In Depth
Watch Yourself
Monitoring your employees' data and network activities is no longer a technical challenge. But there are critical ethical questions to answer first.
By Simson Garfinkel
November 01, 2006 — CSO —
Most organizations have a straightforward policy when it comes to the electronic privacy of their
employees: There isn't any. As a condition of employment, employees agree that their Internet traffic
may be monitored, that their computers may be searched and that their phone calls may be monitored or
recorded. Many organizations go further, enlisting video surveillance cameras, biometric time clocks,
even spies ("mystery shoppers" anyone?) to scrutinize employee behavior and performance.
But if you engage in monitoring at your organization, be sure that you have more than the law on your
side. Unless you collect and use that private information in a manner that is both ethical and
appropriate, revelations about a poorly conceived or badly implemented monitoring program can
damage both your employees' morale and your organization's reputation.
Of course, you can try to keep the details of a monitoring program secret. But running a secret
program is incredibly difficult. If the program's mere existence is secret, then you will need to restrict
how you use the information that the program produces—otherwise the affected individuals will
be able to infer the program's existence from its effects. And because practically everybody eventually
talks, secret surveillance programs rarely stay secret for long—just look at the difficulty the
National Security Agency and the CIA have keeping their surveillance programs hush-hush. If you
engage in any kind of monitoring of your employees or customers, you should assume that the affected
individuals will eventually learn the details of the program. Indeed, there is a good chance that some of
your people will see or hear the very data that's been collected—on either themselves, or perhaps
on their coworkers.
Electronic communications systems create ample opportunities to collect information on employees,
and the massive capacity of today's storage systems makes it possible to retain most of this
information indefinitely. It's trivial to program today's network devices to record employee e-mail,
Internet browsing records and chat sessions. Indeed, many systems retain log files, audit trails and
backups by default: These systems need to be explicitly configured not to record information if that is
what your organization wants.
There is one good reason why you might want to avoid recording detailed information about your
employees: Once collected, this information can be used against your organization in both civil and
criminal investigations. You may have to suffer the indignity and expense of helping your legal
opponents search through your own information for the most damaging tidbits.
Nevertheless, many organizations are collecting more information every day. Although some of this
collection is driven by best practices and legal requirements, other information is kept because of the