when ready, and we'll protect your identity. We just want to know what people really think about this. We know that in some countries this whole issue seems uniquely American and Puritanical, and you wonder what all the fuss is about. In other countries, American workplace policies seem laughably lax. So it might be helpful to know what country you are from, to give your comments some context. Hope to hear from you soon.
What You're Saying
- USA: I think it's scary that someone could be monitoring my e-mail. Not that I've got anything to hide, but I don't like people to eavesdrop when I'm on the phone either. I need my space, and at least a pretense that my private communications are indeed private.
- USA:A few years ago when I was a manager in a publishing house there was a big problem with obscene printouts being left at the printer and in the restroom in our department. It went on for awhile before someone complained to me. Once a manager's been "officially" told about something like this, they have to act. I took it to the department director who called in HR, and they easily traced it back to a guy who had a long history of problems with online porn. They confronted him, and he admitted to it, and he was put on a plan to help him control it. They implemented a tool that tracked all the sites he visited, made him agree to turn his monitor so people walking by could see it, and keep his door open. I received weekly printouts of all the sites he visited. (Huge list, and I never had time to read it very carefully.)
As a woman, I found it very awkward and disturbing to have to work with him on an issue like this. He was embarrassed; and even though the rest of the department never knew who it was, he was convinced that they figured it out when he rearranged his furniture. Eventually he quit and went to work somewhere else. All in all, it was a negative experience for everyone.
I think this whole discussion is fascinating because it is a study in social behavior, community values, worker productivity issues, and our expectations of personal privacy.
- Netherlands: The debate is starting here, too. Unfortunately, management doesn't take a clear stand, except with a view to the privacy of employees.
My feelings are somewhat ambigious: As far as e-mail is concerned, I do think that there have to be at least some grounds for scanning/reading it. No one should be allowed to read other people's mail (electronic or otherwise), unless there's serious suspicion of fraud, malicious intent, etc.
When it comes to an employee's access to the internet via the servers of the employer: I don't think any privacy is needed there. People can surf the net at home, in their own time and with their own computers. So let them do it there. I know the differences between e-mailing and surfing aren't all that big. In fact: there are more parallels than differences to be found between the two of them. Nevertheless: reading someone's mail is far more intrusive than checking what sites someone's been visiting, I think.
- Germany: In Germany, there is a law that regulates the privacy rights of every employee. This special law, called Bundesdatenschutzgesetz, is the result of very intensive thoughts about privacy of any kind of data. Only if a person explicitly allows and confirms his data can be stored, can it be stored, except for public data like name and address of course. In a situation of a real suspicion, the employer has to confront him with it, so that he can agree to the tracing of his data flow.
On the other hand an employee has to sign up in a contract to not using the employer's infrastructure for private tasks. Only through these two commitments from both sides can there be found an acceptable solution for the data security of the company and the privacy of the employee's data.
- USA: We use Novell BorderManager to restrict and monitor Internet Access. We only have a few levels of access, one which allows very limited web browsing and one that allows access to any URL. We monitor ALL access and read through the logs at least once a month. We also use Guinevere to archive all Internet e-mail, but it is not checked unless there is a need to do so.
We make it perfectly clear on the employees first day on the job that any electronic communications can and will be monitored. I don't see it as eavesdropping or invading an employee's privacy. The employee is using a company-owned computer, Internet access paid for by the company, on company time.
- Canada: Having been an employee and now an employer as well as a network consultant, it is my opinion the corporation has every right to monitor the communications and actions of their employees, AS LONG AS the corporation has previously informed and made the employees to understand EXACTLY what monitoring is taking place.
That would include what is being monitored and how, and under what circumstances the data collected during the monitoring will be reviewed and who will be reviewing it.
It should also be required of the employer to ensure that the monitored data is secure from unauthorized access, and be able to monitor who is accessing that data.
- USA: It would be disturbing to find that someone has been reading or listening to my correspondence, but as a Systems Administrator, I see a lot of abuse on my systems, and accept such monitoring activity when I use my employer's systems. Over time, is has worked well to notify our users that they should have no expactation of privacy (via our policies, and login banners), and then begin showing the users what kind of information is gathered about their activites. At this point, the abuse drops dramatically. For those that continue to abuse their privileges, we usually personally warn them, remove their ability to use that aspect of the systems, discipline them via other means, or terminate their employment all-together (the extreme rarity, but it has happened).
Our general definition of systems abuse: personal use of company resources during business hours (before/after their shift, and breaks/lunches are OK), use of the systems for inappropriate or illegal tasks (porn, spam, running their own side-business - yes that did happen), and any other personal uses that cost the company money (ie: personal use of company vehicles, long distance phone calls, etc.)
My monitoring issues also involve looking for unusual or non-business related activity (among many other things). Being able to discern business-related activity vs non-business-related activity, allows me to discover and rapidly disable or minimize internal and external threats to our systems.
All-in-all, these systems are owned and maintained by the employer (at their expense, not yours). If you want privacy when you surf the net, view porn, or make personal calls, do it on your own time in the privacy of your own home.
- USA: It is very tough being an IT guy monitoring the logs when you find a huge amount of very inappropriate activity coming from one of the Vice Presidents of your company. Do you say something and risk your job?
- USA: We have rooms on our facility with total privacy for the employees. They're called bathrooms. Other than these, privacy stops at the entrance gate.
Cameras monitor the parking lot and various areas of the plant. They're not just for corporate security. They protect the employees. Vandalism to both company property and employee property stops when the cameras are on.
Our telephone system keeps detailed logs of inbound and outbound calls. Time of call, duration, number dialed or caller ID (inbound). We produce reports for managers who request them showing how much time their employees spend on the phone and with whom. We're paying the phone bills. We expect the phones to be for company use only. Employees who want telephone privacy from their managers should purchase a cellular phone.
Our network has a WAN link to our corporate offices and to the internet with limited bandwidth that is very expensive. It is sized to be adequate for our Intranet usage and some very limited Internet use. We log detailed traffic information about each workstation and the sites they visit. Non-Business-Related sites are prohibited. Offenders have their access revoked. It comes down to the golden rule. (He who has the gold makes the rules!)
Employees who want to surf the Internet for pleasure should do it on their own time and on their own bandwidth.
E-mail is supposed to be "for business use only" but it is the major source of viruses to corporate networks. We filter e-mails to prevent passing of certain types of attached files. This has greatly reduced the number of viruses we receive.
- USA: If companies are going to be held liable for their employees' actions, why is it so wrong for them (companies) to monitor their activities? If a company can be named in a sexual harassment suit because an employee is looking at graphic material online or listening to obscene wave files, why is it such a bad thing for a company to require an employee and their manager to file requests for internet access, and for the company to monitor the access that is granted? Six years ago this was not an issue. You have to ask yourself how much does it cost a company to offer internet access to its employees. Now we want to make it even more cost prohibitive for employees to have internet access. So simple solution, NOBODY gets internet access.
- USA: As a Libertarian, I've never understood how anyone could doubt an organization's right to monitor and control activity on the data systems it owns by the employees it pays. Requiring signature of an Internet Acceptable Use Policy at the time of hire should remove any ambiguities.
What we should be talking about is whether ISP's and governments have the right to monitor activity! THAT'S where things get truly scary -- then you have no options, even when you own the equipment and pay for the service!
- Australia: As a new employee starts within our organisation (local Government) we run them through an induction process. This covers usage of the systems and also what is considered appropriate use and what is not.
This involves handing out a copy of our staff code of conduct as well.
We have tried to promote it as a 'behave like adults and you shall be treated accordingly' approach. We keep lexical keyword lists to an acceptable minimum and for the most part it works. There are only a couple of people who sometimes abuse the system, and once they realise that their e-mail has been blocked as it has failed a lexical scan, the problem resolves itself.
Our users are a sensible bunch, and realise that we are running on limited bandwidth and that what has been done is for their benefit. The only complaints seem to come from new staff, but once they realise that restricting access to streaming media sites like "Big Brother" is more for their benefit than ours, they accept it well. There is nothing worse than having a deadline for something, needing to use the web for research, and finding out that our bandwidth is being swallowed up by a couple of people watching videos or listening to web radio all day.
We spell out from the beginning that e-mail is policed to try to minimise the amount of porn, viruses, etc., coming in. We also quarantine executables, zip files, VBS, etc., and only release those which are business related. We have made a point of letting the users know that we don't do this to spy on them and actually have a lot more interesting things to do than read their e-mail, but that it is only done to protect the systems from damage, the people from embarrassment, and protect the organisation from possible litigation issues.
As far as Web usage goes, we use Cyberpatrol to restrict access to inappropriate sites.
This system, while it would not suit every organisation, works for us at the moment.
In the end, yes Big Brother is watching, but he's on your side.
- USA: Company purchased equipment for use on the job is not provided for personal reasons. Company property provides no rights to privacy of personal e-mail or web surfing habits.
If you want your personal items to stay private, keep them at home. Do not expect privacy of personal information when the employer pays for the equipment, internet access and storage of the data. All those expenses are incurred for running the business, and that data is business data, not personal data.
- USA: When you use the company car you may or may not be allowed to use it for private use, depending on the business policies. Same with tools -- sometimes you can take them home to use, sometimes not. Again it depends on company policy.
If a company policy MAKES IT CLEAR at the outset that electronics are for ONLY BUSINESS use, and can or will be monitored, then there is no issue. BUT Policies MUST be clear and concise.
When you go to your neighbor's house and receive a phone call do you expect total privacy? NO.
It needs to be thought of as a gun. Is it loaded? YES always!
Do I expect privacy outside of my house? NO!
In closing, don't expect privacy outside of your own domain, either electronic or paper.
- Australia: As an educational institution, for us, the issue is very clear and, yes, undemocratic!
There are issues of "duty of care" and "parental and public" expectations that must be addressed.
The workstations, network, Internet connection and bandwidth and time are all supplied and paid for by our Education Authority and as such their use by staff members and students is subject to a written and highly publicised policy. What has to be understood by users that say "but this is my private work... you don't have the right" is that they are *not* working on a private personal computer in their own time and that under the policy we do "have the right".
Part of the policy describes four levels of security and privacy. Use of the internet and e-mail by staff is categorised as "Confidential" and this means that all computer files and e-mail can be accessed only by particular persons nominated under the policy. This means that they are private and secure, but subject to scrutiny for acceptable use under policy, by the Principal and IT Manager who are the nominated persons. Staff are shown examples of exactly what level of scrutiny either by routine procedures or by accident during maintenance and administration, can occur.
Use of the internet and and e-mail by students is classified as "Internal" and this means all computer files and e-mail can be accessed by any nominated groups. In this case staff members, but not other students or the Public, may access and monitor student use at any time. It is made very clear to students that their work is *not* private. Their workstation may be remote controlled and their actions recorded at any time by the school administration or teachers.
- Ukraine: As I have a history of having lived beneath a government with agencies of surveillance, I am unhappy with thoughts of routinely monitoring the traffic generated by myself and those who work with me. It is a subject of most high emotion here in the Ukraine, and my friends and I have exchanged heated views on this subject of discussion. Ironically, we discussed it primarily via electronic mail.
I have recently been "pranked" by persons unknown into exchanging electronic mail with persons in the United Kingdom in my searches for accommodation in the United Kingdom when I travel there to pursue my studies of the English language. To think that my embarrassments could be known to others who watch my messages would make me reluctant to use the Internet and could harm both messaging and commerce.
My view is that communication should be free from the monitors before the monitors take up powers which, once excessive, they will be unwilling to give up. As we say in Nizhin (which is near Kiev) - once the crow has the foodstuff he is unwilling to fly.
- UK: Unfortunately the UK has a heavy-handed approach to this sort of thing. An ISP (basically anyone who runs their own DNS) has to keep logs of all internet access and warn all users it is doing so in case the police may eventually need the information.
With students as well as staff members we have a duty of care to ensure that materials surfed and e-mailed come within the law.
The downside of this is that with so much information being logged, no one has the time to check it all properly (it cannot sensibly be done in an automated manner) and hence people carry on doing it anyway. It is like all the laws about speeding in your car - some stick within the limits, most push a little over the limits and some completely ignore the limits.
Random checks then become all that is available.
My personal view is this: Any law or rule that allows most people to break it, and only a hand-picked individual not to break it, is weak and only useful for discriminating against individuals. Not something I'm fond of....
- Canada: The company I work for is an Engineering Consulting firm. The management
feels that the professionals and staff should be treated as responsible
adults whenever possible. The engineers are more responsible to their
professional associations than they are to the company in many respects,
and their codes of ethics govern their behaviour in many ways that
corporate policy is secondary to.
Additionally, the employees put in substantially more time than salary justifies. So the company allows personal phone calls, faxes, e-mail, and web-surfing during business hours with the proviso that professional and ethical conduct is observed, and "a fair week's work for a fair week's pay" is still the case. I told the management that logging web-surfing would cause a performance detriment, and they decided it wasn't really necessary yet. After all, an employee's supervisor is responsible to ensure and assess the performance of that employee, so if someone is irresponsible or unproductive, the supervisor is required to take action.
After all, in many respects the employee represents the company in their personal time as well as in their work time, and poor conduct in a social situation may reflect on the company, affecting even the reputations of the other employees. Poor conduct by a company can also ruin the career of employees with personal and professional ethics that are beyond reproach. I'm sure that there are many former employees of Enron whose career futures have been greatly and wrongly damaged.
So the management has decided to publish "guidelines", not policies, when- ever possible. Policies seem to only apply here in response to an incident in which legal liability of some sort became a concern. In some companies this might amount to a "head-in-the-sand" approach, but I'm pleased to say that it seems to work for us. I can only hope that I can continue to work within such reasonable and sensible rules for the remainder of my career. It really helps to foster a sense of trust that is a terrific motivator. -- KC
Add to the Buzz
As a Security professionals, you have undoubtedly experienced this issue from a unique perspective (you are both an employee, and the person who helps the company protect itself). We'd love to hear from you. Let us know what kinds of policies you have in place to address employee's privacy issues. Share your tales of programs that backfired or worked perfectly. Share tips that have worked for you. Or sound off and tell us why you think it's despicable.
If it's something we can use, we'll send you a Novell t-shirt, and add your experiences to this list. Hope to hear from you soon.
Note: We WILL NOT post your name or e-mail address, to protect your privacy. So let's hear the naked truth.
Sample the Buzz
Here's an interesting article that appeared in InformationWeek in August 2001: Beware: Employee Monitoring Is On The Rise
Here's a Fact Sheet published by the Privacy Rights Clearinghouse (the PRC is a nonprofit consumer information, research, and advocacy program, based in San Diego, California): Employee Monitoring: Is There Privacy in the Workplace?
Here's a look at this issue in New Zealand: Online footprints simple to track
Here's a legal paper outlining California law touching Employer Interests and Employee Privacy Rights in Internal Investigations Involving Computer Data
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com