Comments
What Workplace Privacy Will Look Like In 10 Years
RetiredUser
User Rank: Ninja
6/19/2014 | 3:27:42 PM
Security vs Privacy vs Performance
I believe in the tech-integrated/enhanced near-future with enthusiasm. However, I also believe that workplace privacy needs to be carefully standardized. I think part of the issue regarding the understanding for what this actually is stems from confusion by both users and managers regarding the difference between security, privacy and performance.

For example, when it comes to allowing users access to an application like Twitter in the workplace, several questions need to be asked: 1) Is it relevant to the user's job? 2) If not, will having it affect their ability to do their work? 3) Might they post something damaging to the company, whether it be negative comments, or posting sensitive data? 4) Should the company have the ability to monitor what the user is reading/posting?

This collection of questions regarding a single app touches on security, privacy and performance. But "privacy" in the workplace is related to what a user can keep from an employer that will prevent that employer from bullying them, or leveraging information to cause a relationship to happen or to get work from the user that is not part of the contract of work as understood by standard practices (see Richard Stallman's take).

But for my part, I think you should not be able to install applications on your work-related computer if that is not part of the culture, especially if you work for a hospital, security firm, financial institution, and so on, because bringing your personal life to work does, and I stress does, impact the security and performance of your work.

Workplace privacy? Sure, if you like to dress in drag your boss doesn't need to know; but you also don't need to be letting that information out while at work over email, texts, Tweets or any other method that sits on company property meant for getting your job done. Know the difference, be responsible at work.

And if your employer insists on you enjoying all those perks, you may want to double-check your computer for spy-ware, or at least make sure your privacy is guaranteed on paper, because you have just opened yourself up to a slip that could later cost your job.
dmelnick
User Rank: Author
6/19/2014 | 7:15:35 PM
Re: Security vs Privacy vs Performance
I appreciate your thoughtful observations. It appears you subscribe to the idea of separating your personal stuff from the work place to address privacy risk. I would like to challenge the idea that we can fully separate our personal and professional use of technology.

As the work day grows longer and people increasingly perform work outside the traditional office and at home (extended enterprise), and as people use their own devices for work email and work devices for personal use (mobility), I believe emerging mobile technology and the digital space broadly have forever blurred our work and personal lives. Once you accept that our personal and professional lives have become intertwined, we become forced to wrestle with how to manage boundaries to protect both the work place and our private space.
RetiredUser
User Rank: Ninja
6/19/2014 | 7:39:05 PM
Re: Security vs Privacy vs Performance
@dmelnick

"Wrestle" is the key word. While I acknowledge the state you are describing is occurring and will further evolve in the near future, I believe (and in some cases know from first-hand experience) that not keeping a physical barrier between work and life can lead to serious personal privacy and work security concerns (whether that be never reading company email on your own device, or accessing the Internet or cloud for personal use from your work computer).  Can that barrier be inconvenient?  Sure – I have a small Acer GNU/Linux laptop that goes with me to work, and I log onto a non-company network to access personal apps and the Internet.  The reason is that I will never be the source of a malware or virus attack, or intrusion at work that might lead to sensitive information getting out – and we have plenty here.  Walking around the office I see many apps and websites open on company hardware that are ripe for intrusion.  Is that the fault of IT?  Certainly they need to work on policies and procedures to lock down and define workflow, but in the end, it is also the fault of the tech industry (if you subscribe to my view rather than believing BYOD and work/life integration is inevitable) for not writing security and privacy considerations into emerging tech such that someone can have one device, but have a physical separation between work and life (dual boot, for instance) that makes sure that the issues found in one environment can not and never will bleed over to the next.

I know, I'll be wearing tinfoil hats soon if I keep up with that train of thought :-)  But there's something to be said for those of us who "keep it separated" and how our work benefits from it.

   
Whoopty
User Rank: Ninja
6/20/2014 | 12:25:45 PM
Gesture
The idea of a gesture switching us between personal and professional data profiles has me excited, as I struggle already to differentiate between the two sometimes. 

It's also gratifying to read something where the future isn't doom and gloom or some 1984 scenario where no person's privacy is sacred. Nicely done.
Marilyn Cohodas
User Rank: Strategist
6/20/2014 | 12:59:31 PM
Re: Security vs Privacy vs Performance
 I would like to challenge the idea that we can fully separate our personal and professional use of technology.

I wholeheartedly agree with that point, Dave. We can't fully separate our personal and professional use of technology and as we move into the IoT the distinction will become even more blurred.
dmelnick
User Rank: Author
6/20/2014 | 1:28:03 PM
Re: Security vs Privacy vs Performance
Chrisitanabryant,

I think we are closer in position than it may appear. I agree in the need for separation. A clean barrier. But I believe that we can architect that barrier logically. In fact, I believe the idea of physical barriers may become increasingly problematic in a cloud-based, multi-device world. Our interface (UI) tech may increasingly become personally owned. People currently don't expect work to provide their clothes, and someday soon we may bring our own UI to work and just use the work computing power, applications and data to perform our tasks. In this world, we must seek an architecture to safeguard privacy. I believe a whole software privacy market is in its infancy and will ultimately develop the tools and techniques to enable our privacy amidst work and other computing demands.
RetiredUser
User Rank: Ninja
6/20/2014 | 1:35:55 PM
Re: Security vs Privacy vs Performance
@dmelnick

Exciting times :-)  Can't wait to see how that architecture is going to look, and then quickly identifying the exploits so we can make it better.

Look forward to your next article, David.  This is an area I have great interest in.

Cheers!
hunterpj
User Rank: Strategist
6/20/2014 | 3:47:50 PM
Some US Law Already Exists But Protection is Limited
The Electronic Communications Privacy Act ("ECPA") prohibits employers from listening to employees' personal telephone conversations or voicemail messages in the workplace, whether the calls are made or received on a work telephone or an employee's personal cell phone. An employer also is potentially liable under the ECPA if he or she deletes or prevents an employee's access to voicemail messages. 

Seems like the precedence is well established, except:

Employers can also generally monitor employee's phone calls for quality control purposes. They are supposed to cease monitoring once they are aware that the call is personal, though. If there is a policy in place against personal calls, however, the employer can listen to enough of the call to determine that it is personal, and the employee may still face disciplinary action for the personal call even if the employer didn't listen to the entire call.

Some states, such as California, require that all parties to a monitored phone conversation receive notice about the monitoring. If your state has such a law, your employer is required to inform you if they plan to monitor your phone calls.

Most of the latest technologies are not specifically detailed.

So a person is entitled to some privacy at work, but has far fewer privacy rights at work than they do in their personal life.
dmelnick
User Rank: Author
6/20/2014 | 4:27:48 PM
Re: Some US Law Already Exists But Protection is Limited
Great point Hunterpi,

I think it's fascinating that we have specifically protected phone communications, but left email wide open and unprotected. I think this is largely law playing catch up to technology. For example, is Skype subject to any safeguards? Still interesting that employers can listen to your voicemail but with a clean Acceptable Use Policy, they can read all your email.
hunterpj
User Rank: Strategist
6/20/2014 | 4:43:19 PM
So true...
So true...

The ECPA has been criticized for failing to protect all communications and consumer records, mainly because the law is so outdated and out of touch with how people share, store, and use information nowadays. For instance, under the ECPA it is relatively easy for a government agency to demand that service providers hand over personal consumer data that has been stored on their servers.

For instance, email that is stored on a third party's server for more than 180 days is considered by the law to be abandoned (amazing), and all that is required to obtain the content of the emails by a law enforcement agency is a written statement certifying that the information is relevant to an investigation, without judicial review. Yet in a patent lawsuit every piece of electronic communication in your possession including archived backups can be frozen by subpoena and subject to future review for applicability to the case.

Obviously, the ECPA needs a major overhaul. Just imagine the furor that will be created as every congressman, agency, and lobbyist jockeys to put their 2-cents in. And of course any new law will ultimately play out in the courts as there will be challenges and counter challenges as we have seen with the current ECPA.

 


