The ethics of Internet Access Monitoring...

Status
Not open for further replies.

ecline

MIS
Feb 21, 2001
US
Thought this would be an interesting subject to toss out for others' feedback (especially in light of some of the responses I saw to 5150's thread on email "snooping"...)

My company, as many others, makes a point of monitoring users' access to resources on the internet. In light of current legal precedents, it falls perfectly within a company's rights to monitor the use of their company-owned computing resources. However, as the one who "monitors the monitor," I always have the distasteful feeling that accompanies finding out things you didn't want to know about people... :-(

Any thoughts on the ethics and perceived need to monitor employees' activities on the internet?

(Sitting back now to see where this goes... B-) )
 
Dislike the ethics of having to do it. Best to tell new users up front that you have to monitor it and explain what you can figure out. So if they are involved in unethical or illegal activities the company equipment isn't the stuff to use. And then you use embarrassing questions to let them know what you have seen and keep bringing it up until they change their ways.

Ed Fair
efair@atlnet.com

Any advice I give is my best judgement based on my interpretation of the facts you supply.

Help increase my knowledge by providing some feedback, good or bad, on any advice I have given.

 
I both agree and disagree with edfair.

Provided the employees are made aware of:

  • the fact that monitoring takes place
  • what activity the company monitors
  • what activity is banned by the company
  • the consequences of violating company internet use policy, and
  • your specific orders to report certain classes of inappropriate activity

Then your ethical obligation is clear -- you are acting as an agent of the company to report infractions of the company's internet use policies.

However, in order to fulfill your ethical obligation to protect yourself, I would not take edfair's advice of asking offenders embarrassing questions. I would make sure that a written policy exists that specifies how and to whom you report your findings and deal with it through channels. I would try very hard to make it policy that you do not confront any offending employee at all, unless that employee is your subordinate. You should not be a policy enforcement agent -- you should be a policy reporting agent.

______________________________________________________________________
Never forget that we are
made of the stuff of stars
 
I agree with sleipner214 that the policy should be clear and concise. And I further agree that your role as the monitor is one of reporting, rather than enforcing.

What I think becomes the interesting question is the subjective standards that you apply when deciding what to report, and what not to report.

Consider the following two cases:

1. You catch an employee perusing an inappropriate site. Now you know this employee to be a slacker, and in general, not pulling his/her own weight in the office. Do you report the incident?

2. You catch your best friend perusing the same site. Do you quietly talk to your friend over a beer after hours, or do you report the incident?

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
Agree with most of what's been said so far. As to CajunCenturion's last post (but also as a general 'rule') I would even suggest that reporting needs to be done as anonymously as is technically possible though still effective.

Monitoring, in my experience, becomes a lot less hot to handle when the results are dealt with in a generalized fashion.

For example, when inappropriate use takes place, one might consider to:

1) block access to whatever site the incident related to

and

2) send out a memo to everyone (not just the culprit) about the incident and the company's policies regarding internet use.

This way, no embarrassing questions will have to be raised or answered, and whoever feels addressed is likely to be more prudent after a warning like that. It will also increase awareness (with all employees, not just the ones you 'caught') about the policy and subsequent monitoring activities.

It's no problem at all to set up monitoring/reporting in such a way that the identities of users are protected, while still providing the employer with a clear picture of what's happening. Whoever does the reporting will likely also feel less apprehensive towards his or her responsibility if it doesn't involve being able to see who's doing what.

Of course, if repeated and consistent abuse takes place from the same machine or ip-address, one could still resolve that identifier to a real person and take appropriate action.

As always,
Martijn Middelplaats
martijn@middelplaats.net
 
One of the things that brought this into perspective for my own conscience is to consider why it is you are monitoring activity.

Think about this: If you caught a customer sneaking a hand across the counter and helping himself to the till drawer, what would you feel obligated to do???

Probably report it, if not act heroic right on the spot.

Now, considering that an employee is on the clock, on company equipment, and excessively surfing the net, where does the difference lie?? He is being paid to perform a job, not check on personal matters. In essence, he is reaching his hand into the till.

Now, what about abuse?? The lines aren't quite so cut and dried.

What if a customer is walking around some area of the building they don't have "clearance" to walk, or is in an "employee only" area? What if they are behaving inappropriately towards other customers (cursing, causing a scene); towards property (graffiti, vandalism, etc); or towards customers' equipment or products???

Again, where does the difference lie if it is an employee in the above examples. Just because something is inappropriate behavior at one company, doesn't mean it is inappropriate at another. So if employees agree to follow certain company policy, then they have to be bound by all policies. It isn't your position to decide for the company which infractions to act upon, and which ones to overlook. You have to provide the management the proper reports for them to decide what to do. What is really the difference between an employee going where he is unauthorized or lacks clearance physically, or ether-ly???? If Joe Receptionist is not allowed into a board meeting, then why would he be allowed to access the CEO's financial files? If he isn't allowed access to "peek" at these files, then why should it be acceptable to allow him a "peek" at public domain files - if that is against company policy? So if you caught him "brute forcing" the president's spreadsheet programs, what would you feel obligated to do??? Now how is that different than abusing internet policy? An infraction of company policy is an infraction. Again, where do you have the authority to decide which infractions are more important than others??? What if you are wrong?? Then whose butt is on the line??

One more thought, how "obligated" would you feel to report "hacker" activity?? Even if the only access has been to publicly available information? Seems to be a bit of a stretch to compare the two? Then consider this - what harm could a hacker do??? Pretty obvious. What harm could Joe Receptionist do just abusing web access privileges??? It depends. What is Joe looking at? Is there anything from his activities that could cause the company money if he were exposed, or if his actions could be misconceived by anyone either inside or outside the company? Could a lawsuit stem from his activities? Even if the answer is no, what happens when Bob the Accountant thinks it is ok for him to do as he pleases because Joe the Receptionist can???

Just some thoughts to try and put it all in perspective. The right thing isn't always easy, but it is usually the best thing. And as an IT professional, all that is entrusted within your scope of responsibilities, weighs equally on the company you represent. Infractions aren't supposed to be yours to resolve, reporting it is. Allowing admin to filter it and resolve it is their job, not yours. How do you know that outside abuse is more important than internal???

Hope this makes it easier to do the right thing. Probably not, but it helps to hear that the right thing is what you're supposed to do.

Russell
 
I think that monitoring what people do on the internet is wrong.
In our company our firewalls log everything going in and out, but we don't track our own users.

The only person in our company that can make us in IT pull anything out of the firewall logs to track what a person has been doing on the internet is our CEO and he has to do it in writing (an email from him is ok).
This is by order from our CIO.

We analyse our firewall logs on a daily basis and we also track everything that could be a security problem, but we don't track down what our users are doing.

When they keep on starting IRC on their computer we contact them.

We also don't have any blocks in our firewall regarding users access to the internet any more. I got management to drop it 2 years ago because we spend a lot of time keeping the "legal list" up-to-date all the time.

If someone doesn't want to spend their time in the company working it really doesn't matter if they don't work because they browse around the internet, read a book or something else. This is not a security or IT problem but a management problem.

/johnny
 
/johnny,

Good point. Can't see anything wrong with a policy like that. I do feel however that it is not by definition wrong to monitor and/or record what employees are doing on the internet if that's what the company decides.

I agree that it is somewhat irrelevant how employees choose to waste their company's time and money; if they don't want to work, they probably won't. On the other hand, if they were frequently found reading a book, placing personal calls all the time, or were seen staring out of the window 4 hours a day, I doubt this would not be noticed and appropriately addressed. Just because browsing the net is less conspicuous does not eliminate the employer's responsibility and right to monitor that particular choice of leisurely activities....
Martijn Middelplaats
CCDA, CCNA, MCSA, MCSE
martijn@middelplaats.net
 