Monitoring Vs. Spying: Are Employers Going Too Far?

The email brouhaha that erupted at Harvard recently did not meet my definition of spying. If your company monitors, do it with reasonable cause.
Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
I'm on the side of organizations being able to monitor their technology assets without apology. But that's a very different thing from spying.

I'm alluding to the brouhaha that erupted after Harvard University reportedly "spied" on its employees while attempting to find out how a sensitive document left the organization. I use the scare quotes because it appears Harvard did nothing of the kind.

The Boston Globe reported: "News of the incident could nonetheless anger Harvard faculty members, whose privacy in electronic records is protected under a Faculty of Arts and Sciences policy." Not the way I read it.

Indeed, Harvard makes it pretty clear in its Faculty and Staff computer rules and responsibilities that system administrators may "gain access to users' data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules." The policy also states that "users understand that timesharing and network-based system activity is automatically logged on a continuous basis. These logs do not include private user text, mail contents or personal data, but do include a record of user processes that may be examined by authorized system administrators."

[ How to wrangle another employee hot button: bring your own device. Read BYOD: Why Mobile Device Management Isn't Enough. ]

The policy also specifies: "In cases of computer misconduct, HUIT may notify the appropriate dean or University official, who in turn will determine the course of any investigation or disciplinary action."

So how is Harvard's tracing a forwarded email on a sensitive university matter an act of spying? It's not. It's reasonable monitoring.

Global CIO
Global CIOs: A Site Just For You
Visit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Says Harvard: "While the specific document made public may be deemed by some as not particularly consequential, the disclosure of the document and nearly word-for-word disclosure of a confidential board conversation led to concerns that other information -- especially student information we have a duty to protect as private -- was at risk." Based on university policy and the situation, Harvard had a clear business requirement to try to identify the source of the leak. Any other responsible organization would have done the same.

And any faculty member angered by the incident doesn't seem to be living in the 21st century.

Let's call monitoring with a purpose "probable cause." In this care, there was probable cause to examine the logging systems.

Monitoring without probable cause is what I would call spying. The most egregious example I can recall was when officials of the Lower Merion School District in Pennsylvania allegedly went through pictures of students, taken in their bedrooms, via Webcams mounted on student laptops. The school district claimed that anti-theft software installed on the district-issued computers had triggered the laptop Webcam.

If anti-theft was the probable cause in this case, how come the school district didn't press charges against the students it has monitored? Instead, it came forward with evidence that the students were dealing drugs or engaging in improper behavior. No criminal charges were filed, but the school district ended up paying more than $600,000 to angry parents.

Even in this post-9/11 era of digital cameras and other surveillance systems, neither IT nor random supervisors should be permitted to use these systems for reasons other than safety or a bona fide criminal investigation unless legal and HR lay out a clear policy or procedure first. But that's the easy part. The hard part is in the middle: When should employers do logging to check up on employee behavior?

The answer, I think, is contained in the wisdom of one of my early career mentors, who frequently said: "Don't confuse management with an accounting mechanism." You can spend a tremendous amount of time listening to every phone call an employee makes, looking at every website an employee visits and reading every email or IM an employee sends, making sure that every communication corresponds to work. But that's the coward's way out.

Before you consider doing that, ask yourself: Why am I checking up? Usually, the answer is that you're unhappy with the employee's performance, and the honest answer is that you're afraid to have that difficult conversation with the employee to get more information about his poor performance. So you search for some "objective data."

Get that objective data, but use it for due diligence (probable cause to follow up) rather than to look for a smoking gun (random spying). Too many managers, looking for the Easy Button, forget that the data is nuanced and at least as difficult to interpret as having that difficult conversation. Was the employee teleworking on a document where a VPN wasn't needed? Almost three hours of video during the week? What time was it? Was the employee taking a half hour lunch break in her office instead of taking a full hour going out?

Nothing will tank employee morale faster than the outing of random employer spying. As my mentor taught me, the accounting mechanism of employee management provides you only with data about a particular activity. It doesn't provide you with the complete set of inputs needed to manage and lead.

The old saying is that "locks are for honest people" because most crooks can bypass them. Management due diligence that uses accounting mechanisms is also for honest people. In most cases, leakers of sensitive company information, if they had mal intent and some level of sophistication, would have covered their tracks.

Employers can and should use accounting mechanisms at times, but without probable cause, they're headed for trouble.

InformationWeek is conducting a survey on security and risk management. Take the InformationWeek 2013 Strategic Security Survey today. Survey ends March 29.