Welcome to the SecAware blog

I spy with my beady eye ...

8 Jun 2012

Employer = Insidious insider?

A recent privacy case in New Zealand raises ethical and legal concerns in relation to whether an employer can legitimately snoop on its employees using keyloggers etc. on corporate IT equipment.  Although I have absolutely no knowledge of this case other than that one newspaper report (which may be accurate but is certainly not complete), and I am definitely not a lawyer, forgive me if I consider the privacy, ethics and insider threat aspects that this kind of situation raises in more general terms.

From the employer's perspective, the IT equipment and network are its property, and of course it is likely that employees are using it during normal work hours when they are expected to be working for the employer.  The employer would probably claim ownership of the information on its systems and network, hence using a keylogger to grab a password on an office PC and then rifling through the employee's emails could be deemed legitimate, particularly in a situation in which the employee is being investigated for some reason (i.e. the snooping was justified and legal because there was already probable cause to suspect serious wrongdoing, particularly some illegal act).  The employer can potentially access the emails on its systems even without the employees' passwords, although the most direct way of gaining access (changing a user's password) would probably tip off the employee that they were being investigated.

From the employees' perspective, the content of emails, web sessions and phone calls at work inevitably includes private matters that are of no direct concern to the employer.  We all have a reasonable expectation of privacy, even while physically at work during working hours - in exactly the same way that society agrees that it is inappropriate to site CCTV surveillance in toilets, even if there are genuine security concerns.  In such situations, privacy trumps security.  We retain the right to control intimate knowledge of ourselves, forcing others to respect our dignity.

Ethically, most reasonable people would agree that practices such as keylogging, secretive CCTV or telephone monitoring and bugging are distinctly dubious, rather devious if not wholly unacceptable, since they pry into areas that are considered private and personal.  Information is unlikely to be admissible in court unless it has been properly and fairly obtained, for instance under a court order permitting surveillance as a result of prior evidence of illegality.  Without controls of this nature, society would be firmly in the oppressive realm of 1984 and Big Brother.

The employer evidently argued that its policies allowed it to snoop in this manner since employees had been informed that their use of the IT facilities was being monitored.  Statements to this effect are commonplace, often repeated in several places such as employment contracts, employment manuals or codes of conduct, security policies, system banner notices, and related security awareness and training materials.  The Privacy Commissioner argued that keylogging was not specifically mentioned and went beyond the implied access right in the corporate policy.  Furthermore, the employer had rifled through old emails, going beyond what it needed to check for the particular situation at hand.

Take-away lessons from the case include:
  • The importance of having explicit policies and making sure employees are fully aware of them (the courts may reject or react badly to information obtained in ways that would generally be considered sneaky, underhand or otherwise unethical);
  • The need to make sure that employees investigating possible wrongdoing also respect the policies and laws of the land, for example gathering evidence in a legitimate, forensically sound manner, knowing when to stop probing, and respecting the privacy of people whose information they obtain;
  • Be careful - be very careful - about what you say, type or do at work, and don't be surprised if your information is captured, reviewed and used against you, outside the original context.

The final bullet could be considered an insider threat for employees: most of us trust our employers as much as they trust us, but we all know that trust is a fragile control.
