Employee monitoring - has Big Brother arrived?

The subject of Employee Monitoring is currently at the forefront of my mind as I polish up my notes on for a talk on this subject at a CISO dinner tonight at the London Capital Club. I’ve been thinking deeply about this issue for a long time. Not that I’m any kind of dangerous radical or extreme conservative. In fact I’ve always aimed to strike a healthy balance between the interests of the individual and the needs of an increasingly heavily regulated business community. And I know I’m not the only one thinking about these issues. A few years ago I aired a few comments on the breakdown of the boundary between business and personal lifestyles in Computer Weekly and was immediately contacted by Dr Peter Skyte, leader of Amicus, the top white collar union. I was impressed to be able to discuss some of these issues with a union leader with a good understanding of IT. Too often we associate trade unions with the Industrial Age, but they also have an important role to play in the new Information Age.

Things were much simpler in the old Industrial Age workplace when every aspect of business life was standardised, separated and synchronised. Employees did business in a dedicated building during set hours. Outside of that it was no concern of your employer how you spent your time. Now it’s all mixed up. People simply grab the nearest communication channel to conduct personal or business transactions at any time, any place, anywhere. You can’t easily separate business and private activity. But we do have to monitor and archive the communications activity on our business networks for three good reasons. Firstly, to keep out any bad content that might be damaging or illegal. Secondly, to detect and immediately stop any unauthorised access or leakage of confidential information. And thirdly, to meet the increasingly demanding legal and compliance requirements, which might for example require all customer communications and staff emails to be reconstructed many years hence.

Technology is not a constraint these days. The devices available today are extremely powerful and easy to install. You can buy a tiny box called netReplay from Chronicle Solutions, plug it in to your network and it will immediately begin scanning and recording the web traffic and emails of tens of thousands of users. The real issue is not capturing the information but figuring out just what is sensible to record and how best to manage the process. No responsible organisation wants to snoop on their employees’ behaviour. In fact you can’t do this without also complying with a raft of complex and occasionally contradictory legislation concerning human rights, privacy, data protection and communications interception. Just keeping up with this legislation and framing the “acceptable use” policies is starting to become a full-time job in itself. The real problem today is not keeping up with the mass of communications coming into and out of the organisation, it’s controlling the policemen and securing the monitoring equipment. Because anyone can now play Big Brother at work if they want to.