A Pennsylvania school district is under fire, and facing a potential class-action lawsuit related to allegations that it spied on students in their homes using school-issued laptops. Organizations have a right, and sometimes even an obligation, to monitor activity on their computers or network, but the ethics involved are often hazy.
The Lower Merion School District may have felt it had a right to monitor activity on the Macbooks because the notebooks were issued by the school. If the allegations in the case against the district are valid, though, it would seem that the school district unilaterally overstepped its bounds as educators into parenting, and also crossed some legal boundaries by monitoring without notice or consent.
Doug Taylor, director of educational marketing for Spectorsoft, a leading vendor of PC and Internet monitoring software, explains “Today, many schools are adopting 1:1 laptop programs where students are assigned a laptop which is owned by the school, but that they are allowed to bring home for schoolwork. Monitoring the PC and Internet activities of these machines is vital to make sure students are not using them in an inappropriate manner such as downloading potential malware, or illegal copyrighted material such as songs, or cyber-bulling others.”
“Both filtering and monitoring are required by CIPA (Childhood Internet Protection Act) in order to protect students while on campus or away from the school network and district filtering servers. Monitoring and filtering of Internet activities is also a typical part of a school’s written and signed Acceptable Use Policy” continued Taylor.
Is it right for an employer, or parent to monitor a PC? That is an ethical issue that is subject to individual interpretation. Some would call it a responsibility. Others would call it an invasion of privacy.
For IT administrators, the first question to consider is “do you know what your employees are doing online?” The second question is “do you have a right or obligation to know what your employees are doing online?”
For business networks, monitoring of PC and network activity is a practical means to increase employee productivity, protect the company from legal liability for inappropriate or malicious activities, and provide an efficient and cost-effective system for complying with various regulatory requirements. Monitoring can also automate proactive efforts to protect employees from various forms of harassment or unfair treatment in the workplace.
The challenge for IT administrators is to implement a monitoring program that protects the company, achieves compliance, and guards against harassment of employees, while being respectful of the individual privacy rights of the employees who are being monitored.
The first step in establishing this respect is to have a written Acceptable Use Policy (AUP) that employees must read and sign, agreeing to abide by its contents. That AUP will define specifically what users are allowed or not allowed to do using company-owned PCs and Internet resources. The AUP should also specify what the consequences of non-compliance are, or how violations will be handled, and it should stipulate that the company retains the right to monitor any and all communications and network activity.
Without first providing some guidelines for acceptable behavior, and notifying users that monitoring may be used to observe activity and enforce the established policies, any attempts to monitor computer usage could be considered a breach of privacy.
In many cases there is no specific legislation addressing the monitoring of communications and network activity on a company network. Employees have attempted to use the Fourth Amendment of the United States Constitution to argue against monitoring–claiming the monitoring to be a violation of privacy that amounts to illegal search and seizure without cause. However, the courts have generally sided with employers, stating that the employer owns the equipment and resources being used and they have a right to monitor both for employee productivity and to guard against theft and fraud.
That long-standing support from the legal system is being challenged, though, in the Supreme Court of the United States. The fact that officers in the Ontario, CA police department were explicitly given permission to use department-issued equipment for personal communications may be argued to include an implied right of privacy. A decision in favor of the police officers by the Supreme Court could have repercussions for compliance efforts and employee monitoring throughout the country.
Spectorsoft recognizes the potential legal and ethical concerns. Taylor notes “SpectorSoft products cannot turn on or specifically record a webcam, nor do they record audio or audio chat such as VoIP. Recording such communications may violate both federal and state laws and statutes.”
IT administrators are faced with the challenge of finding the right balance. Organizations have to maintain employee productivity, protect against legal liability, and meet compliance requirements, but conduct monitoring activities in an ethical way that doesn’t cross the line from monitoring to spying.