Endpoint //

Privacy

11/4/2014
11:00 AM
David Melnick
David Melnick
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Workplace Privacy: Big Brother Is Watching

Companies may have the right to monitor employees who are checking their bank balances or shopping online on corporate networks. The real question is, should they?

The technological sophistication of employee monitoring tools available today gives companies the power to scrutinize virtually every move an employee makes using keyboard logging, cellphone tapping, tracking devices attached to office badges -- even chairs that vibrate when an employee gets up from his or her desk.

To be sure, many of these approaches are extreme. But they all raise ethical issues we’ve never faced before as a society.

Why do companies monitor? One reason, according to a study Kansas State University conducted last year called “The Effects of Sanctions and Stigmas on Cyberloafing,” is that between 60% and 80% of employees’ time on the Internet at work has nothing to do with work. Here are a few other scary stats from the study:

  • 77% of people check their social media profiles from work computers
  • 49% of women shop online at work during the holiday season
  • 20% of men view pornography at work

So, companies monitor. They notify employees and gain consent with strong Acceptable Use Policies (AUPs) and then operationalize increasingly sophisticated rules-based monitoring with Data Loss Prevention (DLP), Deep Packet Inspection of SSL activity, and even spyware.

Of course, companies have the right to monitor what travels over their networks, at least in the US. They have shareholder, customer, and employee interests to protect. In fact, in the US, with limited notification and consent, employers have very few limitations as to what they can monitor around employees’ Internet use at work.

In Europe, privacy is a human rights issue
The right to monitor becomes a bit more complicated for companies operating outside of the US, however. Europe, for example, has worked actively on the issue of governing privacy. The EU Data Protection Directive -- which is in transition at the moment -- provides protections for employees’ personal life in the workplace. The European Convention for the Protection of Human Rights, Article 8.1, proclaims that “everyone has the right to respect for his private and family life, his home and correspondence.”

According to the Article 29 Working Party working document on surveillance of electronic communications in the workplace, “Court has made it clear that the protection of private life enshrined in Article 8 does not exclude the professional life as a worker …” This approach to extending personal privacy protection into the workplace has been migrating to other jurisdictions around the world. For now, most employers outside of Europe can access any email or text message or track employee online activity -- anything that relies on a company asset to travel, unless it’s a personal device -- and limit employees’ expectations of privacy at work.

Whoa! Why are we monitoring, again?
Security professionals are keenly aware of the pressure to secure without consideration for privacy, and monitoring seems to be the tactic du jour. But let’s take a moment to step back and reflect on the implications and realities of monitoring.

We monitor because our networks and our employees are under constant cyberattack and because CIOs and CISOs are attempting to maintain command and control over increasingly distributed corporate networks. Employees have 24/7 access to the corporate network via a variety of personal devices. To achieve security and address liability, employer policies often assert no-employee-right-to-privacy, and they often implement monitoring systems in an attempt to regain control over employee Internet use.

These issues are legitimate, but I’m not sure that the end justifies the means. I think we’re monitoring because we don’t know what else to do, and fundamentally, I think we’re monitoring because we can. It’s time to ask ourselves whether we should.

The heart of the problem is that our personal lives are co-mingled with our work lives. Because we use work devices for personal reasons and personal devices for work reasons, it’s difficult for employers not to invade personal space when monitoring work activity. At the same time, we can and should isolate and protect personal activity and privacy. The debate needs to move beyond "we can" and "we should" to how can we separate and protect personal stuff.

Is there a less invasive approach that benefits us all? Let’s chat about the possibilities in the comments.

David has worked for 25 years with US and global companies, advising them on strategy, risk-based priorities, and effective governance of highly sensitive and regulated data. He is a CIPP/E/US, CISA, and CISSP and has authored several books through McGraw-Hill Publishing and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/6/2014 | 10:59:52 AM
Re: Is it really shocking that companies are watching?
Agree, @SecOpsSpecialist,at least in theory, as I type on my work computer in my home office, (right after checking my personal gmail).  It is indeed a slippery slope we are on with workplace privacy at home -- as well as in the office!
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
11/6/2014 | 10:50:39 AM
Re: Is it really shocking that companies are watching?
@Marilyn,


That's a good question actually. Can we reasonably expect that no one is going to do non work related activities on work computers? No. But what we can expect is that if we say that we don't want people viewing adult material on their work laptops, and someone does, we have the reserved right to take disciplinary action against them for violating company policy. As I may have mentioned, there are products out there that can be installed on work laptops to prevent people from going to websites we don't want them to go to. Plus, with logging and log management systems, we can view practically anything on those laptops. By accepting a work laptop, a person is then accepting the responsibility of said laptop into their care and custody. Once at home, if on the work laptop, the person decides to engage in personal activities that are against company policy, technically, the laptop is still company property and therefore is still subjected to the Acceptable Use Policy, even on business trips or in the home.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/5/2014 | 3:37:58 PM
Re: Is it really shocking that companies are watching?
It gets more complicated as  more work takes place outside the workplace -- in our homes, on airplanes traveling for business -- or personal reasons. As the lines blur between work and life, how can you tell a person they can't pay a bill online in the office, when they go home and check email at work? 
SecOpsSpecialist
50%
50%
SecOpsSpecialist,
User Rank: Moderator
11/5/2014 | 3:12:41 PM
Re: Is it really shocking that companies are watching?
@dmelnick,

You make an interesting point. The thing that we as workers tend to forget is that the reason companies had to create acceptable use policies in the first place is because something bad happened to the organization. Same reason why the silica packets say "do not eat" and why McDonald's coffee says, "caution hot!". Someone did something, regardless of what it was, caused a problem for the organization and the company had to tighten up what they allowed their employees to do.

Quite honestly, by signing an Acceptable Use Policy, you are, in fact, signing an agreement between you and the employer. I can understand from the employee perspective why it seems unfair that they say "you can't go on Facebook" or "you shouldn't login to your bank account." In a way, the company is trying to not only protect themselves, but protect you as well.

Think about it another way, if the company gets hacked, and the hacker is able to get into the company's credentials, what's to stop them from stealing John Smith's bank account information? It's been logged into the company's system that he's accessed it and therefore, he knows that John Smith banks with ABC Bank and has a username of jsmith252. The hacker can then use that to get access to his bank records. Yes, it seems unlikely, but that's often times what happens.
dmelnick
100%
0%
dmelnick,
User Rank: Author
11/5/2014 | 10:43:13 AM
Re: Is it really shocking that companies are watching?
@SecOpsSpecialist,

You say "People only complain about "privacy" being invaded when they do something that is against company policy on their computer." But what happens when doing anything personal is against company policy. over 70% of companies have Acceptable Use Policies that basically say you cant do personal stuff at work. It seems like we are in a bit of a pickle when the policy is unrealistic. These policies are forcing employees into civil disobedience in a sort of "dont ask dont tell" unwritten policy.
SecOpsSpecialist
100%
0%
SecOpsSpecialist,
User Rank: Moderator
11/5/2014 | 10:17:17 AM
Is it really shocking that companies are watching?
You really have to ask yourself this question: Is it surprising the companies have to watch what it is people are doing? Think about it from this perspective, a company has data that they need to protect, if a person is consistently on Facebook or Twitter, there is a distinct possibility, in the business's mind, that this person could be leaking secrets all over the Internet. So what can companies do?

There's this nifty little thing called URL Filtering, Application Whitelisting and Application Blacklisting which helps to protect the organization. If the organization does it right, they can block social media such as Facebook and Twitter, but leave "professional" sites like LinkedIn available. A business is designed to make money, not lose it. I know when I come to work, I'm being monitored. But the thing is that I also don't do things that I know would get me into trouble. People only complain about "privacy" being invaded when they do something that is against company policy on their computer.

The 20% watching pornography seems like a lot, but quite frankly, it's on the business if they allow it on their computers at all. Products exist on the market to prevent those kinds of things from happening and if the business complains that their users are doing that, then perhaps they should rethink what they actually allow on their work computers.
dmelnick
50%
50%
dmelnick,
User Rank: Author
11/4/2014 | 6:14:42 PM
Re: trust
@Thomas, I agree this discussion is partly about "trust" but I think the real debate is about what constitutes "fair" rules?

@vnewman2, thank you for your comments, I appreciate the way you are working to wrestle with what constitutes fair practices. To your point, our lives have blurred between work and personal and I don't think that is necessarily a bad thing. But accepting that co-mingling leads to a discussion about whether an employee should have any rights to a private live in the workplace. I think the Europeans are out in front of the US in thinking deeply about this important 21st century question from a regulatory perspective.
dmelnick
50%
50%
dmelnick,
User Rank: Author
11/4/2014 | 6:08:23 PM
Re: trust
@Marilyn, I agree the pornography number is surprising, however examples like the high profile EPA users of pornography that led to congressional hearings illustrate the limited controls enforced in many organizations. All the more surprising with the wide availability and maturity of category based web filtering solutions which could limit this type of activity. Pornography often leads to more complicated employer liability risk around creating a hostile work environment/sexual harassment, and in the case of the EPA story child pornography incidents were reference which are criminal. The EU members are not going to protect employees involved in criminal behavior and generally provide for surveillance associated with investigations into employee activity. 
vnewman2
50%
50%
vnewman2,
User Rank: Strategist
11/4/2014 | 5:07:33 PM
Re: trust
Further, here's a little anecdote: During graduate school, I worked part-time as the kid's fitness director at a gym.  If I had a guest teacher come in (let's say for gymnastics), I would sit and read a text book because I wasn't allowed to help (liability) or leave the room.  When the class was over, I would clean up the equipment.  I was wiping things down when my boss and her dad (yeah, i know) walked over to my desk, staring down at the book and whispering.  I asked, is everything ok?

She said, "Yeah, we're just looking at this table."  

I quit the next week. 

 
vnewman2
50%
50%
vnewman2,
User Rank: Strategist
11/4/2014 | 4:59:18 PM
Re: trust
@Thomas - I hear what you're saying but when the rules are antiquated or just obviously don't make any sense, people are going to break them.   Putting all kinds of barriers in place to prevent people from "goofing off" or doing non-work related tasks is near impossible since people can just hop on their personal phone to play games, FB, email, shop, etc.  

The way I feel about it is this: My life does not just stop when I walk in this building.  There will be times when I need to deal with personal issues on the firm's dime.  In the same way, I'm not going to report every second of time I spend checking my work email throughout the night to make sure no one in the office is at a work stoppage.   I feel like it all evens out in the end.

And if my work for day is complete and my projects are current, why can't I go waste some time on Facebook (I don't because that's not my thing, but you get my point).   Or else I could sit here and daydream - you can't police that - yet.   The point I'm getting at is - what's the difference between sitting at your desk drawing doodles and getting on your computer to do bascially the same thing?  I've never understood this kind of mentality.

The only issue I do have is with people who put the entire firm at risk doing stupid things that are outside the confines of their job - visiting rogue sites, circumventing security checkpoints, etc.
Page 1 / 2   >   >>
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.