When private information and business concerns collide

IDG News Service — Wed, 08 Jul 2009 11:05:52 -0400

I often advise IT professionals of the need to step up to working with their companies as strategic advisers around technology-related issues. This means helping business folk understand the strategic and practical implications of new technologies — and recommending policies that make sense in light of what technology makes possible.

That's particularly true when it comes to technologies such as social networking and communications. Together with the ongoing blurring of personal-professional boundaries, these technologies can raise interesting challenges for corporate policies.

Here's an example: What rights, if any, does a company have over employee identities? I'm talking about things like personal photographs online at social networking sites, and geographic whereabouts as revealed by cell phone and online mapping databases.

Is it acceptable for an HR department, for example, to check to see if an employee with alcohol issues frequented a bar over the weekend? (Read on for why this is a harder question than it seems.)

Or take the case of a man I met recently, who worked for a U.S. government agency that oversees procurement and regulation in a particular area. (This is not an agency that's involved in homeland defense, or espionage, or anything overtly "sensitive.")

The agency explicitly forbade this guy from launching a Facebook page, or posting photos of himself, or any identifying details of his family, including whereabouts, online anywhere — even if the photos were purely private and had nothing to do with his official duties.

The reason? Folks under his agency's regulation, or who hoped to sell to his agency, might see the photos, figure out where he lived, engineer a chance meeting — in line at a local Starbucks, for example — and thereby manage to gain influence for their organizations. Because the agency was required to be strictly neutral, in-person meetings (however unofficial) would be perceived as favoring one organization over another.

The key point, again, is that there were no overarching issues of national security at stake — the agency required employees to give up certain rights simply to ensure it could do its job more effectively.

Or take the issue of location-tracking, which I highlighted above. As most techies know, cell phone companies can provide up-to-the-minute information about a cell phone customer's physical whereabouts. The same is true for certain online applications, such as Google's Latitude, which tracks location via GPS.

If the employer provides the phone — or mobile application -- to that person, what right does it have to that information?

That's a question nobody seems to be addressing at present — and that IT professionals would do well to raise with their organizations' legal teams. It's even unclear under which circumstances this information must be provided to state, local and federal governments. The Electronic Frontier Foundation and the American Civil Liberties Union have filed a lawsuit against the Justice Department aimed (in part) at forcing clarification of these issues.

The bottom line? Social networking and communications technologies generate a host of ethical dilemmas — and IT folks need to be ahead of the curve when it comes to advising their organizations about the policy challenges they pose.

Johnson is president and senior founding partner at Nemertes Research, an independent technology research firm. She can be reached at johna@nemertes.com.