Employers on track to get more nosey with employees' social media lives

Filed Under: Facebook, Featured, Google, Law & order, Privacy, Social networks, Twitter, Vulnerability

Employer spying, courtesy of ShutterstockBy 2015, 60 percent of employers are likely to be eavesdropping on our social media selves to make sure our e-blabbing isn't poking security holes into their outfits, Gartner says.

According to Gartner's predictions, published on Tuesday in a report entitled "Conduct Digital Surveillance Ethically and Legally: 2012 Update", employers that are now only monitoring their brands and their marketing are going to broaden their foci to include tracking employees' social media doings as part of security monitoring.

As it is, Gartner says, less than 10 percent of organizations are currently monitoring their employees' social media activities as part of security monitoring. Instead, they're keeping an eye on security around internal infrastructure.

The cloud's going to change that, as will the Bring Your Own Device culture and the popular use of iGadgets in the workplace. As organizations' data migrate onto these technologies, security's got to follow, Gartner says.

Here's how Andrew Walls, research vice president of Gartner, put it in a press release:

Security monitoring and surveillance must follow enterprise information assets and work processes into whichever technical environments are used by employees to execute work. Given that employees with legitimate access to enterprise information assets are involved in most security violations, security monitoring must focus on employee actions and behavior wherever the employees pursue business-related interactions on digital systems. In other words, the development of effective security intelligence and control depends on the ability to capture and analyze user actions that take place inside and outside of the enterprise IT environment.

There certainly seems to be no shortage of internet usage monitoring tools, performing a simple Google search results in pages of products.

Social media blackboard, courtesy of ShutterstockBut here's the rub: how does an organization:

  1. Sift through the huge volume of irrelevant social media material to find actual threats;
  2. Keep its security staff from becoming creepy, voyeuristic stalkers; and
  3. Avoid breaking privacy laws (which, mind you, differ from state to state and country to country)?

Here's what Wall says:

While automated, covert monitoring of computer use by staff suspected of serious policy violations can produce hard evidence of inappropriate or illegal behaviors, and guide management response, it might also violate privacy laws. In addition, user awareness of focused monitoring can be a deterrent for illicit behavior, but surveillance activities may be seen as a violation of legislation, regulations, policies or cultural expectations. There are also various laws in multiple countries that restrict the legality of interception of communications or covert monitoring of human activity.

Beyond that, how are employees going to feel about all this monitoring?

My guess is they're going to start paying a lot more attention to privacy controls in social media, as well as the intricacies of what's legal for their employers to do.

If you're curious to know whether your employer can covertly and legally sift through your activity, say, by reading your encrypted email messages, a good resource is the Privacy Rights Clearinghouse's fact sheet on workplace privacy and employee monitoring.

As far as whether or not we can be fired over what we post on social media sites, the PRC says it depends on your employer's policies and your state's law.

A few helpful snippets from PRC on that matter:

Many companies have social media policies that limit what you can and cannot post on social networking sites about your employer. A website called Compliance Building has a database of social media policies for hundreds of companies. You should ask your supervisor or human resources department what the policy is for your company.

Some states, including California, Colorado, Connecticut, North Dakota and New York, have laws that prohibit employers from disciplining an employee based on off-duty activity on social networking sites, unless the activity can be shown to damage the company in some way. In general, posts that are work-related have the potential to cause the company damage.

"There is no federal law that we are aware of that an employer is breaking by monitoring employees on social networking sites. In fact, employers can even hire third-party companies to monitor online employee activity for them.

True that. In fact, as the PRC points out, in March 2010 a company called Teneros launched the "Social Sentry" service to track online activity of employees across social networking sites.

Interestingly enough, that service isn't available anymore. That might have something to do with cultural expectations about privacy.

Those expectations are reflected in some of the headlines that greeted Social Sentry's release: "Sayonara, Social Sentry: Bosses Can Spy for Free With Web Tools", "Teneros Blows a Chill over Social Networks", and "Big Brother is Indeed Watching You: The Spy Side of Social".

I would feel sorry for privacy-deprived employees, but you guys are, evidently, security poison.

CIO logoIt's like CIO reported on Wednesday: at Infosecurity London last month, attendees rated employees scarier when it comes to security than hackers, consultants, third parties, or domestic or foreign government agencies.

In other words, 71 percent of 300 polled attendees said that the people creeping around their own hallways were their biggest data breach threats. Bigger than domestic or foreign government agencies, bigger than Anonymous.

Network security risks from employees are pretty easy to grasp - employees could open a malware-containing email, act carelessly with company trade secrets or intellectual property, or bring insecure devices into the workplace.

Likewise, employees on social media can give away trade secrets or simply act like unprofessional idiots and thereby embarrass their employers. They can also click on scams in Facebook.

Should employers monitor their employees' social media use? It's hard to say no, given the potential security risks of social media.

But as we move toward workplaces with ever more pervasive surveillance, I'd suggest that organizations take the time to study the privacy laws. Those laws continue to evolve. You might be within your rights today but seen as a leering Big Brother tomorrow.

Social media blackboard and employer spying, courtesy of Shutterstock.

, , , , , , ,

You might like

11 Responses to Employers on track to get more nosey with employees' social media lives

  1. Steve · 688 days ago

    Employers are now trying to manage the private lives of employees they have no right poking their noses into. The human rights act grants us all the right to a private life and employer paranoia means they are sticking their noses in where it does not belong.

    If Facebook is a security risk for employers to get malware from then why not just block access to it from work systems? This whole thing is leading to a massive slide towards a level of spying on individuals Orwell would be shocked about.

  2. Randy · 688 days ago

    In the end, it is everybody's responsibility to carefully consider what they post in public. Posting on Facebook is just like writing your thoughts on a T-shirt and wearing it to work.

    • Dan · 688 days ago

      No, it isn't at all. If you have your privacy levels set appropriately it is more like having a conversation with a group of friends. Last I checked, employers have no right to interfere with this kind of personal activity.

  3. Matt · 688 days ago

    "If you have your privacy levels set appropriately..."

    We've all seen that privacy settings are not dependable. If it's on the internet, assume ANYBODY can see it. Remember, www = World Wide Web. What anybody does with what was posted is fair game.

  4. mick_slick · 688 days ago

    My opinion may not be popular, but it's mine sooo...I fully agree the employer has no right to snoop into my private life, whether by creeping my FB if I'm to dense enough not to know how to set my privacy, nor should they be able to 'demand' me to friend them or give them my PW (which is a violation of T&C) Doesn't give the employer much faith in my integrity if I pick and choose what rules to violate does it? Having said that, I don't think employees should be wasting the company's time on FB or texting friends at work unless it is part of the job description. Keep it above board at work and the problem solves itself.

  5. Topol · 688 days ago

    Matt,

    If your line of reasoning was valid, then one could successfully argue that because someone's security controls are poor, breaking into their (computer, website, wall safe, child's nursery) is a legitimate act. If an individual takes steps to limit what they post, then it could be considered a privileged conversation and if an employer took steps to see what they post, it would be a privacy violation. The quality of the controls is irrelevant, the INTENT of individual and the INTENT of the employer are relevant. Again, arguing about the judgement or lack thereof when it comes to what is posted isn't relevant. If someone attempts to make their communications private, then an employer is violating personal privacy when they try to read it and making comments in private is very different from making them in public.

    • Matt · 687 days ago

      Topol,

      I agree with what you say regarding legitimacy and intent. It would be fantastic if the world actually worked this way. My point is, do not post things that you prefer others not to see. Whether they gain access legitimately or illegally, they gained access and can make whatever judgements they like. If a prospective employer does not like what they see, you may not get the job. Here judgement is relevant.

    • UrVAITGuy · 687 days ago

      Granted I agree with you that a lack of security does not justify anyone to hack the account of a person if said person is careless with their passwords or do not manage their privacy controls. But people suck. And it WILL still happen. Imagine if you went out drinking with your friends and, in your inebriated state, you (INSERT EMBARRASSING MOMENT HERE), who's fault is it if suddenly you find pictures of that posted all over Facebook? Hell, forget Facebook. How about if its on the television or in the local papers? Or gossiped around the water cooler on Monday at the office? News reporters do this all the time.
      The point I'm making is: You must always be aware of your conduct and behavior, wherever you are, whether online or offline, because the world is not truly private in any sense, and you WILL be judged, whether you like it or not. Yes it sucks, but that's the way it is.

  6. Richard · 687 days ago

    This basically come's down to trying to control people in every aspect of their life.

  7. Shiny317 · 686 days ago

    as the late great Bill Hicks would say "you are free.... to do as we tell you"

  8. Don · 565 days ago

    If your at work and it's there computers then i don't see a problum But no way would i give my password or friend someone as part of my job.They can kms. They have no right to our privet lifes....BTW I no my spelling sucks, But you get the point

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.