Q&A: Jeffrey M. Stanton on the Art of Employee Surveillance

By Sheena Mohan  |  Posted 09-11-2006

Jeffrey M. Stanton is no fan of Big Brother. But in his book, The Visible Employee: Using Workplace Monitoring and Surveillance to Protect Information Assets—Without Compromising Employee Privacy or Trust, written with Kathryn Stam (Information Today Inc., 2006), Stanton, an associate professor of information studies at Syracuse University, stresses that digital surveillance is about more than spotting bad behavior. It's about securing a company's data by encouraging positive employee behaviors.

CIO Insight: What's the point of all this employee surveillance?

Stanton: Generally speaking, most companies are trying to reduce risk in one or more domains. There's the risk of employees surfing for pornography and creating a hostile work environment, which could open the firm to lawsuits. There's also the risk of exchanging sensitive information through employee e-mail, and staffers downloading software onto company computers.

Monitoring technologies on employees' computers, or on a company's network, are increasingly common. I would say a majority of U.S. firms with more than 1,000 employees—depending on whose survey you believe—are using some type of Internet monitoring to track what's going over their networks. When we talk about monitoring, we're mainly talking about software that tracks employee activities on their computers—such as running Microsoft Excel or Web browsing, but also, to an increasing extent, instant messaging and other methods of communicating with others.

From a security perspective, there are many workplace behaviors, such as employees choosing good passwords, that companies are interested in influencing, but usually don't worry much about. If you can get everyone to choose a good password that's more than eight characters and has numbers and punctuation in it, you actually take an important step toward increasing security. When we interviewed security professionals, we were able to boil down a list of about 94 behaviors a company should be looking out for and influencing, to ensure the positive things that employees can do.

Are there legal limits on the kinds of data companies can collect on their employees?

This was a frequently raised issue in our interviews of managers. In the U.S., there are few legal restrictions on employers with respect to finding things out about employees while they're on the job. Because the companies own the computer equipment and the network over which all these communications take place, there's pretty much no limit on what information can be gathered. This doesn't necessarily mean it's a good idea to gather every possible thing and try to analyze it, but from a legal standpoint, for the most part, it's doable.

That said, it's still a good idea for companies to have some kind of a policy that lets employees know how they're being monitored. It serves as both a warning that helps the employee to regulate his or her behavior and as an additional legal protection to make sure that employees don't mistakenly have an expectation of privacy, for instance, in the e-mails that they send back and forth.

How can employees police themselves and prevent security breaches?

We're used to security in the physical domain, but we need to get those "street smarts" more engrained when it pertains to the electronic domain. We have to know where not to walk at night with our computers.

You see examples of this all the time. Remember the Veterans Administration thing that happened a few months ago? Why would anybody allow an employee to download onto a laptop a set of unencrypted files containing personal data, and then bring that home to a location in a city that's known to have people burglarizing homes? The sequence of poor thinking there is just amazing. But it's all because we don't think about computers yet at that kind of highly evolved stage, the way we think about our physical and personal security.

We all know that cars get stolen, and we have a good way of judging risk. If you drive an old car, you're not quite as worried about it as a $50,000 Mercedes. If you drive a $50,000 Mercedes, you're thinking about where you can safely park. But we're not at that level of thinking with our computers. We don't think about, well, what data do I have on this laptop that, if it did get stolen, would be critically important?