back to article Logging and monitoring can be a form of bullying, and make for lousy infosec

Many information security practices use surveillance of users' activities. Logging, monitoring, observability – call it what you will, we have built a digital panopticon for our colleagues at work, and it's time to rethink this approach. The flaws of surveillance-based infosec are already appreciated. The European Court of …

  1. Marty McFly Silver badge
    Holmes

    Sorted!

    Staff are still able to do their job, but without getting access to information they don't need. "We've made it easy for our staff to not get hold of this data, and then they can't accidentally or deliberately leak it,"

    So we will be applying the 'Principle of Least Privilege' then. Got it.

    1. Stuart Castle Silver badge

      Re: Sorted!

      Re : "So we will be applying the 'Principle of Least Privilege' then. Got it."

      A good principle in security.

      When I was a newbie, amongst some of my friends, it was the done thing to brag about how many systems you administer, or how powerful they are I suppose it was a bit like a geekier version of boasting about how powerful your car is.

      Even before I was aware it was a good principle to have security wise, as long as I had (or could request) the rights to administer the systems I could demonstrate I needed to administer, I was happy. For me, it was an arse covering exercise. If a system I had little or no access to was hacked, there was a lower chance I could be blamed.

      I also thought it good practice for the company. If my account was compromised, the damage the hacker could do was limited.

    2. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    "We need to treat our colleagues as colleagues, not subjects or prisoners," says Lily Ryan. "Human dignity needs to factor more into our decisions."

    No. Just no. Most of the userbase here are mouth-breathers who, in days of old, used their CDROM trays to hold their coffee cups. Maybe Ms Ryan works around high-minded, intelligent users, but the users here need a lot more guidance and protection than that.

    As to "excessive monitoring", the neat trick is that you don't HAVE to monitor excessively, but you do have to occasionally fuel the mythos that you ARE monitoring excessively. Don't squash those rumors of "I know you can see everything I do", just kind of grunt and nod your head slightly but non-commitally.

    As to "bullying" - please. We've got Russians killing innocent people in real life, and these folks are trying to equate keeping our systems (and, by extension, our users) safe with "bullying". Give me a break. What a load of tosh. We're all in IT, most of us were ACTUALLY bullied as kids because we were nerds and bookworms.

    1. My-Handle

      "As to "bullying" - please."

      There exists more than one form of bullying.

      I, personally, was bullied at school for being a socially inept nerd. I have also been bullied at work. The situations look very different, and both can have a very real effect on one's health.

    2. iron Silver badge

      Proving the premise of the article in the second comment, well done!

      1. Anonymous Coward
        Anonymous Coward

        Thank you. It took about 3 years before I realized we in IT had such an ability, even though we had no such capability. Thank you, Hollywood, for instilling the fear in their little hearts with all your super hi-tech movies like Sneakers and The Matrix. Far be it from me to crush that fantasy world for my users...

    3. John Brown (no body) Silver badge

      "We're all in IT, most of us were ACTUALLY bullied as kids because we were nerds and bookworms."

      That sounds rather like a bully justifying their actions to me.

      1. Anonymous Coward
        Anonymous Coward

        Hardly. Just an observation that real physical and mental bullying is not the same as your activities being tracked as part of your job. If the job exists in that type of environment, go get a job somewhere else, don't sit around bellyaching "Oh, they're bullying me by watching me" and expect the rest of us to give a shit that a full grown adult can't manage their life better than that.

        1. John 104

          @AC

          "Hardly. Just an observation that real physical and mental bullying is not the same as your activities being tracked as part of your job. If the job exists in that type of environment, go get a job somewhere else, don't sit around bellyaching "Oh, they're bullying me by watching me" and expect the rest of us to give a shit that a full grown adult can't manage their life better than that."

          Right you are. This article/study/whatever, is a bunch of horse shit and the people who think this way are obviously not functional adults. At the end of the day, you are at your job to do your job. If your employer wants to monitor what goes on on THEIR equipment, that is their prerogative. If you don't like it, then quit and get a job someplace else.

          This is right up there with idiotic statements like "words are violence." No, words are words. They may hurt your feelings, but they aren't violent and the bottom line is that anyone who believes that nonsense is immature and needs a solid dose of reality.

          1. veti Silver badge

            Horse, to use your own words, shit.

            A quick Google for "right to privacy at work" shows that even in the USA, employers don't simply have carte blanche to spy on their employees however and wherever they like, no matter whose equipment they're using. And in most other developed countries, there are significantly stronger protections.

            If you don't like it, then quit and go to work someplace with less focus on individual "rights".

            1. Marty McFly Silver badge
              Coffee/keyboard

              "A quick Google for "right to privacy....."

              Oh, the irony of that statement!

          2. My-Handle

            "the bottom line is that anyone who believes that nonsense is immature and needs a solid dose of reality."

            This is a really dangerous viewpoint. Words can be more harmful than physical violence. I personally know of a few cases of people who have been driven to suicide as a result of nothing but words. Even in less extreme examples, bad managers can use words to hold the threat of firing over your head (justified or not), which can cause a huge level of stress and the associated negative health consequences. Statements like "go get a job somewhere else" belie exactly how difficult it can be for some people to change jobs. Unless you are extremely lucky, changing jobs can be a very difficult (sometimes impossible) process.

            There's a solid dose of reality for you.

            1. John 104

              @My-Handle

              I'm not denying any of the realities of bad management and stresses that words can cause people. However, these actions are still not violence, even though they can lead to unfortunate consequences and may be the CAUSE of violence.

              From Websters:

              violence

              Behavior or treatment in which physical force is exerted for the purpose of causing damage or injury.

              Explain to me how 'words' meet this definition? No amount of swearing, or tirades will ever equate to a physical damage. Ever. (I suppose high decibel loudspeakers could damage but that's not what we are talking about here...)

              Refusal to accept the most basic definition of a word or twisting its meaning to suit your (proverbial your) feelings is part of the problem. It is ignorant at best, disingenuous on the average and intended to elicit an emotional response to further some talking point or agenda. And I still maintain that it is an immature approach to dealing with whatever problem a person might be facing. The world doesn't care about your feelings. Sorry, leave that to your spouse, friends, and family. It may sound harsh, but the world is a harsh place. The sooner people move past sillyness such as the above, the better for their long term well being.

              1. John Brown (no body) Silver badge

                I think you are missing the flip-side of physical bullying. The mental after effects of it. The fear it may happen again. That's the aim of physical bullying. It puts you in a state of mental fear, even if the bully doesn't realise that. That physical bullying is an "incident" and it's over, even if the mental after effects aren't. Constant low level bullying, 8 hours a day, 5 days a week, due to constant monitoring and distrust, threats of being fired from superiors etc has a similar or even worse effect by instilling fear in the victim. Fear and power is the aim of the bully. Violence is only one tool in their arsenal.

          3. bombastic bob Silver badge
            Stop

            Your reaction to the article itself suggests to me that you did not understand the perspective from which it was written. So I shall explain: It is human nature to react to fear by trying to control things. This becomes problematic when it turns into an authoritarian surveillance environment. The fear comes from lack of trust, and those subjected the surveillance instinctively realize they're not trusted. This causes OTHER unintended consequences, because of human nature.

            In short, nobody with a sane mind wants to live in a communist or fascist country with a KBG-like secret police constantly monitoring you, unless they're in positions of power (in which case they have OTHER issues that are somewhat psychotic in my bombastic opinion). Similarly nobody would want to WORK in such an environment either.

            A good working environment requires a high level of trust and low stress. Good employees are usually the direct result. It's amazing how high expectations (in both directions) makes everyone work better, on average of course (there are always exceptions, though I expect them to be few and far between).

            1. John 104

              @Bombastic

              I agree, a good working environment does require a high level of trust and low stress. But you are still there to work. And if you are in an environment that doesn't suit your personality due to whatever, then move on. No one in the western world is forced to work anywhere.

      2. bombastic bob Silver badge
        Devil

        and some of us learned martial arts, and then the bullies left us alone... (except for the passive-aggressive ones in real life, who just insist on imposing their will yet 'are not bullying' because it is passive-aggressive which is why they are SO irritating)

        A good IRL example of a passive-aggressive bully: the discourteous "it is my right" smoker

    4. Anonymous Coward
      Anonymous Coward

      If you're dumb enough to look at stuff you shouldn't be watching in the workplace, expect consequences.

      Recently demonstrated by a certain ex-member of parliament.

      I know for a fact that traffic on my work laptop is monitored extensively; both in terms of files sent in-and-out; and chat messages logged. Of course, using such monitoring to investigate an individual requires reasonable grounds for investigation to be raised.

      A third party regulator requested all our logs pertaining to a particular subject; which were duly compiled; and ran to literally hundreds of thousands of lines of text to say nothing of supporting documentation. When told that the regulator decided on a different line of investigation.

    5. bombastic bob Silver badge
      Stop

      bullying takes many forms. the WORST form involves actual violence. The most IRRITATING form (In My Bombastic Opinion) is "passive aggressive". In all cases it is one person or group of people unethically imposing their will to control others in some manner. it is the CONTROL part that is at the center of it.

      The article brought up many things that I was rapidly nodding my head in the vertical direction over. Fear leads to CONTROL by those in authority, like a knee jerk reaction. It is the LACK of trust that drives it. It is also the WRONG direction to take, since imposing KGB-like surveillance is ONLY going to anger nearly everyone who is subjected to it and create unnecessary stress in the work place (or wherever it is implemented),. And, ii motivates people to "just circumvent".

      (maybe that's why we like reading about Simon the BOFH, who regularly "bullies them back")

    6. bombastic bob Silver badge
      Thumb Down

      Most of the userbase here are mouth-breathers who, ...

      Running through my mind at the moment is a mental picture of "someone" giving you a deviated septum so that you, too, can be a "mouth breather"...

      (somehow in my rapid scan of this post I had missed that particular detail)

      1. Anonymous Coward
        Anonymous Coward

        I work in Manufacturing. We have lots of ex-cons, ex-druggies, high-school dropouts and general flunkies here. God bless'em for working for a living (or parole), but they can sure tear up a device in no time flat. Without surveillance, the equipment damage would always be blamed on either Ida Know or Nawt Mee.

        So your earlier points about surveillance being a result of lack of trust are true, but perhaps painted with a different shade of reasoning than "just because we can". Sometimes we don't trust them because we can't.

  3. Pascal Monett Silver badge
    Mushroom

    Surveillance and bullying

    This is not a new tendancy.

    A few decades ago, when I was a newbie accountant before freeing myself from that morass to become a programmer, I was called upon by an acquaintance to evaluate which accountage package would be interesting for said friend's gym club.

    To make a long story short, we went to an official presentation of a well-known accounting package of the time, where we spent over 90 minutes listening to how the application could log down to the keystroke of the employees that were supposed to be working.

    That was around Y2K.

    I'm glad I'm in programming now, because if you come tell me I'm not hitting the keyboard enough in a given amount of time, I will tell you to fuck right off and do the job in my place if you think you can do better.

    Such practices are odious and humiliating and leave no place for intelligent thought - they reduce the human being to a robot that is just supposed to peck the keys sufficiently per minute.

    No wonder that beancounters are such soulless individuals - because don't tell me that today's accounting suites are not doing it when they have a million times the resources a PC had back in the day.

    1. My-Handle

      Re: Surveillance and bullying

      That kind of surveillance can actually backfire rather spectacularly.

      One colleague I had in a previous role was generally hailed by management as being the golden boy. He was completing jobs at almost double the rate of the next two high-performers. We couldn't work out how he was doing it.

      Until all the jobs he "completed" started coming back for further work. Turns out he wasn't completing them at all, he was just closing them and moving them on. The team was marked on how many jobs were closed, there was no metric for the quality or type of work done. Even after it came to light he wasn't pulled up on it, because after all he was closing a lot of jobs.

      1. amanfromMars 1 Silver badge

        Re: A much bigger problem for surveillance and more than just bullying

        Until all the jobs he "completed" started coming back for further work. Turns out he wasn't completing them at all, he was just closing them and moving them on. The team was marked on how many jobs were closed, there was no metric for the quality or type of work done. Even after it came to light he wasn't pulled up on it, because after all he was closing a lot of jobs. .... My-Handle

        Parliament and sitting Cabinet Office government is filled to overflowing with such shysters, My-Handle.

        And now that is coming around to election time again, they're promising to deliver the stars and have everyone feeling hunky dory again ..... yet again ...... for the umpteenth time.

        It's quite amazing that their election manifestos are not presented in court as evidence of wilful fraud and collegiate malpractice endangering national security ..... which itself also gravely reflects very badly on the level of intelligence in the Law and Security and Secret Intelligence Services which appear to take their lead and instructions from them.

        How crazy is that? Lunatics in charge of the asylum and spreading bedlam. Tell us it is not true and we can agree to disagree.

        1. My-Handle

          Re: A much bigger problem for surveillance and more than just bullying

          I do wish that there was some kind of mechanism to hold politicians to their election promises, some form of redress for wilfully ignoring them. I've got no idea what form that should take though.

          1. Pascal Monett Silver badge

            Theoretically, there is : they stop getting elected.

            Vastly insufficient for me.

            1. My-Handle

              Only works as long as the alternatives don't also abuse the system in the same way. That's likely one of the reasons why politicians rarely call others out on abandoning their election promises - because they're likely doing the same.

              I was musing on whether some kind of public court case could be made for something like misrepresentation. If a politician gets elected and makes no effort to fulfil an election promise, or makes a token effort but fails to fulfil a promise that should have been reasonably achievable, they should be reprimanded (a non-token fine or similar) and banned from politics for a set period. One of the functions of the judiciary is supposed to be to provide a check against the political branch of government... it just rarely works that way.

          2. bombastic bob Silver badge
            Trollface

            Re: A much bigger problem for surveillance and more than just bullying

            how about a giant foot (or 16 ton weight) coming down from the sky while playing the Liberty Bell March?

        2. Alex Stuart

          Re: A much bigger problem for surveillance and more than just bullying

          Good bot

      2. Kabukiwookie

        Re: Surveillance and bullying

        We had something similar in one of the support roles I worked in.

        We had one team queue where all support tickets were logged and once an engineer had time to pick up a new ticket, they'd pick up a new ticket.

        Some of those were easy pieces of work, but most were medium to quite difficult.

        One of the 'team'-mates, was constantly monitoring the ticket queue and as soon as he saw a simple ticket come in, he'd pull it into his own queue. This meant that he constantly had the highest ticket closure rate, which was the only metric that was checked on at the time.

        Needless to say, this individual was nor very popular with the rest of the team. I believe thos guy still works as a manager now at the same company, probably still abusing other staff with his 'work ethics' now that he's in a position of some power.

      3. Alan Brown Silver badge

        Re: Surveillance and bullying

        Manglement love this kind of worker, customers hate them

    2. hoola Silver badge

      Re: Surveillance and bullying

      The point is here that in the past, the monitoring or surveillance was overt. It needed real people actually prowling around looking at what was going on. If you go back in time then there would have been people with whips or clubs doing the enforcing.

      Just because this is now all done in software does not make it any more acceptable. There is far to much monitoring and surveillance now in general society and with so much remote working there are companies and people out there that believe it is their right to monitor covertly.

      There will always be edge cases BUT those existed before and the people in those situations will know that the monitoring is happening. Just monitoring because it is easy is completely wrong and shows a completely lack of trust for the employees. If managers are not capable of manging workloads based on outcome or results then there is clearly something wrong.

      1. Pascal Monett Silver badge

        Re: there is clearly something wrong

        There is.

        There is a very small portion of all people holding a managerial position that are actually capable of managing.

        Most of them are just capable of barking orders and complaining when results don't follow.

        That is not managing.

        Managing includes knowing what you are managing, understanding the constraints and being intelligent enough to imagine ways to improve the situation in a meaningful manner. Planning skills are a good bonus.

        That is why there are so few actual Managers.

        1. bombastic bob Silver badge
          Devil

          Re: there is clearly something wrong

          The best middle managers just solve problems. And when they are doing a good job, upper management is always trying to sack them because their position is no longer needed...

          Seriously though in the military the division officers who were good were the ones who ran paperwork and got things signed and approved so we could do our jobs (as opposed to insisting on taking charge and walking everyone through every step). My division on the sub (Reactor Controls division) had more paperwork and approval requirements than any other. So junior officers were "trained" by us, essentially. Sorta like being Black Adder in the episodes I remember seeing a long time ago...

          The only things a good manager should have to say: "How is it going?" "What can I do to help?"

    3. bombastic bob Silver badge
      Thumb Up

      Re: Surveillance and bullying

      Such practices are odious and humiliating and leave no place for intelligent thought - they reduce the human being to a robot that is just supposed to peck the keys sufficiently per minute.

      'Odious' - there's a word I haven't seen in a while.. Oh, and for the rest of what you wrote, point well made.

      (cost accountants presentng 'cost per keystroke' analysis - that'd make for snooze-fest meetings)

  4. amanfromMars 1 Silver badge

    The slippery slope to nowhere good or great or worthwhile going ......

    Once a system needs to depend upon the truth and/or contrary opinions being hidden deemed a dangerous secret and veiled threat to national security to not be freely shared but censored or monitored and mentored, is that system in inevitable increasingly rapid freefall terminal decline.

    Here is a worrying extremely current tale of such a harbinger which you know to be true ....... Panicked CNN Guest Wonders "How We're Going To Control The Channels Of Communications In This Country"

    1. John 104

      Re: The slippery slope to nowhere good or great or worthwhile going ......

      The hysteria around Musk buying Twitter is SO discouraging. A guy promises to reduce or remove censorship and people freak out because they are afraid a dissenting opinion might get out there. And the hilarity of it is, when Bezos bought Washington Post, no one batted an eye because the paper is in line with the left media machine.

      1. Throatwarbler Mangrove Silver badge
        Facepalm

        Re: The slippery slope to nowhere good or great or worthwhile going ......

        "A guy promises to reduce or remove censorship"

        Indeed. Would you like to buy this bridge? I have the deed and everything!

  5. Anonymous Coward
    Big Brother

    Big Brother

    Surveillance in business was never about security, that was just an excuse.

    Surveillance was all about how hard you were working for the company. It was, in part, an enhanced version of the old time clock to track your lunches, coffee breaks, and even bathroom breaks. But it also allows tracking your computer activity, not for security as much as for unproductive time. Are you watching videos? listening to a podcast? Chatting with friends? Taking a nap? Looking for a better job? If you are, management knows (and has a record of it).

    Somebody, somewhere, will be caught by surveillance doing something insecure or even nefarious. And then everybody, everywhere, will use it as a justification for continued surveillance.

    1. My-Handle

      Re: Big Brother

      I agree, that's definitely the mentality of the companies that use it.

      Some of the better companies I have worked for take a different attitude. As long as you're getting your work done, don't take the piss and don't do anything unprofessional, they really don't care if you're taking 50 breaks an hour or watching videos while you work. It makes for a fairly relaxed workplace and, amazingly, stuff does actually get done.

      1. bombastic bob Silver badge
        Devil

        Re: Big Brother

        It makes for a fairly relaxed workplace and, amazingly, stuff does actually get done.

        True. this works well for engineering and IT, for the most part. Unfortunately not well for assembly lines. Context is important. But yeah if your job is that of a robot, I suppose you might end up being treated like one...

    2. Cederic Silver badge

      Re: Big Brother

      Further to this, logging and monitoring is not surveillance. It's definitely not bullying.

      It's also not going to catch me watching videos, listening to a podcast, chatting with friends, taking a nap or looking for a better job. I don't use company computers for any of those (except the mandatory training videos).

      If someone wants to use logging and monitoring to draw conclusions regarding my work ethic then they're ignorant and can be ignored. If they want to use those tools to assure compliance with the law and regulator expectations then they're protecting me, as I now have audit logs that I did not put the company at undue risk.

      Tracking computer activity isn't surveillance, and isn't bullying. As you suggest it's attempting to measure productivity, and while that's fraught with data interpretation challenges things like call handle times, the number of systems used and the delay waiting for information can help identify the improvements that can make someone happier at work.

      Is automated analysis of outbound email to prevent data loss surveillance? No, it's a necessary data protection measure. Is recording of telephone calls by the Treasury trading desk surveillance? I'm not sure, but the regulator demands it. Is using a work laptop's built in camera to watch someone in their own home surveillance? Barely; it's an illegal invasion of privacy.

      There's a thought. Invite your 16 year old to shag their partner in front of your work laptop. They'll be doing it out of sight anyway, and this way if someone's recording, you can prosecute them for creating child pornography. That'll get it stopped.

  6. NapTime ForTruth
    Meh

    Not just for bullying anymore...

    Surveillance of any kind in the corporate (and more often, governmental) world is also a beard worn to satisfy, e.g., auditors, banks, insurers, investors, etc. "We did have an incident, but we caught it all on surveillance and were able to share that with the appropriate authorities and experts...[blah-blah-blah]...appropriately minimizing damage and accelerating [whatever]."

    It's a bit the institutional equivalent of leaning back with your feet on the desk because "compiling".

    1. John Brown (no body) Silver badge

      Re: Not just for bullying anymore...

      Sounds like that idea originated in the United Suers of America.

  7. yetanotheraoc Silver badge

    does not follow

    Spot the syllogism: Surveillance is wrong = True. Bullying is wrong = True. Therefore, surveillance is bullying. ???

    People have definitely been trained to expect over-surveillance. One user was explaining to another user that "the database knows everything". I explained that the application doesn't know how long they take to complete an individual task because it doesn't take a timestamp when they start, only when they finish. (And anyway they do many tasks outside the application even while it's open.) Still not sure they believe me.

    1. My-Handle

      Re: does not follow

      The irony here is that the false syllogism here is one entirely created by you.

      Surveillance isn't bullying by virtue of them both being wrong. That logic would mean that everything that is Wrong is by nature the same thing. Pickled onion ice cream is wrong, but it is also not surveillance (to use reductio ad absurdum).

      Surveillance is bullying because, in this context, people in power are using it to infringe on the rights of those who work for them.

  8. CoffeeBlackest

    "Logging and monitoring could* be a form of bullying"...

    Yikes...then filling out forms could be a form* of bullying too. Or anything any individual doesn't like is a form of bullying, like you wearing a yellow shirt for instance. Yea those instances are even further out there then the previous mentions, but they're on that same line of thought (if you can call it that). There definitely are lines we shouldn't cross, and finding those lines and setting those lines should happen (and they will change over time based on our current relative culture etc...). But we may have better things to do then trying to please every person on earth, then again, maybe we don't.

  9. Anonymous Coward
    Anonymous Coward

    "Surveillance is mostly used to find a scapegoat after the fact. It's for reinforcing the existing power structures, not creating systemic change." Yes, obviously this is the point - security is used to stop unwanted change. Not everyone is down for systemic change/revolution comrade!

  10. Stuart Castle Silver badge

    I've always thought Logging and Monitoring was an important part of decent infosec, but not the only one. It might help you detect an intrusion, react to it after it's happened, and might help you track down the perp, but won't prevent it. A bit like CCTV might let you see someone being mugged (although probably not unless you happen to be watching the camera just at the moment it's happening, or some AI detects the act correctly and flags it to a human), but by the time you've got cops to the area to investigate, the mugger has likely long gone, with the CCTV perhaps helping to identify the mugger (assuming they weren't wearing some sort of head covering).

    For decent infosec, you need up to date software, from a manufacturer who is actively fixing bugs. You need to do your utmost to properly test that software. You need to lock down any systems (user accounts, software, OS and hardware) you use as far as you can without a serious negative impact on productivity, as well as to enforce proper password security and discipline on the users. Logging and monitoring should only be used to determine the success of all that, and take action if despite all that, a hacker still gets through

  11. Anonymous Coward
    Anonymous Coward

    Insider threat is more nuanced than yes/no to monitoring

    As someone who’s worked on dedicated insider threat teams for large organisations before, I’ve got mixed feelings on this article.

    Justin really should have included some details around scope of user event logging and what he considers excessive rather than keeping it intentionally vague. Logging of user activity is a fundamental part of maintaining the security of your environment, and the devil is in the details when it comes to “too far” which the article sadly lacks. It’s a far cry from logging workstation activity, and DLP events, compared to always-on microphone and webcam tracking software. Employees deserve privacy and respect, which means conversations about the scope of corporate device monitoring are sorely needed which can break the issue down, not articles which broad-brush it as “monitoring can feel like bullying so let’s not do it”. That’s not how you deal with risk.

    Normally love your work Justin, but this isn’t quite it.

    1. jpwarren

      Re: Insider threat is more nuanced than yes/no to monitoring

      Thanks for reading it!

      Dr Michalak says, near the end of the article in the "do this instead" section: "Have you been transparent with people about what is being done and why it's required, and do the people you want to monitor consider it to be reasonable, or excessive?"

      That's all I'm arguing for. Talk to people about what your plans are and explain it so they're part of the solution. Don't just sit in an ivory tower and impose your will on people. I don't say "never monitor anything". I say with great power comes great responsibility.

      1. canthinkofagoodname

        Re: Insider threat is more nuanced than yes/no to monitoring

        Appreciate the clarification :)

        Before reading any further, I would like to state emphatically that I am (personally) whole-heartedly against UBM as a matter of principle (privacy, healthy workplace etc.). Professionally however...

        For me, the main point of confusion was (to my eye) the conflation between L&M (typically system focussed, traditional infosec rather than the broad-church of "Cyber") and UBM (very much people focussed). It's an important distinction to make, particularly for folks that are not tech inclined or lack the industry experience necessary to understand the difference.

        Even with that distinction in mind, not all UBM solutions are equally evil; some are quite benign. I have seen UBM solutions that monitor pretty much everything you do (time in certain apps, websites visited, give managers remote view access to your desktop etc.) (pretty nasty); I've also seen solutions whose sole purpose is to remind you to take a break when you've been at your desk for longer than 1hr. Hardly on the same level.

        The context in which this applies matters too; would something like the nasty UBM solution above really be considered unreasonable or viewed as a form of bullying in the context of Highly Classified Gov networks? Or an R&D environment for a Defence Prime for example? At what point does the user's perspective matter more or less than the sensitivity of the system or information they work with?

        It's also easy to focus on the negative aspects of these solutions (privacy invasion, lack of trust etc.); for Insider Threat, Hunt, even IR teams, these solutions can be invaluable. Most folks would rather catch the threat early and limit the damage, rather than be stuck investigating the fall-out.

        To reiterate, personally I am on board with what you're saying in the article, but professionally I think there are valid use cases for these solutions, and sometimes (here come the down votes haha) that means giving your users feelings on the matter a lower weighting.

      2. Anonymous Coward
        Anonymous Coward

        Re: Insider threat is more nuanced than yes/no to monitoring

        OP here, Thanks Justin - definitely agree with the transparency and candour with end users and that any sort of monitoring has actual outcomes which match up to information security (particularly if the monitoring is being sold to the organisation as a “cyber” tool). If there’s no trust in the process and the position of IT security teams, then the whole thing falls apart.

      3. amanfromMars 1 Silver badge

        Re: Insider threat is more nuanced than yes/no to monitoring

        That's all I'm arguing for. Talk to people about what your plans are and explain it so they're part of the solution. Don't just sit in an ivory tower and impose your will on people. I don't say "never monitor anything". I say with great power comes great responsibility. ...... jpwarren

        And, jpwarren, whenever there is no solution for you to have any meaningful part to play in their plans, what do expect will be the explosive outcome, for it will be at least revolutionary and diligently troublesome whenever anyone/anything thinks the following unilateral type actions will not deservedly result in fundamentally radical change? ........ The World Order Has Changed... Here's What It Means For Your Net Worth

        Times and spaces have changed and nothing today in this era of 0days is ever going back to way things were being run yesterday ..... for the exclusive benefit of an unworthy choice few. To think otherwise is to be not thinking at all and to know practically nothing about virtually everything that is presently confronting you on multiple fronts. And that makes one a soft target and easy prey to that and those in the know.

  12. benry

    Spot on

    I wish more businesses would take an inward glance at what they're doing and how they're treating staff. I've had the misfortune of working at a couple of places where the monitoring was over the top and absolutely would be considered bullying.

  13. Anonymous Coward
    Anonymous Coward

    Being surveilled at work is normal

    Dont like it? See ya!

    Paranoia makes for good security

    Trust no one. Everybody lies.

    Try living near Canary Wharf in east London - the most surveilled piece of real estate in Europe!

  14. Anonymous Coward
    Anonymous Coward

    Somebody is confusing their hurt feelings and "offended" nature with the needs of the business.

    Sorry to disappoint you. The rest of us have been warning you kids that the concerns for "your feelings" ended at high school, at the very latest.

    The world. does. not. care.

    1. My-Handle

      I agree, it doesn't.

      Do you think it should?

      Caring doesn't necessarily have to mean bending over backwards to not offend every nitwit who's looking for a reason to be offended. But it should mean conducting yourself (or any enterprise you might control) in a manner that is considerate others' welfare. It takes a little forethought, but surprisingly little effort.

  15. scubaal

    Yes and no

    Hmm,

    I think the issue is *excessive* monitoring and logging.

    Having spent many decades in the public sector I can tell you that we have a 'duty of care' to all employees.

    That includes making sure they are in a safe workspace.

    Which is why we log web access and make sure everyone knows we do.

    Yes - Im talking porn.

    Every year a couple of public servants are sacked for acessing porn in the workspace.

    If we didnt log/review that and action it *other* employees would (rightly) complain about their work environment.

    Heck - a UK MP just resigned for porn in the workspace.

    So logging to ensure approrpriate/ethical/legal use of work resources - yes.

    Continuous spying on all activities - no.

    I would also add that any user-speific investigation has to be signed off in writing at an extremely high level and is undertaken in confidence, to protect the IT folks from being pressured by random exec to 'take a look at X'.

  16. amanfromMars 1 Silver badge

    Welcome to Our Worlds Say the Spiders to the Flies and the Scorpions to the Frogs/Logs to Spooks*:-)

    One must always be super careful if tasking oneself, and especially so if being tasked on behalf and at the behest of relatively anonymous A.N.Others, whenever surveilling anything, in whatever form in any matter, unusually strange and gloriously entangled/odd and complex discovered/uncovered/thought/imagined to be communicating and freely sharing extremely sensitive, above top secret type information and advanced intelligence with multiple nodes and myriad intermingled internetworking chunnels in those work, rest and play spaces of the Live Operational Virtual Environment because ...

    To be in any way effective in mentoring what you will be monitoring there, and which you will know/should know, for you have previously seen how very easily it has been simply done, is going to have a real physical effect and create an almighty presence on Earth, does require that you fully enter and immerse yourselves in those new worlds being monitored by that and those not in any position of surveillance command and remote virtual control of that which they will encounter and have to successfully counter in order to make any discernible impact.

    * ...... https://en.wikipedia.org/wiki/Log_Lady

  17. Great Southern Land

    There's a difference.....

    .... Between Monitoring and Surveliiance.

    I used to work for a Government Department, where unauthorised access to client records was punishable by dismissal, if you were lucky, and criminal prosecution if you were not. It was well known that the department was logging all access to client records, and this was enough for the majority of the 20,000+ staff to do the right thing. This is MONITORING.

    SURVEILLANCE (and potentially BULLYING) is when the system reports how often your computer is idle, how often the screen is locked, how many phone calls you made or answered today, how many forms you processed, etc..... and when the results of the report are used to justify disciplinary action against the worker. The worker usually has no access to the report data, won't necessarily remember a day's work 1-2 weeks ago, and if he/she is called in to the manager's office, the onus is usually on the worker to explain the discrepancies, not the manager/organisation. It cannot be assumed that poor results on their own mean a poor worker, but all too often that's what management assumes.

  18. wayneinuk

    It seems to me that we need an element of monitoring right at the top i.e. in the Houses of Parliament, even on BYOD's!! It might safe some jobs!

    1. amanfromMars 1 Silver badge

      What the Holy FCUK ??????

      I have been told although it is difficult to believe, and it would be nice if it can be categorically confirmed, that the bods in the Houses of Parliament have some sort of unholy agreement with that and those who really should know better, that has them specifically exempt from Security and Secret Intelligence Service surveillance/monitoring.

      I cannot quickly think of anywhere anywhere else more likely to thoroughly abuse and misuse the opportunities that such an arrangement would present.

      Of course, maybe Parliamentarians are falsely led to believe such an exemption is afforded to them and thus are they at the mercy of those services and masters which are presumed to protect them whenever they choose to falter and abuse the national trust.

      However, if that be the case, I’m not at all impressed by what they be doing with anything they may know of others nesting in Parliament with secrets and indiscretions to hide.

      In all honesty, IT is all in a Quandary and a bit of a Bugger's Muddle.

      1. amanfromMars 1 Silver badge

        Re: What the Holy FCUK ??????

        I have been told although it is difficult to believe, and it would be nice if it can be categorically confirmed, that the bods in the Houses of Parliament have some sort of unholy agreement with that and those who really should know better, that has them specifically exempt from Security and Secret Intelligence Service surveillance/monitoring.

        Hmmmm? That statement, and I have assumed that there are a least a few El Reg commentators who would certainly know for sure, has remained too long here unanswered. It is a simple enough question though requiring a clear enough Yes or No or Sometimes Occasionally or Occasionally Often answer, so it does have one a’pondering and a’wondering.

        Is it supposed to be sort of a Top Secret State Secret expected covered by the Non-Disclosure Agreement perpetuated by the likes of an Official Secrets Act?

  19. andy gibson

    "Does watching staff 24x7 really make things more secure?

    No, according to a researcher at a major UK university, who asked not to be identified."

    I'm always wary of people with something to say, but too embarrassed to put their name to their work or their opinion.

  20. LittleBobTable

    I always have it in the back of my mind that managers are an "overhead" - an administration cost that is applied to anything produced. If all the workers went on holiday for a day: nothing is produced that day. If a manager goes on holiday for a day: all/most of the work gets done.

    I have found that a good manager normally works in reverse of what is thought of as a manager: If I have a problem that's stopping me from progressing, it's their job to sort it out so I can do my job. That should be their aim: to make you as productive as possible.

    Timesheets are my pain. Whenever I ask why, "for reporting" is always the response. So I estimate how long something takes then I record time against my estimate. If it takes longer than my estimate - am I late or was my estimate wrong?

  21. Sherrie Ludwig

    Work system spying?

    If you are afraid of the work laptop you took home seeing and hearing all you do, could basic tidying-up be your friend? Once you have completed the work, close the laptop, and put it back in a well-padded carrying case. Preferably in a safe, out-of-the-way corner of your abode, to keep it from damage. Hard to spy when the inside of a bag is the view, and hard to hear anything short of explosions from a very well padded bag (add more, like your paper files near the mic, just to be extra "protective"}. Just protecting the employer's asset, sir.

  22. Antron Argaiv Silver badge
    Black Helicopters

    Work laptop spying?

    Most folks I know have a piece of paper over their camera when not actively conferencing. I have never been asked to remove mine, but if that did happen, I would refuse.

    Otherwise, I assume everything I type or view is being logged, and I'm fine with that. It is their laptop after all.

    When WFH, I have a second system for personal use, and a dedicated room for work, so none of my personal conversations are audible to the work machine (whose microphone is muted when not in use).

  23. Anonymous Coward
    Anonymous Coward

    I asked a top manager about staff surveillance

    When COVID was in full swing and we were firmly established working from home, I asked one of the top managers in our dept, he looks after around 200 staff. He said, "Any manager or company who thinks staff surveillance is the answer is terrified of their own worth. If you have to spy on your own staff then you're either a very lousy manager or working for a very lousy company full of lousy people. I don't see any to that here and I don't think it has any place in our company. We have to trust staff to work on their own, we're all adults and can be trusted and if it fails then we have HR and guidelines to help resolve it as it could some other unrelated issues going on. For example someone is in a domestic abuse situation and they can't work properly, then we need to help them on that, not spy and abuse them more. Short answer is no spy software on my watch."

  24. tiggity Silver badge

    I'm all in favour of logging / monitoring of what I do at work

    e.g.

    a) web sites I visit, including malware scans

    b) Internal machines I attempt to access

    c) Emails

    d) Port opening / access

    a - I'm only going to look at work related sites on my work machine, but logging useful as e.g. say I web search for information, and click through to a result that looks fine but turns out to be a malware site then automated scan has a chance of catching that (plus the logging will show an "innocent" visit to malware page)

    b - If I have somehow got zero day malware on my machine it might do all sorts of things to infect the network, pull down extra malware, communicate etc (so linking to a and d also potentially). So logging this sort of thing useful for malware spotting

    c - text content only to be human inspected if a valid reason as often contains confidential data, but definitely automated malware scans of email as a must have as even if you are super careful nothing to prevent A N Other sending you a nasty.

    What is not appropriate is e.g.

    logging of all keystrokes (amount of typing / wpm <> amount of work, lots of software dev / design work is "thinking time", many a bug hunt involves very little typing, e.g. lots of code inspection, the main typing is just opening a file, lots of page down as read it, open another file etc. )

    my camera activated without me knowing it (privacy, not just me - in a WFH scenario may be another family member walking past or doing something they don't want seen by all and sundry e.g. breastfeeding )

    recording when my PC is "sleeping" during working hours (a bit like the typing thing - thinking time does not mean typing or any interaction with PC, so a sleeping PC does not equate to no work - indeed to avoid pointless teams "pinging" locking the computer often the only way to get a bit of peace and quiet to contemplate a problem without interruption)

  25. trindflo Silver badge
    Big Brother

    Rearrange this paragraph and it answers itself

    The European Court of Justice (ECJ) recently found that mass surveillance of the population was an unjustified intrusion into privacy, even when the goal is to combat serious crime. Why, then, do we consider it reasonable to implement invasive surveillance to address the flawed computer systems we choose to use?

    We consider it reasonable to implement invasive surveillance *because* courts found that mass surveillance of the population was an unjustified intrusion into privacy.

    If our government can't get away with doing it themselves, they can look the other way then purchase the forbidden fruit from private aggregators.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like