By Wendy M Grossman

How much latitude should employers have in monitoring employees? The European Court of Human Rights has ruled in the case of Bogdan Mihai Barbulescu, a Romanian engineer who was fired for using Yahoo! Messenger on his work computer to send messages to his fiancee even though his employer had officially banned sending personal messages while at work.

The result: the engineer remains sacked and the court held that it's not unreasonable for an employer to verify that employees are actually working. The key seems to be that the employer must be clear about what the policy is and how it will be enforced.

Concern that the arrival of computer systems would make it possible for employees to be monitored without their knowledge goes back to at least 1990, when the EU's 1992 Ergonomics Directive was being drafted. While the language in that directive seems quaint now, the intent to protect employees from omnipresent hidden surveillance is clear. Clear, and somewhat prescient, since the computing pioneers of the day tended to frame their inventions as personally empowering.

At present, with governments and large companies jockeying for the best position from which to observe us closely on and off the internet, the potential is more widely understood.

As a practical matter, the person who owns and runs a given computer system will always have the means to spy on what people do with it. Your employer's system administrators can read your email (even if they don't want to), as can your ISP's technical support people and anyone who can persuade them to give them copies (such as warrant-equipped law enforcement). This is why the ongoing fight, part of the consultation on the draft Investigatory Powers Bill, over encryption is so important. Encryption, well implemented, is the one thing that can protect the words you write from outside snoopers.

However, encryption would not have helped Barbulescu because the "metadata" would have given him away. This is the email header data, which includes the name and address of both sender and receiver, the time, and some details of the route the message took. Even if Barbulescu's employer could not have read the content, he could still have seen the number, length, and frequency of the private messages and drawn the same conclusion.

Let's leave aside the question of whether it's reasonable to expect people to close down their private lives entirely upon entering their workplace. Just as, practically speaking, the employer who owns the system will always be able to see what staff are doing if he wants to, so today in most workplaces employees can avoid that scrutiny by using their own smartphones to complete personal tasks if they wish to.

Things become vastly more complicated when those personal devices are also used for work in "bring-your-own-device" schemes. We're all accustomed to thinking of our phones as private, but as soon as you start connecting them to your employer's network the situation changes. Before allowing you to connect to the work network, it's reasonable for your employer to specify what security software you must have installed and how you care for the phone.

Employees should be very careful in that situation to make sure they're not giving their employers rights they didn't intend to. Factors that will affect exactly where the boundary lies will include who actually bought and therefore owns the device; who has the right to decide what software may be installed on it; and what rights the employer has to back up and inspect the contents or monitor usage.

Twenty years ago, when the internet was becoming a commercial medium, early adopters all imagined it would be a force for democracy, like those early computers. Although then, as now, encryption was seen as a vital enabling technology, few of us imagined how centralised the internet would become and therefore how transparent to prying eyes. At present, many of us are trying to find ways to reverse that trend. The risk if we can't is that relatively few large powers will be able to exercise the kind of control that Barbulescu's employer could. The right to personal autonomy surely matters even to those whose response to discussions of privacy is "I have nothing to hide".

Wendy M. Grossman is a freelance writer and member of the advisory council of the Open Rights Group.