Employee Monitoring 274
CWmike writes "Michael Workman, an associate professor at the Florida Institute of Technology's Nathan M. Bisk College of Business, estimates that monitoring responsibilities take up at least 20% of the average IT manager's time. Yet most IT professionals never expected they'd be asked to police their colleagues and co-workers in quite this way. How do they feel about this growing responsibility? Workman says he sees a split among tech workers. Those who specialize in security issues feel that it's a valid part of IT's job. But those who have more of a generalist's role, such as network administrators, often don't like it. Computerworld contributor Tam Harbert found a wide variety of viewpoints from IT managers, ranging from discomfort at having to 'babysit' employees to righteous beliefs about 'protecting the integrity of the system.'"
Panopticon is here to stay (Score:5, Insightful)
Society is growing used to more extensive monitoring overall. We monitor our babies with webcams. The webcams are then used in schools to monitor class rooms and playgrounds. When we grow up, we rename them security cameras and appoint low wage individuals as our watchmen.
In some areas of the world such as the UK, computers are already being used to analyze the images from the security cameras. Storage capacity grows, and data gathered from the image analysis are stored for a lifetime. They can be used to enhance the analysis of your children's children. The ones which protests are considered suspicious with "something to hide". The ruling class are the only ones exempt from monitoring.
In the next step, computers are used to analyse images from private bedrooms and bathrooms. After all, who needs to worry about privacy when it's only a computer watching. It's all about protecting us from the boogey man. Think of the children!
Resistance is futile. You will be monitored.
You have to. (Score:5, Insightful)
"He goes through the logs to see if there's anything in there that needs to be exposed or discussed." Activity related to porn, gambling or hate speech automatically raises red flags, he says.
He once caught an employee who was engaged in criminal activity involving intellectual property that could have resulted in a big financial loss for the company.
Many years ago, I was in the company's server room talking to a buddy and he mentioned that an employee was taking up quite a bit of drive space - with porn. The guy had a problem. All you need is one guy with a problem like that to download some kiddie porn and your business will be shut down and you go to jail - over an employee with a problem. The guy I mentioned was talked to and I think he was asked to resign.
Observers say IT managers can expect to be asked to take on even more monitoring duties, such are reviewing video surveillance, examining text messages, tracking employee location by GPS or listening in on social media.
That's going too far. Come on - a Stalinist company?!?
Larger companies have started to hire third-party firms to monitor what's said about them in the blogosphere and on social media sites, but in many midsize and small companies, this duty could fall to IT.
That's also going too far. It's one thing what an employee does on company time and with company's resources, but they do on their own time - as long as it's legal shouldn't be a company's business.
Waste of time (Score:5, Insightful)
Most frequently I'm asked to look at log files or email and tell employers things that I simply cannot know. I can tell them that an employee didn't log in to their PC until 10am, but I have no way of knowing when they actually arrived at work.
Where do you work? (Score:3, Insightful)
Unless you are working for a fortune 500 company whose image is often worth more than its current product line up, who cares? The only filters I have ever ran at a company I did IT for was for a list of of words that included, Lolita, Child Porn, Underage, No-nude and Preteen. We caught one contractor during the 8 months I worked there and it was his personal laptop, so we contacted the FBI. He was arrested on suspicion and they found enough Child Porn on his home computers that we never heard about him again, I moved before it could be brought to trial.
People surf porn at work that is just going to happen, if there work does not suffer and they are adults it is far more worthwhile to spend time worrying about security which can get you in real trouble.
Employee monitoring is not really new (Score:5, Insightful)
TFA raises a slightly different issue: when one employee is asked to monitor the others. Sysadmins should not be asked to take on the responsibility of watching employees; that is a manager's responsibility. If the manager is not technically competent to monitor computer use, then there is a question of why that person is managing people who use computers for their work -- the manager should be competent with the equipment.
Re:Waste of time... (Score:3, Insightful)
Monitoring other employees computer usage - one of the many non value adding tasks that have found their way into large corporations. It ranks up their with human resource departments!
Not quite. It doesn't have such a negative impact on other people's productivity
Re:Please do (Score:5, Insightful)
Re:Waste of time (Score:3, Insightful)
As I tell my customers when they ask, "You can't fix behavioral issues with technology." If employees want to waste time instead of working, they can surf the web or send chain emails. Take that away, they can play solitaire. Take that away, they can gab around the water cooler or stare into space and day-dream. Blocking porn and gambling sites is probably a good idea for liability purposes, but I can't see that it helps productivity. Most frequently I'm asked to look at log files or email and tell employers things that I simply cannot know. I can tell them that an employee didn't log in to their PC until 10am, but I have no way of knowing when they actually arrived at work.
I don't know, if the banned slashdot I would probably be working on a programming problem. On the other hand if they hadn't banned orgasm.com i'd ......
Re:Know when (Score:4, Insightful)
As an IT Security professional, I need to be acutely aware of the risks the company can expose itself to.
"Those who specialize in security issues feel that it's a valid part of IT's job."
And, we're done here.
Re:As an IT Manager for a small company (Score:5, Insightful)
I consider it my network (and care about it), because of two reasons. First, I'm responsible for maintaining it. So when someone else fucks it up, I have to fix it (at whatever cost, whenever it's needed). Second, because I'm responsible for it, so if it goes down it looks bad upon me (Even if it was someone else's problem). I may be a rare bread in recent times, but I actually care about what I do and the way I am perceived to others (with regards to my work at least). If people can't do work because my network is having problems, that's my fault. So to save myself the potential hassle, I take proactive measures.
I don't consider Facebook dangers. I do consider pages that are linked to by Facebook dangerous. But if I black listed any site that linked to dangerous content, I'd have to take away the entire internet. And I don't consider it my place to tell users what sites are valid for business reasons and those that are not. Some people do use Facebook for actual work (some of us do research on people, so sometimes they do need to visit Facebook, Linkedin, Twitter, etc)...
Productivity does not come with surveillance (Score:5, Insightful)
It comes with a worker's willingness to work for you. If he WANTS to actually work for you instead of just getting paid for spending time at your office, he will work. Else he will do a half assed job, surveillance or not.
If you give your employees freedom and the ability to actually enjoy working for you, they will be much more productive. Because they WANT to be productive. Because they WANT your company to be successful, because that means they can keep that job. Sure, you will always have the ones that slack off, and not putting an eye on them constantly sure gives them an easier way to do that. But their coworkers, the ones that actually want to work for you and do want your company to thrive because it means a good, enjoyable job for them, will quickly identify such slackers and they will do the surveillance for you. Peer pressure can be quite powerful, to the point where your slackers will quickly realize that it's not the boss but the other employees that get angry with him if he's not pulling his weight. Plus, you can do without the investment in cams and surveillance staff. Your workers will do that for you. For free.
It happens (Score:3, Insightful)
It happens, and if it's not done by IT monitoring just gets done elsewhere. The thing that baffles me is that people are surprised when it happens. All that being said they have much stronger laws on privacy in Europe than here in the US and you have to be aware of international laws for such things. You can rack up some pretty serious legal fines or jail time depending on what country your employee is working in, and even more if the data is brought back to the US (as we have horribly weak privacy laws). If your not careful you can readily have violations of HIPAA, SEC rules or SOX as well.
All that being said, when monitoring inevitably comes up, your job is never to say 'no'. If you do that they will simply find someone else and you will have damaged your career. Your job is to ensure that if it has to happen it happens in full compliance with the letter of the law and any special rules that affect your organization. You'd be surprised at the dollar amounts fines start at, it can easily be six figures. After presenting all the legal requirements to perform a given piece of monitoring to your management, don't be surprised if they back off altogether.
Monitoring has it's place, I try to encourage managers to use monitoring tools like a surgeons knife, not a chainsaw. I've known of employee backlash that can cause significant employee relations damages to organizations when tools were used overly broadly. And for crying out loud, if your at work, assume your being monitored and work accordingly. Whether you telecommute or otherwise, you never work in a vacuum.
Re:Please do (Score:2, Insightful)
we pretend to work; they pretend to pay us
Unless our paychecks (and the money we get when we cash them in) are a figment of our collective imagination, there is strong physical evidence that suggest they indeed do pay us. Maybe not in imaginary worlds, but certainly in the real one.
Re:Know when (Score:3, Insightful)
"For example I only talk to people when their porn viewing habits get so strange that it started to expose the company to all sorts of lawsuits."
This thread is worthless without pics!
Re:Waste of time (Score:5, Insightful)
I have a friend whose employer actually encourages him to read
Re:Please do (Score:4, Insightful)
we need a -1 *WHOOOSH* mod
But it's still usually a bad idea (Score:5, Insightful)
When it comes to being employed, though, bosses and managers have always watched their employees to some degree -- that is, of course, the purpose of being the boss.
No, it's not. The purpose of being a boss is to set direction for and co-ordinate those who work under you, so that the individual contributions all advance the overall plans.
There is a certain type of person who does think that being the boss is primarily a power trip/disciplinary role. Such people usually live in middle management in large companies, because they are basically a waste of space. Small companies can't afford to have the dead weight, and large companies won't promote them to a level where they can do any serious damage but usually have too much bureaucracy to effectively detect and fire them.
Trust is a prerequisite for any employment relationship. If you don't trust the people working for you to do what they are supposed to without routine monitoring, then you have bigger problems than whether the monitoring itself is justified. Indeed, one could make a reasonable argument that routine monitoring implies a breakdown in the fundamental trust relationship between employer and employee, which would itself be immediate grounds for a constructive dismissal lawsuit in this country.
I can understand running automated tools to prevent, say, leakage of sensitive data. I can understand running automated tools to scan incoming data for viruses. This sort of thing is, sadly, reasonable for protection and sometimes necessary for legal/regulatory compliance in the modern world. However, it should rarely if ever disrupt an employee going about their business, and no-one else should be directly involved unless a problem is detected.
I can understand general performance monitoring. Recognising staff who do well is valuable. Helping (not attacking) staff who underperform is valuable. Firing staff who underperform and cannot improve is, unfortunately, sometimes necessary. But none of this stuff requires intrusive, minute-by-minute monitoring and recording of the kind we're discussing here.
The only time direct, intrusive monitoring is used should be when there is already a credible level of evidence of serious wrong-doing, and confronting the employee about that wrong-doing directly would prevent proper investigation. And in those circumstances, I tend to ask why the company is letting some next-line-up manager or IT/HR goon do the intrusive work. If it's that serious, the higher-ups should be calling the authorities, or at the very least passing a case file to internal security/legal staff who are required to handle the investigation with suitable discretion and a lot of accountability.
Give the IT Tools to the HR People (Score:3, Insightful)
The average, typical IT tech lacks the "touch" when it comes to employee monitoring. Give the monitoring tools, or reports from such, to the HR guys, whose ultimate responsibility this should be.
Employee monitoring is in the position today where web page creation was 15-20 years ago. It was an "IT Function," because the tools were new and computer-y. Eight million "blink" tags and six hundred thousand animated "under construction" GIFs later, the tools made their way over to the Marketing and Creative Services people, and civilization lurched forward.
Of course, there were always the techs who fancied themselves designers, from whose fingers the tools had to be pried away. I suspect there is more than that many techs who have gotten more than just a little bit comfortable wearing the Big Brother jackboots as well...
Total BS (Score:5, Insightful)
You know, I'm SO sick of the total bullshit line of reasoning that people like you keep giving for gross violations of our privacy, not to mention keeping people like me from doing my job.
Okay, so your company has a policy of not allowing me to browse porn on the Internet, woohoo. Why is it that you jump to the conclusion that the only way to make sure this doesn't happen is to monitor every single web site that I browse? Why can't you just have a policy of, hey, if management has some reason to think that KingSkippus might be up to something, then look for something fishy?
Ponder this. I'm pretty sure that my company also wouldn't like me browsing porn magazines at work. They'd probably get quite irate if, in the middle of the day, I pulled a Hustler out and started flipping through those oh-so-sweet pages. So is the only answer now to have security guards posted at every door to pore through all of my possessions as I come and go, making sure that I have no porn in my physical possessions? I also carry a 4 GB USB drive everywhere I go with some basic troubleshooting tools and electronic copies of documents that I like to have on me at all times. Every time I enter the building, should I be strip searched and, when such a thing is found, every file inspected to make sure that I don't have dirty pictures on it?
No, the whole "We must monitor EVERYTHING!" is just a BS policy made because people like you get off on your power trip.
Legally, it's really simple. You create a policy that says that if you're caught browsing porn on the Internet, you get fired. Managers back it up with action by, when people are caught browsing porn, they fire the person who was doing it. There's no need for stupid ass content filters, treating everyone like they're 13 year olds, to ensure this policy, any more than there's a need for strip searches or searches of all physicial possessions. If a company gets sued--and make no mistake, they will get sued no matter what policy they have--they show the judge the policy and their record of upholding it, and that's that.
I defy you to actually cite these throngs of "all sorts of lawsuits from sexual harrassment to violation of ethics laws," especially the ones where the court found a company liable because they didn't have a content filter in place with people like you watching everything everyone is doing instead of enforcing the policy when violations were reasonably found Big Brother-style. As long as we're talking anecdotally, you know who I've heard does the most browsing of porn on the Internet? High-level management. True story: at the company where I work, most of the executives have been given explicit exemption from our content filters. As for the "ethics laws" joke, discover the wonderful world of "situational ethics" [publicradio.org] and then explain to how you're protecting a company that deliberately puts a clause that says, "From time to time, the firm may waive certain provisions of this Code" in its Code.
The truth of the matter is that my company spends WAY more on content filters and salaries for people to set them up and monitor them, not to mention the cost to the business when they break and the Internet becomes completely unavailable, than it would on bogus lawsuits that would have been brought anyway. The whole "you need content filtering to protect you" is a scam perpetrated by content filtering companies and people like you who would probably lose your job if management figured out the truth and actually cared. (And, more importantly, did their job of dealing with these issues instead of foisting them on the IT group.)
Back in the mid-90s, my boss read an article that explained about how login scripts could be used on Windows 3.11 to do things like delete Solitaire and Minesweeper and replace the desktop background with a forced company standard. The next thing I
Re:Know when (Score:1, Insightful)
Re:Know when (Score:3, Insightful)
So a Slashdotter claims that part of his workload involves being "acutely aware" of all the various kinds of porn out there, and that trolling coworkers files for instances of such constitutes a "valid part" of his job, and you say we're done here?
Come on! This warrants at least one +5 Funny comment.
Well I consider myself lucky and blessed then... (Score:3, Insightful)
They treat us as well paid professionals and expect results from us. We are supposed to deliver on agreed deadlines and we usually do. So, if I read Slashdot from time to time, check the news or chat to my wife here and there for a few minutes, and it does not affect my productivity (i.e. I'm not doing my job to the standard or above expected of me in this company) then no one sees it as a problem.
It's only in rare instances when people don't perform satisfactorily that questions arise how are they spending their time and what is wrong in general (but still no one monitors them even then).
I find this freedom really helps with the moral of the people, the sense of trust in you as individual it provides, and it liberates you to be creative. If you have an issue with this much freedom and could not control yourself and spend ALL your time online playing games and looking at porn, then you probably should be monitored and you most likely would not get though our interview process anyway.
As a matter of fact I don't think I could work for a company that does not treat me as a responsible adult and a professional. Imagine if hospitals monitored their doctors to make sure they are not checking personal email or make sure they are not telling nebulous lies to their patients? It's kind of the same.
Security people... (Score:5, Insightful)
Sorry for the double post, but I did want to say a few more important things.
I don't mean to imply that all IT security people are on power trips. I know a lot of them, and my job has me working with them a lot. Most are fine, upstanding, ethical people. A lot don't like doing what they are mandated to do by their corporate overlords. Most only do so as much as they have to.
But they're a bit like cops, as most cops are fine, upstanding, ethical people. Still, there are a few who really get off on how much access and control they have, and they use it every chance they get. They're the ones who like to brag to me, "Watch how I can access this random Schmo's desktop. See? They don't even know I'm doing it!"
I'm also not pretending like there should be zero interference with the network. I'm painfully aware of the problems that viruses, trojans, worms, phishing scams, etc. pose. The only reason I would ever advocate having a content filter is for that purpose only, blocking sites that are literally dangerous to be accessing, stuff like malware sites. I'm also for virus scanning, as that's a necessary evil as some people still do stupid things and not 100% of security threats can be caught.
What I object to, though, is this philosophy that we have to protect companies from people wasting valuable time or productivity. That's not IT's job, that's management's job. If I want to check my e-mail from work, there's no reason why I shouldn't be able to check my damn e-mail. I also carry a smart phone and an iPad, so you really can't keep from from checking my e-mail anyway. (Or for that matter, goofing off with the many, many games that are available to me. Or for that matter, even--gasp!--browsing porn!)
I'm just sick of companies spending stupid amounts of money to save pennies in productivity and grossly violate people's reasonable expectation of privacy. It's not right, and given the GP's defense of such policies, it sounds like he has already drunk the corporate kool-aid.
Re:Know when (Score:4, Insightful)
putting people to prison for downloading porn, even child porn, what a fucked up society.
Dude, get a grip! (Score:4, Insightful)
No, the whole "We must monitor EVERYTHING!" is just a BS policy made because people like you get off on your power trip.
For some? Sure. There are always going to be petty bureaucrats who enjoy power-trips.
But that's hardly the only reason for that type of policy. Here are a few I know of off the top of my head:
As you may be able to tell, I have been responsible for setting up some such monitoring at my company in the past (though it has since fallen into disuse, largely because we laid off 3/4 of the employees...). Though I have no problem with a certain amount of incidental web browsing, there were people who were spending essentially the entire day streaming video (which clobbers our relatively small pipe), browsing MySpace, or playing Flash games. And yes, a couple who would browse porn. (And then there were the one or two who would download games to install onto their computers which turned out to be viruses. So we'd have to clean their computers and explain that that was bad. And then they'd go and install the same bloody virus-ridden game. Again.) It's one thing to poke around a little—or post on Slashdot—but when there's urgent business that needs doing, and it's not happening because you're goofing off...I mean, yeah, that's an issue for HR, eventually, but it seems to me that it is IT's responsibility to at least take basic, reasonable steps to see that those specific temptations are not available.
Dan Aris
Re:Know when (Score:4, Insightful)
Re:You have to. (Score:5, Insightful)
All you need is one guy with a problem like that to download some kiddie porn and your business will be shut down and you go to jail
I want to challenge this. This has been posted 10+ times in this discussion with nothing to back it up. Why would the activities of an individual in the company result in shutting down the company and sending anyone to jail? That makes no sense.
On a related note: This is how EULAs come to exist. Someone assumes that they might be liable for some action someone else performs. So they try to get around it by making you agree to some big contract that waives liability. Over time the EULA grows, filled with such legal fallacies until it becomes 20 pages of legaleeze. In reality, there never was any liability in the first place.
Re:Know when (Score:1, Insightful)
no file downloads
How do your users view Web pages and associated images if they're not allowed to download files? You sound suspiciously like some IT consultants we have at our office who don't know what in the hell they're doing, but since management knows even less they were able to con them into a consulting contract worth millions.