Ubiquitous Monitoring on the Horizon

In January I wrote "The Revolution Will Be Monitored." Today I read "Careful, the Boss Is Watching":

Recently, software vendor Ascentive LLC installed its new BeAware employee monitoring application on all the PCs at one of its new corporate clients. The corporation notified its employees that their Web surfing habits -- as well as their email, instant messaging, and application usage -- were now being monitored and recorded.

"Internet usage at the corporation dropped by 90 percent almost overnight," recalls Adam Schran, CEO of Ascentive. "As soon as employees knew they were being monitored, they changed their behavior."


Wow, what a bandwidth saver. Who needs to upgrade the T-3 when you actually take measures to enforce your stated security policy? The story continues:

While tools for tracking employee network usage have been available for years, emerging products such as BeAware take monitoring to a whole new level. The new BeAware 6.7 lets managers track workers' activity not only on the network or in the browser, but also in email, chatrooms, applications, and shared files. And at any unannounced moment, a manager can capture an employee's screen, read it, and even record it for posterity.

Such exhaustive monitoring may seem a bit draconian to the uninitiated, but analysts and vendors all say the use of such "Big Brother" software can make a drastic impact on productivity and security. In a recent study by AOL and Salary.com, 44.7 percent of workers cited personal Internet use as their top distraction at work. A Gallup poll conducted in 2005 indicated that the average employee spends more than 75 minutes a day using office computers for non-business purposes.

Once employees know their activities are being monitored, however, their personal computer use is quickly curtailed, Schran observes.


This reminds me of an event that happened when I was working the night shift at the AFCERT in 1999. We had witnessed a rash of attacks against vulnerable Microsoft FrontPage installations. Around 2 or 3 am I noticed someone altering the Web site of an Air Force base in Florida. Looking at the source IP, it looked like it might belong to someone who worked on base. I managed to tie a home telephone number to the IP and I called, asking if so-and-so was currently modifying the af.mil Web site. I remember a surprised lady answering the phone and asking, "So you can see what I'm doing right now?"

I have never been a fan of monitoring network traffic to reduce what .mil and .gov call "fraud, waste, and abuse." You won't read recommendations for using Network Security Monitoring to intercept questionable Web surfing, for example. However, this story is another data point for my prediction that we are moving to a workplace where everything is monitored, all the time.

If you try to implement this sort of activity, you better be sure to have an ironclad policy and support from your legal staff. I would call this level of invasion of privacy a wiretap.

Comments

Unknown said…
Of course, in an effort to improve productivity, some companies can really alienate and piss off their employees such that they leave or become more unhappy at work, which drags productivity back down.

I do like monitoring because I prefer to have data than not have it, but I certainly don't like to use it except in very extreme cases. But to scare employees who don't do much online anyway? That can be very damaging internally.

I think monitoring will continue towards the route of monitoring everything it can, but I really think it needs to be only used when absolutely necessary, otherwise it shouldn't be abused or used by managers to leverage against their "average" employees.

To put it bluntly, as a technology worker, I would be more happy in an environment that treated me like a professional adult 8 hours of my life every day as opposed to an immature child assumed to be guilty where I can breathe outside the accepted norm without fear of being regulated or watched. It's not that I'm doing bad things at work with my computer and access...I just don't like it.

So, while I do like monitoring, I also really dislike it because it can so easily be misused. People just want to live and do their things...and I'd leave a draconian organization to join a less draconian one any year, if given the opportunity.
Anonymous said…
If I had tools like this a few years back, I maybe could have done something about a user who used his work PC to send out photos of himself engaging in child prostitution services abroad.

Legal & Compliance told me that email server logs were not enough to get him fired, there had to be evidence of him actually sending the photos. Couldn't go to the cops since the activity occurred outside his country of residence and so his activity was not technically criminal.

I sure do wish I could treat everyone as a responsible adult, but I've seen far too much evidence to the contrary so I'm all in favor of strong appropriate usage policies and the tools to enforce them and detect violations.
Anonymous said…
Lovervamp,

Those that protest the most usually have the most to hide. Employees that don't break the rules shouldn't have anything to worry about, should they?

Any environment that had staff that acted as professional adults 8 hours a day as opposed to immature children wouldn't need monitoring, would it?

The story says it all, "internet usage dropped almost 90% overnight". I wonder how much of that usage drop was legitimate?

People should realize that they are paid to perform work and all they should expect at work are the tools and information to do it. Personal stuff should be done at home.

I think that a separate recreational network could be set up for personal stuff at breaks and so on, but time spent on them should be monitored, of course.
Anonymous said…
Mr. Lewis,

Excuse me? There's so much in your comment that makes me cringe and fear for the future, but I'm going to settle for a single remark for now:

"Those that protest the most usually have the most to hide."

Please point me to research supporting your claim.
Unknown said…
If I want to lounge in a park and have two choices available, one of which is openly monitored (as per signs disclosing such activity posted around the park) and another park that is not monitored, I wonder which one people will feel more relaxed in, and thus enjoy more (as is part of the purpose of a park)?

Is it because they have something to hide? Sometimes, sure, but for me, certainly not.
