Before we get into the nitty gritty of technology and ethics, lets get this out of the way. In the US, if you use a computer or mobile device that was issued to you by your employer, they own that device, and in some way, they own every bit of data that comes and goes across that device. This is important, both as a legal reality, and as something to remember for your own career.
OK, with that out of the way, let’s talk about what happens on those devices, and why.
In September, I saw a demonstration of Nuix Adaptive Security at their User Conference, and there was something about it that stuck in the back of my mind. Not the technology necessarily, but something about it seemed off to me. Then, I also came across this article – What Your Office Knows About You,
Again, the article lays out the basic facts about just how much surveillance may be going on in your workplace, but I felt like it was leaving something out. I just couldn’t put my finger on it. I was then reminded of this niggling thought when I saw someone link this Nuix video on YouTube. It’s similar to the demonstration I saw at their User Conference, and if you want to really understand how much you are, potentially, being monitored at work, go ahead and take a look.
What you see there is something that many companies have in place, it’s not just Nuix who sell this type of security monitoring software. If it seems like I am picking on them, I am, but only because I saw their demo, not the other companies. But, there are other ones that do similar things. This post is not meant to single them out, at all.
Here we have a list of websites, extremist websites in the example above, and every time someone using a company computer browses to one of those sites, an alarm goes off, and it starts taking screenshots of what is happening.
There’s not much to argue about there. Surely if an employee is visiting extremist, even racist sites, on the company network, we’d want to know about that and take action. We have an obligation to detect if someone is leaking corporate or customer data and would want to have a way to monitor for that. That’s all good. It’s also a really good reason to think very, very carefully about what kinds of things you do on a company device.
But I also want you to pay attention to the part where he shows you where the list of sites is kept, and setup.
Now, what do I think is missing from all of this? I think what we are missing is the “who”. Who is it that is setting this up, what kind of information are they gathering, and how are they using it?
These tools are very powerful. Used correctly, they can help prevent data breaches, keep the workplace free of harassment, and provide evidence of illegal activities. That’s why the exist, and why we want them to exist.
What happens if they aren’t used correctly, though?
What happens if a company decides to start logging visits to the Employee Assistance Program website, and take screenshots of what someone may be looking for? Or banking websites? Healthcare websites? What happens when a company has screenshots of what symptoms you may have looked up on WebMD? Or if you went online to schedule an appointment with a specialist? What happens if they log keystrokes and now have your login and password for various websites? Because many of them have the technology to do exactly that.
So, if the company is gathering up all this information, again I have to ask. Do you trust the people running it? Do you trust the organization as a whole with that much information about you? Are you comfortable knowing that they could be monitoring your data, your movements, everything they can gather about you, without telling you about it?
In essence, we get back to that age-old question. Who’s watching the watchers? How do we know they aren’t using these very powerful tools for less than honorable purposes? For example, it’s illegal for an organization to fire someone for taking a leave of absence, or over a medical issue, or even getting pregnant. But what if the company knew about that potential before it even happened through your internet traffic and keystrokes, and fired them ahead of time? How would you prove discrimination?
Or, in a less top-down example, how do we know the people running the security tools won’t use it to spy on co-workers and their personal lives?
We really don’t.
As I once told the CEO of the small office where I had my first IT job about network security, you can either learn all of this yourself, or you can trust me to do it. Those really are your choices.
If you’re in management and making these kinds of investments, I hope you have people you can trust, and a solid system in place to prevent this data from getting hacked.
If you work anywhere, for anyone, maybe keep that personal stuff away from any workplace devices. They know enough about you, there’s no reason to provide them with more.