Government // Mobile & Wireless
Commentary
3/18/2013
11:15 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Monitoring Vs. Spying: Are Employers Going Too Far?

The email brouhaha that erupted at Harvard recently did not meet my definition of spying. If your company monitors, do it with reasonable cause.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
I'm on the side of organizations being able to monitor their technology assets without apology. But that's a very different thing from spying.

I'm alluding to the brouhaha that erupted after Harvard University reportedly "spied" on its employees while attempting to find out how a sensitive document left the organization. I use the scare quotes because it appears Harvard did nothing of the kind.

The Boston Globe reported: "News of the incident could nonetheless anger Harvard faculty members, whose privacy in electronic records is protected under a Faculty of Arts and Sciences policy." Not the way I read it.

Indeed, Harvard makes it pretty clear in its Faculty and Staff computer rules and responsibilities that system administrators may "gain access to users' data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules." The policy also states that "users understand that timesharing and network-based system activity is automatically logged on a continuous basis. These logs do not include private user text, mail contents or personal data, but do include a record of user processes that may be examined by authorized system administrators."

[ How to wrangle another employee hot button: bring your own device. Read BYOD: Why Mobile Device Management Isn't Enough. ]

The policy also specifies: "In cases of computer misconduct, HUIT may notify the appropriate dean or University official, who in turn will determine the course of any investigation or disciplinary action."

So how is Harvard's tracing a forwarded email on a sensitive university matter an act of spying? It's not. It's reasonable monitoring.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Says Harvard: "While the specific document made public may be deemed by some as not particularly consequential, the disclosure of the document and nearly word-for-word disclosure of a confidential board conversation led to concerns that other information -- especially student information we have a duty to protect as private -- was at risk." Based on university policy and the situation, Harvard had a clear business requirement to try to identify the source of the leak. Any other responsible organization would have done the same.

And any faculty member angered by the incident doesn't seem to be living in the 21st century.

Let's call monitoring with a purpose "probable cause." In this care, there was probable cause to examine the logging systems.

Monitoring without probable cause is what I would call spying. The most egregious example I can recall was when officials of the Lower Merion School District in Pennsylvania allegedly went through pictures of students, taken in their bedrooms, via Webcams mounted on student laptops. The school district claimed that anti-theft software installed on the district-issued computers had triggered the laptop Webcam.

If anti-theft was the probable cause in this case, how come the school district didn't press charges against the students it has monitored? Instead, it came forward with evidence that the students were dealing drugs or engaging in improper behavior. No criminal charges were filed, but the school district ended up paying more than $600,000 to angry parents.

Even in this post-9/11 era of digital cameras and other surveillance systems, neither IT nor random supervisors should be permitted to use these systems for reasons other than safety or a bona fide criminal investigation unless legal and HR lay out a clear policy or procedure first. But that's the easy part. The hard part is in the middle: When should employers do logging to check up on employee behavior?

The answer, I think, is contained in the wisdom of one of my early career mentors, who frequently said: "Don't confuse management with an accounting mechanism." You can spend a tremendous amount of time listening to every phone call an employee makes, looking at every website an employee visits and reading every email or IM an employee sends, making sure that every communication corresponds to work. But that's the coward's way out.

Before you consider doing that, ask yourself: Why am I checking up? Usually, the answer is that you're unhappy with the employee's performance, and the honest answer is that you're afraid to have that difficult conversation with the employee to get more information about his poor performance. So you search for some "objective data."

Get that objective data, but use it for due diligence (probable cause to follow up) rather than to look for a smoking gun (random spying). Too many managers, looking for the Easy Button, forget that the data is nuanced and at least as difficult to interpret as having that difficult conversation. Was the employee teleworking on a document where a VPN wasn't needed? Almost three hours of video during the week? What time was it? Was the employee taking a half hour lunch break in her office instead of taking a full hour going out?

Nothing will tank employee morale faster than the outing of random employer spying. As my mentor taught me, the accounting mechanism of employee management provides you only with data about a particular activity. It doesn't provide you with the complete set of inputs needed to manage and lead.

The old saying is that "locks are for honest people" because most crooks can bypass them. Management due diligence that uses accounting mechanisms is also for honest people. In most cases, leakers of sensitive company information, if they had mal intent and some level of sophistication, would have covered their tracks.

Employers can and should use accounting mechanisms at times, but without probable cause, they're headed for trouble.

InformationWeek is conducting a survey on security and risk management. Take the InformationWeek 2013 Strategic Security Survey today. Survey ends March 29.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
edyang
50%
50%
edyang,
User Rank: Apprentice
3/23/2013 | 4:41:07 PM
re: Monitoring Vs. Spying: Are Employers Going Too Far?
It does sound as if this issue is becoming more convoluted to the point of civil or criminal law (requiring probable cause to execute a search warrant via a judge, for example).
edyang
50%
50%
edyang,
User Rank: Apprentice
3/23/2013 | 4:39:38 PM
re: Monitoring Vs. Spying: Are Employers Going Too Far?
Fritz, all good questions. I suspect as these types of issues become more and more prominent, we'll slowly start to learn how different organizations are adapting.
Tony A
50%
50%
Tony A,
User Rank: Strategist
3/19/2013 | 11:24:56 PM
re: Monitoring Vs. Spying: Are Employers Going Too Far?
"the disclosure of the document and nearly word-for-word disclosure of a confidential board conversation led to concerns that other information -- especially student information we have a duty to protect as private -- was at risk."

Did the students feel more secure or less, knowing that the administration might be prying into their own emails at some point?

'Harvard makes it pretty clear in its Faculty and Staff computer rules and responsibilities that system administrators may "gain access to users' data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules." '

That is all but a blanket license to intrude in any way they want into any campus database whatsoever whenever the administration feels threatened. What "other University rules" - getting on the wrong dinner line? Using a faculty bathroom? What are the criteria for believing that the infraction is egregious enough to warrant prying into personal data? What are the criteria for deciding that access to some database is relevant to an incident?

The university, like most employers, wants unrestricted access to information on their systems. So they offer "warnings" that effectively say that if you want to attend or work at this university you have no privacy. But their systems, and those of most employers, are part of a public network. They have no proprietary right to anything on in. Nor do ISP's. I realize this sentiment contradicts some court rulings in favor of employer surveillance and ISP data usage. But the courts are imperfect enforcers of ethics and are clearly at sea when it comes to dealing with technology.
edyang
50%
50%
edyang,
User Rank: Apprentice
3/18/2013 | 10:52:01 PM
re: Monitoring Vs. Spying: Are Employers Going Too Far?
There's monitoring and there's monitoring. Jonathan is correct that outright "spying" will serve to demoralize employees; the irony is that even though most employees realize "privacy" is all relative when it comes to the workplace, they still have the illusion and desire for some. There are tools out there that can strike the right balance between monitoring and privacy, most notably MySammy (http://www.mysammy.com). It gathers just the minimum amount of data necessary to report on employee computer activity, for example, just gathering the website title tag and URL not privy to what exactly is going on on the screen. It also provides employees with the option to stop collecting data if they are on a break or off-work hours and want to use the computer for their own personal use. It's a fine line to walk, but it can be done.
cbabcock
50%
50%
cbabcock,
User Rank: Strategist
3/18/2013 | 8:52:02 PM
re: Monitoring Vs. Spying: Are Employers Going Too Far?
I think Jonathan formulates the argument well. You need probably cause in some form to conduct the monitoring. The Harvard Faculty Arts and Sciences policy needs to counter to some extent the looseness of the Faculty and Staff Computer Rules, which states the large incursions allowed by an administrator without describing the conditions under which he can conduct them. Inspections are allowed "to maintain or prevent damage to systems..." IT staffs are doing that all the time. Not much protection there. Even then the only actual defense is an vigilant staff, understanding probably cause and challenging incursions on its rights; Charlie Babcock, senor writer, InformationWeek
FritzNelson
50%
50%
FritzNelson,
User Rank: Apprentice
3/18/2013 | 6:08:00 PM
re: Monitoring Vs. Spying: Are Employers Going Too Far?
Jonathan, I think this case raises some important issues. While we might agree that there's a policy in place, I would question the need to enforce it here. I could well be wrong, but this is precisely the reason the question needs to be raised. In determining whether to examine e-mails, Harvard should weigh the risk (what it's having to deal with now) with the reward (is it that important that they know who leaked? would they be willing to fire the person who did so? and for what gain . . . because we learned that a big group of students cheated? if the university deals with this correctly, would it really harm the reputation of Harvard?). I wonder how many organizations have gone on a hunt for some miscreant and, looking back, ascertained that it didn't matter as much as they originally thought it would. We're not really talking about leaking classified CIA information here.

I wonder how many organizations have policies like Harvard does. I wonder how many enforce them, and how they do it. I wonder what burdens that puts on IT, which must at some level implement these policies, and enable this monitoring, and possibly even make the IT folks privy to all of it (the doing of it, and what gets discovered).
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.