Login | Register   
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


advertisement
 

Monitoring Technologies Put Developers in an Ethical Hotseat

Monitoring is a technology that can be used for both good and evil. Increasingly though, developers are facing moral dilemmas when asked to build monitoring applications that encroach on their own and their co-workers' privacy. How will you respond?


advertisement
here is great power today in databases, in technologies that gather and organize information, and in global, nearly-instant communications. And today's developers understand and apply these powerful technologies in applications that simplify business processes, provide pertinent and useful intelligence, and improve business agility.

But many companies are starting to use those same powers not only to improve their business processes, but also to gather reams of new information about their employees. Collecting, storing, and analyzing this information gives businesses powerful reach into aspects of their employees' lives that they previously had no power to control.

These new capabilities upset the always-tenuous balance between workers and employers by letting employers peer beyond employees' workplace actions, invading their privacy in often insidious ways. But to activate them, to take full advantage of IT's current and upcoming capabilities, businesses need developers to build these applications. They need collaborators—either developers hoping that the applications they build won't be used against them, developers willing to trade principled action for money, or developers in circumstances where they can't afford to refuse.



Employee "Monitoring"
Last year ZDNet reported on a Proofpoint-sponsored Forrester survey stating that 44 percent of companies read outgoing email. Currently, most of those companies employ human beings to read that email, but automated processes to scan content aren't far behind. To show how fast the trend is spreading, a newer survey from Forrester Consulting (also commissioned and available for free from Proofpoint) last month states that 63 percent plan to monitor outgoing mail. The survey also states that as Instant Messaging becomes more prevalent, those companies plan to monitor IM traffic as well.

Author's Note: For the wary, Proofpoint provides email services, including applications to "ensure compliance with corporate policies and regulations, and defend against leaks of confidential and proprietary information via email," so it's to its advantage to make the threat of proprietary information leaking via electronic communications seem high.

Organizations justify monitoring employee communications by asserting that IM and e-mail are venues by which employees leak sensitive information—and that's not something employees should normally be doing. However, there are good reasons not to allow companies to monitor employee communications indiscriminately. First and foremost, let's call employee "monitoring" what it really is: spying.

Employers are spying on their employees because they don't trust them. And worse, they're not spying only on employees that they suspect of breaking trust and leaking information—they're spying on everyone, because technology lets them do so. Automatic monitoring systems aren't limited to watching a percentage of email or IM traffic—they can simply filter every message. Worse, they can filter both incoming and outgoing messages, meaning they (potentially) can use intelligence techniques to gather personal information about not only their employees, but their customers and business partners as well. Once you begin automating the parsing/filtering of communications for "keywords" or location or any other metric, then it's far simpler, barring any legal restrictions, to simply watch everyone's messages than to limit monitoring only to areas of suspicion. Simply put: Selective monitoring is less efficient and less cost-effective than thorough monitoring. Currently, there are few legal restrictions to provide a reasonable check on the invasiveness of workplace monitoring practices.

RFID, cell-phone tracking, and GPS systems add location-based spying power that promises far greater privacy intrusions than have heretofore been possible.
It's tempting to state unequivocally that upright and honest employees don't leak sensitive information, and that therefore, spying isn't wrong, because it's intended only to catch the "bad guys," who deserve it. But that's not the whole picture. Corporate spying also provides a way to frustrate whistleblowers, preventing them from exposing information that the public should know about. Corporate spying provides employers with advance knowledge about their employees' health, when they talk to their doctors or psychiatrists; their legal affairs, when they communicate with their lawyers; their financial affairs, when they talk to their brokers or accountants; or their personal affairs, when they talk to … anybody.

The courts have, so far, been far friendlier to corporate spying than to government spying. For example, it takes a judge's order for the police to tap your telephone, but taping and listening-in on employees' telephone conversations is commonplace, as you probably all know by the familiar message "This call may be monitored …" The courts have also ruled that companies have the right to read e-mail produced on company equipment or sent via corporate servers. In other words, before the government can tap your telephone they have to produce believable evidence of wrongdoing. But unlike governments, companies, so far, don't need any evidence to spy on you. Worse, there are minimal privacy regulations regarding telephone conversations, but neither the courts nor legislators have applied those same protections to email or other electronic messages. And changing technology is affecting telephone communications. For example, it's quite possible that phone calls made over the Internet (VOIP) may not be subject to even the limited telephone privacy protections afforded by the Omnibus Crime Control and Safe Streets Act of 1968.

Some people feel this trend is only fair; after all, the businesses pay for the equipment, and pay for their employees' services, and therefore have a right to protect their interests for any communications involving that equipment. Unfortunately, that doesn't take some pertinent factors into account. For example, many employees cannot communicate with the outside world when at work except through their employers' communication services. Increasingly, businesses regulate communications devices allowed to enter the workplace (e.g. not letting people use personal laptops, PDAs, or cell phones at work). The combination of limiting employees to the use of company issued and controlled equipment and company-monitored communications means many employees have no access to private communications while at work. In other words, by accepting the business value of controlling employee work-related communications, you also tacitly accept company control over employees' private communications.

Location-Based Information
Spying via e-mail, telephone, and IM is bad enough, but it's about to get far worse. Location-based spying is about to become commonplace. RFID, cell-phone tracking, and GPS systems add location-based spying power that promises far greater privacy intrusions than have heretofore been possible. Organizations can use these technologies to know not only what you say or write, but also where you go. Government organizations and corporations are already discussing the use of RFID-enabled badges that potentially let them track employees' onsite positions, and using GPS-enabled cell-phone tracking technology to monitor their employees' movements' offsite.

Building applications that enable indiscriminate advance spying on employees—simply because technology enables such actions—is wrong.
I'm not against all forms of employee monitoring, location-based or otherwise. For example, I support blocking technologies, which employers use to prevent workers from accessing 900 phone numbers, or surfing inappropriate Web sites; that's an appropriate use of technology. I'm not against location-based tracking when such tracking is essential to the business or essential for safety, such as tracking package-delivery employees, long-distance truckers, or ambulances. I'm not against court-sanctioned spying on employees where evidence exists that they're acting against their employer's business interests.

Employees should be willing to accept certain levels of information gathering related to safety or to business efficiency and security, as long as legislation exists that strictly enforces appropriate business use of that information and that provides employees with access to their records and with information about who within the business requested such access, and when.

But I am against employers using technology to gather personal information about their employees that they otherwise would not know, and then using that information for their own benefit. In other words, I'm against indiscriminate advance spying—fishing for information. What's to prevent a company from discovering, for example, that an employee has cancer, and then finding an excuse to fire them before having to honor their insurance commitment to pay for treatment? Sure, that may be illegal, but it's nearly impossible to prove. Similarly, what's to prevent an employer from firing employees who mention unionization in an e-mail, or attend union meetings? What's to prevent employers from monitoring what you purchase for lunch, how many times you go to the bathroom, where you take your spouse to dinner, or where you went on your vacation? Why is this information your employer's business? It's not.

It's Up to You
Developers would do well to remember that all these new spying technologies have one thing in common: They rely on developers willing to build the applications to gather, analyze, and report on the information. Developers today are in the same ethical situation as the nuclear physicists who developed the atomic bomb, or the chemists who developed mustard gas and sarin, or the biologists who developed weapons-grade anthrax or plague bacilli. They have the knowledge and skills to build products that can be used for good or for evil. Building applications that enable indiscriminate advance spying on employees—simply because technology enables such actions—is wrong. Developers don't have to build the applications, and those who do should realize that they're as responsible for (and just as subject to) the resulting problems as are scientists who develop inhumane weapons.

The U.S. government—at least until the Patriot Act was passed—didn't have the right to spy on private citizens without justifiable reasons and judicial oversight. Employers should not have such powers either. Your private life is not your employer's business.

So, when you're asked to build monitoring applications that you know will be used to spy on employees, just say no. They can't do it without you. Refuse to build such applications until sufficient legal restrictions are in place to limit companies' monitoring capabilities to appropriate business uses. The power is in your hands. Use it wisely.

Tell us what you think! Weigh in on this issue in the 'Talk to the Editors' forum at http://forums.devx.com/showthread.php?p=430693.



   
A. Russell Jones is the Executive Editor of DevX.
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap