Ethics of surveillance
There are two main schools of thought in this area. One side takes what might be characterised as the "Big Brother is watching" stance: the assumption is that people will behave "properly" if they know they are being monitored.
Doug Fowler, president of Spectorsoft, suggested "Internet filters don't solve the problem. They fail to filter out all the bad stuff, and they prevent users from doing completely legitimate tasks by producing far too many false positives."
"Spector [Spectorsoft's monitoring software] doesn't try to stop the user from doing anything. Instead, it records their actions. That places the issue of responsibility directly on the user.
When a child or employee knows their actions may be recorded and viewed at a later point in time, they will be much more likely to avoid inappropriate activity," he adds.
Smith takes a rationalist perspective. "The employer owns the bandwidth and infrastructure--why would they not be able to monitor its usage as long as employees are made aware that they could be monitored?"
Andrys says the Internet use of everyone at WebSpy--including himself--is subject to monitoring, and reports are circulated to senior management.
However, he suggests that live monitoring is more appropriate where you have established that someone is doing the wrong thing, especially in shared environments such as libraries and classrooms. It is not appropriate for ongoing use in a large organisation, he says.
"You need to look at the company and its policies first, and only then consider how employee behaviour fits in with those policies," says Andrys. This process can reveal an absence of policies dealing with particular behaviours.
"It is good business practice to monitor Web access but it must be overtly done and in conjunction with an appropriate Internet use policy. This way everyone understands what is expected of them," he says.
"People may be undecided whether e-mail and web monitoring is OK, but almost 75 percent think monitoring with Web filtering software is acceptable if they know about it beforehand," says Charles Heunemann, managing director of SurfControl Australia, citing a survey conducted by the University of Western Sydney.
Surprisingly, only 52 percent of respondents were unhappy with the idea of e-mails being monitored at work without warning, but it could be dangerous to assume this level of tacit support applied in every workplace.
Many of the people Technology & Business spoke to promoted staff involvement in policy setting. "Employers who do the right thing and involve employees in deciding what is and what isn't acceptable and responsible, and then filter inappropriate material, will have happier workers," says Heunemann.
Barnard recommends organisations step away from any discussion of free speech and the like, and focus instead on resource management. "We will provide you with a tool to manage your Internet use the way you want to manage it," he says.
"We're not about Big Brother tools . . . you've given this facility to your employees [and] in collaboration with your staff you should work out an acceptable Internet policy, and then manage it."
For example, you might permit the use of Internet banking and shopping sites during the lunch break, but forbid downloading MP3 files or watching streaming video at any time of day because of the cost of bandwidth.
He suggests users, managers with budget responsibilities, and human relations specialists should all be involved in the policy-setting process.
Baltimore talks about the "Three Es" of policy management:
- Establishing a policy
- Educating employees about the policy, and
- Enforcing the policy.
By following the Three Es and setting up an effective policy, companies have the potential of saving enormous amounts of money," says Chuawiwat.
A model acceptable use policy developed by Electronic Frontiers Australia can be found online. It is important to note that this document "does not necessarily signify EFA's views about what ought to be 'acceptable use' in workplaces; it simply addresses a range of aspects that should be considered in developing an AUP suitable for a particular workplace."
Jones points out that the PacketShaper can generate an alarm when it detects a policy breach, but it makes more sense to simply control the situation (eg, denying access to an inappropriate Web site): "things just happen, no one need be alerted, it's all under control."
He suggests alerts are appropriate when an event falls outside existing policies so that a new policy can be developed, but some organisations find such situations too confrontational and just buy more bandwidth instead.
Another approach is to limit Web access to those sites on a whitelist enforced by a Web filter or other system component. This can be a viable method where the organisation's Internet access policy disallows private use, but only where it is easy to identify a small number of relevant sites such as those operated by customers and suppliers, industry bodies and government departments.
It is unlikely to be satisfactory if employees have wide-ranging research needs, though this can be overcome by using a combination of whitelists and other filtering or monitoring techniques according to job function.
i think that the cyberbludging special was helpful