
Péter Gyöngyösi – software developer
A few days ago I read in the news that Washington DC employees were laid off for visiting an "egregious" number of porn sites from their office computers. The employees' actions were revealed by an internal investigation with "scandalous" results. In the end, nine notorious surfers were dismissed, as a deterrent to the thousands of other employees. As a conclusion to the investigation, the Mayor's office decided to buy content-filtering devices – better late than never.
www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058938&source=rss_topic17
Actually, there is nothing new in this; similar disciplinary proceedings are started somewhere in the world probably every day. What makes the case noteworthy is the debate that unfolds again and again between employers and employees about the monitoring of employees' actions during work. During our lunch break we had heated discussions about what rights we have as employees, and what we are able to control and monitor as security experts.
E-mail secrecy and privacy run deep in European law and culture, but it is beyond argument that companies have the right to control the traffic on their network. These two rights often collide, and laws and regulations still have to catch up with the challenges of technology.
Therefore, the task of companies is to make their position clear in this field: to inform their employees in writing about what they are permitted to do on the company's IT infrastructure, and what measures the company is taking to control this use. The cited article does not mention whether the office in Washington had any written policies about Internet use, but if you are caught spending most of your time not working, that is a casus belli anyway.
The most politically correct procedure would be for companies to operate a system where those entitled can access an employee's mail and web traffic only with a valid reason, and only after informing the employee about the act. Of course, every such case should be thoroughly documented. Naturally, the "valid reasons" should be clearly defined as well, and the continuous monitoring should be performed by automatic content-filtering engines that collect only statistical data.
For example, if the content-filtering engine shows that someone visits 178 pornographic websites a day, then this employee can be dismissed if visiting such websites is against the company's policies. However, exactly which pages the employee has visited should be reviewed only if the employee disputes the claims and does not accept the statistics.
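The two-tier design sketched above (aggregate statistics collected automatically; per-URL detail opened only on a documented request, after the employee has been informed) can be made concrete in code. The following Python script is an added example and is not code from the original post or from any product; the proxy log format, the category labels, the per-day threshold and the user names are all constructed for illustration.

```python
"""Aggregate-only web-usage monitoring with audited access to detail records.

Added example (not from the original post). The log format is hypothetical:
    <ISO timestamp> <user> <category> <host>
where <category> is assumed to come from a content-filtering engine.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (hypothetical data).
SAMPLE_LOG = """\
2008-01-10T09:01:12 alice news bbc.co.uk
2008-01-10T09:05:40 alice adult adult-one.test
2008-01-10T09:06:10 alice adult adult-two.test
2008-01-10T09:07:02 bob news cnn.com
2008-01-10T09:09:15 alice adult adult-three.test
2008-01-10T09:11:55 carol adult adult-one.test
2008-01-10T09:12:30 bob adult adult-one.test
2008-01-10T09:15:00 carol adult adult-two.test
2008-01-10T09:20:20 alice adult adult-four.test
2008-01-10T09:25:45 carol adult adult-three.test
2008-01-10T09:30:00 bob news reuters.com
"""

# Hypothetical policy: more than this many hits per day in a category warrants a review.
POLICY_THRESHOLDS = {"adult": 3}


def parse_line(line):
    """Split one log line into (day, user, category, host)."""
    timestamp, user, category, host = line.split()
    day = timestamp.split("T")[0]
    return day, user, category, host


class MonitoringStore:
    """Keeps per-user daily counts in the open; keeps hosts in a sealed store."""

    def __init__(self, thresholds=POLICY_THRESHOLDS):
        self.thresholds = thresholds
        # (user, day) -> {category: count}; this is all routine monitoring sees.
        self.stats = defaultdict(lambda: defaultdict(int))
        # (user, day) -> [host, ...]; never read without open_details().
        self._details = defaultdict(list)
        # Every detail access is recorded here for later audit.
        self.access_log = []

    def ingest(self, line):
        day, user, category, host = parse_line(line)
        self.stats[(user, day)][category] += 1
        self._details[(user, day)].append(host)

    def daily_stats(self, user, day):
        """Statistical view only: counts per category, no URLs."""
        return dict(self.stats[(user, day)])

    def violations(self, day):
        """Users whose daily count in a policed category exceeds the threshold."""
        found = []
        for (user, d), categories in self.stats.items():
            if d != day:
                continue
            for category, limit in self.thresholds.items():
                if categories.get(category, 0) > limit:
                    found.append((user, category, categories[category]))
        return sorted(found)

    def open_details(self, user, day, requester, reason, employee_informed):
        """Release the host list only with a written reason and prior notice."""
        if not reason.strip() or not employee_informed:
            raise PermissionError(
                "detail access requires a documented reason and prior notice to the employee")
        self.access_log.append({
            "when": datetime.now().isoformat(timespec="seconds"),
            "requester": requester,
            "subject": user,
            "day": day,
            "reason": reason,
        })
        return list(self._details[(user, day)])


def load_sample():
    """Build a store from the constructed sample log."""
    store = MonitoringStore()
    for line in SAMPLE_LOG.splitlines():
        if line.strip():
            store.ingest(line)
    return store


if __name__ == "__main__":
    store = load_sample()
    print("flagged:", store.violations("2008-01-10"))
    print("carol's statistics:", store.daily_stats("carol", "2008-01-10"))
    # Detail access only after the employee disputes the statistics.
    hosts = store.open_details("alice", "2008-01-10", "hr",
                               "employee disputes the daily statistics", True)
    print("hosts released for review:", hosts)
    print("audit trail:", store.access_log)
```

Routine reports are produced from `stats` alone, so nobody sees which pages were visited while the counts stay under the policy threshold; `open_details()` is the single gate to the sealed host list and refuses to open without a written reason and confirmation that the employee has been informed, leaving an entry in `access_log` each time it is used.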
As a developer of IT security solutions, our company is often criticized because our products can be used to create total surveillance. My answer to this is always the same: unregulated chaos does nobody any good. It is better to permit something than to ignore it – even if many people fail to see the difference.