Monitoring Vs. Spying: Are Employers Going Too Far?

The email brouhaha that erupted at Harvard recently did not meet my definition of spying. If your company monitors, do it with reasonable cause.

Jonathan Feldman, CIO, City of Asheville, NC

March 18, 2013

5 Min Read
InformationWeek logo in a gray background | InformationWeek

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013


Anonymous: 10 Things We Have Learned In 2013(click image for larger view and for slideshow)

I'm on the side of organizations being able to monitor their technology assets without apology. But that's a very different thing from spying.

I'm alluding to the brouhaha that erupted after Harvard University reportedly "spied" on its employees while attempting to find out how a sensitive document left the organization. I use the scare quotes because it appears Harvard did nothing of the kind.

The Boston Globe reported: "News of the incident could nonetheless anger Harvard faculty members, whose privacy in electronic records is protected under a Faculty of Arts and Sciences policy." Not the way I read it.

Indeed, Harvard makes it pretty clear in its Faculty and Staff computer rules and responsibilities that system administrators may "gain access to users' data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules." The policy also states that "users understand that timesharing and network-based system activity is automatically logged on a continuous basis. These logs do not include private user text, mail contents or personal data, but do include a record of user processes that may be examined by authorized system administrators."

[ How to wrangle another employee hot button: bring your own device. Read BYOD: Why Mobile Device Management Isn't Enough. ]

The policy also specifies: "In cases of computer misconduct, HUIT may notify the appropriate dean or University official, who in turn will determine the course of any investigation or disciplinary action."

So how is Harvard's tracing a forwarded email on a sensitive university matter an act of spying? It's not. It's reasonable monitoring.

Global CIOGlobal CIOs: A Site Just For YouVisit InformationWeek's Global CIO -- our online community and information resource for CIOs operating in the global economy.

Says Harvard: "While the specific document made public may be deemed by some as not particularly consequential, the disclosure of the document and nearly word-for-word disclosure of a confidential board conversation led to concerns that other information -- especially student information we have a duty to protect as private -- was at risk." Based on university policy and the situation, Harvard had a clear business requirement to try to identify the source of the leak. Any other responsible organization would have done the same.

And any faculty member angered by the incident doesn't seem to be living in the 21st century.

Let's call monitoring with a purpose "probable cause." In this care, there was probable cause to examine the logging systems.

Monitoring without probable cause is what I would call spying. The most egregious example I can recall was when officials of the Lower Merion School District in Pennsylvania allegedly went through pictures of students, taken in their bedrooms, via Webcams mounted on student laptops. The school district claimed that anti-theft software installed on the district-issued computers had triggered the laptop Webcam.

If anti-theft was the probable cause in this case, how come the school district didn't press charges against the students it has monitored? Instead, it came forward with evidence that the students were dealing drugs or engaging in improper behavior. No criminal charges were filed, but the school district ended up paying more than $600,000 to angry parents.

Even in this post-9/11 era of digital cameras and other surveillance systems, neither IT nor random supervisors should be permitted to use these systems for reasons other than safety or a bona fide criminal investigation unless legal and HR lay out a clear policy or procedure first. But that's the easy part. The hard part is in the middle: When should employers do logging to check up on employee behavior?

The answer, I think, is contained in the wisdom of one of my early career mentors, who frequently said: "Don't confuse management with an accounting mechanism." You can spend a tremendous amount of time listening to every phone call an employee makes, looking at every website an employee visits and reading every email or IM an employee sends, making sure that every communication corresponds to work. But that's the coward's way out.

Before you consider doing that, ask yourself: Why am I checking up? Usually, the answer is that you're unhappy with the employee's performance, and the honest answer is that you're afraid to have that difficult conversation with the employee to get more information about his poor performance. So you search for some "objective data."

Get that objective data, but use it for due diligence (probable cause to follow up) rather than to look for a smoking gun (random spying). Too many managers, looking for the Easy Button, forget that the data is nuanced and at least as difficult to interpret as having that difficult conversation. Was the employee teleworking on a document where a VPN wasn't needed? Almost three hours of video during the week? What time was it? Was the employee taking a half hour lunch break in her office instead of taking a full hour going out?

Nothing will tank employee morale faster than the outing of random employer spying. As my mentor taught me, the accounting mechanism of employee management provides you only with data about a particular activity. It doesn't provide you with the complete set of inputs needed to manage and lead.

The old saying is that "locks are for honest people" because most crooks can bypass them. Management due diligence that uses accounting mechanisms is also for honest people. In most cases, leakers of sensitive company information, if they had mal intent and some level of sophistication, would have covered their tracks.

Employers can and should use accounting mechanisms at times, but without probable cause, they're headed for trouble.

InformationWeek is conducting a survey on security and risk management. Take the InformationWeek 2013 Strategic Security Survey today. Survey ends March 29.

About the Author

Jonathan Feldman

CIO, City of Asheville, NC

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human resources management. Asheville is a rapidly growing and popular city; it has been named a Fodor top travel destination, and is the site of many new breweries, including New Belgium's east coast expansion. During Jonathan's leadership, the City has been recognized nationally and internationally (including the International Economic Development Council New Media, Government Innovation Grant, and the GMIS Best Practices awards) for improving services to citizens and reducing expenses through new practices and technology.  He is active in the IT, startup and open data communities, was named a "Top 100 CIO to follow" by the Huffington Post, and is a co-author of Code For America's book, Beyond Transparency. Learn more about Jonathan at Feldman.org.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights