More on privacy, the workplace & social network software

Unless you have been living under a rock you will have heard of Facebook and MySpace, and their professional cousin LinkedIn; you might even remember their predecessor Friendster. These sites are social network software/services (SNS) where you connect with other people and share information.

Today I read a great article by Cory Doctorow in Information Week about how the growth of Facebook within the workplace will eventually kill Facebook. Why?

It’s socially awkward to refuse to add someone to your friends list — but removing someone from your friend-list is practically a declaration of war. The least-awkward way to get back to a friends list with nothing but friends on it is to reboot: create a new identity on a new system and send out some invites (of course, chances are at least one of those invites will go to someone who’ll groan and wonder why we’re dumb enough to think that we’re pals).

Basically, we will all run from these services as our workplaces join in, so that examples like this one do not happen:

Here’s one of boyd’s examples, a true story: a young woman, an elementary school teacher, joins Friendster after some of her Burning Man buddies send her an invite. All is well until her students sign up and notice that all the friends in her profile are sunburnt, drug-addled techno-pagans whose own profiles are adorned with digital photos of their painted genitals flapping over the Playa. The teacher inveigles her friends to clean up their profiles, and all is well again until her boss, the school principal, signs up to the service and demands to be added to her friends list. The fact that she doesn’t like her boss doesn’t really matter: in the social world of Friendster and its progeny, it’s perfectly valid to demand to be “friended” in an explicit fashion that most of us left behind in the fourth grade. Now that her boss is on her friends list, our teacher-friend’s buddies naturally assume that she is one of the tribe and begin to send her lascivious Friendster-grams, inviting her to all sorts of dirty funtimes.

In the article Cory links to several really good pieces, such as a Times article on how Facebook is using all of the data it collects about us for targeted advertising. One part in particular scared me a bit:

He suggested that internet-users could no longer expect to remain anonymous online, but could control only the amount of information about them that is available on the web.

Cory also references a Danah Boyd article (her stuff is truly amazing; if you have not read any of it, do so) on Facebook and privacy. Her conclusion has some great advice:

Yes, people reveal personal stuff to a website. They know that they revealed that information but they still have an assumption about how it is to be presented and the ways that make them comfortable and the things that make them go ick. This is really about context, context, context. As i’ve said before, there’s no way that people can comfortably negotiate all contexts at all time. They could retreat and go into hyper private mode but what kind of life is that? People choose to make risks based on what they assume the architectural affordances and norms of a space to be. I think that asking people to retreat into paranoia is completely unreasonable. Instead, i think we need to find ways of providing reasonable levels of protection and comfort, recognizing that there are always risks when you are still breathing.

Danah also lists her reasons why she feels people “friend” each other on SNS:

1. Because they are actual friends
2. To be nice to people that you barely know (like the folks in your class)
3. To keep face with people that they know but don’t care for
4. As a way of acknowledging someone you think is interesting
5. To look cool because that link has status
6. (MySpace) To keep up with someone’s blog posts, bulletins or other such bits
7. (MySpace) To circumnavigate the “private” problem that you were forced to use cuz of your parents
8. As a substitute for bookmarking or favoriting
9. Cuz it’s easier to say yes than no if you’re not sure

Some final thoughts.

First, I really hope Facebook and the other services don’t “misplace” all of our data like the recent little event in the UK.

Lastly, I can see a whole HR mess brewing the first time an SNS disagreement between workers has to be resolved!

Privacy of personal data

I haven’t written about data privacy in a while, but I could not help it. The “little” issue in the UK over the last couple of days has brought the topic back up. The UK taxman (HMRC) has “misplaced” two CDs full of the personal and banking details of about 25 million people. To make matters worse, the data covers almost every child in the country.

Names, addresses, dates of birth, employment and bank details all went missing when two CDs containing the information were mislaid.

Alistair Darling told the House of Commons that the discs containing the highly sensitive information failed to arrive after they were sent in the ordinary internal mail between government departments.

But wait, there is more!

The Chancellor admitted that HMRC had made the same mistake on several occasions in the past six months.

Given that most HR/Payroll systems hold the same sort of data, it might be a good time to check a few things:

  • Who stores the backup tapes?
  • Are the contents of the backup tapes encrypted, and who holds the keys (encryption is worthless if the key travels with the tape)?
  • How are the backup tapes transported between your site and where they are stored, and is there a chain of custody (signed for, tracked, reconciled on arrival)?
  • How secure is storage at both of these locations?
  • Who in the IT department has access to the HR/Payroll system, and do they really need to?

The last thing you want is for all of your employee data to fall into the wrong hands.

Is privacy a C level concern?

Privacy of your employee and customer data should be one of the top priorities of any board. However, C-level execs are sometimes more interested in what is right in front of them, like this quarter’s sales or the new product introduction.

To get them to pay attention you sometimes need to be a bit smart about getting the issue on the table. James Governor points to a post by Michelle Dennedy in which she lists 10 tips from Scott McNealy. As Michelle says, I don’t “recommend anyone tries these at home, but they are pretty funny to imagine”, as would be the next C-level meeting afterwards.

Top 10 Ways to Make Privacy a CEO-Level Concern

10. Show him his daughter’s MySpace page
9. Tell him the external auditors lost his personal data (on a laptop)
8. Install a hum generator in his handset
7. Pre-text his phone list – okay maybe not such a great idea
6. Update his Wikipedia posting
5. Publish his recent Netflix orders (assuming your CEO would be embarrassed)
4. Tell him you lost the corporate archives
3. Re-route his security camera to YouTube
2. Remove sticky notes, with his passwords, from his computer screen
1. Spend $1,000 to do a security check on him

Social Engineering

I found, via Techmemeorandum, a very disturbing article about using social engineering to compromise an organisation’s security defences; the troubling part of this example was how easily the defences were breached. As the quote below shows, 15 of the 20 planted drives (a 75% success rate) were plugged in, and the data harvested from them gave the testers a foothold on further systems in the target organisation.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

The troubling part in this example is that USB thumb drives are very popular in organisations as productivity devices, so a planted drive does not look out of place and a curious employee has every reason to plug it in.

The keys to your data

It has been a while since I tapped out a post on security and privacy, but today I read several posts that got me inspired again.

Bruce Schneier (thanks to Kim Cameron for the pointer) picked up on the two sets of stolen keys for the Sydney train system that gave the thieves access to every train on the City Rail network. Now the inspiring portion. I read the story and thought how funny; Bruce saw a completely different angle: global secrets. After reading Bruce’s item on global secrets I can see the correlation back to the HR/Payroll space (personally I find it cool how ideas build on each other, but that could just be me).

For the non-technical readers, a global secret is a single secret that, once known, gives access to everything: you either have it or you don’t. It is security talk for being either “in” or “out”. For obvious reasons they are bad (one leak compromises everything, nobody’s actions can be attributed to an individual, and the secret cannot be rotated without re-issuing it to everyone who holds it), but you would be surprised how often they are used. For example, think how many people use the same password everywhere; that is your own personal global secret, and once that password is compromised everything is compromised.

Within the HR/Payroll space this gets interesting. I don’t want to scare anyone, but you need to be aware of the security landscape of your core HR/Payroll system. Is there a global secret for your core system? Do you use your own personal global secret (the password you use everywhere) to access it? Taking this further, what about your IT department: do they operate with a shared global secret for the database or the application, such as a single administrative account whose password everyone on the team knows? Maybe you should ask.
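A way to make that question concrete, and to answer the earlier backup checklist item about who in IT has access to the HR/Payroll system, is to audit a credential inventory for global secrets. The script below is an added example written for this page, not code from Bruce Schneier, Kim Cameron or any HR vendor. The system names, account names, credential IDs and holders in it are constructed; in a real audit the credential ID would be a fingerprint of the secret (for instance a keyed hash), never the secret itself.

```python
"""Global-secret audit for an HR/Payroll estate (added example).

Two things this looks for:
  * a secret known to more than one person (a shared admin or 'sa' password),
    whose compromise takes down every system it unlocks and whose use can
    never be attributed to an individual;
  * one person's secret reused across systems (the 'same password everywhere'
    case), the personal global secret described in the post.
All inventory data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str          # constructed system name
    name: str            # account on that system
    credential_id: str   # fingerprint of the secret, NEVER the secret itself
    holders: frozenset   # people who know that secret


# Constructed inventory. 'cred-777' is a shared admin/sa/service password
# known to three people across three systems; 'cred-001' is jsmith's
# personal password reused between payroll and email.
INVENTORY = [
    Account("payroll-app", "jsmith", "cred-001", frozenset({"jsmith"})),
    Account("email", "jsmith", "cred-001", frozenset({"jsmith"})),
    Account("payroll-app", "admin", "cred-777", frozenset({"itops1", "itops2", "dba1"})),
    Account("payroll-db", "sa", "cred-777", frozenset({"itops1", "itops2", "dba1"})),
    Account("hris-web", "svc_payroll", "cred-777", frozenset({"itops1", "itops2", "dba1"})),
    Account("payroll-db", "dba1", "cred-042", frozenset({"dba1"})),
]


def group_by_credential(inventory):
    """Map each credential fingerprint to the accounts it unlocks."""
    groups = defaultdict(list)
    for acct in inventory:
        groups[acct.credential_id].append(acct)
    return groups


def blast_radius(inventory, credential_id):
    """Sorted list of systems that fall if this one secret is compromised."""
    return sorted({a.system for a in inventory if a.credential_id == credential_id})


def find_global_secrets(inventory):
    """Secrets known to more than one person.

    Returns (credential_id, sorted holders, sorted systems) tuples.
    """
    findings = []
    for cred, accts in group_by_credential(inventory).items():
        holders = frozenset().union(*(a.holders for a in accts))
        if len(holders) > 1:
            findings.append((cred, sorted(holders), blast_radius(inventory, cred)))
    return findings


def find_personal_reuse(inventory):
    """One person's secret used on more than one system.

    Returns (credential_id, person, sorted systems) tuples.
    """
    findings = []
    for cred, accts in group_by_credential(inventory).items():
        holders = frozenset().union(*(a.holders for a in accts))
        systems = {a.system for a in accts}
        if len(holders) == 1 and len(systems) > 1:
            findings.append((cred, next(iter(holders)), sorted(systems)))
    return findings


def report(inventory):
    """Human-readable findings, one line each."""
    lines = []
    for cred, holders, systems in find_global_secrets(inventory):
        lines.append(f"GLOBAL SECRET {cred}: known to {len(holders)} people "
                     f"({', '.join(holders)}); compromises {', '.join(systems)}")
    for cred, person, systems in find_personal_reuse(inventory):
        lines.append(f"REUSED SECRET {cred}: {person} uses it on {', '.join(systems)}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

Run against the constructed inventory it reports one shared secret (the admin/sa/service password known to three people, unlocking the payroll application, the payroll database and the HRIS web front end) and one personal reuse (jsmith’s password shared between payroll and email). The fix for the first finding is individual named administrative accounts so that actions are attributable and one departure does not force a re-key of every system; the fix for the second is the same advice the post gives: a different password per system.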

Another item that got me pumped was Kim Cameron’s experience of being tracked via his Bluetooth phone! During a recent conference, a series of scanning devices was installed in the presentation rooms as an experiment to track participants. While Kim seemed a little miffed, he understood where the organisers were coming from, and he was in fact used as an example during one of the last sessions, where a presentation slide mapped his movements during the conference, including when he ducked out to take a phone call.

Now that is scary! But it is apparently easy to do; the average IT geek could probably hack together such a system in your office without you knowing, since a phone left in discoverable mode announces a fixed hardware address that any nearby receiver can log and correlate. Where does that leave the company, and you, from a privacy point of view, and what sort of industrial issues could it create if not properly managed?

Privacy and the government

There seems to be a growing concern within Australia around privacy and technology. Yesterday Australian IT had a couple of articles quoting Gartner research fellow Richard Hunter and Special Minister of State Eric Abetz, both calling for greater oversight and review of the storage and usage of personal data.

In the first article Richard Hunter cites the ChoicePoint breach earlier in the year as one example in a growing list of privacy invasions taking place all over the globe. Richard claims that “… privacy is about your ability to control how you are perceived by people who make decisions about you, based on information they hold” and that until our laws catch up with technological advances we are going to have a very uncomfortable time.

The second article discusses Eric Abetz’s call for a review of our current privacy laws, some of which date from 1988, to ensure they still provide coverage now that new technology allows new kinds of interaction with government departments. Eric is calling for the review on the back of additional data-matching programs currently being rolled out by the government.

Both of these articles, along with the others that have come before, have a profound impact on HR professionals and the associated technology providers. The EU has had data privacy legislation for many years now, whereas Australia only extended its privacy legislation to the private sector in the last couple of years.

Complete HRIS or ERP packages allow very sophisticated data matching and mining, and these tools are being used to make decisions about people within an organisation. For example, identifying employees who might be at risk of leaving and then building retention strategies around those employees’ specific attributes falls squarely into the category Richard describes: making decisions based on the information you hold on that person. Is this an invasion of privacy? Any data that is stored needs to be properly protected; an internal security breach is bad enough, let alone an external one. This brings into question the security of the different ASP HRMS vendors in the marketplace today. Given that many of the largest technology providers have been hit by hackers, are the vendors who store your employee data secure, and did you even ask before you signed the contract? Or what about when your backup tapes go missing, as recently happened to Citigroup: who is liable, you or the courier?

All of these examples have an impact on people’s privacy. However, caution is needed not to “throw the baby out with the bath water” and overreact; we just need to take the time to work through the different scenarios to ensure that our employees’ privacy is protected.

Corporate surveillance

I have blogged about this before; now it seems that mainstream news organisations are picking up on the trend. Why is this important? Because two things will now happen: firstly, some oversight will take place to ensure that the privacy and security of these services is satisfactory, and secondly, there will be more growth in the industry and vendors like RefSure will expand.

That is, of course, as long as the balance between data and privacy is kept right. On an issue like this, the first time a background-checking vendor drops the ball I can see the whole industry being shut down.

(Thanks to Trevor Cook for the pointer.)

Workplace Surveillance

Last week ComputerWorld published an interesting article on the new Workplace Surveillance Bill, with some fairly major concerns being raised by the Australian Privacy Federation. One quote that stuck out in my mind was:

“A major concern, from a privacy point of view, is as long as employers meet visibility requirements it is open slather – as long as the surveillance is overt, not covert, there is no requirement to justify the surveillance as reasonable or necessary. There is no requirement for the storage or from preventing the boss from misusing material gained from overt surveillance, as well as no right of access for workers to see the material. …

I will be keeping a watch on the progress.

Can I have some private time?

Following up on my posts from last week around workplace privacy, I was reading a similar post from Michael Fitzgibbon (Thoughts from a Management Lawyer) on the whole issue of workplace privacy in the US.

Of interest were the statistics, which, while US-centric, I have a feeling would transpose fairly well to any industrialised nation.

Employees need to realise that what they do does have an impact on their employer, and as such the employer might have a legitimate interest in these activities. On the flip side, employers also need to realise that employees have a right to privacy.

Personally I do not see any need for humans reading emails; there are enough tools out there to track what is going through the ether and stop viruses and inappropriate attachments (there is even a patent registered on the automated detection of pornographic images). Systems can also track where emails are going and the amount of network traffic being generated by a specific user on the network. What these tools cannot reliably track or stop is the dissemination of proprietary information, and they never will: a determined insider can always find a channel the filter does not cover. Both sides of the fence need to come to an understanding, through education, as to what can and can’t be done.

A question: does your organisation run specific information/training courses on acceptable use of the internet in the workplace? Probably not; however, maybe it should. In the same way that employees have to go through health and safety or sexual harassment training, maybe the same needs to be done for the internet.

Privacy in the workplace

A day after NSW banned employers from covertly monitoring emails, Victoria and South Australia are looking to do the same thing. Over the last 9 months I have written about these moves here, here, here and here.

This is a really interesting topic that has significant potential to cause all sorts of ER/IR issues within the workplace. If you do business in Australia, make sure you are aware of these changes and how they impact your business.

Interestingly, this also has an impact on the whole time-tracking thing I just posted about.