By Wendy M Grossman
How much latitude should employers have in monitoring employees? The European Court of Human Rights has ruled in the case of Bogdan Mihai Barbulescu, a Romanian engineer who was fired for using Yahoo! Messenger on his work computer to send messages to his fiancee even though his employer had officially banned sending personal messages while at work.
The result: the engineer remains sacked and the court held that it's not unreasonable for an employer to verify that employees are actually working. The key seems to be that the employer must be clear about what the policy is and how it will be enforced.
Concern that the arrival of computer systems would make it possible for employees to be monitored without their knowledge goes back to at least 1990, when the EU's 1992 Ergonomics Directive was being drafted. While the language in that directive seems quaint now, the intent to protect employees from omnipresent hidden surveillance is clear. Clear, and somewhat prescient, since the computing pioneers of the day tended to frame their inventions as personally empowering.
At present, with governments and large companies jockeying for the best position from which to observe us closely on and off the internet, the potential is more widely understood.
As a practical matter, the person who owns and runs a given computer system will always have the means to spy on what people do with it. Your employer's system administrators can read your email (even if they don't want to), as can your ISP's technical support people and anyone who can persuade them to give them copies (such as warrant-equipped law enforcement). This is why the ongoing fight, part of the consultation on the draft Investigatory Powers Bill, over encryption is so important. Encryption, well implemented, is the one thing that can protect the words you write from outside snoopers.
However, encryption would not have helped Barbulescu because the "metadata" would have given him away. This is the email header data, which includes the name and address of both sender and receiver, the time, and some details of the route the message took. Even if Barbulescu's employer could not have read the content, he could still have seen the number, length, and frequency of the private messages and inferred the same conclusion.
Let's leave aside the question of whether it's reasonable to expect people to close down their private lives entirely upon entering their workplace. Just as, practically speaking, the employer who owns the system will always be able to see what staff are doing if he wants to, so today in most workplaces employees can avoid that scrutiny by using their own smartphones to complete personal tasks if they wish to.
Things become vastly more complicated when those personal devices are also used for work in "bring-your-own-device" schemes. We're all accustomed to thinking of our phones as private but as soon as you start connecting them to your employer's network the situation changes. Before allowing you to connect to the work network, it's reasonable for your employer to specify what security software you must have installed and how you care for the phone.
Employees should be very careful in that situation to make sure they're not giving their employers rights they didn't intend to. Factors that will affect exactly where the boundary lies will include who actually bought and therefore owns the device; who has the right to decide what software may be installed on it; and what rights the employer has to back up and inspect the contents or monitor usage.
Twenty years ago, when the internet was becoming a commercial medium, early adopters all imagined it would be a force for democracy, like those early computers. Although then, as now, encryption was seen as a vital enabling technology, few of us imagined how centralised the internet would become and therefore how transparent to prying eyes. At present, many of us are trying to find ways to reverse that trend. The risk if we can't is that a relatively few large powers will be able to exercise the kind of control that Barbulescu's employer could. The right to personal autonomy surely matters even to those whose response to discussions of privacy is "I have nothing to hide".
Wendy M. Grossman is a freelance writer and member of the advisory council of the Open Rights Group. www.pelicancrossing.net