What price will society pay for forcing workers to spy on one another?
The closest I've ever come to being drafted--other than in Little League--was several years ago when a guy from my company's building-services department left me a message saying I'd been appointed to the Weather Advisory Task Force. Our charter, he said, was to help set guidelines for when snow emergencies should be declared and to think about and devise plans for other weather-related contingencies. While understandably humbled and thrilled at this calling, I never attended any meetings and was soon dropped from the task force. I incurred no penalties, and the net impact on me was zero.
A very different sort of impact, however, could be in store for thousands of IT workers in South Carolina under the legislation discussed in our cover story. Under the new law, any IT worker in the state who becomes aware of child pornography within that company's computer systems is required to report the users to law-enforcement authorities. They're not being asked to do this, they're not being encouraged to do this, they're not being urged to do it--they're being told to do it, or they could be sent to jail under penalties expected to be adopted next year.
What's going on here? Who dreamed this up? Who will enforce this? Where does the responsibility end--if front-line IT workers can be prosecuted for this, what about IT managers? CIOs? CEOs? And in these days of ubiquitous computer usage and information sharing, just who is an "IT professional," particularly in the eyes of legislators who have not the slightest hesitation in deputizing thousands of employees without their knowledge or consent?
Some have said the road to hell is paved with good intentions; clearly, the intentions here are good. If there is a more detestable and loathsome activity than the making, selling, and consuming of child pornography, I certainly hope I never hear about it. But is this the right way to attack this despicable industry--by forcibly requiring people who have no training in and no special perspective on this whole matter to become agents of law enforcement? To become arbiters of what is and is not pornography? To have to make the decisions on whether a possible but not definite example of such filth merits turning in a person who might be innocent, or whether to remain silent but risk a criminal record by not turning in that person?
Imagine you're the CEO at a shoe company in South Carolina, and you have 1,000 workers using PCs and networks with Internet access. You hear about this new law and assess your company's potential vulnerability. Do you brush it off and figure it'll blow over? Do you tell your IT team to keep a vigilant lookout for stuff flying through the transom, but don't go on active searches? Or do you look to pre-empt any potentially harmful problem by ordering your IT teams to actively root through every server and hard drive and Web site and attachment in your entire company? What if the search turns up off-color jokes? What if it reveals some employees are engaged in an office betting pool on baseball or basketball or football or hockey?
What about the head of HR who knows that a couple of employees have come to him or her to arrange for confidential counseling related to, say, spousal abuse? Well, we need to wipe out spousal abuse, so let's turn in those people, too. What if we find that some employees have visited Web sites that have links to other sites that are connected in some way to child pornography--do we bust them, too?
I'm not given to conspiracy theories or crazed images of a world gone mad. But I don't think the questions and scenarios I've posed are unthinkable in the context of this law. If we're willing to codify that, then where do we draw the line? This is about steps into the unknown that technology is spawning. It's about ethics and privacy and personal responsibility; it's about the role businesses play in building a better society; it's about defining acceptable levels of governmental activism in the private sector; and it's about tackling profoundly complex issues in a time when everything around us is changing. It's about what is right and what is wrong, and if it's taking place today in South Carolina, it can happen tomorrow all across the country.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.