Executive Briefing
Topic 5 – Information Assurance & Security
Privacy and Employee Monitoring
for the Employee and the Employer
Linda Mellon-Hogan
ISYM 540 – SSII
Current Topics in ISM
August 6, 2009
Executive Summary
Without question, the widespread use of email, the internet and mobile technology has created privacy issues for both employees and employers. A great majority of technology users do not try to understand how technology exposes their personal information, nor do they understand that their personal online activity at work can cause HR and other issues for employers. Social networking sites such as Facebook, MySpace, and Twitter are just a few of the sites that are causing distractions during working hours. The ability to shop online, research online, or instant message while on the clock should be a concern for both employer and employee. Some employers have monitored and are continuing to monitor employees’ activity while at work. Whether it is through the use of smart cards, internet logs, phone logs, or email, employers are trying to get a grasp on the productivity or loss of productivity of their staff. Meanwhile, some employees are crying foul. They feel that their email, along with other means of contacting others outside of the workplace, is a privacy issue and not to be monitored by the employer. However, the employer has the responsibility to provide a safe workplace, which may include some sort of observation or auditing on the company’s part. This privacy controversy is bound to keep employees and employers at odds. But understanding how search engines, advertisers and social networking sites invade our privacy can possibly aid employers in their efforts to minimize personal computing at the workplace. Also, by understanding data gathering techniques, employers can use this information when trying to enact a technology usage policy at work.
Information Gathering Techniques
The first thing that online users need to clearly understand is that, as far as online privacy rights go, they have NONE! Consumers should understand that there is nothing free on the internet. Free services offered by any site on the internet come with a price. The price is your privacy. The question is how you as a consumer can protect yourself online and what the typical ways are in which information is gathered. Three typical ways in which data is gathered are cookies, web bugs, and server logs.
Cookies are placed on your computer by web sites that you have visited. The purpose of a cookie is to create a file that captures your interest and activity on a particular website. Once that interest is captured by the cookie, the website can refer back to your last visit and offer suggestions to you (Nicolaisen, 2009). For example, when you log on to eBay and look at several different items, the next time you log on you will see similar items for sale. Hopefully this will influence the online viewer to purchase an item. However, some sites, such as banks, need to place cookies on your computer and are unable to work without them. Since cookies reside in an area on your PC that is not secure, it is easy for perpetrators to find the information (Nicolaisen, 2009).
Web bugs are another method by which advertisers can gather information. Web bugs are tiny graphic files that are found in e-mail messages. These tiny files are able to retrieve information and send it to another computer. By embedding themselves in email and web pages, they are able to monitor and transmit information (Laudon & Laudon, 2007, p. 142). There is a way to check a suspicious page: view the source code for the web page. In the source code, look for any IMG tags that have the height and width set to 1. If the URL of such a tag is different from that of the page you are visiting, most likely you will have found a web bug (Nicolaisen, 2009).
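The source-code check described above can be automated. The following is an added example, not part of the original briefing: it scans a page's HTML for IMG tags whose height and width are both 1 and whose image URL points to a different host than the page itself. It goes slightly beyond the manual check by also accepting "1px" and by resolving relative image URLs first; the function names, page URL and sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

_ONE_PIXEL = re.compile(r"\s*1\s*(px)?\s*", re.IGNORECASE)


def _is_one_pixel(value):
    """True for attribute values such as '1' or '1px'."""
    return value is not None and _ONE_PIXEL.fullmatch(value) is not None


class WebBugFinder(HTMLParser):
    """Collects 1x1 images that are served from a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IMG WIDTH=...> matches.
        if tag != "img":
            return
        a = dict(attrs)
        if not (_is_one_pixel(a.get("width")) and _is_one_pixel(a.get("height"))):
            return
        src = urljoin(self.page_url, a.get("src") or "")  # resolve relative URLs
        host = urlparse(src).hostname
        if host and host != self.page_host:
            self.findings.append(src)


def find_web_bugs(html, page_url):
    """Return the URLs of likely web bugs found in the page source."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: two tracking pixels among ordinary images.
SAMPLE_PAGE_URL = "http://shop.example/item?id=7"
SAMPLE_HTML = """
<img src="/images/logo.gif" width="120" height="40">
<img src="/images/spacer.gif" width="1" height="1">
<IMG SRC="http://tracker.example/t.gif?u=12345" WIDTH="1" HEIGHT="1">
<img src="//stats.example/p.gif" height="1px" width="1px" />
"""

if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("possible web bug:", url)
```

The same-site 1x1 spacer image is not reported, because the check only flags images whose host differs from the page being visited.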
Server logs are essential tools for web hosting operations. Server logs show webmasters what pages on their site have been requested. While this activity seems invasive, as it records pertinent information such as IP addresses, browser types and other associated HTTP information, server logs are a necessary evil. For example, server logs are used to enhance the customer experience as well as act as a tool against malicious software. There are a few other advantages, such as giving IT staff the ability to monitor network and server performance (Nicolaisen, 2009). Another important term that employees should understand is behavioral advertising and how it affects one’s privacy.
Behavioral advertising is a method for advertisers to collect and analyze data in order to target potential customers. Whenever a person uses a search engine, signs up for a social networking site or shops online, they are helping marketers acquire information that is beneficial to their clients. Employers can explain to their employees how simple behavioral advertising works. For example, explaining the use of cookies by advertisers helps users understand how advertisers are able to come up with product recommendations on their next visit to the site. Another example is when an employee provides an email address to a site. In this case, the email address may be used in combination with other data that the web site has purchased from other sites that already have the email address. Now this information gets compiled into your profile. Do you want your employees using their business email address for online shopping? Ad network companies, which serve as intermediaries, compile profiles as a means to do business. The ad network company is the entity between the advertisers and the web publishers (www.cdt.org, 2009). Just imagine the far-reaching capabilities of an ad network with many publishers and advertisers. How can your personally identifiable information (PII) be tracked by ad networks? An example is when a consumer uses a blog. An employee enters their name and location on the blog. How do you know that the blog site is not offering the information to an ad network? If so, the ad network is now able to connect your PII with a person’s cookie. How can you be assured that the ad network is not going to use this information to find out more information about you? Another fact that online users need to be cognizant of is that some internet service providers (ISPs) now have agreements with ad networks. The ISP can send the browser activity of its users to the advertising agency for profiling (www.cdt.org, 2009).
Understanding
Why is it important to understand some of the methods by which online activity is tracked? For most, the simplicity of the internet does not fully alert the everyday user to possible privacy loss. Do employees know that filling out a form about their health online does not protect them under U.S. law as does their health information that is in their doctor’s office? Is advertising targeted to your location worth giving up your privacy? Although the information collected by phone companies is protected by law, other companies that do not fall under this category are not subject to protecting one’s information (www.cdt.org, 2009).
An IT manager may have to implement employee monitoring technology in their IT infrastructure. It is important that employees understand their rights as well as the rights of their employer. Employees and employers who are concerned with privacy issues at the workplace should be aware of the different areas in which privacy becomes an issue. For example, are phones and computers monitored, and how? Are email and voice mail monitored along with instant messaging? Employers should address the above issues in a policy and inform employees as to the methods that will be used for monitoring. For example, a policy could explain that the employer will be using software to detect web surfing habits and email (www.privacyrights.org, 2009).
Management may address employee monitoring and privacy issues in the form of a written policy. Since this may be a sensitive area, employers need to address the issues, but also be sensitive to the employee. The National Workrights Institute has some suggestions. These suggestions minimize employee monitoring. First, businesses should make sure that their management is well trained and properly equipped to address employee issues. Next, before implementing monitoring techniques, an in-house assessment should be conducted to analyze whether or not monitoring is necessary to meet their requirements. Since monitoring can show productivity, employers might speak directly to employees regarding any productivity issues. If monitoring needs to be implemented, companies should try to minimize monitoring as much as possible. One suggestion is to keep to monitoring business-related communications, not personal communications. Companies can choose to monitor on an event basis. This type of action can help a company minimize employee monitoring. Finally, a company should provide monitoring policies that give proper advance notice as to what type of monitoring will take place and when (Issues & Controversies, 2008).
Conclusion
A laborer may wear protective gear such as steel-tipped shoes or safety helmets while on the job. But what does the employee who needs to conduct business electronically have to protect themselves on the job? How can the employer protect him or herself electronically? How can both the employer and employee work together and understand that employee monitoring may be a necessary tool in a business environment? By informing the employee as to how their online activity can compromise their privacy as well as the confidentiality of the company, there is the possibility that both can come to a full understanding of why employee monitoring is necessary. By demonstrating how online activity, email and other devices are able to be tracked and used by advertisers and illegal parties, employees can gain respect for how the business needs to protect its assets. Managers can conduct workshops relating to online surfing and other technologies that affect privacy, and to methods to reduce privacy concerns. They can discuss how one employee casually blogging to another, or another employee downloading screen savers, can cause problems for the organization as well as for the employee. Employers need to somehow show employees that it is in their best interest, both outside and inside of the organization, to recognize that their online activity is not really private and that they need to understand and accept the organization’s electronic monitoring policies. If the employee can realize how easily their casual web surfing decreases their privacy, they can begin to understand how the business can easily be put at risk by the online activities of employees.
References
Behavioral advertising. (n/a). (2009). Retrieved on August 5, 2009 from http://www.cdt.org/privacy/targeting/
Employee monitoring: is there privacy in the workplace? (n/a). (April 2009). Retrieved on August 6, 2009 from http://www.privacyrights.org/fs/fs7--work.htm
Laudon, K. C. & Laudon, J. P. (2007). Management information systems: managing the digital firm (10th ed.). Upper Saddle River, New Jersey: Pearson Prentice Hall.
Nicolaisen, N. (April 2009). Privacy and online profiles. Retrieved on July 31, 2009 from Faulkner Information Services.
Suggestions for minimizing employee monitoring (sidebar). (March 21, 2008). Issues & Controversies on File. Retrieved on July 31, 2009 from Facts on File News Services, www.2facts.com