Once you know where your company’s ‘red lines’ are, what measures do you take to keep someone from crossing one? Business Technology’s resident U.S. blogger Keil Hubert looks at a recent US court case and considers all of the things that had to have gone wrong for the alleged wrongdoing to have come to pass.
Some workplace problems can be sorted out with a quiet talking-to. When a sandwich goes missing from the break room refrigerator, you pull the offender aside and explain the company’s stance on theft. Most times, the offender will then slink back to his or her cubicle, too chagrined at having been caught to consider becoming a repeat offender. Those are the easy leadership ‘challenges’.
Other workplace problems are thorny and intractable; they can’t be worked through with just an hour’s earnest discussion – they require many exhausting rounds of metaphorical bludgeoning before everyone involved gets the message that a practice won’t be tolerated. Overstepping ethical boundaries through the misuse of a sensitive technology – especially for the purpose of exploiting a worker – is one of those frustrating, recurring problems that require repeated, disquieting discourse in the executive suite. Decisions must be made and responsibility must be taken to deal with the myriad ways that risky activities will be conducted and controlled.
Leaders tend to shy away from these complicated and sensitive topics because the discussions tend to grow quite uncomfortable. Questions get asked, like ‘why are we even doing this?’ and ‘what’s being done to curtail abuse?’ and ‘whose bloody stupid idea was it to green-light this terrible idea, anyway?’
I’ve been talking a lot about the criticality of employees understanding and abiding by their company’s deliberately stated ethical boundaries. This series has been focused on comprehending the activities that a company is and definitely is not willing to perform in order to protect itself. One critical aspect of this topic arises after a company has drawn its line in the proverbial sand, and has started approving controversial programs: how should the company then react to those rogue employees who knowingly and deliberately overstep the company’s ethical ‘red lines’?
Back on 11th May, Ars Technica’s David Kravets shared the peculiar story of Myrna Arias, a sales executive who is suing her former employer for wrongful termination. According to her lawsuit, Ms Arias’s company mobile was loaded with an application that tracked her physical movements 24/7… and her employer then allegedly used that app to track her movements while she was off the clock and minding her own affairs. The reporter quotes this excerpt from Ms Arias’s suit:
‘After researching the app and speaking with a trainer from [the application], Plaintiff and her co-workers asked whether [the company] would be monitoring their movements while off duty. [The plaintiff’s superior] admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone. Plaintiff expressed that she had no problem with the app’s GPS function during work hours, but she objected to the monitoring of her location during non-work hours and complained to [the superior] that this was an invasion of her privacy. She likened the app to a prisoner’s ankle bracelet and informed [the superior] that his actions were illegal. [The superior] replied that she should tolerate the illegal intrusion…’ [emphasis added]
Ah, no. No, she should not. No worker should be required to tolerate illegal activity carried out by his or her employer. So, if Ms Arias’s version of events is accurate, and her superior told her (as she asserted) that she ‘should tolerate the illegal intrusion’, then a civil liberties attorney is probably going to enthusiastically feast on her former employer in court. Bon appétit! That being said, we don’t yet have enough facts to consider this specific case in detail. So, for argument’s sake, let’s examine it as an abstract example.
This case offers us a strong example of what I meant by the crossing of a company’s ethical boundaries. If Ms Arias’s company made the considered, deliberate decision that employee tracking was an acceptable control measure for a threat that they faced, and then approved a program for carrying out that tracking, it’s highly doubtful that the executives would have been so liberal as to allow their line managers to use the employee tracking system for exploitative, abusive, and not-business-related purposes. It seems probable that this case involves a single rogue manager who used a tool for a purpose that it wasn’t intended for, and (thereby) violated the executives’ intent.
Could there be a legitimate business case for a company to continuously track its employees’ movements? Certainly; if an employee was working in a highly-dangerous area (say, a region renowned for criminal abductions), then monitoring an employee specifically to detect atypical travel might be an effective way to recognize when a violent crime is in progress. A monitoring tool might also help police to rescue the employee quickly, before they were harmed. In that (admittedly narrow) risk case, employee tracking might be a welcomed, protective, and thoroughly benevolent measure.
Similarly, high-value personnel might also benefit from 24/7 tracking. An executive or even a top engineer working for a defence business that builds stealth technologies, nuclear weapons, or space vehicles might be a prime target for abduction, extortion, or theft by organized crime or by operatives of a foreign intelligence service. Governments go to great lengths to track and protect top politicians with law enforcement and military assets; it would be reasonable for a private company to leverage its internal security services to protect their most vulnerable or valuable personnel in a similar fashion. Again, this would be a welcome perquisite of the job more than an imposition.
In the former scenario, tracking is implemented specifically to protect the employee; in the latter scenario, it’s intended to protect both the employee and the company. In both examples, though, the employee has a strong positive motivation to accept any inconvenience that might accompany the program. Like the presence of a hulking, armed bodyguard, the tracking program’s existence is designed to deter would-be aggressors. Note that it should be assumed that such monitoring would be carried out deliberately, thoughtfully, and meticulously by the company’s security team… and that it would be subject to very clear control measures meant to balance the privacy of the monitored employees against the company’s business needs.
Looking at the Arias case, there doesn’t seem to be any such justification for the monitoring that she says took place. Ms Arias was a salesperson, not a missile engineer… and she worked in Southern California, not Northern Mexico. There’s no readily apparent business justification to track her movements, either to protect her or to protect the company’s assets.
Further, I can’t imagine a logical business case for tracking where an employee goes or how fast she drives while she’s off duty. Such tracking might make sense for an employee who was operating a company vehicle… while they’re driving it. It might also make some sense to track an employee who is transporting highly dangerous, highly expensive, or highly controversial company materials in their possession… while they have said content in their possession. Those are condition-limited justifications.
Overall, there doesn’t seem to be a plausible business case for a company to meticulously track a simple salesperson, especially after her work day ends. I’m at a loss to see how a company executive would deem such a security measure ‘prudent and necessary’, given how incredibly invasive such tracking could be. It’s far too much risk to accept for too little protection.
For me, the outrageous part of the story is why the employee’s supervisor was allowed to directly track his employee’s movements during their off-hours. During work hours? Sure; I can make a reasonable business case for that. But after work is over? No. A manager’s function is to assign work, provide direction, give feedback, carry out administrative tasks, and otherwise be an escalation resource for the line-level employee, not to be an arbiter of moral virtue like a Puritan inquisitor. In the USA, nothing in a manager’s job description gives them in loco parentis authority over their employees’ private lives. They might disapprove of an employee’s extracurricular activities, but they can’t do jack about it if said activities don’t interfere with the employee’s job performance.
This is why this case intrigues me. If the company deemed such monitoring to be necessary (for whatever compelling business reason), then I’d expect that there would have to have been a deliberate abstraction between those personnel doing the tracking and the tracked employees’ managers. The monitoring team would have been tasked to watch their charges as faceless pawns rather than as specific individuals; a manager would only be informed about a meaningful deviation when it was deemed necessary to protect the employee or the company. All other information about the tracked employee – like who the employee might choose to associate with or where they go – would need to be strictly restricted to the tracking team’s eyes only.
I have a hard time believing that a reasonable executive would ever approve a surveillance plan that had the ability to delve so deeply into employees’ lives without also insisting that comprehensive control measures be implemented to thwart potential abuse. Further, all employees would have to have been made aware that any attempt to misuse the sensitive tracking data would be viewed by the executives as a career-ending offense.
I’d also expect there to be clearly defined policies on the company’s intended conduct, and also on the employee’s protections, before any tracking was allowed to take place. An impartial quality assurance or internal affairs group would need to be constantly observing all parties’ activities to identify attempted misconduct. All of those controls constitute a staggering amount of effort and resources; it would be fiscally foolish and operationally burdensome for any company smaller than, say, Lockheed Martin to even consider deploying such an employee-tracking program.
From the look of the Arias case, the company doesn’t appear to have come anywhere close to those conditions, and they don’t mention any required control measures. To be fair, though, we only have the plaintiff’s accusations – not an accurate analysis of her former employer’s internal security operations. It’s entirely possible that the plaintiff is a hallucinating loon, and that none of the things that she alleged in her complaint ever happened. I’m inclined to let the courts find the truth; I’ll reserve judgment on the accused corporation until all of the facts are in.
It’s implausible to think that there weren’t extensive security controls in place – and that any attempted misuse would be caught immediately. It shouldn’t be possible for a manager to misuse tracking data about his employees the way it was described in the court filing unless the company was staggeringly lax or bloody incompetent, or unless the control measures in place were somehow ineffective and one manager chose to circumvent them for nefarious purposes.
That’s why this case appears to be a textbook example of an arrogant manager deliberately misusing a security system to intimidate, harass, and/or abuse a subordinate. I submit that this scenario is not only plausible, but that it’s the most likely explanation for whatever happened. I say that, because that scenario conforms to the Obsidian Rule of Information Security: every technology employed in a company that can be abused inevitably will be abused. That’s not just one cynical security director’s opinion; it’s an incontrovertible aspect of human nature.
That in turn is why we security people pre-emptively deploy mitigating controls between abuse-able systems and the employees positioned to misuse them. This is why we insist on techniques like two-person accountability and tactics like conducting internal affairs investigations, and why we demand obedience to heavily regulated written procedures. We don’t do this because we’re angry old codgers with a grudge against the universe; we recognize that the majority of employees are decent and trustworthy people. Rather, we recognize that there are always going to be circumstances that arise and warp an otherwise-decent employee’s grasp on right and wrong. The most dependable of employees can come to rationalize why they’re ‘entitled’ to ignore an ethical boundary (usually ‘just the one time’).
These people are the reasons why we security people demand that our companies both create and enforce our sometimes-draconian control measures. It’s why we insist that no one person should be allowed to hold too much of any sort of power. It’s why we insist that everyone be held accountable for his or her actions. We recognize that everyone – ourselves included! – is a potentially-corruptible creature. Anyone can become the baddie du jour, given the right conditions. Therefore, it’s in everyone’s best interests – ours as well – that everyone be regulated by a clearly-defined system of checks and balances.
Looking at the Arias case as it’s presented, I can’t see how her company would have ever allowed such a program to go into production. As an InfoSec professional, I can’t countenance authorizing or operating an employee-tracking program unless it meets the five-fold test:
- Can leadership articulate a plausible and compelling business case for how employee tracking will reasonably mitigate a known critical vulnerability?
- Has company legal declared that the tracking program won’t – if operated as-designed – compromise any of the employees’ civil or legal rights, or otherwise expose the company to unnecessary litigation?
- Are abstraction measures in place to ensure that no single employee can identify both a tracked subject’s identity and their activities?
- Is the program operated such that an incorruptible oversight entity is always watching the program participants to catch suspected abusers?
- Are all affected employees (trackers and tracked alike) thoroughly educated on their rights and responsibilities, and have they all clearly opted in to the program?
Honestly, if all five of these conditions can’t be met, then a 24/7 employee-tracking program really shouldn’t be considered – let alone implemented. The incentive for someone to misuse his or her access to the program’s highly-sensitive information (say, for harassing a subordinate) is simply far too strong. Abuse is bound to occur. Worse, the public will inevitably find out about it, and that disclosure will tarnish the company’s reputation. The employees will find out about it too, and the company’s betrayal will completely undermine the employees’ trust in management.
I’d like to think that incidents like the one alleged in the Arias suit are rare, and only represent a statistically-insignificant number of businesses. Unfortunately, I’ve been in this industry far too long to believe that. Every technology employed in a company that can be abused inevitably will be abused. That’s one of the fundamental responsibilities of the InfoSec function: we don’t just protect our company from external threats – we also protect our company from itself.
To accomplish that second goal, we have to challenge controversial ideas and programs head-on. We have to force the uncomfortable discussions to happen. We also have to think three steps ahead of potential miscreants at all times. Finally, no matter how unpopular it might be, we have to deploy pre-emptive countermeasures in order to blunt the impact of future wrongdoing. We owe that to our co-workers as well as to our stakeholders.
And I’m not trying to imply that her version is the correct one; I’ve only read the court filing and accompanying article.
Which happens more often than you’d expect in international business.
Other professions have ‘golden rules’… In security, we tend to spend more time on the darker elements of the human condition. It’s an occupational hazard.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.