Logging and monitoring can be a form of bullying, and make for lousy infosec

Many information security practices use surveillance of users' activities. Logging, monitoring, observability – call it what you will, we have built a digital panopticon for our colleagues at work, and it's time to rethink this approach. The flaws of surveillance-based infosec are already appreciated. The European Court of …

  1. Marty McFly Silver badge
    Holmes

    Sorted!

    Staff are still able to do their job, but without getting access to information they don't need. "We've made it easy for our staff to not get hold of this data, and then they can't accidentally or deliberately leak it,"

    So we will be applying the 'Principle of Least Privilege' then. Got it.

    1. Stuart Castle Silver badge

      Re: Sorted!

      Re : "So we will be applying the 'Principle of Least Privilege' then. Got it."

      A good principle in security.

      When I was a newbie, amongst some of my friends, it was the done thing to brag about how many systems you administer, or how powerful they are. I suppose it was a bit like a geekier version of boasting about how powerful your car is.

      Even before I was aware it was a good principle to have security wise, as long as I had (or could request) the rights to administer the systems I could demonstrate I needed to administer, I was happy. For me, it was an arse covering exercise. If a system I had little or no access to was hacked, there was a lower chance I could be blamed.

      I also thought it good practice for the company. If my account was compromised, the damage the hacker could do was limited.

  2. Anonymous Coward
    Anonymous Coward

    "We need to treat our colleagues as colleagues, not subjects or prisoners," says Lily Ryan. "Human dignity needs to factor more into our decisions."

    No. Just no. Most of the userbase here are mouth-breathers who, in days of old, used their CDROM trays to hold their coffee cups. Maybe Ms Ryan works around high-minded, intelligent users, but the users here need a lot more guidance and protection than that.

    As to "excessive monitoring", the neat trick is that you don't HAVE to monitor excessively, but you do have to occasionally fuel the mythos that you ARE monitoring excessively. Don't squash those rumors of "I know you can see everything I do", just kind of grunt and nod your head slightly but non-committally.

    As to "bullying" - please. We've got Russians killing innocent people in real life, and these folks are trying to equate keeping our systems (and, by extension, our users) safe with "bullying". Give me a break. What a load of tosh. We're all in IT, most of us were ACTUALLY bullied as kids because we were nerds and bookworms.

    1. My-Handle

      "As to "bullying" - please."

      There exists more than one form of bullying.

      I, personally, was bullied at school for being a socially inept nerd. I have also been bullied at work. The situations look very different, and both can have a very real effect on one's health.

    2. iron

      Proving the premise of the article in the second comment, well done!

      1. Anonymous Coward
        Anonymous Coward

        Thank you. It took about 3 years before I realized we in IT had such an ability, even though we had no such capability. Thank you, Hollywood, for instilling the fear in their little hearts with all your super hi-tech movies like Sneakers and The Matrix. Far be it from me to crush that fantasy world for my users...

    3. John Brown (no body) Silver badge

      "We're all in IT, most of us were ACTUALLY bullied as kids because we were nerds and bookworms."

      That sounds rather like a bully justifying their actions to me.

      1. Anonymous Coward
        Anonymous Coward

        Hardly. Just an observation that real physical and mental bullying is not the same as your activities being tracked as part of your job. If the job exists in that type of environment, go get a job somewhere else, don't sit around bellyaching "Oh, they're bullying me by watching me" and expect the rest of us to give a shit that a full grown adult can't manage their life better than that.

        1. John 104

          @AC

          "Hardly. Just an observation that real physical and mental bullying is not the same as your activities being tracked as part of your job. If the job exists in that type of environment, go get a job somewhere else, don't sit around bellyaching "Oh, they're bullying me by watching me" and expect the rest of us to give a shit that a full grown adult can't manage their life better than that."

          Right you are. This article/study/whatever, is a bunch of horse shit and the people who think this way are obviously not functional adults. At the end of the day, you are at your job to do your job. If your employer wants to monitor what goes on on THEIR equipment, that is their prerogative. If you don't like it, then quit and get a job someplace else.

          This is right up there with idiotic statements like "words are violence." No, words are words. They may hurt your feelings, but they aren't violent and the bottom line is that anyone who believes that nonsense is immature and needs a solid dose of reality.

          1. veti Silver badge

            Horse, to use your own words, shit.

            A quick Google for "right to privacy at work" shows that even in the USA, employers don't simply have carte blanche to spy on their employees however and wherever they like, no matter whose equipment they're using. And in most other developed countries, there are significantly stronger protections.

            If you don't like it, then quit and go to work someplace with less focus on individual "rights".

            1. Marty McFly Silver badge
              Coffee/keyboard

              "A quick Google for "right to privacy....."

              Oh, the irony of that statement!

          2. My-Handle

            "the bottom line is that anyone who believes that nonsense is immature and needs a solid dose of reality."

            This is a really dangerous viewpoint. Words can be more harmful than physical violence. I personally know of a few cases of people who have been driven to suicide as a result of nothing but words. Even in less extreme examples, bad managers can use words to hold the threat of firing over your head (justified or not), which can cause a huge level of stress and the associated negative health consequences. Statements like "go get a job somewhere else" belie exactly how difficult it can be for some people to change jobs. Unless you are extremely lucky, changing jobs can be a very difficult (sometimes impossible) process.

            There's a solid dose of reality for you.

            1. John 104

              @My-Handle

              I'm not denying any of the realities of bad management and stresses that words can cause people. However, these actions are still not violence, even though they can lead to unfortunate consequences and may be the CAUSE of violence.

              From Websters:

              violence

              Behavior or treatment in which physical force is exerted for the purpose of causing damage or injury.

              Explain to me how 'words' meet this definition? No amount of swearing, or tirades will ever equate to a physical damage. Ever. (I suppose high decibel loudspeakers could damage but that's not what we are talking about here...)

              Refusal to accept the most basic definition of a word or twisting its meaning to suit your (proverbial your) feelings is part of the problem. It is ignorant at best, disingenuous on the average and intended to elicit an emotional response to further some talking point or agenda. And I still maintain that it is an immature approach to dealing with whatever problem a person might be facing. The world doesn't care about your feelings. Sorry, leave that to your spouse, friends, and family. It may sound harsh, but the world is a harsh place. The sooner people move past silliness such as the above, the better for their long term well being.

              1. John Brown (no body) Silver badge

                I think you are missing the flip-side of physical bullying. The mental after effects of it. The fear it may happen again. That's the aim of physical bullying. It puts you in a state of mental fear, even if the bully doesn't realise that. That physical bullying is an "incident" and it's over, even if the mental after effects aren't. Constant low level bullying, 8 hours a day, 5 days a week, due to constant monitoring and distrust, threats of being fired from superiors etc has a similar or even worse effect by instilling fear in the victim. Fear and power is the aim of the bully. Violence is only one tool in their arsenal.

          3. bombastic bob Silver badge
            Stop

            Your reaction to the article itself suggests to me that you did not understand the perspective from which it was written. So I shall explain: It is human nature to react to fear by trying to control things. This becomes problematic when it turns into an authoritarian surveillance environment. The fear comes from lack of trust, and those subjected to the surveillance instinctively realize they're not trusted. This causes OTHER unintended consequences, because of human nature.

            In short, nobody with a sane mind wants to live in a communist or fascist country with a KGB-like secret police constantly monitoring you, unless they're in positions of power (in which case they have OTHER issues that are somewhat psychotic in my bombastic opinion). Similarly nobody would want to WORK in such an environment either.

            A good working environment requires a high level of trust and low stress. Good employees are usually the direct result. It's amazing how high expectations (in both directions) makes everyone work better, on average of course (there are always exceptions, though I expect them to be few and far between).

            1. John 104

              @Bombastic

              I agree, a good working environment does require a high level of trust and low stress. But you are still there to work. And if you are in an environment that doesn't suit your personality due to whatever, then move on. No one in the western world is forced to work anywhere.

      2. bombastic bob Silver badge
        Devil

        and some of us learned martial arts, and then the bullies left us alone... (except for the passive-aggressive ones in real life, who just insist on imposing their will yet 'are not bullying' because it is passive-aggressive which is why they are SO irritating)

        A good IRL example of a passive-aggressive bully: the discourteous "it is my right" smoker

    4. Anonymous Coward
      Anonymous Coward

      If you're dumb enough to look at stuff you shouldn't be watching in the workplace, expect consequences.

      Recently demonstrated by a certain ex-member of parliament.

      I know for a fact that traffic on my work laptop is monitored extensively; both in terms of files sent in-and-out; and chat messages logged. Of course, using such monitoring to investigate an individual requires reasonable grounds for investigation to be raised.

      A third party regulator requested all our logs pertaining to a particular subject; which were duly compiled; and ran to literally hundreds of thousands of lines of text to say nothing of supporting documentation. When told that the regulator decided on a different line of investigation.

    5. bombastic bob Silver badge
      Stop

      bullying takes many forms. the WORST form involves actual violence. The most IRRITATING form (In My Bombastic Opinion) is "passive aggressive". In all cases it is one person or group of people unethically imposing their will to control others in some manner. it is the CONTROL part that is at the center of it.

      The article brought up many things that I was rapidly nodding my head in the vertical direction over. Fear leads to CONTROL by those in authority, like a knee jerk reaction. It is the LACK of trust that drives it. It is also the WRONG direction to take, since imposing KGB-like surveillance is ONLY going to anger nearly everyone who is subjected to it and create unnecessary stress in the work place (or wherever it is implemented). And, it motivates people to "just circumvent".

      (maybe that's why we like reading about Simon the BOFH, who regularly "bullies them back")

    6. bombastic bob Silver badge
      Thumb Down

      Most of the userbase here are mouth-breathers who, ...

      Running through my mind at the moment is a mental picture of "someone" giving you a deviated septum so that you, too, can be a "mouth breather"...

      (somehow in my rapid scan of this post I had missed that particular detail)

      1. Anonymous Coward
        Anonymous Coward

        I work in Manufacturing. We have lots of ex-cons, ex-druggies, high-school dropouts and general flunkies here. God bless'em for working for a living (or parole), but they can sure tear up a device in no time flat. Without surveillance, the equipment damage would always be blamed on either Ida Know or Nawt Mee.

        So your earlier points about surveillance being a result of lack of trust are true, but perhaps painted with a different shade of reasoning than "just because we can". Sometimes we don't trust them because we can't.

  3. Pascal Monett Silver badge
    Mushroom

    Surveillance and bullying

    This is not a new tendency.

    A few decades ago, when I was a newbie accountant before freeing myself from that morass to become a programmer, I was called upon by an acquaintance to evaluate which accounting package would be interesting for said friend's gym club.

    To make a long story short, we went to an official presentation of a well-known accounting package of the time, where we spent over 90 minutes listening to how the application could log down to the keystroke of the employees that were supposed to be working.

    That was around Y2K.

    I'm glad I'm in programming now, because if you come tell me I'm not hitting the keyboard enough in a given amount of time, I will tell you to fuck right off and do the job in my place if you think you can do better.

    Such practices are odious and humiliating and leave no place for intelligent thought - they reduce the human being to a robot that is just supposed to peck the keys sufficiently per minute.

    No wonder that beancounters are such soulless individuals - because don't tell me that today's accounting suites are not doing it when they have a million times the resources a PC had back in the day.

    1. My-Handle

      Re: Surveillance and bullying

      That kind of surveillance can actually backfire rather spectacularly.

      One colleague I had in a previous role was generally hailed by management as being the golden boy. He was completing jobs at almost double the rate of the next two high-performers. We couldn't work out how he was doing it.

      Until all the jobs he "completed" started coming back for further work. Turns out he wasn't completing them at all, he was just closing them and moving them on. The team was marked on how many jobs were closed, there was no metric for the quality or type of work done. Even after it came to light he wasn't pulled up on it, because after all he was closing a lot of jobs.

      1. amanfromMars 1 Silver badge

        Re: A much bigger problem for surveillance and more than just bullying

        Until all the jobs he "completed" started coming back for further work. Turns out he wasn't completing them at all, he was just closing them and moving them on. The team was marked on how many jobs were closed, there was no metric for the quality or type of work done. Even after it came to light he wasn't pulled up on it, because after all he was closing a lot of jobs. .... My-Handle

        Parliament and sitting Cabinet Office government is filled to overflowing with such shysters, My-Handle.

        And now that is coming around to election time again, they're promising to deliver the stars and have everyone feeling hunky dory again ..... yet again ...... for the umpteenth time.

        It's quite amazing that their election manifestos are not presented in court as evidence of wilful fraud and collegiate malpractice endangering national security ..... which itself also gravely reflects very badly on the level of intelligence in the Law and Security and Secret Intelligence Services which appear to take their lead and instructions from them.

        How crazy is that? Lunatics in charge of the asylum and spreading bedlam. Tell us it is not true and we can agree to disagree.

        1. My-Handle

          Re: A much bigger problem for surveillance and more than just bullying

          I do wish that there was some kind of mechanism to hold politicians to their election promises, some form of redress for wilfully ignoring them. I've got no idea what form that should take though.

          1. Pascal Monett Silver badge

            Theoretically, there is : they stop getting elected.

            Vastly insufficient for me.

            1. My-Handle

              Only works as long as the alternatives don't also abuse the system in the same way. That's likely one of the reasons why politicians rarely call others out on abandoning their election promises - because they're likely doing the same.

              I was musing on whether some kind of public court case could be made for something like misrepresentation. If a politician gets elected and makes no effort to fulfil an election promise, or makes a token effort but fails to fulfil a promise that should have been reasonably achievable, they should be reprimanded (a non-token fine or similar) and banned from politics for a set period. One of the functions of the judiciary is supposed to be to provide a check against the political branch of government... it just rarely works that way.

          2. bombastic bob Silver badge
            Trollface

            Re: A much bigger problem for surveillance and more than just bullying

            how about a giant foot (or 16 ton weight) coming down from the sky while playing the Liberty Bell March?

        2. Alex Stuart

          Re: A much bigger problem for surveillance and more than just bullying

          Good bot

      2. Kabukiwookie

        Re: Surveillance and bullying

        We had something similar in one of the support roles I worked in.

        We had one team queue where all support tickets were logged and once an engineer had time to pick up a new ticket, they'd pick up a new ticket.

        Some of those were easy pieces of work, but most were medium to quite difficult.

        One of the 'team'-mates, was constantly monitoring the ticket queue and as soon as he saw a simple ticket come in, he'd pull it into his own queue. This meant that he constantly had the highest ticket closure rate, which was the only metric that was checked on at the time.

        Needless to say, this individual was not very popular with the rest of the team. I believe this guy still works as a manager now at the same company, probably still abusing other staff with his 'work ethics' now that he's in a position of some power.

      3. Alan Brown Silver badge

        Re: Surveillance and bullying

        Manglement love this kind of worker, customers hate them

    2. hoola Silver badge

      Re: Surveillance and bullying

      The point is here that in the past, the monitoring or surveillance was overt. It needed real people actually prowling around looking at what was going on. If you go back in time then there would have been people with whips or clubs doing the enforcing.

      Just because this is now all done in software does not make it any more acceptable. There is far too much monitoring and surveillance now in general society and with so much remote working there are companies and people out there that believe it is their right to monitor covertly.

      There will always be edge cases BUT those existed before and the people in those situations will know that the monitoring is happening. Just monitoring because it is easy is completely wrong and shows a complete lack of trust for the employees. If managers are not capable of managing workloads based on outcome or results then there is clearly something wrong.

      1. Pascal Monett Silver badge

        Re: there is clearly something wrong

        There is.

        There is a very small portion of all people holding a managerial position that are actually capable of managing.

        Most of them are just capable of barking orders and complaining when results don't follow.

        That is not managing.

        Managing includes knowing what you are managing, understanding the constraints and being intelligent enough to imagine ways to improve the situation in a meaningful manner. Planning skills are a good bonus.

        That is why there are so few actual Managers.

        1. bombastic bob Silver badge
          Devil

          Re: there is clearly something wrong

          The best middle managers just solve problems. And when they are doing a good job, upper management is always trying to sack them because their position is no longer needed...

          Seriously though in the military the division officers who were good were the ones who ran paperwork and got things signed and approved so we could do our jobs (as opposed to insisting on taking charge and walking everyone through every step). My division on the sub (Reactor Controls division) had more paperwork and approval requirements than any other. So junior officers were "trained" by us, essentially. Sorta like being Black Adder in the episodes I remember seeing a long time ago...

          The only things a good manager should have to say: "How is it going?" "What can I do to help?"

    3. bombastic bob Silver badge
      Thumb Up

      Re: Surveillance and bullying

      Such practices are odious and humiliating and leave no place for intelligent thought - they reduce the human being to a robot that is just supposed to peck the keys sufficiently per minute.

      'Odious' - there's a word I haven't seen in a while.. Oh, and for the rest of what you wrote, point well made.

      (cost accountants presenting 'cost per keystroke' analysis - that'd make for snooze-fest meetings)

  4. amanfromMars 1 Silver badge

    The slippery slope to nowhere good or great or worthwhile going ......

    Once a system needs to depend upon the truth and/or contrary opinions being hidden deemed a dangerous secret and veiled threat to national security to not be freely shared but censored or monitored and mentored, is that system in inevitable increasingly rapid freefall terminal decline.

    Here is a worrying extremely current tale of such a harbinger which you know to be true ....... Panicked CNN Guest Wonders "How We're Going To Control The Channels Of Communications In This Country"

    1. John 104

      Re: The slippery slope to nowhere good or great or worthwhile going ......

      The hysteria around Musk buying Twitter is SO discouraging. A guy promises to reduce or remove censorship and people freak out because they are afraid a dissenting opinion might get out there. And the hilarity of it is, when Bezos bought Washington Post, no one batted an eye because the paper is in line with the left media machine.

      1. Throatwarbler Mangrove Silver badge
        Facepalm

        Re: The slippery slope to nowhere good or great or worthwhile going ......

        "A guy promises to reduce or remove censorship"

        Indeed. Would you like to buy this bridge? I have the deed and everything!

  5. Anonymous Coward
    Big Brother

    Big Brother

    Surveillance in business was never about security, that was just an excuse.

    Surveillance was all about how hard you were working for the company. It was, in part, an enhanced version of the old time clock to track your lunches, coffee breaks, and even bathroom breaks. But it also allows tracking your computer activity, not for security as much as for unproductive time. Are you watching videos? listening to a podcast? Chatting with friends? Taking a nap? Looking for a better job? If you are, management knows (and has a record of it).

    Somebody, somewhere, will be caught by surveillance doing something insecure or even nefarious. And then everybody, everywhere, will use it as a justification for continued surveillance.

    1. My-Handle

      Re: Big Brother

      I agree, that's definitely the mentality of the companies that use it.

      Some of the better companies I have worked for take a different attitude. As long as you're getting your work done, don't take the piss and don't do anything unprofessional, they really don't care if you're taking 50 breaks an hour or watching videos while you work. It makes for a fairly relaxed workplace and, amazingly, stuff does actually get done.

      1. bombastic bob Silver badge
        Devil

        Re: Big Brother

        It makes for a fairly relaxed workplace and, amazingly, stuff does actually get done.

        True. this works well for engineering and IT, for the most part. Unfortunately not well for assembly lines. Context is important. But yeah if your job is that of a robot, I suppose you might end up being treated like one...

    2. Cederic Silver badge

      Re: Big Brother

      Further to this, logging and monitoring is not surveillance. It's definitely not bullying.

      It's also not going to catch me watching videos, listening to a podcast, chatting with friends, taking a nap or looking for a better job. I don't use company computers for any of those (except the mandatory training videos).

      If someone wants to use logging and monitoring to draw conclusions regarding my work ethic then they're ignorant and can be ignored. If they want to use those tools to assure compliance with the law and regulator expectations then they're protecting me, as I now have audit logs that I did not put the company at undue risk.

      Tracking computer activity isn't surveillance, and isn't bullying. As you suggest it's attempting to measure productivity, and while that's fraught with data interpretation challenges things like call handle times, the number of systems used and the delay waiting for information can help identify the improvements that can make someone happier at work.

      Is automated analysis of outbound email to prevent data loss surveillance? No, it's a necessary data protection measure. Is recording of telephone calls by the Treasury trading desk surveillance? I'm not sure, but the regulator demands it. Is using a work laptop's built in camera to watch someone in their own home surveillance? Barely; it's an illegal invasion of privacy.

      There's a thought. Invite your 16 year old to shag their partner in front of your work laptop. They'll be doing it out of sight anyway, and this way if someone's recording, you can prosecute them for creating child pornography. That'll get it stopped.

  6. NapTime ForTruth
    Meh

    Not just for bullying anymore...

    Surveillance of any kind in the corporate (and more often, governmental) world is also a beard worn to satisfy, e.g., auditors, banks, insurers, investors, etc. "We did have an incident, but we caught it all on surveillance and were able to share that with the appropriate authorities and experts...[blah-blah-blah]...appropriately minimizing damage and accelerating [whatever]."

    It's a bit the institutional equivalent of leaning back with your feet on the desk because "compiling".

    1. John Brown (no body) Silver badge

      Re: Not just for bullying anymore...

      Sounds like that idea originated in the United Suers of America.

  7. yetanotheraoc Silver badge

    does not follow

    Spot the syllogism: Surveillance is wrong = True. Bullying is wrong = True. Therefore, surveillance is bullying. ???

    People have definitely been trained to expect over-surveillance. One user was explaining to another user that "the database knows everything". I explained that the application doesn't know how long they take to complete an individual task because it doesn't take a timestamp when they start, only when they finish. (And anyway they do many tasks outside the application even while it's open.) Still not sure they believe me.

    1. My-Handle

      Re: does not follow

      The irony here is that the false syllogism here is one entirely created by you.

      Surveillance isn't bullying by virtue of them both being wrong. That logic would mean that everything that is Wrong is by nature the same thing. Pickled onion ice cream is wrong, but it is also not surveillance (to use reductio ad absurdum).

      Surveillance is bullying because, in this context, people in power are using it to infringe on the rights of those who work for them.

  8. CoffeeBlackest

    "Logging and monitoring could* be a form of bullying"...

    Yikes...then filling out forms could be a form* of bullying too. Or anything any individual doesn't like is a form of bullying, like you wearing a yellow shirt for instance. Yea those instances are even further out there than the previous mentions, but they're on that same line of thought (if you can call it that). There definitely are lines we shouldn't cross, and finding those lines and setting those lines should happen (and they will change over time based on our current relative culture etc...). But we may have better things to do than trying to please every person on earth, then again, maybe we don't.

  9. Anonymous Coward
    Anonymous Coward

    "Surveillance is mostly used to find a scapegoat after the fact. It's for reinforcing the existing power structures, not creating systemic change." Yes, obviously this is the point - security is used to stop unwanted change. Not everyone is down for systemic change/revolution comrade!

  10. Stuart Castle Silver badge

    I've always thought Logging and Monitoring was an important part of decent infosec, but not the only one. It might help you detect an intrusion, react to it after it's happened, and might help you track down the perp, but won't prevent it. A bit like CCTV might let you see someone being mugged (although probably not unless you happen to be watching the camera just at the moment it's happening, or some AI detects the act correctly and flags it to a human), but by the time you've got cops to the area to investigate, the mugger has likely long gone, with the CCTV perhaps helping to identify the mugger (assuming they weren't wearing some sort of head covering).

    For decent infosec, you need up to date software, from a manufacturer who is actively fixing bugs. You need to do your utmost to properly test that software. You need to lock down any systems (user accounts, software, OS and hardware) you use as far as you can without a serious negative impact on productivity, as well as to enforce proper password security and discipline on the users. Logging and monitoring should only be used to determine the success of all that, and take action if despite all that, a hacker still gets through.
