Thursday, September 17, 2009

Course Discussion: Snooping Bosses

This is a blog post concerning the content of this article for my participation in a course in English at Karlstad University.

My first impressions from this article are heavily weighted since I studied Information Security this summer. Since companies are responsible for what their employees say and do, if not in court then still in the eye of the public, especially in such branches as security or medicine, obviously they must keep an eye on what these people do. Monitoring e-mail or web use shouldn’t be a foreign and scary concept; it’s no more unnatural than that your big brother keeps an eye on you to keep you from stealing apples because he knows he’ll get the blame.

We live in a society with constantly increasing access to information. Radio, TV, Internet and cell phones. It would be very naïve to think that we can reach all this information without simultaneously letting it reach us. Connecting to the Internet doesn’t just mean that you can access it, but also that it can access you. Similarly, not only can the employer access the employee’s blog, but also the other way around.

The issue here isn’t privacy, I think. Things like mailing sensitive information or uploading stupid drunk pictures clearly associated with the company logo are obviously harmful to the company and should be monitored and punished.

The issue instead might be, ironically, information. Someone not informed of what information is sensitive might very well mail it. Someone not thinking about the fact that millions can access his Photobucket album might not consider the harm in publishing the pictures there. But does that make it ok? The Information Security course taught me that the company has a legal responsibility to inform employees of things like these, but it is very vague as to what degree. Handing out papers is enough in most cases, and then it’s on the employee if he hasn’t read them. How often do we dismiss bureaucratic papers, like license agreements, because “they’re so boring” or “they all say the same thing”? And how many of those papers could we reasonably be expected to read?

And the issue is even more difficult. Should an employee get to call in sick when he isn’t, once in a while? How often is once in a while? Would you respect a boss who lets it go every time? Or just once? Is it too harsh to never give a warning, but just fire the person? These aren’t exact sciences with exact answers; it’s judgment, morals, respect and responsibility. Should your co-worker tell your spouse that you're cheating? Does it matter if he discovers it by accidentally walking into a room, or accidentally opening your e-mail? The same old things, with new technology.

The one thing I do know is that it scares me to let people see and know my weaknesses, and that’s, to me, what privacy is very much about. The freedom of doing stupid things without anyone pointing and telling you how stupid it was. An instinct to keep secret the things that could harm us. And instincts, are they outdated remnants of an uninformed past, or the very core of being human?

I wonder though... I imagine privacy means different things if you ask an American, a Swede and a Japanese.


Kristin said...

First of all, this whole thing is A LOT less scary in Sweden, where catching an employee surfing porn at work is not a valid reason for giving him the sack.

When it comes to monitoring what you do on the internet, it depends on the company. A small company with, say, 10 employees will most likely not bother. They do not have the time or resources to read your e-mail. They might sift for child pornography, but that's it.

When it comes to bigger companies, I have a personal experience. ABB are very clear about what they are doing. For every piece of "legally important information" that you receive, you will sign an official document saying that you have read that piece of information.

Personally, I think that there is a very clear line that defines what is and isn't the boss's business. Monitoring a cellphone is perhaps reasonable if you run a security company, but otherwise I think it is going too far.

Of course, anyone with some knowledge of technology might be smart enough to leave his company phone at home, and forward the calls to his private one.

And a manager or CEO is expected to be able to take a joke or two on his behalf. Once again this is not a problem in Sweden. But I can definitely see some good applications of these possibilities though. Proving that someone is being sexually harassed, for example. Oh, my comment got way too long, sry!

Riklurt said...

The situation is really quite different in America than in Sweden. In the US, your rights to privacy very much end after you go outside your own house, while they are ridiculously well-respected as long as you are inside.

When you're using the company's stuff, you're "on their property" and hence, by American reasoning, they have as much right to monitor you as you have a right to monitor a complete stranger in your house. Which, you know, kind of makes sense.

But it's still scary.

Yeonni said...

Yeah this is what I meant about old problems and new technology; the boss being able to take a joke and so on. And if you have a work phone and a private phone, and the work one is monitored, it makes perfect sense right? Too many people use their work phones for both.

Alex said...

This is interesting, monitoring is a direct conflict with the "victim's" (I say victim, cause I'm against monitoring and it suits my description of it all) privacy and you can really see the differences between US and the rest of the world in this.
Here in Europe, monitoring (emails, internet usage, phone usage etc) without proper information beforehand is actually against the European Court of Human Rights. Most countries in Europe have their own privacy laws to reflect this.

I know here in Norway, privacy and especially computer security & privacy is taken very seriously.
We have our own department for computer privacy, which creates rules that every employer has to follow.

Since I work with computer science at government level, I know a lot about this... We have all the means to access employees' mail, internet history, file history etc, but if we use any of these means, we're legally "screwed". (Though it's a nice way to update your mp3 collection =p )

I think a lot of this is very "black & white". Let's say I get the job done in 50% of the time my colleague would, but I also spend some of the time reading the news online, or doing non-work stuff (like reading a blog). Does this make me a worse employee than my colleague?
Ultimately we should be evaluated on getting the job done, not the process itself, provided you at least made an effort.

Of course it's a problem if an employee slacks off 100%, but that would also be reflected in his work (or lack of), not in some snoopy program that shows how much he/she spent on YouTube.

Gawd what a long post this was, sry =) Oh and my phone is both work and private xD

Kristin said...

Privacy laws in Sweden have always been in conflict with the principle of publicity (offentlighetsprincipen). This week the news has been talking about how they have found out that someone has been changing some politicians' articles on Wikipedia. Facts like previous involvement with the extreme right and wild parties, and indeed drug use, have been erased. So how did they discover this? Did they trace the IP number? That would indicate that the IP numbers of the Swedish government are public, which I find kind of... naive.

Ps. Check out these two courses at Högskolan Dalarna: DT1017 and DT3007

Alex said...

In all fairness though, Wikipedia is probably the worst place ever to field your political views, since it's an 'opensource' article-platform. Anyone can edit stuff there.

Wikipedia is also a service hosted on someone's private server, which means they have every right to log IPs of both visitors and contributors (and believe me, they do). Actually I think I read somewhere that an IP address is not considered personal, as long as it's not linked to other personal data.
As for the government, and most firms, they probably have only a couple static outside IPs that are translated (NAT'ed) to their local VLAN (like 192.x.x.x or 10.x.x.x are good examples of) and to trace something like that would mean to go through local firewall/proxy logs. Even then you're pretty much screwed if the firm uses DHCP with a short lease time, if you wanna find out exactly what PC the articles were changed on =)

My conclusion to a long "geeky" mail, it's more secure to do evil internet stuff @ work than @ home ;)

Kristin said...

Heh, my English neighbour has put a piece of tape over the built-in web camera in his laptop "basically because of 1984"