6/19/2014
12:00 PM
David Melnick
Commentary

What Workplace Privacy Will Look Like In 10 Years

New laws like Europe's "right to be forgotten" in Google search are just the latest examples of how quickly perceptions and practices about personal privacy in the workplace are changing.

Ralph's pajamas gently vibrate him awake. While he is still in bed, he gestures into the air, bringing up a computer interface woven into his pajamas. With a swipe of his hand, he opens his personal space and checks his biometric dashboard to find out how many steps he needs to walk today to reach his weight loss goal and whether his cholesterol has dropped.

After a quick shower, he gets dressed, accessorizing with his smart computing vest, which automatically starts his ultra-dark roast coffee brewing the moment he puts it on. A father of three, he gestures to open his private family view, which is showing live video feeds of his kids waking up. Interrupted by an alert from his car about traffic delays, he grabs a cup of coffee and heads for the garage, where he slides into his car office, closes his personal spaces with a gesture, and opens his business calendar to prepare for work.

Futuristic? Not so much.

This view of increasingly blurred "personal" and "work" places, spaces, and time will shortly be upon us. This reality will continue to challenge our notion of personal privacy, especially in the workplace.

The history of privacy at work
In the mid-1990s, employees began to gain Internet access at work. Eventually, Internet use became mission critical for nearly every job. Everyone was expected to have Internet access on their work computer, and before the end of the decade, they did. As people became able to shop, check bank balances, and pay bills online during working hours, the convergence of personal and professional lives accelerated, leaving employers to balance individuals' privacy concerns against increasing risks from employees' use of the Internet, such as productivity distractions, liability issues, and cyber security threats.

Then came 9/11, and overnight, employers shifted their focus from seeking balance to managing security and other risks. In the past decade, the proliferation of social media, cloud technology, and mobile access to the corporate network has led to increasingly invasive monitoring and controls, which has resulted in the beginnings of a global privacy backlash.

In the last 20 years, technology advancements have enabled unprecedented sophistication in social and personal communications, allowing us to have more personalized interactions at work. This is great, but our view of privacy has not adapted to this new reality, nor have we established any clear expectations of privacy in the workplace. How can we assume our information, which we freely share and that others are hungry to mine and sell, will be kept private? And why should we care when it isn't?

Some (those of us in the United States) assume we are protected by the Fourth Amendment to the US Constitution or by the benign neglect of our employers, but that's not true. Imagine yourself on your personal computer at home. The door is shut, and no one is around. You have a sense of privacy and an assumption that you are not being watched, but there's a pretty good chance that you are. Just this month, The New York Times reported that the NSA is actively harvesting images people share through electronic communications for use in facial recognition programs.

Where we are now with privacy
Just as people haven't changed their perceptions of privacy rights in the digital era, legal frameworks and thinking around personal privacy at work, especially in the US, haven't kept up. This has left employees with a false sense of comfort. There is also a rising tension in the workplace as employees broadly disobey policies (which organizations don't have the will to enforce) that unrealistically forbid personal online activity.

US corporate culture expects you to check your personal freedoms at the office door, but with appropriate company policies, your employer is legally entitled to monitor most of your workplace communications, according to the Privacy Rights Clearinghouse, a nationally recognized nonprofit consumer education and advocacy group.

Regardless of how you feel about Edward Snowden's actions, at least he has gotten us talking about our rights to privacy -- at home and at work -- and has shined a light on the gap between perceptions and reality about individual privacy rights. More than 50 countries have established comprehensive privacy legislation, with Europe, having thought deeply about the privacy consequences of these technologies for decades, leading the way.

What privacy will look like 10 years from now
A decade from now, even if we're not Ralph in our computing pajamas, the privacy landscape will be dramatically different. Computing technologies will increasingly be integrated into our private person, while computing storage and services will be in the cloud. From a legal standpoint, I believe laws will evolve to interpret the Fourth Amendment as providing individuals a right to privacy -- even in the workplace -- as an inalienable right.

I predict that the technology we rely on every day will reflect the integrated nature of our personal and professional lives, and that we will move between them with a simple wave of our hands or the flip of a switch. The dimensions of space and time will no longer define how we use information, whether personal or professional. Our constitutional right to a private life in the workplace will drive a logical separation of information, so that our family-related information will be separated from our business information, ensuring our privacy is protected.

David has worked for 25 years with US and global companies, advising them on strategy, risk-based priorities, and effective governance of highly sensitive and regulated data. He is a CIPP/E/US, CISA, and CISSP and has authored several books through McGraw-Hill Publishing and ...

Comments
hunterpj
User Rank: Strategist
6/20/2014 | 4:43:19 PM
So true...

The ECPA has been criticized for failing to protect all communications and consumer records, mainly because the law is so outdated and out of touch with how people share, store, and use information nowadays. For instance, under the ECPA it is relatively easy for a government agency to demand that service providers hand over personal consumer data that has been stored on their servers.

For instance, email that is stored on a third party's server for more than 180 days is considered by the law to be abandoned (amazing), and all that is required for a law enforcement agency to obtain the content of the emails is a written statement certifying that the information is relevant to an investigation, without judicial review. Yet in a patent lawsuit every piece of electronic communication in your possession, including archived backups, can be frozen by subpoena and subject to future review for applicability to the case.

Obviously, the ECPA needs a major overhaul. Just imagine the furor that will be created as every congressman, agency, and lobbyist jockeys to put their 2 cents in. And of course any new law will ultimately play out in the courts, as there will be challenges and counter-challenges, as we have seen with the current ECPA.

dmelnick
User Rank: Author
6/20/2014 | 4:27:48 PM
Re: Some US Law Already Exists But Protection is Limited
Great point hunterpj,

I think it's fascinating that we have specifically protected phone communications, but left email wide open and unprotected. I think this is largely law playing catch-up to technology. For example, is Skype subject to any safeguards? Still interesting that employers can listen to your voicemail, but with a clean Acceptable Use Policy, they can read all your email.
hunterpj
User Rank: Strategist
6/20/2014 | 3:47:50 PM
Some US Law Already Exists But Protection is Limited
The Electronic Communications Privacy Act ("ECPA") prohibits employers from listening to employees' personal telephone conversations or voicemail messages in the workplace, whether the calls are made or received on a work telephone or an employee's personal cell phone. An employer also is potentially liable under the ECPA if he or she deletes or prevents an employee's access to voicemail messages. 

Seems like the precedent is well established, except:

Employers can also generally monitor employees' phone calls for quality control purposes. They are supposed to cease monitoring once they are aware that the call is personal, though. If there is a policy in place against personal calls, however, the employer can listen to enough of the call to determine that it is personal, and the employee may still face disciplinary action for the personal call even if the employer didn't listen to the entire call.

Some states, such as California, require that all parties to a monitored phone conversation receive notice about the monitoring. If your state has such a law, your employer is required to inform you if they plan to monitor your phone calls.

Most of the latest technologies are not specifically detailed.

So a person is entitled to some privacy at work, but has far fewer privacy rights at work than they do in their personal life.
Christian Bryant
User Rank: Ninja
6/20/2014 | 1:35:55 PM
Re: Security vs Privacy vs Performance
@dmelnick

Exciting times :-) Can't wait to see how that architecture is going to look, and then to quickly identify the exploits so we can make it better.

Look forward to your next article, David. This is an area I have great interest in.

Cheers!
dmelnick
User Rank: Author
6/20/2014 | 1:28:03 PM
Re: Security vs Privacy vs Performance
Christian Bryant,

I think we are closer in position than it may appear. I agree in the need for separation. A clean barrier. But I believe that we can architect that barrier logically. In fact, I believe the idea of physical barriers may become increasingly problematic in a cloud-based, multi-device world. Our interface (UI) tech may increasingly become personally owned. People currently don't expect work to provide their clothes, and someday soon we may bring our own UI to work and just use the work computing power, applications and data to perform our tasks. In this world, we must seek an architecture to safeguard privacy. I believe a whole software privacy market is in its infancy and will ultimately develop the tools and techniques to enable our privacy amidst work and other computing demands.
Marilyn Cohodas
User Rank: Strategist
6/20/2014 | 12:59:31 PM
Re: Security vs Privacy vs Performance
"I would like to challenge the idea that we can fully separate our personal and professional use of technology."

I wholeheartedly agree with that point, Dave. We can't fully separate our personal and professional use of technology, and as we move into the IoT the distinction will become even more blurred.
Whoopty
User Rank: Moderator
6/20/2014 | 12:25:45 PM
Gesture
The idea of a gesture switching us between personal and professional data profiles has me excited, as I struggle already to differentiate between the two sometimes.

It's also gratifying to read something where the future isn't doom and gloom or some 1984 scenario where no person's privacy is sacred. Nicely done.
Christian Bryant
User Rank: Ninja
6/19/2014 | 7:39:05 PM
Re: Security vs Privacy vs Performance
@dmelnick

"Wrestle" is the key word. While I acknowledge the state you are describing is occurring and will further evolve in the near future, I believe (and in some cases know from first-hand experience) that not keeping a physical barrier between work and life can lead to serious personal privacy and work security concerns (whether that be never reading company email on your own device, or accessing the Internet or cloud for personal use from your work computer). Can that barrier be inconvenient? Sure – I have a small Acer GNU/Linux laptop that goes with me to work, and I log onto a non-company network to access personal apps and the Internet. The reason is that I will never be the source of a malware or virus attack, or intrusion at work that might lead to sensitive information getting out – and we have plenty here. Walking around the office I see many apps and websites open on company hardware that are ripe for intrusion. Is that the fault of IT? Certainly they need to work on policies and procedures to lock down and define workflow, but in the end, it is also the fault of the tech industry (if you subscribe to my view rather than believing BYOD and work/life integration is inevitable) for not writing security and privacy considerations into emerging tech such that someone can have one device, but have a physical separation between work and life (dual boot, for instance) that makes sure that the issues found in one environment cannot and never will bleed over to the next.

I know, I'll be wearing tinfoil hats soon if I keep up with that train of thought :-)  But there's something to be said for those of us who "keep it separated" and how our work benefits from it.

dmelnick
User Rank: Author
6/19/2014 | 7:15:35 PM
Re: Security vs Privacy vs Performance
I appreciate your thoughtful observations. It appears you subscribe to the idea of separating your personal stuff from the work place to address privacy risk. I would like to challenge the idea that we can fully separate our personal and professional use of technology.

As the work day grows longer, people increasingly perform work outside the traditional office and at home (extended enterprise), and they use their own devices for work email and work devices for personal use (mobility). I believe emerging mobile technology and the digital space broadly have forever blurred our work and personal lives. Once you accept that our personal and professional lives have become intertwined, we become forced to wrestle with how to manage boundaries to protect both the work place and our private space.
Christian Bryant
User Rank: Ninja
6/19/2014 | 3:27:42 PM
Security vs Privacy vs Performance
I believe in the tech-integrated/enhanced near-future with enthusiasm. However, I also believe that workplace privacy needs to be carefully standardized. I think part of the issue regarding the understanding for what this actually is stems from confusion by both users and managers regarding the difference between security, privacy and performance.

For example, when it comes to allowing users access to an application like Twitter in the workplace, several questions need to be asked: 1) Is it relevant to the user's job? 2) If not, will having it affect their ability to do their work? 3) Might they post something damaging to the company, whether it be negative comments, or posting sensitive data? 4) Should the company have the ability to monitor what the user is reading/posting?

This collection of questions regarding a single app touches on security, privacy and performance. But "privacy" in the workplace is related to what a user can keep from an employer that will prevent that employer from bullying them, or leveraging information to cause a relationship to happen or to get work from the user that is not part of the contract of work as understood by standard practices (see Richard Stallman's take).

But for my part, I think you should not be able to install applications on your work-related computer if that is not part of the culture, especially if you work for a hospital, security firm, financial institution, and so on, because bringing your personal life to work does, and I stress does, impact the security and performance of your work.

Workplace privacy? Sure, if you like to dress in drag your boss doesn't need to know; but you also don't need to be letting that information out while at work over email, texts, Tweets or any other method that sits on company property meant for getting your job done. Know the difference, be responsible at work.

And if your employer insists on you enjoying all those perks, you may want to double-check your computer for spyware, or at least make sure your privacy is guaranteed on paper, because you have just opened yourself up to a slip that could later cost you your job.