Dr. Jekyll and Mr. Hyde: Managing online indulgence

Michigan CTO Dan Lohrmann on anonymity, integrity, and corporate culture

I recently read an intriguing Harvard Business Review blog post, The Three Ps of Online Indulgence, by Alexandra Samuel. This guidance begins with the topic of well-known adults displaying split personalities online. While their public activities follow socially accepted norms, their darker "shadow selves" behave very differently. Samuel's witty analysis artfully exposes the online hypocrisy of certain family-values politicians and the now-famous tweets of Congressman Anthony Weiner.

But moving quickly beyond the list of celebrities behaving badly, Samuel accurately unmasks the relentless disease that inflicts all who regularly enter cyberspace—namely the temptation toward online duplicity. This challenge is the 21st-century manifestation of the internal battle dating back to the beginning of time. Each of us must answer the age-old question: Who am I, really?

[Also see Lohrmann's 7 reasons security pros fail (and what to do about it)]

Always-connected adults are especially vulnerable to the smorgasbord of temptations offered on the Net. Samuel writes: "Social media enthusiasts need to be extra cautious about online vices: We're more likely to indulge (because we're online more), more likely to get caught (because we're widely watched) and more likely to disappoint others when we do (because they've seen us as the online standard-setters)."

I agree. There seems to be a never-ending supply of stories about educated adults, people who should know better, or even leaders in society getting into serious trouble because of their virtual-world behavior. The real-world results are showing up all around us: broken relationships, shattered careers, and even jail time.

What's to be done? Samuel says, "You can manage the personal and professional risks of online indulgence by remembering the 3 Ps: Principled, Private and Planned."

This is where I part ways with the blogger. I wonder: Can we really control online vices in this way? The overall effect of her words is to compartmentalize each of us into two (or more) distinct identities using online privacy. This approach may work for a time, but surely it leads to eventual disaster. In a sense, this guidance treats online privacy as the potion that allowed Dr. Jekyll to change into Mr. Hyde.

In Robert Louis Stevenson's The Strange Case of Dr. Jekyll and Mr. Hyde, Jekyll wants to separate his good side from his dark impulses and develops a potion that transforms him into another version of himself, one with no conscience, who is known as Mr. Hyde. But although there is no good in Hyde, there is still evil in Jekyll. At first the doctor enjoys becoming Hyde, with all his freedom from moral and societal restrictions. But Hyde becomes increasingly violent, horrifying Jekyll, who is further dismayed to discover that he is transforming into Hyde in his sleep, even without taking the potion.

One message the book makes crystal clear is that we are each one person. My shadow self is still me. This is true even in virtual worlds, and studies have shown that people often act out their online activities in the real world.

There are many pragmatic questions raised by Samuel's three P's. Here are a few: Can online identities really be kept private to pursue online indulgence? I seriously doubt this is feasible over long periods of time, because the Internet has a great memory. Also, hackers abound—WikiLeaks, for example.

Do you really believe that Congressman Anthony Weiner (or most others) could be open and honest with his spouse about his secret tweeting to women around the country? People often go out of their way to hide online acts from the ones they love and lie to those who love them.

If integrity is doing what you say and saying what you do, how is Samuel's approach truly principled? Isn't duplicity the opposite of integrity?

Does being principled only mean not violating your own ethical bottom line? What if your ethical bottom line allows sending inappropriate pictures of little children? Are my principles merely reflections of federal or state law or company policy? Is that the best we can do?

Are there no principles that transcend our personal sense of right and wrong? Can't we say that the hypocrisy of Ted Haggard or the perversion of Anthony Weiner is wrong, whether it violated their core principles or not?

More important than these objections is the fact that there is actually a better way: Surf your values. Connect your offline values and convictions with your online world. Practice virtual integrity. This means real transparency and accountability for online actions. Yes, we can still have fun and be anonymous on the Internet. But we must be wary of using browser controls, proxy servers, other privacy tools and online anonymity to feed a conscienceless shadow self or we will suffer a similar fate to that of Dr. Jekyll.

Every major tech and security company is trying to build a way to ensure the trustworthiness of online identities (see https://otalliance.org/) or end-to-end trust (see www.microsoft.com/mscorp/twc/endtoendtrust/). How can we have end-to-end trust if people have false identities and are creating separate accounts to deceive others and hide their activities? Many critics point out that Mr. Hyde is a play on words for someone who "hides" their darker side's actions and motives. We can't stop this behavior, but does that mean our best employees should be encouraging it?

[See Lohrmann on GovSpace, Dan Lohrmann's blog on CSOonline.com]

No doubt we all have made (and will make) mistakes. Humbly acknowledging our weakness and vulnerabilities is a good place to start. When we see the appalling headlines about our leaders and celebrities behaving badly in cyberspace, we can say: "There but for the grace of God go I."

Cybersecurity teams see it all the time. Regular visits to the Internet's dark side will be found out.

In terms of dealing with these behaviors among employees, what's to be done?

1. We need more honesty and transparency in Internet transactions. Create a more trusting environment at work.

2. Talk to your boss, coworkers and staff about online boundaries and what's appropriate when surfing. Don't just post policies. Train and mentor.

3. Use your Web monitoring and filtering software to encourage the right behaviors and discourage those that are not allowed. Whether you use Websense or something else, build a culture of trust and openness at the office and with company assets. (This topic is definitely worth its own post.)

Ultimately, honesty, accountability and forgiveness are still the only approaches that work.

Copyright © 2011 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline