In Depth

Watch Yourself

Monitoring your employees' data and network activities is no longer a technical challenge. But there are critical ethical questions to answer first.

By Simson Garfinkel

November 01, 2006, CSO

Most organizations have a straightforward policy when it comes to the electronic privacy of their employees: There isn't any. As a condition of employment, employees agree that their Internet traffic may be monitored, their computers may be searched and that their phone calls may be monitored or recorded. Many organizations go further, enlisting video surveillance cameras, biometric time clocks, even spies ("mystery shoppers" anyone?) to scrutinize employee behavior and performance.

But if you engage in monitoring at your organization, be sure that you have more than the law on your side. Unless you collect and use that private information in a manner that is both ethical and appropriate, revelations about a poorly conceived or badly implemented monitoring program can damage both your employees' morale and your organization's reputation.

Of course, you can try to keep the details of a monitoring program secret. But running a secret program is incredibly difficult. If the program's mere existence is secret, then you will need to restrict how you use the information that the program produces—otherwise the affected individuals will be able to infer the program's existence from its effects. And because practically everybody eventually talks, secret surveillance programs rarely stay secret for long—just look at the difficulty the National Security Agency and the CIA have keeping their surveillance programs hush-hush. If you engage in any kind of monitoring of your employees or customers, you should assume that the affected individuals will eventually learn the details of the program. Indeed, there is a good chance that some of your people will see or hear the very data that's been collected—on either themselves, or perhaps on their coworkers.

Electronic communications systems create ample opportunities to collect information on employees, and the massive capacity of today's storage systems makes it possible to retain most of this information indefinitely. It's trivial to program today's network devices to record employee e-mail, Internet browsing records and chat sessions. Indeed, many systems retain log files, audit trails and backups by default: These systems need to be explicitly configured not to record information if that is your organization's wish.

There is one good reason why you might want to avoid recording detailed information about your employees: Once collected, this information can be used against your organization in both civil and criminal investigations. You may have to suffer the indignity and expense of helping your legal opponents search through your own information for the most damaging tidbits.
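The two preceding paragraphs make a practical point: systems retain monitoring data by default, so keeping less is something you have to configure deliberately. The following is an added example, not code from the article or from any product it mentions, showing what such a deliberate policy looks like in code: a retention window applied to a constructed proxy log, URL detail stripped down to the host, and a check that flags a monitoring configuration which never states a retention limit. The three-field log format and the configuration keys (`retention_days`, `log_request_body`) are assumptions for illustration.

```python
"""Enforce an explicit retention and minimization policy on monitoring logs.

Added example, not from the article. The log format (timestamp, user, URL)
and the configuration keys checked below are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample proxy log: ISO timestamp, user, URL (one record per line).
SAMPLE_LOG = """\
2006-10-01T09:15:00+00:00 alice https://intranet.example.com/hr/benefits?emp=alice
2006-10-28T14:02:11+00:00 bob https://news.example.org/article/123
2006-10-31T08:00:00+00:00 carol https://mail.example.net/inbox
"""

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2006, 11, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RetentionPolicy:
    retention_days: int          # records older than this are discarded
    keep_full_url: bool = False  # False: keep only scheme and host


def parse_log(text):
    """Parse the assumed three-field log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url = line.split(maxsplit=2)
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "url": url})
    return records


def minimize_url(url):
    """Reduce a URL to scheme://host, dropping path, query and fragment."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def apply_policy(records, policy, now):
    """Drop records outside the retention window and minimize what remains."""
    cutoff = now - timedelta(days=policy.retention_days)
    kept = []
    for rec in records:
        if rec["ts"] < cutoff:
            continue  # outside the window: do not retain
        url = rec["url"] if policy.keep_full_url else minimize_url(rec["url"])
        kept.append({**rec, "url": url})
    return kept


def check_config(config):
    """Flag a monitoring config that retains by default.

    Absence of an explicit 'retention_days' (assumed key) means unbounded
    retention; 'log_request_body' (assumed key) means message content,
    not just metadata, is being captured.
    """
    findings = []
    if "retention_days" not in config:
        findings.append("retention_days missing: logs retained indefinitely")
    if config.get("log_request_body", False):
        findings.append("log_request_body enabled: message content captured")
    return findings


if __name__ == "__main__":
    policy = RetentionPolicy(retention_days=30)
    for rec in apply_policy(parse_log(SAMPLE_LOG), policy, NOW):
        print(rec["ts"].isoformat(), rec["user"], rec["url"])
    for finding in check_config({"log_request_body": True}):
        print("finding:", finding)
```

With a 30-day window ending on the fixed date, the October 1 record is discarded and the two remaining records keep only their hosts; the unconfigured sample config produces two findings. The same pattern applies to whatever retention knobs your own proxy, mail or chat systems expose: the policy is written down once and enforced mechanically rather than left to the device defaults.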

Nevertheless, many organizations are collecting more information every day. Although some of this collection is driven by best practices and legal requirements, other information is kept because of the
