White Paper
Internet Privacy Alert A CIO’s Guide to Privacy and Surveillance in a Cyber World
Prepared by:
Marie Nason, Jill Musick, and Mary Razon
Prepared for:
Terry Linkletter
IT 486: Critical Issues in Information Technology
Central Washington University – Spring 2011
1 Internet Privacy Alert
Table of Contents
Executive Summary ........ 2
Introduction ........ 4
Scope and Methods ........ 4
I. Differing International Laws Affect E-Commerce ........ 5
  Multiple Data Protection Laws ........ 5
  Solutions to Meet the Challenge ........ 6
  Recommendations I ........ 9
II. Consumer Data Collection Invades Privacy ........ 10
  Disclosure and Opt Out Agreements - Difficult to Understand and Hard to Find ........ 10
  Use of Cookie Technology to Record User Activity ........ 12
  Recommendations II ........ 14
III. Employee Monitoring and Workplace Privacy ........ 15
  Employee Monitoring Then and Now ........ 16
  Is Employee Monitoring Necessary? ........ 16
  Impact of Employee Monitoring ........ 17
  Laws Affecting Employee Monitoring and Workplace Privacy ........ 19
  Methods of Surveillance ........ 20
  Recommendations III ........ 21
Conclusion ........ 22
Internet Privacy Alert
A CIO’s Guide to Privacy and Surveillance in a Cyber World
Executive Summary
The purpose of this report is to provide CIOs with the necessary information to
analyze their company’s data privacy, security and surveillance policy effectiveness within
the cyber world in three key areas: international business, consumer data, and employee
monitoring.
Differing International Laws Affect E-Commerce
Differing international laws present a challenge affecting e-commerce, mergers and
acquisitions, and commercial transactions. Companies can meet this challenge by creating
an international data strategy. Steps to develop this strategy include: studying the flow of
information a company is responsible for, including the countries it passes through;
studying any foreign vendors and subsidiaries, including potential mergers or acquisitions,
that may touch this information, and including legal language in contracts to address data
privacy and security; and including a plan to ensure that the laws applicable in each of these
countries are followed.
Consumer Data Collection Invades Privacy
Companies are in control of vast amounts of personal information and consumers
are concerned about privacy rights and expect that data to be secure. Opt out agreements
are not easy to follow. The use of cookies to track movement is another concern.
Companies can build trust with their consumers by notifying them, in plain language, how
their collected data will be used; giving consumers a simple way to opt out; and committing to
the security and confidentiality of consumer data.
Employee Monitoring and Workplace Privacy
CIOs should be mindful of the impact of employee monitoring on their company and
its employees. This impact can be mitigated by: establishing a transparent security
framework for employee monitoring; obtaining input from the different groups affected by
employee monitoring policies; disclosing monitoring practices to employees;
communicating company ethics and security policies; and respecting each employee’s
privacy when the nature of intercepted information is nonbusiness related.
Conclusion
Addressing privacy concerns in regards to international business, consumer data,
and employee rights is a challenge. The CIO must find ways to adapt as new technology is
implemented and new laws are enacted concerning privacy protection and rights,
especially in these three key areas. A company’s survival in a cyber world depends on
listening to the Internet privacy alert.
Introduction
To really understand the concept of privacy and ascertain when it is under attack, it
is important to first define the word. Merriam-Webster (2011) defines privacy as the
quality or state of being apart from company or observation or freedom from unauthorized
intrusion. With the advent of the information age, the definition and scope of privacy
expanded from the physical world to the cyber world. Individuals, now more than ever,
feel their privacy is under constant assault from corporations and the government. The CIO
plays an enormous part in dealing with some of these problems and is tasked with making
sure there is a balance between the organization’s agenda and an individual’s right to
privacy.
This paper will serve as a CIO’s guide to ensuring that privacy, security and
surveillance regulations are followed and an individual’s rights are protected as their
organization adapts and implements new technology and new laws are enacted concerning
privacy protection and rights.
Scope and Methods
The scope of this discussion is threefold. Part I focuses on what a CIO should be
aware of in regards to the effects differing international laws have on e-commerce and
doing business with other countries. Part II provides an overview for the CIO of the points
of view concerning the collection of consumer data and privacy rights in the United States.
The two key issues discussed are opting out agreements and cookie technology. Part III
informs the CIO of what issues surround the implementation of employee surveillance in
the workplace and techniques to deal with them.
Much has been published on all three topics covered in this paper, therefore the
decision was made to cull information from these secondary sources and combine the most
pertinent information for a CIO into one easy reference document. Research included
sources such as books focusing on security and ethics in cyberspace; articles in journals of
law and business ethics; and documents and articles found on the Internet, including the
International Strategy for Cyberspace statement just released by President Barack Obama.
I. Differing International Laws Affect E-Commerce
The subject of international law in regards to data privacy and security is a large
one. This section, however, will focus on international law as it exclusively relates to e-
commerce and its effect on how a company does business. In particular, there is the
problem of meeting the myriad of, and sometimes conflicting, international laws that affect
mergers and acquisitions, and commercial transactions. A company must be prepared for
the event that a case is brought against them in a foreign land, with the accompanying
questions on jurisdiction. It is imperative that companies wishing to purchase, merge or do
business with entities in other countries, evaluate the laws in effect in those countries and
take steps to prepare and protect themselves.
Multiple Data Protection Laws
More than 50 countries have data protection laws that cover privacy protection and
security in the cyber world (Gilbert, 2008). Many of these laws give increased rights to
individuals over the transfer of their personal information (Gilbert, 2008). For instance,
the European Union (EU) Data Directive mandates that member states only allow the
processing of personal data if the subject of that data gives their express consent (Cain,
2002). Even the act of linking to content on another web site could constitute infringement,
according to the EU’s Data Directive (Masters, 2007). Additional international legislation
includes: Hong Kong’s Electronic Transactions Ordinance of 2000, which covers electronic
records and digital signatures; South Korea’s Basic Law on Electronic Commerce, which
covers digital signatures and all communications; Malaysia’s Digital Signature Act 1998,
which covers digital signatures and electronic records; Singapore’s Electronic Transactions
Act of 1998, which covers digital signatures and electronic records, applying to all
communications; the Philippines’ Electronic Commerce Act of 2000, which covers
electronic signatures and transactions and crimes related to e-commerce; The Electronic
Transactions Order of Brunei, which covers electronic contracts and digital signatures; and
India’s Information Technology Bill of 2000, which covers electronic records, digital
signatures, and crimes related to e-commerce (Basu & Jones, 2005).
Solutions to Meet the Challenge
To meet these challenges companies have various avenues open to them.
Developing an international data strategy is a start toward understanding the complexities
involved in doing business in the cyber world (Nahra, 2006). This can be accomplished by
taking either a single global approach or a plan specific to each country (Nahra, 2006), and
should include the experience and advice of a lawyer versed in international law, especially
as it pertains to e-commerce. The challenge is finding a plan that protects the company, but
at the same time allows business flexibility where the law allows this (Nahra, 2006). It is
quite possible that there may be instances where there is not a means of meeting all the
requirements for all countries, in which case, it is fortunate that enforcement at this point
in time is relatively low (Nahra, 2006).
Another avenue a company may pursue to meet the challenge of preparing and
protecting themselves is to plan how to allocate liability in the event an inadvertent
mistake is made in developing a compliance program or a complaint is received (Nahra,
2006). There have been cases where companies and their officers have had claims brought
against them in countries where they are not physically located (Masters, 2007).
Indemnification and limits on liability provisions can be included in any contracts for
mergers or acquisitions (Gilbert, 2008). A cushion of available funds to cover obligations
can be set aside (Gilbert, 2008). Insurance policies specific to losses as a result of a breach
of security or misuse of data also exist (Gilbert, 2008). These Cyber-risk policies fill the gap
that traditional policies do not cover, but the policies available vary as to the scope of
coverage so it behooves a company to do careful research before purchasing (Masters,
2007). While it is possible to include warranties and liability provisions in any contracts for
mergers and acquisitions, this only protects a company from this particular exposure
(Masters, 2007). Protecting a company through a cushion fund or insurance is an
expensive solution and it is particularly difficult to find insurance companies who have
Cyber risk policies available (Masters, 2007).
A final, and evolving, avenue for a company is the creation of a global legal
framework that addresses data privacy and security. The obvious advantage is that a
company would no longer have to contend with varying and conflicting international laws.
There would be one law of the land, so to speak. Methods to accomplish this have been
postulated. One proposes taking the Safe Harbor framework, a compromise to the EU Data
Directive negotiated by the United States (US) but not acceptable to other countries, and
using it as a starting point for a new International Safe Harbor (Cline, 2006). This
alternative would not address the issue of privacy as a human right because this would
most likely make a consensus among countries unlikely (Cline, 2006). Negotiations would
start with those countries with laws on data privacy and security in place and would be
negotiated within the World Trade Organization, not the United Nations (Cline, 2006). It
would be based on the top ten privacy principles from each of the negotiating countries and
countries would have the choice of recognizing compliance of the laws for individual
companies or entire countries (Cline, 2006). In addition, the countries would have the
flexibility of enforcement through the processes employed by the World Trade
Organization governing body (Cline, 2006). A second proposes developing norms for
acceptable behavior in cyberspace as a guide to the development of policies and
partnerships (Obama, 2011). This method would not necessitate any rewriting of
international law, nor would existing international norms become obsolete (Obama, 2011).
However, because of the uniqueness of cyberspace, there would need to be a consensus of
how to apply these norms of behavior in this arena (Obama, 2011). Of particular concern to
the CIO of a company dealing with international laws and e-commerce, is the section of the
proposal detailing the policy priorities in regards to Internet governance. To promote an
Internet governance that meets the needs of all Internet users, the US will: (1) prioritize
openness and innovation on the Internet, (2) preserve global network security and
stability, including the domain name system (DNS), and (3) promote and enhance multi-
stakeholder venues for the discussion of Internet governance issues (Obama, 2011). While
these proposed methods are laudable, there is no guarantee that either will come to
fruition.
Recommendations I
The avenue of a global legal framework is evolving and not yet in existence,
therefore its choice as a solution for a CIO at this point in time is not tenable. The avenue to
protect a company against international claims with a cushion fund or insurance policy is
plausible, but expensive, providing a Cyber-risk policy can be found. The recommendation
made here is to create an international data strategy. The first step in developing this
strategy is to study the flow of information a company is responsible for. This means not
only where it starts and ends up, but through which countries it passes (Nahra, 2006). The
next step is to study any vendors and subsidiaries that may touch this information (Nahra,
2006). Included in this step are any plans for mergers or acquisitions. It must be part of the
strategy to study a possible target’s practices and privacy policies, especially important if
the target resides in another country (Gilbert, 2008). Any written agreements engaged in
with these targets should address data privacy and security specifically and should include
a warranty that no claim has been made against the target company and that they have
complied with all applicable laws (Gilbert, 2008). The third step is to include a plan to
ensure that any laws applicable in any of these countries be followed (Nahra, 2006). The
international data strategy must be reassessed at least once a year to account for changes
in business operations, vendors and laws (Nahra, 2006).
II. Consumer Data Collection Invades Privacy
Most consumers are not aware of the information being stored about them until
there is a breach that becomes public knowledge (Spinello, 2006). As data storage costs
have decreased, more and more consumer data is being stored. Companies are in control of
vast amounts of personal information and consumers expect that data to be secure. The US
position historically has been that businesses self-regulate how they use this information
(Spinello, 2006). This has led consumers to become increasingly concerned about privacy
rights. Some of the causes for this concern are included in this section, along with potential
solutions.
Disclosure and Opt Out Agreements - Difficult to Understand and Hard to Find
Consumers currently must opt out of information sharing by the online providers
they do business with. This is not a straightforward process. Most consumers do not want
to read a multiple page privacy document when purchasing something online. Online
purchasing is supposed to be a quick and convenient experience.
JCPenney.com uses web beacons to track usage, which are used to focus
advertising (JCPenney, 2011). They utilize a Privacy Policy that includes an explanation on
how to opt out of tracking (JCPenney, 2001). The consumer must request a list of the third
party companies that JCPenney uses to track movement online. Consumers must then go to
those individual sites if they wish to opt out. This is a very cumbersome and confusing
process for the user and is typical of most privacy policies. Figure 1 is an excerpt from the
JCPenney.com Privacy Policy on opting out which illustrates the fact that the onus is on the
consumer to protect their information.
Figure 1. Opt out instructions from the JCPenney.com Privacy Policy.

    If you prefer that we:
    NOT share information about you with any of the companies outside the JCPenney Family that we have authorized to contact you regarding their products or services, or
    NOT share your JCPenney credit account history information with affiliated companies within the JCPenney Family
    Please let us know by:
    writing to us at J.C. Penney Corporation, Inc., P.O. Box 10001, Dallas, TX 75301-7311, Attention: Corporate Customer Relations,
    calling us at 1-800-204-3334, or email us at [email protected]

Legislation is in the process of development to help consumers gain control over
their data. One bill, introduced by Senators John Kerry and John McCain, is the Privacy Bill
of Rights Act (Newman, 2011). Language in this bill includes clear notification that the
ability to opt out is available (Newman, 2011). Sensitive information that could cause harm
if disclosed to the public cannot be shared unless a company obtains a user’s consent to opt
in (Newman, 2011). This bill would also prevent companies from collecting information
that is not necessary to deliver or improve service (Newman, 2011).
An additional provision of the Privacy Bill of Rights Act stipulates that consumers
cannot sue for privacy violations (Newman, 2011). Only the Federal Trade Commission or
state attorney would have the authority to sue (Newman, 2011). Consumer privacy groups
are opposed to this provision and feel the act does not go far enough to protect consumers
(Newman, 2011).
The basic tenets of a privacy policy are notice and choice (Spinello, 2006).
Consumers want to have a choice in what data is collected and how it is used (Spinello,
2006). If every company followed some simple guidelines, such as asking for permission
before selling identifiable personal data to another organization, this would give
consumers a clear and simple choice and legislation would possibly not be necessary.
Another option would be to use technology and code to protect consumer privacy.
When using the Platform for Privacy Preferences Project (P3P), the user can define preferences
in their browser that are compared to the websites visited (Spinello, 2006). P3P will only
allow users to provide their personal data at sites consistent with their preferences
(Spinello, 2006). A user would receive a warning if entering a website that collected more
information than he or she was willing to provide (Spinello, 2006). This would help
empower consumers to make informed choices (Spinello, 2006). Websites and browsers
would have to adopt these standards for this solution to work.
Use of Cookie Technology to Record User Activity
Any website can track any online activity. A website can follow a person from site to
site, identifying all the pages visited and what is done there (Miller, 2008). This mimics
following a person to the store and taking pictures of everything they do (Miller, 2008).
Cookies are used to accomplish this and are automatically installed on the user’s computer
hard drive (Miller, 2008). This activity takes place without a user’s knowledge or
permission (Miller, 2008).
Cookies help companies market products to the consumer, usually a harmless
purpose. Advertising is presented that focuses on consumer interests (Miller, 2008). If this
were the only use for the information, there would likely be no cause for concern. However,
the information gathered could be combined with other stored information (Miller, 2008).
Governments or other entities could use this information to create a data profile about a
person (Miller, 2008).
Companies value this kind of information. It allows them to “predict consumer
preferences and behavior” (Spinello, 2006, p.149). However, what if a consumer does not
want their activity tracked? Most consumers do not know what actions to take to regain
control over their personal information.
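The cross-site tracking described above can be made concrete with a small Node.js model. This is an added example, not code from the paper or from any of its sources. The two site hostnames, the tracker hostname, the list of page visits and the cookie name "tid" are all constructed. The model replays the same three page visits twice: once in a browser that accepts third-party cookies, so the tracker can tie every visit on both sites to one identifier, and once with third-party cookies blocked, which leaves the tracker with three unlinkable one-off hits. Identifiers are issued from a counter rather than a random generator purely to keep the run deterministic.

```javascript
// Added example, not code from the paper: a third-party tracking cookie
// following one visitor across unrelated sites, and the browser setting
// (block third-party cookies) that severs the link.
// Hostnames, the visit list and the cookie name "tid" are constructed.

const TRACKER = "ads.example-tracker.test"; // constructed tracker host
const VISITS = [ // constructed: both sites embed a beacon served by TRACKER
  { site: "shoes.example-shop.test", path: "/boots" },
  { site: "news.example-paper.test", path: "/sports" },
  { site: "shoes.example-shop.test", path: "/checkout" },
];

// Parse a Cookie request header such as "a=1; b=2" into a Map.
function parseCookieHeader(header) {
  const cookies = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) cookies.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return cookies;
}

// Tracker server: hands out a fresh id on first contact and logs every
// beacon hit together with the page (Referer) that embedded the beacon.
function makeTracker() {
  const hits = [];
  let counter = 0; // stand-in for a random identifier, kept deterministic here
  return {
    hits,
    handleRequest(cookieHeader, referer) {
      let id = parseCookieHeader(cookieHeader).get("tid");
      let setCookie = null;
      if (!id) {
        id = `t${++counter}`;
        setCookie = `tid=${id}; Path=/`;
      }
      hits.push({ id, referer });
      return { setCookie };
    },
  };
}

// Browser model: one cookie jar per host plus a policy switch. With
// blockThirdParty set, a request to a host other than the page's own site
// sends no cookies and discards any Set-Cookie it receives.
function makeBrowser({ blockThirdParty }) {
  const jars = new Map(); // host -> Map(name -> value)
  const headerFor = (host) => {
    const jar = jars.get(host);
    return jar ? [...jar].map(([k, v]) => `${k}=${v}`).join("; ") : "";
  };
  return {
    visit(tracker, { site, path }) {
      const referer = `https://${site}${path}`;
      const allowCookies = !(blockThirdParty && site !== TRACKER);
      const resp = tracker.handleRequest(allowCookies ? headerFor(TRACKER) : "", referer);
      if (allowCookies && resp.setCookie) {
        const [name, value] = resp.setCookie.split(";")[0].split("=");
        if (!jars.has(TRACKER)) jars.set(TRACKER, new Map());
        jars.get(TRACKER).set(name.trim(), value.trim());
      }
    },
  };
}

// Replay the visits under one policy and return what the tracker can
// reconstruct: an array of profiles, each the list of pages seen for one id.
function simulate({ blockThirdParty }) {
  const tracker = makeTracker();
  const browser = makeBrowser({ blockThirdParty });
  for (const v of VISITS) browser.visit(tracker, v);
  const byId = new Map();
  for (const { id, referer } of tracker.hits) {
    if (!byId.has(id)) byId.set(id, []);
    byId.get(id).push(referer);
  }
  return [...byId.values()];
}

console.log("third-party cookies allowed:", simulate({ blockThirdParty: false }));
console.log("third-party cookies blocked:", simulate({ blockThirdParty: true }));
```

With third-party cookies allowed, `simulate` returns a single profile listing all three pages across both sites, which is the "following a person from store to store" effect the text describes. With them blocked, the tracker sees three separate identifiers and cannot join the visits. The model deliberately ignores other linking techniques, so blocking third-party cookies is shown as one control, not a complete one.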
Legislation is being introduced that would allow users to block companies from
collecting information about their online movements. Senator Jay Rockefeller presented the
Do-Not-Track Online Act of 2011 on May 9, 2011 (Lefkow, 2011). This Act would give
consumers a straightforward way to indicate whether they wanted to have personal
information collected by online service providers (Lefkow, 2011). The Federal Trade
Commission would be required to implement mechanisms for allowing this option for
consumers (Lefkow, 2011). This is similar to legislation introduced by Representative
Jackie Speier on February 11, 2011 called the Do Not Track Me Online Act of 2011 (Lefkow,
2011).
These bills have not become law yet and may not make it into law. It is clear that
consumers are interested in their right to protect their data and its use. Laws are one way
consumers can speak up, but they may prove hard to implement. Consumers would have to
negotiate with every website seeking their information (Spinello, 2006). This would
become time-consuming and a burden for both parties (Spinello, 2006). If privacy is
important to consumers, those in the industry can recognize this and work to earn their
confidence.
Companies have the option to regulate themselves to avoid government-imposed
regulations. A commitment to security and confidentiality may mean higher prices. Those
who care about privacy may be willing to pay a premium for more protection. This could
actually convince those reluctant to enter the online market to join if privacy is guaranteed.
Recommendations II
Consumers are increasingly voicing their concerns regarding privacy rights and the
protection of their data. They do not feel in control of how their information is used. Opt
out agreements are not easily understood and although consumers can manage cookies
through their browser, most do not know how. It is imperative that corporations
understand these concerns and take steps to address them. The lack of action has created a
cry for legislation to force companies to give consumers some rights.
Corporations can take action to help with these concerns. One basic notion is notice
and choice. Simple steps that notify the customer about how a company uses their data
would let the consumer make a more informed decision. Next, give consumers a simple
way to opt out. A consumer doing business with a company may or may not want to have
information shared with others. Consumers do not read multi-page privacy agreements to
find out they must send a letter or email to everyone with whom the company has shared
data. Give consumers a clear and simple choice.
A lack of trust exists between consumers and corporations regarding the safety of
their personal information. Committing to security and confidentiality may require
additional resources, but consumers are interested in this protection and may be willing to
pay for this necessity. There are many reluctant to join the online market because of these
concerns. Eliminating these perceptions by giving consumers some control may actually
open up the market to those hesitant consumers.
III. Employee Monitoring and Workplace Privacy
Employee monitoring and surveillance is becoming the subject of much media
attention as some employees view it as an invasion of their privacy. Employers justify their
methods as necessary to protect intellectual property, monitor employee performance, and
manage productivity. It also aids employers in avoiding liability for certain employee
behaviors. This conflict has prompted the discussion as to where the line should be drawn
between justifiable monitoring and invasion of an individual’s privacy.
Even though employee monitoring is deemed necessary for employers, companies
that choose to implement these kinds of technologies must be mindful of its effect on
employee morale. Richard Hunter, a privacy analyst at Gartner Incorporated, said that,
"CIOs must measure expected benefits against potential problems" (James, 2004). In order
to find a common ground for both employers and employees, this section will explore the
reasoning behind employer access to the work-related and personal information of their
employees. It will discuss what methods of surveillance are implemented and how it affects
both parties. Furthermore, it will touch on what legislation addresses workplace privacy
concerns. This section will conclude with solutions and recommendations that may help
the CIO understand that the human aspect of this issue is important to the effectiveness of
employee monitoring.
Employee Monitoring Then and Now
Employee advocacy groups have been fighting for employees’ workplace privacy in
increasing measure, which may lead us to believe that employee-monitoring practices have
just recently been introduced, when in fact they have been around for decades. The
differences between then and now are the methods used, availability of technology, and the
amount of information collected (Kizza, 2010, p. 148).
Employers have always been very much aware of how employee performances
affect the company’s bottom line. Before high tech surveillance equipment and software
were available, companies implemented various methods to monitor their employees
(Kizza, 2010, p. 148). During the early years, employee monitoring relied heavily on
intensive use of human resources and one-on-one monitoring. The development of new
technology slowly lessened this dependency. Companies are now implementing advanced
tracking systems that replace the visible eyes of managers with invisible eyes of monitoring
software and equipment. Employers believe that such monitoring technologies are more
accurate because of the absence of human biases and opinions (Crampton & Mishra, 1998).
Is Employee Monitoring Necessary?
Information is considered to be the most valuable asset a company can have. As the
use of technology increased in the workplace, so has the possibility of “intrusion into the
systems, theft of business information, fraudulent use of information and other forms of
information loss or damage” (Stanton, The Visible Employee, 2006, p. 1). The CIO can
implement all the necessary precautions and use the most advanced security procedures,
but without a responsible employee to monitor the system, these safety measures can be
rendered useless. Employees are a vital part of the success of these security procedures,
but then, they themselves require monitoring to prevent certain wrongdoings.
The advent of technology in the workplace has created some personnel issues, such
as cyberloafing, wherein employees use valuable company time and resources to browse
the Internet for personal purposes (Mujtaba, 2003). This unnecessary and unproductive
use of company time and resources can be prevented by implementing employee
monitoring measures.
Just as the company is trying to protect their rights and property, as well as their
third party users such as shareholders and customers, employees are voicing their
concerns about the possibility of the mishandling of their private information.
Another issue raised is the lack of privacy at work. Employees feel that they have the
right to privacy at work, and the use of employee monitoring techniques is an invasion of
their privacy. By being monitored constantly, employees feel scrutinized and are not able to
perform well because of constant fear of surveillance.
Impact of Employee Monitoring
In order for CIOs to provide an effective solution, it is necessary to be mindful of the
impact of employee monitoring to their company and its employees. As mentioned earlier,
the human aspect of employee monitoring is slowly being replaced by the use of advanced
data collecting technologies, thus eliminating human biases and judgment that can be
clouded by human emotions and politics. Evaluations are based more on quantitative data
from computer systems that can be further analyzed, which may be an advantage for
employees (Crampton & Mishra, 1998). Employee monitoring also provides employee
location flexibility, since employers can check on employees in various work locations
(Crampton & Mishra, 1998). Another advantage for employees is computer-based
feedback, which has proven to be more effective than face-to-face evaluation (Crampton &
Mishra, 1998), because they now have the ability to review their own performance through
data collected without prejudice.
Employee monitoring can also have a negative effect on employees, both
psychologically and physically. Employees feel that too much monitoring creates
unnecessary stress and lack of self-esteem (Crampton & Mishra, 1998). Constant fear of job
loss results in a lack of interest, which translates to poor performance. Physical
manifestations such as headaches and stomach problems result in missing work, thus
increasing medical expenses (Crampton & Mishra, 1998). Another issue is that employee
evaluations based solely on quantitative measurements from computer systems may not be
the best representation of their performances, because behavior and quality of work are
just some of the things that cannot be quantified (Crampton & Mishra, 1998).
Employers have long defended their actions by explaining that employee
monitoring is not implemented to hurt employees but to help increase overall efficiency
(Kizza, 2010, p. 153). The thought is that employees who are aware of being monitored are
more likely to increase their productivity and become more responsible with the use of
their time. In addition to production increase, employee monitoring can help employers
lessen their risk of future liabilities caused by improper use of company resources (Kizza,
2010, p. 153). Just as it is necessary for employees to have objective evaluations, it is
important for employers to have access to quantitative data in order to determine the
effectiveness of their business strategies (Kizza, 2010, p. 153). However advantageous
these reasons may seem, the effect of such monitoring creates adverse working conditions
for employees and in the end, this may defeat the purpose of implementing such measures
(Kizza, 2010, p. 153).
Laws Affecting Employee Monitoring and Workplace Privacy
In the United States, Americans are given the right to keep certain information
private, but with constant monitoring, employees feel that employers are crossing that line
(Crampton & Mishra, 1998). Employees have turned to the government to seek legal
protection, but unfortunately found that they have fewer legal rights than they thought
(Schulman). The 1986 Electronic Communications Privacy Act (ECPA), which “prohibits
unauthorized interception of various electronic communications, including email”
(Schulman), was thought to be the answer to protecting employees from monitoring.
However, this law has several exceptions. The most relevant exceptions to workplace
privacy are the “Consent of a Party to the Communication Exception” and the “Provider
Exception”, which grant providers of communication, such as employers, the right to
intercept communications as long as there is a legitimate business reason (Electronic
Surveillance in Communications Networks). Employees are left without an alternative,
since under United States federal law employers have every legal right to intercept “work
related use of telephone, email, and other computer-generated communications if certain
conditions have been met” (Thomas, 2005). In Europe, by contrast, employees’ privacy is
protected by Article 8 of the European Convention for the Protection of Human Rights and
Fundamental Freedoms, which states that “everyone has the right to respect for his private
and family life, his home and his correspondence” (Lasprogata, King, & Pillay, 2004). The
term “private and family life” is interpreted by the European Court of Human Rights to
“include the workplace and extends protection of privacy in correspondence from it”
(Lasprogata, King, & Pillay, 2004).
Methods of Surveillance
Because of the variety of exploits used to steal information from companies, a multi-layered
security framework should be employed. Many monitoring technologies are available for
implementation today (Weckert, 2005, p. 7).
Some of the more established methods are:
• phone tapping
• voicemail recording
• CCTVs
• video monitoring
Some of the newer methods include:
• computer software monitoring such as email, web tracking, content filtering
and blocking
• remote freeze and lock up
• key-loggers
• screen capture programs
• application usage trackers
Some companies go even further, using GPS or tagging employee badges with RFID,
methods capable of tracking the exact location of their employees (James, 2004).
Employee monitoring has resulted in a massive collection of employee data, placed
in the hands of the employers. Unfortunately, employers are not always clear with how
they use and store this kind of information. Most employees are not even aware what data
is being collected. Without transparency and full disclosure, employees are constantly in
fear that these records may be compromised or worse, be used against them in the future.
Recommendations III
While employee monitoring can create ethical issues and business problems, there
are solutions that can help solve this dilemma. Establishment of a transparent security
framework that involves and benefits not just employers, but employees, is an important
step for a CIO to take. In order to have an effective security policy and infrastructure in
place, it is vital to have active participation from the different groups affected by it, namely:
employees, company leaders and IT experts (Stanton, Human Risks in Computer Security,
2006). Input from each group is critical to make sure all sides are heard, and directives are
created fairly.
If an employer decides that employee monitoring is necessary, employees have the
right to know that they are being monitored and what is being monitored. Employers
should effectively communicate their ethics and security policies and integrate them
through ethics training and self-regulatory programs. Furthermore, it is important to
respect each individual’s privacy when the nature of intercepted information is
nonbusiness related. In return, employees must be mindful of the use of company time and
resources for nonbusiness related activities so that productivity, efficiency, and
information security are not compromised. The CIO must also be willing to share what is
discovered through surveillance and be open to inquiries and possible backlash from
employees.
Conclusion
Addressing privacy concerns in regards to international business, consumer data,
and employee rights is a challenge. The CIO must find ways to adapt as new technology is
implemented and new laws are enacted concerning privacy protection and rights,
especially in these three key areas. A guide to this adaptation includes:
• Development of an international data strategy through the study of the company’s flow
of information; the study of vendors and subsidiaries; assurance that applicable laws
are followed in the countries where the company does business; and annual reassessment
of the strategy.
• Notification to the consumer, in plain language, of how a company uses their data; giving
consumers a simple way to opt out; and commitment to the security and confidentiality of
consumer data.
• Establishment of a transparent security framework for employee monitoring;
obtainment of input from the different groups affected by employee monitoring
policies; disclosure to employees of monitoring practices; communication of company
ethics and security policies; and respect for each employee’s privacy when the nature of
intercepted information is non-business-related.
A company’s survival in a cyber world depends on listening to the Internet privacy alert.
References
Basu, S., & Jones, R. (2005). Indian Information and Technology Act 2000: Review of the
Regulatory Powers under the Act. International Review of Law Computers &
Technology, 19 (2), 209-230.
Cain, R. (2002). Global Privacy Concerns and Regulation – Is the United States a World
Apart? International Review of Law Computers & Technology, 16 (1), 23-34.
Crampton, S. M., & Mishra, J. M. (1998). Employee monitoring: privacy in the workplace?
SAM Advanced Management Journal.
Electronic Surveillance in Communications Networks. (n.d.). Retrieved May 25, 2011, from
US Department of Justice Computer Crime & Intellectual Property Section:
http://www.justice.gov/criminal/cybercrime/ssmanual/04ssma.html
Gilbert, F. (2008). Is Your Due Diligence Checklist Obsolete? Understanding How
Information Privacy and Security Affects Corporate and Commercial Transactions.
The Computer & Internet Lawyer, 25 (10), 13-18.
James, G. (2004, March 1). Can't Hide Your Prying Eyes. Retrieved May 21, 2011, from
Computer World:
http://www.computerworld.com/s/article/90518/Can_t_Hide_Your_Prying_Eyes
J. C. Penney Corporation, Inc. (2011, April 5). Privacy policy. Retrieved May 28, 2011 from
http://www.jcpenney.com/jcp/CustomerServiceSub.aspx?CatTyp=CSR&CatID=12490&cmResetCat=True&CmCatId=homepage&mscssid=69d3ee29b8c3a4e838be2becf3256eb5axMnVNoVza3WxMnVNoVza3o200B9B2A297EB9334BC7CB4B089BE83EA34A1115019
Kizza, J. (2010). Ethical and Social Issues in the Information Age. London: Springer.
Lasprogata, G., King, N. J., & Pillay, S. (2004). Regulation of Electronic Employee Monitoring:
Identifying Fundamental Principles of Employee Privacy through a Comparative
Study of Data Privacy Legislation in the European Union, United States and Canada.
Stanford Technology Law Review, 12.
Lefkow, C. (2011, May 9). US Politicians Push for 'Do Not Track' Internet Laws. Retrieved
May 27, 2011 from
http://www.nzherald.co.nz/connect/news/article.cfm?c_id=1501833&objectid=10724402
Masters, L. (2007). Insuring Coverage Along the Information Superhighway. The Computer
& Internet Lawyer, 24 (11), 1-14.
Merriam-Webster, Inc. (2011). Privacy. Retrieved May 15, 2011 from
http://www.merriam-webster.com/dictionary/privacy
Miller, M. (2008). Is it safe? Protecting Your Computer, Your Business, and Yourself Online.
Indianapolis, IN: Que.
Mujtaba, B. (2003). Ethical Implications of Employee Monitoring. Journal of Applied
Management and Entrepreneurship.
Nahra, K. (2006). A Privacy and Security Compliance Checklist for the Internet Era. Journal
of Internet Law, 9 (12), 11-18.
Newman, J. (2011, April 13). Kerry-McCain privacy bill: What you need to know. Retrieved
May 28, 2011 from
http://www.pcworld.com/article/225039/kerrymccain_privacy_bill_what_you_need_to_know.html
Obama, B. (2011). International Strategy for Cyberspace. Prosperity, Security, and
Openness in a Networked World.
Schulman, M. (n.d.). Little Brother is Watching You. Retrieved May 18, 2011, from Santa
Clara University: http://www.scu.edu/ethics/publications/iie/v9n2/brother.html
Speier, J. (2011, February 11). Speier Introduces Consumer Privacy Package. Retrieved May
27, 2011 from https://speier.house.gov/index.cfm?sectionid=48&itemid=683
Spinello, R. A. (2006). Cyberethics: Morality and Law in Cyberspace. Sudbury, MA: Jones and
Bartlett.
Stanton, J. (2006, June). Human Risks in Computer Security. Retrieved May 26, 2011, from
mThink:
http://mthink.com/sites/default/files/legacy/midmarket/content/pdf/mms2_2_10_wp_syracuseuniv_stanton.pdf
Stanton, J. (2006). The Visible Employee. Medford: Information Today.
Thomas, R. (2005, March 18). Issues to Consider When Implementing an Employee
Monitoring Program. Retrieved May 27, 2011, from Tech Republic:
http://www.techrepublic.com/article/issues-to-consider-when-implementing-an-employee-monitoring-program/5615878
Weckert, J. (2005). Electronic Monitoring in the Workplace: Controversies and Solutions.
Hershey: Idea Group Inc.