Modernizing Authentication — What It Takes to Transform Secure Access
Each new revelation about the National Security Agency (NSA) and its domestic surveillance program heightens concern about possible abuses of government power. So it wasn't surprising when a news item went viral about a New York woman who believed her house was visited by authorities because of Web searches made from her family PC.
But as the facts came out, there was more to the story. The tip that led authorities to investigate the family came not from the NSA, but from the husband’s employer. He had searched for terms related to potential incendiary devices from a workplace computer just before being let go from his job.
The employer in this story discovered the potentially troubling actions because it, like some two-thirds of companies, monitors employee activity online. While surveillance by government agencies like the NSA is still highly controversial, enterprise surveillance of workers’ activities is now commonplace and in most scenarios, perfectly legal.
But crafting and implementing a company-wide monitoring program is more nuanced than just flipping a switch. As the NSA is discovering, there are potential consequences to consider when deciding just how and what to monitor.
Legality of Workplace Surveillance
While this article does not constitute legal advice, companies are generally in safe territory when monitoring or recording any communications using employer-owned equipment. The only specific protection is for employees making personal phone calls. In terms of online activity, employers can legally monitor and record all electronic communications. That includes literally monitoring employees’ computer desktops and archiving all emails sent and received, including “deleted” messages.
That said, the current trend toward BYOD or "Bring Your Own Device" policies in the workplace does create a new wrinkle in companies' legal right to unfettered monitoring. In a BYOD environment where an employee or contractor uses a personally owned device for work purposes, businesses do lose the right to, for example, monitor keystrokes or desktop activity without employee permission.
Still, most corporate monitoring focuses on network activity such as emails, instant messages and website visits. As long as an employee-owned device is using the corporate network, these activities remain subject to legal surveillance.
Surveillance vs. Monitoring
The terms "surveillance" and "monitoring" are used almost interchangeably when talking about workplace spying, for lack of a better word, but the two are different in some important ways.
In a surveillance environment, employees are likely to be watched in realtime. This could include using tools like security cameras, listening in on phone calls and remotely viewing computer desktops. Whereas a workplace which "monitors" activity may use tools less pervasively – keeping archives, for example, of electronic messages or logging visits to unapproved websites.
Both strategies have a place. For example, surveillance of phone calls may be appropriate in a customer service call center. But misapplying a strategy to a workplace environment can have negative consequences.
For example, in a company where employees work independently and are self-directed, active surveillance can undermine trust and discourage the best employees from staying with the company. On the other hand, passive monitoring of employee activity where productivity needs to be focused on a narrow task might allow too much slack to accumulate in employee output.
The temptation to monitor as much as possible is a natural extension of a company’s desire to protect its business and the ease with which modern tools can do so. But there are some hidden dangers in monitoring too much, especially in realtime.
In this day and age many employees mix business and personal activity. For example, sending email to both business and personal contacts. In some companies, these activities are separated through independent email identities, but not always.
Now suppose that in the course of company surveillance, it is revealed that an employee is pregnant or has been diagnosed with a serious medical condition. Knowing this information without the employee having volunteered it can put the company at risk. For example, if there is later a dispute between the employee and company, he or she might point to these factors in potential claims of wrongful dismissal or discrimination. In other words, there can be a risk to a company who "knows too much."
Out in the Open
When law enforcement agencies monitor individuals, they often do so covertly. After all, if targets knew they were being watched, they might not behave badly. Of course, "not behaving badly" is precisely what a company wants from its employees. To help ensure this, organizations needs to be upfront about their monitoring:
- Define what "not behaving badly" means. Clearly worded policies should unambiguously define acceptable and unacceptable online activity on the job.
- Detail the monitoring program in place. Although there is no legal requirement to do so, a company which explains what it monitors and why will both earn the trust of employees and discourage bad behavior.
Workplace Monitoring Software
Major players in corporate monitoring include SpectorSoft, Spytech, SONAR, and Net Spy Pro, among many others in this large market sector. Licensing costs can range from $40 to $300 per employee. Some suites are multi-platform; for example appropriate for businesses with both Windows and Mac machines. Some tools also extend to include mobile devices like smartphones and tablets.
No matter which monitoring suite an organization chooses, its effectiveness ultimately comes down to strategy and transparency. Develop the right monitoring strategy for the workplace and make its policies clear for everyone to whom it applies.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.