How Public is your Private Data


  • 8/9/2019 How Public is your Private Data


UMASS BOSTON - COLLEGE OF MANAGEMENT

MSIS 613: INFORMATION SECURITY
Prof. Ramakrishna Ayyagari

Information Security Project

Title: How private is your public data? An Analysis of the impact of Social Media on Employment and Information Policy.

Team Members:

Bipin Vaddi
Alexandrine Policar
Apostolos Koutropoulos

December 12, 2007


    Abstract

The rise of the term "Web 2.0" and its associated hype in technology circles refers to the perceived next generation of the Internet, largely focusing on the new wave of Internet collaboration technologies and concepts such as the video sharing site YouTube, and the explosion of weblogs, social-networking sites, mash-ups and wikis. Web 2.0 technologies emphasize online collaboration and sharing content, most of which is user-generated.

The explosion in popularity of social computing has dramatically changed the way we use the Internet, on a personal level and, increasingly, from a business perspective. The number of organizations using corporate blogs to disseminate key messages, networking from their desks by using sites such as LinkedIn, or using wikis for sharing knowledge has increased significantly.

During our research, we found out that several companies like BMW, Shell Motors, IBM, General Motors and British Airways are using social media and podcasting technologies to reach out to a rapidly expanding consumer base, but also to make it interactive and get some feedback directly from the consumers.

As the phenomenon continues to grow, the benefits and opportunities for businesses also grow through business networking, marketing campaigns or simply putting a human face to the company. However, the risks of sensitive information leaking via these channels will expand with wider business adoption. Several companies have already had their fingers burnt because of sensitive information being leaked onto the internet through social networking websites and blogs. The Apple Insider website published details about unreleased products, code-named Asteroid and Q97, in 2004, well before the official announcement, causing bad PR. Google fired an executive, Mark Jen, less than a month after he joined the company because of the candid comments he made on his personal blog about Google. Ellen Simonetti was sacked from Delta Airlines after posting images of herself in her Delta uniform on her personal blog.

The examination of these cases brings us to ponder the security vs. privacy issue. Several questions arose: What is the limit of privacy? Are we getting scrutinized in the name of security? What should the company's policy be with consideration to personal blogs? Isn't reading an employee's personal blog and their MySpace page an intrusion of privacy? Is there no freedom of speech? We took up researching these topics after we could not get any clear answer to any of these questions.

In the following sections, we have studied companies belonging to different sectors, the different kinds of policies they enforce upon their employees, and how beneficial or harmful the Web 2.0 concept is to the modern business world.


    Introduction

Today we live in an increasingly connected world. Information about us is now available on the internet for anyone to see, to utilize as marketers do, and to judge us by. We can do things today that were unfathomable just ten to fifteen years ago at the dawn of the internet. The internet is accessible twenty-four-seven, either through high speed internet connections, public and private access points, or through cellular networks. Forms of personal expression, such as a bumper sticker on your car, a lapel pin supporting breast cancer research, or a letter to the editor now have digital counterparts. The only difference is that before, only people in close proximity to you could see what causes you supported, what music you liked and other such information. Now, anyone with an internet connection and a search engine can find out the exact same information about you, anywhere in the world.

Many of our peers, and even more of the younger generation, have accounts on popular networking sites such as Facebook, MySpace and LinkedIn. More have personal websites, blogs, podcasts and videocasts. Just to put things into perspective, there are over 50 Million blogs to date (Sifry, 2006), over 200 Million MySpace users (MySpace, 2007), over 39 Million Facebook users (wiki answers, 2007) and over 5.5 Million LinkedIn users (Rosenbush, 2006). Even more seem to be part of one forum, community of practice or user group of one form or another. Most, if not all, of the data on these sites is indexed, stored and catalogued and is searchable through internet search engines. What we do online is there for all to see; however, there is a cultural and generational divide in this increasingly digital and connected world.

When creating a profile on Facebook, many of our generation think that the service is quite useful because we can reconnect with long lost friends and family much more easily than through conventional email. Email addresses may change, but your profile will always be there, unless you unsubscribe. Services such as these have great utility, such as developing your professional network, helping you find a job, or helping you find like-minded individuals to share a hobby or rally for a cause. They do however also have unintended consequences.

In a Harvard Business Review case titled "We Googled You" (Coutu, 2007), we follow the story of an ambitious graduate who wants to work for a multinational in China. She has local knowledge, speaks the language, and her father is friends with someone high up in the company. In the old days, before the wealth of information online, this would have been a slam dunk. In our case however this turned out not to be so. The Human Resources director googled her and discovered, among other things, her social networking profile and letters-to-the-editor that she had written many years ago. This gave the director cause for concern and her employment at that company was in jeopardy.

Our system of employment-at-will sometimes makes it rather difficult to express our views both online and offline. A letter to the editor may find itself on the newspaper's site for all to see and your job may (or may not) suffer from it. Speechless: The Erosion of Free Expression in the American Workplace by Bruce Barry provides us with a number of situations where people got reprimanded or fired for activities that they undertook when not in the workplace, both digital and real-world activities.

One interesting example is that of Heather Armstrong, who got fired for writing, from time to time, about work related matters on her personal blog, which was called "dooce" (Barry 2006: 171-172). She wrote critical things about co-workers, things that might come out when you are talking to your friend about work, and about that one (or two) annoying coworkers. Even though she was writing about these individuals anonymously, the higher executives of the company found out about the blog and fired her, even though the actions undertaken were on her own time, and she did not name names (Armstrong, 2007). As a postscript to this story, her blog's name was converted to a verb that means "To be fired from your job because of the contents of your weblog" (Urban Dictionary, 2007). As classmate Robert Schultz proved, you don't even have to blog about your company to get fired. He was fired from his job because he was using company resources, on his own time, not company time, to check some personal email (Koutropoulos, 2007). This led us to look at acceptable use policies, and other company policies that govern employee behavior both on and off work.

Taking into consideration all of the above, our team decided to analyze this phenomenon and determine how private your public data is, and how this affects your job or employability. Furthermore, we will look at what both employees and employers can and cannot do on the job based on a survey of privacy, employment and accountability laws.

    Online Presence and Perceptions of our Peers

One of the first steps we wanted to take as a team was to gauge the usage behaviors of our peers and other people that surround our lives, such as friends, families, and their close circle of friends and families. We aimed to find out what sort of social networking activities they participate in, how active their online lives are, if they are part of any communities of practice such as online forums, and so on. If our peers have active online lives, as we suspected they did, did they perform some of these tasks at work, using work resources? Finally, we wanted to find out what their perceptions were about employee monitoring at work, and how their online lives affect their present and future employability.

We first looked at the levels of participation on Social Networking sites such as the popular MySpace and Facebook. We started off with these types of sites because they have certain standard types of questions that they ask, such as "what are your favorite movies?", that are added to your online profile for your friends (and the rest of the world) to see. In this instance the users of such services are revealing something about themselves, but not very much. This information may be useful to a marketing team with high-powered data farms. It is useful information to data mine and have targeted advertising sent to you, but at first glance it does not always give away that much information about you. Generally speaking, this type of information is not the type of information that may cost you your present, or a future, job, but it has the potential to, as we saw in the "We Googled You" case. Our survey indicates that the great majority, 83%, of the people who took the survey have at least one account with a Social Networking site such as MySpace. Out of the users that had accounts, the top three sites were MySpace, LinkedIn and Facebook.

Secondly, we looked at the level of participation on other forms of Internet media communication such as blogs, wikis, forums, podcasts and photo-sharing services. This area was of particular interest because of the ability to post almost anything. Compared to social networking sites where information is more structured, such as your favorite movies, blogs have the ability to show off your command level of a language, your views on hot button issues, such as politics and religion, and topics that are more irreverent, such as what you did last weekend. Podcasts and video podcasts are just extensions of blogs where one can express oneself creatively, and photo sharing services can say something about you based on what types of photos you post online. Our survey results indicate that the great majority of our survey takers (73%) have membership in one or more types of online communication service. The top categories were chat services like MSN, Yahoo! and AIM (35%), and photo sharing services like Flickr (25%). Another 24% of people had some sort of blogging site membership in the form of a personal blog, a website, a podcast, or regular contributions to YouTube. Finally, peer-to-peer services like Gnutella and BitTorrent rounded off the remainder of the results with 10%.

These types of free form expression, through text, spoken word or video recording, can be used to share your views and day-to-day happenings with friends, family, and like-minded individuals, but increasingly employers are looking at these forms of expression and communication as yet another way to evaluate potential candidates, and another way to let go of employees that they want to let go, for reasons both related and unrelated to the contents of their online lives. In a sense, your public online life is a sort of Myers-Briggs Type Indicator test, for those that have the patience to wade through all of your public data. Should corporations be allowed to do this?

Our survey results indicate that most people do not blog, or post information in communities of practice, about work related topics. We also found that most of the people that took the survey (74%) believe that employers should not monitor employee email or online activities. Since the question was a bit vague, our team interpreted this result as: employers should not monitor employee computer use while on the job, and should not monitor the employees' online habits when they are off the clock. When asked whether the survey takers believed that one's activities in his or her spare time affected their employment, the great majority (68%) responded that what they do in their spare time does not impact their employability. Through our research, though, we found out otherwise.

Finally, we wanted to see how many employees had to sign a computing acceptable use agreement as a precondition to getting hired by their particular employer. Last summer, when one of our team members was job hunting, he found out that as a precondition to employment he needed to sign an acceptable use policy. Our survey results reveal a mixed picture. Most people did not have to fill out an acceptable use policy (37%). A minority of respondents (28%) had to sign an acceptable use policy. The scary statistic is that 35% of the respondents did not know if they were under some sort of acceptable use agreement, which means that they may be required to be mindful of their usage of work resources and they do not know it.

    The Letter of the Law

    Introduction

With the information world becoming a global village where interested parties are willing to sell and/or buy on the black market one's personal data, such as email addresses, phone numbers and credit cards, and also corporate data such as IP addresses, customers' mailing addresses, account numbers, and so on, privacy issues have become one of the hottest topics in information security of this flat technology world. Many organizations are collecting, swapping and selling personal information as a commodity, as mentioned in the Harvard Business Review case titled "The Dark Side of Customer Analytics" (Davenport, 2007), where a health insurance company partners with a grocery store that possessed sophisticated data about their customers using the loyalty card. As a result the health insurer is able to use the data provided, with or without the customers' consent, to identify correlations between grocery purchases and insurance claims using analytics and to design specific programs based on a pattern based approach. As in this fictional case, many consumers and individuals are looking to governments to develop laws and regulations to protect their privacy and to define the scope of an organization's legal and ethical responsibilities.

As individuals we elect to trade some aspects of personal freedom for social order. As Jean-Jacques Rousseau explains in The Social Contract or Principles of Political Rights (1972), the rules the members of a society create to balance the right of the individual for self-determination with the needs of the whole are called laws. Laws are rules adopted for determining expected behavior in modern society; they are needed when individuals choose not to follow social norms, and they carry the sanction of a governing authority. Since the beginning of information security in the early 1970s, the USA has been the leader in developing and implementing new laws and regulations to protect individuals and organizations.

Such private and public laws are established to prevent the misuse and exploitation of information, to protect the privacy and confidentiality of patients' private and health data, to protect children against online predators, sex offenders and child abuse, to regulate publicly traded, private, governmental and non-profit companies, to minimize liabilities and reduce risks and losses from electronic and physical threats and legal actions, to prohibit criminal intents of mis-authorization and damage of protected computers and data, to enforce the rights of employees and employers, to protect employees against discrimination in the workplace, and to make corporations more accountable and enforce compliance and social responsibilities. Table 1 shows a list of some key U.S. laws of interest to information security professionals. These laws, such as the Federal Privacy Act of 1974, the Electronic Communications Privacy Act of 1986, the Computer Security Act of 1986, the Sarbanes-Oxley Act of 2002, the Family Educational Rights and Privacy Act (FERPA) of 1974, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996, affect the individual in the workplace and regulate the structure and administration of government agencies and their relationship with citizens, employees, and other governments, local and international. Our intent in the following paragraphs is to present some relevant legislation and regulations concerning the management of information in an organization, explore the purpose of these laws, and describe what enforcement procedures are available. We focus on pertinent and important legislation and regulations relevant to information security and group the laws into three categories: accountability laws and corporate responsibility, privacy laws, and employment laws.

Table 1: Key U.S. Laws of Interest to Information Security Professionals

Act | Subject | Date | Web Resource Location | Description
Computer Fraud and Abuse Act (also known as Fraud and Related Activity in Connection with Computers, 18 U.S.C. 1030) | Threats to Computers | 1986 (amended 1994, 1996 and 2001) | www.usdoj.gov/criminal/cybercrime/1030_new.html | Defines and formalizes laws to counter threats from computer-related acts and offenses
Federal Privacy Act of 1974 | Privacy | 1974 | http://www.usdoj.gov/oip/privstat.htm | Governs federal agency use of personal information
Gramm-Leach-Bliley Act of 1999 (GLBA) or Financial Services Modernization Act | Banking | 1999 | http://www.ftc.gov/privacy/privacyinitiatives/glbact.html | Focuses on facilitating affiliation among banks, insurance, and securities firms; it has significant impact on the privacy of personal information used by these industries
Health Insurance Portability and Accountability Act | Health care privacy | 1996 | www.hhs.gov/ocr/hipaa/ | Regulates health care, storage, and transmission of sensitive personal information
Electronic Communications Privacy Act of 1986 (ECPA) Title 47 | Communications and Privacy | 1986 | http://www.cpsr.org/issues/privacy/ecpa86 | Prohibits the reading of information in transit and in storage after receipt
The Sarbanes-Oxley Act of 2002 | Corporate Accountability | 2002 | http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm | Defines firms' accountability and corporate responsibilities
The Family Educational Rights and Privacy Act of 1974 (FERPA) | Education | 1974 | http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html | Protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education
National Information Infrastructure Protection Act of 1996 | Criminal Intent | 1996 | http://policyworks.gov/policydocs/14.pdf | Categorizes crimes based on the defendant's authority to access the computer and criminal intent

    Accountability Laws: Corporate Accountability and Social Responsibility

Accountability laws are laws that hold companies liable when they violate federal and state regulations. When securities laws apply, a business may face a maze of legal and regulatory burdens. If they are violated, a business and its principals may face substantial civil, financial, social, administrative, and even criminal sanctions. Because of increased enforcement efforts by state and federal agencies and continuing enforcement efforts by the SEC, it is imperative that businesses try to conform to established regulations and stay compliant in order to avoid substantial penalties. One of the US laws that defines what a company can and cannot do is called the Sarbanes-Oxley Act. According to Wikipedia, the Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, was signed into law on July 30, 2002 in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Peregrine Systems and WorldCom. These scandals resulted in a decline of public trust in accounting and reporting practices. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." (Wikipedia, 2007)

The Sarbanes-Oxley Act is a set of complex regulations that is considered to be one of the most important business reform acts since 1934. The Act combines bills that were drafted by Senator Paul Sarbanes and Congressman Michael Oxley, designed to enforce corporate accountability and responsibility. Congress quickly enacted the bill to restore confidence in corporate America, where a plunging stock market, increased corporate fraud and numerous accounting scandals, not to mention record breaking bankruptcies, have had a negative impact on the economy. The Act has granted the SEC increased regulatory control, lengthened the statute of limitations and imposed greater criminal and compensatory punishment on executives and companies that do not comply. The law, enacted in 2002, created an oversight body for audit firms, stiffened penalties for fraud, and required auditors to certify that firms have adopted adequate internal controls, such as the adoption of difficult and complex passwords to prevent fraud. Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now, those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.

For example, according to Computerworld (May 22, 2006), Kodak Imaging Network Inc., an online photo-sharing service once known as Ofoto, has agreed to pay $26,331 in penalties for violating the federal CAN-SPAM Act. The Federal Trade Commission charged that the company violated the law by sending 2 million messages that didn't provide a physical postal address or a means of opting out of receiving future e-mail. Because of the increase in crime, companies are more vigilant nowadays in protecting their most important asset, which is information. Some companies even take drastic measures to protect their assets and resources by not allowing employees to access the internet while at work. That means that people were able to connect only to the company intranet site.

    Privacy Laws

Privacy deals with the degree of control that an entity, whether a person or organization, has over information about itself. With the widespread use of the internet and the emergence of more sophisticated hackers, consumers and customers prefer doing business with companies that can keep their personal information private. In response to the pressure for privacy protection, the number of laws and regulations addressing an individual's right to privacy has grown tremendously in the past five years or so. It must be understood, however, that privacy in this context is not an absolute freedom from observation, but rather is a more precise state of being free from unsanctioned intrusion. To better understand this rapidly evolving issue, we will talk about two of the most relevant privacy laws, namely HIPAA and FERPA. Those privacy acts regulate the government in the protection of individual privacy. The Federal Privacy Act of 1974 was created to ensure that government agencies protect the privacy of individuals' and businesses' information and to hold those agencies responsible if any portion of this information is released without permission. However, some agencies like the Congress, the Comptroller General, the credit agencies and certain court orders are exempted from some of the regulations so they can perform their duties.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, is an attempt to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. HIPAA impacts all health care organizations including doctors' practices, health clinics, life insurers, and universities, as well as organizations which have self-insured employee health programs. Organizations that fail to comply with HIPAA law can pay penalties of up to $250,000 and ten years imprisonment for knowingly misusing client information. The privacy standards of HIPAA severely restrict the dissemination and distribution of private health information without documented consent. The standards provide patients the right to know who has access to their information and who has accessed it.

Another important privacy law, used more in education, is the Family Educational Rights and Privacy Act of 1974 (FERPA), which sets forth requirements regarding the privacy of student records. FERPA, also known as the Buckley Amendment, governs release of education records maintained by an educational institution and access to the records, so that the student is afforded certain rights to privacy. The law applies to elementary, secondary and postsecondary institutions, public and private, that receive funds from the federal government under any program administered by the U.S. Secretary of Education. Furthermore, FERPA protects the education records of persons who are or have been in attendance at education institutions.

Student education records are official and confidential documents protected by FERPA, one of the nation's strongest privacy protection laws. It defines education records as all records that schools or education agencies maintain about students. FERPA gives parents the right to review and confirm the accuracy of education records. These rights transfer to the student when the student turns eighteen years old or attends a postsecondary institution. At this time, the student is designated as an eligible student and holds the same rights as his or her parent held with respect to education records. This and other United States privacy laws ensure that information about citizens collected by schools and government agencies can be released only for specific and legally defined purposes. Since enacting FERPA in 1974, Congress has strengthened privacy safeguards of education records through this law, refining and clarifying family rights and agency responsibilities to protect those rights.

For example, the University of Massachusetts uses an all-or-nothing approach for FERPA privacy requests. Students or former students may request that all information be blocked under the auspices of FERPA. Some schools allow students to block fields from display, but this is not part of FERPA. With the exception of narrowly-defined health and safety reasons, a FERPA block means that the University cannot acknowledge the student's existence or attendance. Students requesting a FERPA block use a form and must have a personal discussion about the block with the Registrar of their School prior to implementation. However, even though students may request a block on their records, some law enforcement agencies can, according to the law, still have access. In a survey conducted in March 2004 by the American Association of Collegiate Registrars and Admissions Officers (AACRAO), the association wanted its membership to learn more about how institutions comply with the federal Family Educational Rights and Privacy Act (FERPA). The survey was answered by 560 educational institutions and the results presented in Table 2 below can be stated as follows:


- Compliance with FERPA is a major concern for colleges and they devote serious attention to the effort.
- Forty percent of institutions do not have a student directory.
- Law enforcement agencies made improper requests for non-directory student information to 31.2 percent of responding institutions during the past year.
- Sixty-six percent of institutions do not release their entire student directory to outside parties.
- Compliance by colleges with the voter registration requirements of the Higher Education Act of 1965 is inconsistent.
- About 8 percent of institutions indicate willingness to contribute their student directory to an outside party for youth voter mobilization.

Table 2: Survey Results on FERPA, March 2004, by AACRAO

If you have a student directory, what data elements does it include?

Percent | Data Element
100.0 | Name
77.2 | On-campus telephone
73.3 | On-campus address
65.7 | Email
59.8 | Permanent address
50.8 | Permanent telephone number
45.3 | Major/field of study
22.8 | Photograph
15.3 | Date of birth
5.7 | Place of birth

At any time in the past year, has your institution been asked to release NON-DIRECTORY information to law enforcement agencies or representatives?

| Yes, and we complied | Yes, and we did not comply | No
Agents had subpoena or court order | 367 | 10 | 169
Agents had no subpoena or court order | 27 | 111 | 305

Institutions that do not comply with the FERPA regulations can still get away with it because of the complexity of the complaint procedure. A complaint filed under FERPA is comprised of three steps: firstly, specific allegations of fact giving reasonable cause to believe that a violation of the Act or this part has occurred; secondly, the Office investigates each timely complaint to determine whether the educational agency or institution has failed to comply with the provisions of the Act or this part; lastly, a timely complaint is defined as an allegation of a violation of the Act that is submitted to the Office within 180 days of the date of the alleged violation or of the date that the complainant knew or reasonably should have known of the alleged violation.

    Employment Laws

Employment is considered a key element in full citizenship and provides a sense of fulfillment and self-worth. The role of regulatory policy in the workforce is to protect wages, benefits, pensions, safety, and health. The U.S. Department of Labor (DOL) is the institution that governs laws and regulations in the workplace. As stated on the DOL web site, "DOL is committed to providing its customers - America's employers, workers, job seekers, and retirees - with clear and easy-to-access information on how to comply with federal employment laws. This information is often referred to as compliance assistance, which is a cornerstone of the Department's efforts to protect the wages, health benefits, retirement security, employment rights, safety, and health of America's workforce." The Employment Standards Administration (ESA) develops and administers employment acts to protect the American worker and his or her family against discrimination, exploitation, abuse, trade, loss of work, and so on. Two of the acts are the Fair Labor Standards Act (FLSA) and the Family and Medical Leave Act (FMLA).

The Fair Labor Standards Act (FLSA) prescribes wages and hours of work and defines the minimum wage and overtime pay standards as well as recordkeeping and child labor standards for most private and public employment, including work conducted in the home. The minimum wage is set at $6.55 per hour effective July 24, 2008, and $7.25 per hour effective July 24, 2009. Youths under 20 years of age may be paid a minimum wage of not less than $4.25 an hour during the first 90 consecutive calendar days of employment with an employer. Although the Act does not place a limit on the total hours which may be worked by an employee who is at least 16 years old, it does require that covered employees, unless otherwise exempt, be paid not less than one and one half times their regular rates of pay for all hours worked in excess of 40 in a workweek. In addition, the FLSA sets forth special rules for working out of the home.

The Family and Medical Leave Act (FMLA): This act requires employers of 50 or more employees and all public agencies to provide up to 12 weeks of unpaid, job-protected leave to eligible employees for the birth and care of a child, for placement with the employee of a child for adoption or foster care, or for the serious illness of the employee or an immediate family member. The Family and Medical Leave Act requires employers to provide job-protected leave, but little is known about how these leave rights operate in practice or how they interact with other normative systems to construct the meaning of leave. Research shows that leave rights remain embedded within institutionalized conceptions of work, gender, and disability that shape workers' perceptions, preferences, and choices about mobilizing their rights. However, workers can draw on law as a cultural discourse to challenge these assumptions, to build coalitions, and to renegotiate the meaning of leave.

Since 1962, the US has recognized in its public policies that workers who lose their jobs due to international trade and investment should be specially assisted and compensated for their economic losses, because the general populace benefits at their expense from a government policy favoring open trade. Trade-displaced workers under the Trade Adjustment Assistance (TAA) program receive unemployment benefits for an extended period (up to two years of trade readjustment allowances while engaged in job training), tuition assistance, health benefits, and relocation subsidies. In conjunction with counseling, support services and job placement assistance provided through a network of 1900 one-stop career centers operated under the Workforce Investment Act, this package of services is intended to help trade-displaced workers adjust to their job loss by gaining new skills and employment at decent wages. In FY2004, about 150,000 workers were certified eligible to receive TAA benefits, and about 90,000 started to receive income support and training services. But the TAA program disappoints, in part because of its narrow coverage and cumbersome certification process and in part because it does not offer the option of a rapid return to work while mitigating wage losses. Policymakers must recognize, however, that developing and sustaining a quality TAA program requires a long-term financial commitment and the support of partnerships among the various stakeholders, including businesses, employers, consumers and their families, labor representatives and public education institutions, as well as the various agencies within the government. They must explore ways to use their policy levers to create laws and regulations to protect the American workforce.

    Balance Between Rights & Responsibilities

    Introduction

There is a fine balance between employee and employer rights and responsibilities. On the one hand, employers need to be able to keep the organization running and make sure that their resources are not misappropriated. These resources may be employee time, company equipment or company bandwidth. This is a measure that keeps the company protected from external threats such as lawsuits, viruses and attacks, and keeps the company in line with national laws and regulations. Keeping tabs on how employees utilize these resources may be the best way of ensuring regulatory compliance and streamlining of resources. Conversely, employees have the responsibility to not abuse work resources for their own benefit, such as using company time and resources to run their own business on the side.

Looking up an employee's digital life may be a cheap way of conducting a background check on potential hires. Some organizations require background checks as prerequisites to employment. Of course, the caveat is that these organizations that require a background check generally let the employee know that they will be subjected to such a check and that it will be part of the employment process. When employers check a potential employee's digital life, through googling them for instance, without letting them know, and base an employment decision on this, they may be breaking the law.

    Employee Rights and Responsibilities

When it comes to employees' rights and free speech, it is appropriate to say that in general we have none due to our system of employment at will. If you work in a unionized environment or for a government agency or contractor, then you have some rights when it comes to exercising your right to free speech. As Bruce Barry, author of Speechless (2007), wrote, if you work for the government you have rights, except when you don't. If you work in an employment-at-will, corporate environment you don't have rights, except when you do. This is quite vague, and deservedly so. It has been pointed out in Speechless that court rulings on the subject of free speech in or about the workplace are an employee's and employer's nightmare, but a lawyer's dream.

In layman's terms, free speech guarantees that the government won't impede your right to free speech. However, just because I have the right to say what I wish doesn't mean that I can or should. I wouldn't, for instance, go up to a police officer and say that there is a bomb in the next building over, when in fact there is not. There would be severe repercussions if I did. In the workplace, similar responsibilities exist. You have the right to free speech, and you can blog about any topic you want on your blog or your MySpace account, but there are responsible limits. Just like you shouldn't keep your password on a post-it note on your monitor, you shouldn't post your passwords or company trade secrets on your blog.

Another example is if you are a software developer and you determine that your company's product has a critical flaw that allows remote execution of code. An appropriate response would be to bring it to the attention of the development team; if they don't do anything about it, bring it up with a superior, and if they are indifferent as well you may be out of options. You may take the law into your own hands and become an anonymous grey hat hacker and expose the vulnerabilities somewhere on the internet, however if it is traced back to you, there is a high probability that your job may be in danger.

An excellent example of work-related blogging and its effects on the corporation and the confusion it creates with the corporate staff is the Harvard Business Review case A Blogger in the Midst (Suitt, 2003). In this case an employee of the company was both a blessing and a potential landmine for the company. Her blog showed her enthusiasm about the product that her company was selling and as a result sales had actually increased! There were also some potential pitfalls, such as her questioning whether or not the company should be doing business with a particular hospital due to ethical considerations, which could cause the company to lose sales.

Finally, from a product announcement point of view, not only did her blog steal the CEO's thunder during the announcement of the new product, it could also be considered corporate theft, since she did not ask for permission to share internal information with the rest of the world. It is the blogger's right to speak their mind, but it is also their responsibility to look out for at least some of the company's interests, such as the loss of intellectual property. Another consideration is that if her blog were private and only a few people had access to it, the information she imparted could be considered insider trading, and she, her audience and maybe the company may have been in legal hot water.

    Employer Rights and Responsibilities

Employers as a group, be they corporate, academic or not-for-profit, have responsibilities, and stemming from those responsibilities they have rights to enforce them. At a thirty-thousand-foot view, employers have the responsibility to be compliant with local, state and federal regulations; they need to protect their resources from external threats such as viruses, spam, spyware and hackers; and they need to protect their resources from misuse or abuse, such as having employees steal office supplies or run their own business from their office. Another example where an employer has a responsibility is in the protection of the employee while on the premises. Most of these responsibilities overlap with one another. In the recent Forrester research publication we see that most of these are on the minds of companies and their security professionals (2007).

There are many examples of these types of responsibilities that employers have. One such example is that schools and agencies in Massachusetts that work with children often require their employees to undergo criminal background checks. Another example we saw in the case of A Blogger in our Midst (Suitt, 2003), where an unofficial company blogger is potentially leaking company secrets through her blogging. This may be innocuous, but it may not. Competitors may get hold of the information and cause trouble for the company, or federal regulators may come down on the company that employs the blogger, because this sort of information leak may be considered insider trading.

In the research conducted by Forrester, and in our own research, we see some interesting numbers and some interesting findings as well. We see that Web 2.0 has engendered much concern over the security of Web 2.0 applications and that organizations today are not prepared to deal with these threats. This is evidenced by the lack of consistent policies, risk awareness, and adequate user training (Forrester, 2007). This to our team is quite amazing, because the events detailed in A Blogger in our Midst took place in 2003, and it is now 2007. Four years have passed, but appropriate policies, training and awareness have not been mainstreamed.

The Forrester research tells us that Web 2.0 utilization increases consumption of bandwidth and decreases employee productivity, so a company takes, at minimum, a double hit due to the internet habits of its employees. They lose bandwidth, which isn't always cheap, they lose employee productivity, and they probably risk company information leaking out through blogs, wikis, and social networking sites. Our own survey shows that around 70% of the respondents use work resources to browse the internet. The Forrester survey tells us that 71% of respondents (IT managers) indicate that anywhere from 15% to 50% of the bandwidth is consumed for non-business-related activities, activities which we have highlighted in a previous section. Fourteen percent of IT managers indicate that 50% or more of their company's bandwidth is consumed for non-work purposes. These numbers are quite staggering if you are an employer.

This type of non-business use can lead to problems for the organization. Forrester reports that data leakage is a major concern for companies, but that viruses, malware and Trojans collectively are a major issue. 46% of the organizations surveyed said that they had spent more than $25,000 in the previous fiscal year to clean up malware on their company computers. These costs break down to approximately $15-$30 per user per year in cleanup costs (2007).

Given all these responsibilities that employers have, they have certain rights to enforce them. These types of enforcement come in different packages. Some enforcement comes in the form of agreements that employees sign before becoming employed at the company. These agreements identify the terms of use of company resources. If employees are caught abusing the resources they can get fired or at least reprimanded. Since our form of employment in the US is termed employment at will, which means that you can be fired and laid off for no reason at all, most companies have some sort of procedure in place in order to avoid lawsuits.

    A lot of our friends and classmates surveyed felt quite strongly that the company shouldnot monitor your online activities and use while you are at work. Our interpretation of that is thatthey do not want big brother to be monitoring every single thing they do. The truth is that acompany has every right to monitor and regulate their resources, whether employees like it ornot, because they are liable for the use of those resources.

The Forrester research findings tell us some good news on this front. Most companies ranked loss of productivity and non-business use of bandwidth very low on their potential business issues. This seems to indicate that they don't really care what you do so long as it's not illegal and you are doing your job. What companies are concerned with are loss of confidential and sensitive data, malware infections (because as we saw they are quite costly), and inappropriate content coming into (or being disseminated from) the organization, because it is a potential liability. To boil things down, in the workplace the employer can monitor general communications to make sure that their network is safe and meeting regulatory standards. What they cannot do is single people out and reprimand them for a specific type of behavior when others are engaging in the same type of behavior. If some sort of impropriety is suspected, they can monitor individuals, but they need to document the process in order to stay within regulatory compliance.

Finally, there is the issue of monitoring employees when they are off the clock, or googling an employee before you hire them. As mentioned earlier, googling someone is a free way to do a background check, assuming they don't have a generic name such as John Smith. Employers and employees can get a wealth of information about each other, and it can provide good additional material to talk about during an interview. This way you are seeing what an employee is passionate about, and how much of a fit they will be in your organization, and the same is true for employees. They can see what other people say about the organization, what their potential managers and coworkers are interested in, and what they do, and decide if that is the place for them.

Of course, this kind of information can be misused or misinterpreted, as we saw in the case of We Googled You (Coutu, 2007). Employers may choose not to hire someone because they don't share their particular beliefs, be they in government, religion, or sports. This of course is illegal, but if someone really doesn't want to hire you for one reason or another, even if you have a resume and work experience that make you a perfect candidate, they can find a perfectly legitimate reason not to hire you. As a way of protecting the firm and its employees, the company has the right to view your public data, such as your Twitter, Facebook, and MySpace accounts, and go through and read your blog or shared RSS feeds. What an employer does not have the right to do is to refuse you the job because of your personal beliefs, race, gender, sexual orientation and other non-discrimination criteria.

    Comparison of Different Organizations

    Introduction

In today's interconnected world, where the importance of technology is ever-increasing, every corporation needs a well thought out and well worded IT security policy and use policy. Threats to the integrity and reliability of data exist from within the enterprise as much as from outside of it. In some cases, internal threats are perceived as more dangerous than the outside ones. Threats can exist in the form of hackers, competitors and foreign governments across different industries. External threats are often easier to detect due to technological advances like firewalls and IDS systems being used in corporations, but internal threats are far more damaging to the corporation, since they are much harder to find and isolate.

    Information security is a business issue, not just a technology issue. The reasonorganizations want to protect information should be for sound business purposes. Corporateknowledge and data are arguably the most important assets of any organization. Corporationsmust ensure the confidentiality, integrity and availability of their data.

In this day and age, when Web 2.0 is on the rise, we find people increasingly on different websites and collaboration platforms like MySpace, Twitter, Facebook, Friendster, LinkedIn, personal blogs, mashups and wikis. Social networking is here to stay, and in these communities an initial set of founders sends out messages inviting members of their own personal networks to join the site. New members repeat the process, growing the total number of members and links in the network. Sites then offer features such as automatic address book updates, viewable profiles, the ability to form new links through "introduction services," and other forms of online social connections. Social networks can also be organized around business connections, as in the case of LinkedIn.

The explosion in the popularity of social networking websites and technologies has dramatically changed the way we use the internet, from a personal as well as a business perspective. Since every person has the right of freedom of speech, where corporations decide to draw the line becomes an interesting question. There have been increasing cases of misuse of these technologies.

Employees are clearly accessing these sites a lot; not only is the amount of lost working hours a major concern in terms of productivity, but it stands to reason that the risk of accidental disclosure of information is increased by the significant amount of time spent accessing these sites. Over the next few sub-sections, we will take a look at the different use policies being enforced in different types of organizations.

    Academia

Our survey (Koutropoulos, A. 2007) includes users from public and private universities, colleges, and community colleges. We started looking around for use policy agreements and began our research with the use policy of UMass (University of Massachusetts, 2007). The Acceptable Use Policy summary is provided on the website of the university to give the students, faculty and staff a look at the university's data and computing policies, guidelines, standards and procedures. The general statement of the policy sums it all up in saying, "The university expects all members of the community to use the computing and information technology resources in a responsible manner, respecting public trust through which these resources have been provided, the rights and privacy of others, the integrity of facilities and controls" (Acceptable Use Summary, 2005).

With increasing dependence on computing and enterprise applications, universities across the globe are becoming more and more vulnerable to security breaches and data misuse by their students and staff. In 2005, UMass Boston introduced an enterprise application from PeopleSoft, integrating its student registration and records systems with HR and finance applications, and hence had to revamp its use policies accordingly. The technology helped the university to develop, deploy, maintain, and upgrade its applications. PeopleSoft helps the university centrally manage, monitor, and adapt business process solutions to accelerate return on investment and lower total cost of ownership. The security policy became all the more prominent because of this new application.

The University has business relationships with various outside companies and business partners. These relationships may require that these outside entities obtain information about University community members or that the university provides data files containing that information. Information may not be provided to outside entities or individuals unless a verified business relationship exists. In most cases, University ID numbers (e.g., student or employee id) or social security numbers (SSN) should not be provided to external entities (Copyright response procedure, 2005). We have seen that this has been included in the policies of almost all the universities, including Northeastern, BU, Bentley and Harvard.

Many recent examples of data theft have surfaced in the last few months. Since the new enterprise applications have been introduced, the University ID gives an all-access pass to the student: he/she can browse their student records, grades, billing information, SSN and biographical data, address and financial aid information, and student email. If anyone else can break into their account, then a lot of damage can be done. Students are also not prevented from accessing social networking sites like Facebook. Most of the students who have signed up for this site have displayed their university student email address on their profile. If someone knows your university id, then they can reset your password for the student email application and enter the system. There have been incidents where people from outside of the university call and ask for the student email list, so that they can target their marketing or send out email spam. People call masquerading as being from the US Army, trying to recruit students to enroll in the army, and most of the time, when the helpdesk presses them to reveal their identity, the truth unfolds.

Some of the more recent problems include the crackdown on students using university networks to download and distribute copyrighted material. "For those accustomed to downloading at will, that means if you are caught digitally downloading music, your school Internet service could be suspended for a week, a month, a year or for as long as you live on campus. From Boston to Berkeley, new rules for punishing college students who use campus computer networks to illegally download music, movies or games carry some pretty harsh penalties..." (MTV, 2007). Notices were sent to the university officials of about 60 universities around the U.S., and almost all the students were given a chance to settle the case and avoid a lawsuit by making a payment of up to $6,000. "It'll scare people. They'll realize, 'I'm not invisible,'" said Muneeb Malik, 19, a junior biology major. (Oroville Mercury-Register, 2007)

"Abuse of the networks or of computers at other sites connected to the University's computers or networks by authorized users is treated as abuse of computing resources at the University" was a recent addition to the use policy, with ever-increasing cases of students and staff using the university computers and broadband connections to download illegal files, including music and movies. The RIAA has been filing cases against universities around the country. UMass has come out with procedures for responding to notifications of copyright violation (Copyright response procedure, 2005).

Universities are becoming increasingly aware of the fact that their resources can be used for illegal purposes. They are more prone to lawsuits being filed against them and hence take the additional precaution. Most of the universities have similar use policies and follow the standard, where they make it a point to emphasize that the university has a policy in place to address the relevant laws and rules. IT security policy will soon ban the use of all P2P activities on campus, to prevent any further chance of a damaging lawsuit.

In July, the University of Kansas announced an even stricter one-strike policy for infringers on its campus-wide ResNet, replacing the former three-strike rule, covering not just music but any illegally downloaded material, including movies, games and software. UMass Amherst ranked sixth for illegal downloads, and according to the Boston Globe, by February of last year UMass Amherst had been hit with 897 copyright-infringement complaints, up from 365 the previous year (Boston Globe, 2007).

    University of Massachusetts has several policies in place to take care of different aspects.They have Academic policies, Data and computing policies and guidelines, Responsible/Acceptable use of computing and data resources, Record management, retention and dispositionstandards, and other university-wide procedures like procedures for preservation of and responseto demands for electronically stored information.

Social networking sites like MySpace and Facebook have been restricted for use at public terminals like the student kiosks on the UMass Boston campus, because of the amount of time students were spending browsing these sites. That is the case at Harvard and MIT as well: they do not let students use social networking sites on the kiosks, but that is the only restriction; students are free to post any information, run their own blogs, and can access them from computers on campus. This is very different from other sectors like government offices and the private and corporate sector.

    Government

The U.S. government is very much aware of the security risk arising from the increasing popularity and usage of social networking sites. In fact, let us start off with the fact that US-CERT (US Computer Emergency Readiness Team) has a special tip called Cyber Security Tip ST06-003 (NCAS, 2007), which encourages people to be very cautious and safe on social networking sites.

In May 2007, a memo sent out by General B.B. Bell, Commander of U.S. forces, outlined new guidelines that would block sites like MySpace, YouTube, Hi5, Friendster, live365 and blackplanet. The reasons were both disclosure of information and preventing the use of excess bandwidth. Photo sharing websites were also banned from use; soldiers who used to post their photos online from Iraq could no longer do that.

The US government is funding research into social networking sites and how to gather and store personal data published on them, according to the New Scientist magazine. At the same time, US lawmakers are attempting to force the social networking sites themselves to control the amount and kind of information that people, particularly children, can put on the sites. An article published in The Register claims that The New Scientist discovered that ARDA (Advanced Research Development Agency), credited in a footnote with part-funding the research paper, is a branch of the National Security Agency, the US government body responsible for surveillance and code breaking (The Register, 2007).

The US Congress is attempting to limit the ways in which young people use the sites in order to protect young people and children. The Energy and Commerce subcommittee has just finished a series of hearings on pornography and plans to issue legislation to protect children online. The plans will contain some measures to force social networking sites to protect their users, said US press reports.

If you jump to the conclusion that the US government and all government agencies are against social networking, then you are heading in the wrong direction. Many government agencies appreciate the fact that Web 2.0 can be used to the benefit of the organization. As long as some rules are followed, Web 2.0 is very much encouraged.

David C. Wyld, professor of management at Southeastern Louisiana University and author of a recent report, The Blogging Revolution: Government in the Age of Web 2.0, shared his advice with government executives in the audience on how best to get started blogging in the Web 2.0 era. These are the three most important points (Wyld, 2007):

1. Define yourself and your purpose
2. Do it yourself
3. Don't give too much information

    Government agencies are moving well beyond the experimentation stage in adaptingonline social networking tools to advance internal collaboration and in reaching out to citizens.Efforts by the Centers for Disease Control, the Environmental Protection Agency, NASA and theintelligence community were among a number of working examples attracting public and privatesector interest in Web 2.0 technologies.

The Centers for Disease Control highlighted the various ways the CDC is reaching out to the public using social networking and communications techniques. eCards, podcasts, virtual worlds and social networks are all encouraged.

They are not opposed to collaborative technology, but they want to use the technology for the betterment of the organization, and this line gets blurred when employees reveal too much information online about themselves and about the company they work for. This could be potentially damaging. There have been an increasing number of cases where employees have written unsavory facts about their place of work on their MySpace bulletin pages, posted a note on Facebook, or written something on their personal blog.

There are several lawmakers interested in banning the use of social networking sites from universities, schools and government agencies altogether. Their argument is that because of the easy availability of information and photos of people on these websites, it has become easier for predators to steal information and infringe on privacy. The Federal Trade Commission has recently launched an investigation into MySpace and Facebook to make sure that they are not violating any privacy laws because of their advertising strategy. "MySpace and Facebook are like the digital data equivalent of Fort Knox for Madison Avenue marketers," he said. "It is a kind of one-stop data shop for marketers. They know your interests, your politics and what movies you like. It is a much richer array of content that marketers simply should not have automatic access to." (Computer World, 2007)

Certain government agencies like the CDC and EPA are leaning towards implementing collaborative technologies, but are not very comfortable with the fact that a person posts his/her personal information in very great detail for everyone to view. They also oppose any information regarding their workplace being posted online.

    Private Sector: Finance

Many corporations in the private sector talked up blogs when the concept of Web 2.0 had become too prominent to ignore. They really believed in blogs being an important and enduring phenomenon, until recently, when more and more cases have been exposed where employees have been writing about their place of employment, style of management, flaws in the company's operational activities, and venting frustrations at work on their personal blogs. There have been several cases of people shooting video clips of their places of work and posting them on Youtube.com, and also writing notes and comments about their co-workers on MySpace. Anything posted on the web can be looked up by almost everyone around the world.

    Financial companies are often very particular about the web sites their employees visit. Chase's credit card services division even monitors all employee email and does not allow workers to use any web-based email service like Gmail or Hotmail. They are also against instant messaging services like Yahoo Messenger, which are not very secure. They have developed their own chat client, which can only be launched from an authorized computer on the company intranet or over an authorized VPN connection. Financial company workers often deal with sensitive data like SSNs and other biographic information which, if posted or leaked online by a fraudulent employee or simply by mistake, can damage the company's reputation. Upper management justifies its strict use policy and employee monitoring with that very fact. The finance industry, especially personal banking, investment banking, the mortgage business, and credit services, is very stringent about the policy it enforces on employees.
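The controls described for the credit card division above (blocked webmail and public instant messaging, an internal chat client reachable only from the intranet or an authorized VPN) can be written down as an egress policy and checked against proxy logs. This is an added example, not Chase's configuration or the paper's own material; the domain lists, the internal chat hostname, the network ranges and the log lines are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy modelled on the controls the text describes. The domains,
# hostname and address ranges are assumptions, not any real company's setup.
BLOCKED_CATEGORIES = {
    "webmail": {"mail.google.com", "gmail.com", "hotmail.com", "login.live.com"},
    "public_im": {"messenger.yahoo.com", "aim.com", "msn.com"},
}
INTERNAL_CHAT_HOST = "chat.corp.example"              # hypothetical in-house chat
INTRANET = ipaddress.ip_network("10.0.0.0/8")          # assumed intranet range
VPN_POOL = ipaddress.ip_network("172.16.50.0/24")      # assumed VPN address pool

# Assumed proxy log layout: timestamp, source IP, user, destination host.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<host>\S+)$")


@dataclass
class Decision:
    user: str
    host: str
    action: str   # "allow" or "block"
    reason: str


def classify_host(host: str) -> Optional[str]:
    """Return the blocked category a hostname falls under, or None."""
    host = host.lower().rstrip(".")
    for category, domains in BLOCKED_CATEGORIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return category
    return None


def evaluate(line: str) -> Decision:
    """Apply the acceptable use policy to one proxy log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src = ipaddress.ip_address(m["src"])
    host = m["host"].lower()
    category = classify_host(host)
    if category is not None:
        return Decision(m["user"], host, "block",
                        f"{category} is prohibited by the acceptable use policy")
    if host == INTERNAL_CHAT_HOST:
        # The internal chat client is only usable from the intranet or the VPN.
        if src in INTRANET or src in VPN_POOL:
            return Decision(m["user"], host, "allow", "internal chat from authorized network")
        return Decision(m["user"], host, "block",
                        "internal chat client only allowed from intranet or VPN")
    return Decision(m["user"], host, "allow", "no policy match")


# Constructed sample log; 203.0.113.9 is a documentation address, i.e. external.
SAMPLE_LOG = """\
2007-11-20T09:01:02 10.12.4.7 alice mail.google.com
2007-11-20T09:02:10 10.12.4.7 alice chat.corp.example
2007-11-20T09:03:44 172.16.50.21 bob chat.corp.example
2007-11-20T09:04:15 203.0.113.9 bob chat.corp.example
2007-11-20T09:05:30 10.12.4.9 carol messenger.yahoo.com
2007-11-20T09:06:01 10.12.4.9 carol www.example.org
"""


def audit(log_text: str) -> List[Decision]:
    """Evaluate every non-empty line of a proxy log."""
    return [evaluate(line) for line in log_text.splitlines() if line.strip()]


def blocked_users(log_text: str) -> List[str]:
    """Users with at least one blocked request, for follow-up under the policy."""
    return sorted({d.user for d in audit(log_text) if d.action == "block"})


if __name__ == "__main__":
    for d in audit(SAMPLE_LOG):
        print(f"{d.action:5} {d.user:6} {d.host:22} {d.reason}")
```

The same check runs unchanged over a real export once LOG_RE is adjusted to the proxy's actual field order.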

    The essential conflict of workplace monitoring lies in the fact that, though employers monitor their employees to make sure they do not cause damage to the company, they could at the same time take advantage of their power, and that abuse could easily be labelled as employee policy. A 2005 survey by the American Management Association found that three-fourths of employers monitor their employees' web site visits in order to prevent inappropriate surfing, and 65% use software to block connections to web sites deemed off limits for employees. About a third track keystrokes and time spent at the keyboard. Just over half of employers review and retain electronic mail messages. Over 80% of employers disclose their monitoring practices to employees, and most employers have established policies governing Internet use, including e-mail use (84%) and personal Internet use (81%). (Privacy Rights, 2007)

    According to CIO magazine, a poll of CIOs revealed that almost 50 percent of companies monitor their entire workforce, and around 20 percent of them do so on a regular basis. This growing trend can be seen in the fact that sales of employee-monitoring software are worth about $140 million a year, a return to the vendor of only a few dollars per covered employee: on average, only about $5.25 per monitored employee per year.

    Websense, an enterprise employee-monitoring software product that looks at what employees browse and also monitors all their email, has revealed its client list on its website. The clients include financial firms like American Express, Morgan Stanley Venture Partners, Crosspoint Venture Partners, Salomon Smith Barney and Goldman Sachs. (TheStreet.com, 2007)

    These companies, including Fidelity Investments, make sure that employees are told about the electronic monitoring policy: workers are notified annually of the type and frequency of monitoring, the method, and the use made of the information. The company's employee conduct policy should therefore already cover unacceptable online behavior. Beyond that, respect employees' rights to their own opinions, and have your legal counsel make sure that your corporate policy does not violate those rights. Upper management should understand that overstepping the legal grounds will not only get the company into embarrassing court cases that will be PR disasters no matter the outcome; it will also drive the criticism underground, onto anonymous blogs and discussion forums, and might drive some of the company's best employees out the door in the process.

    Chase, one of the leaders in the finance industry, has realized the importance of Web 2.0 in this digital age and signed up with Facebook as one of its 12 major advertising partners. It has an official Facebook page as well and encourages its employees to visit it, all designed to encourage camaraderie among Chase employees. Chase realizes that as long as the liberty is not abused by employees and is not damaging to the business, the Web 2.0 concept is here to stay and can prove extremely productive.


    Private Sector: IT

    An increasing number of companies in the IT industry have been adapting to the social networking concept. They believe in using Web 2.0 technology to streamline collaboration within and beyond the enterprise, accelerate search and information retrieval, capture knowledge assets and facilitate knowledge transfer, speed application development and deployment, and communicate with stakeholders in new ways.

    IBM has been an innovator in the industry for a very long time, and it was one of the major companies to make a stride in the field of Web 2.0 as well. On January 22nd, 2007 it released a new product called Lotus Connections, which wraps five social networking technologies into one integrated package. "While social computing software is perceived as being at the fringe of most large businesses, it's actually moving to the center fast because it's about how the next generation of employees communicate, and create and share ideas," says Frank Gens, senior vice-president for research at tech market research firm IDC. (Business Week, 2007) The IBM package basically lets employees set up multiple profiles in which they can post information about their expertise and common activities. Google encourages its employees to use blogs to communicate, as well as Picasa web communities to share pictures. IT security auditing firms like Cap Gemini and KPMG (Ethics Point, 2007) have been very reluctant on this front. Their auditing business is strictly against advising their clientele to not encourage social networking policies in the company. There is no general trend in how the IT industry is positioned in this regard, but as long as the company's name is not mentioned and nothing damaging is included in the blogs, the firms seem not to have a problem with the concept of social networking. It becomes increasingly difficult to monitor employees' blogs and sift through loads of information using a content management system, and hence most companies make employees sign an acceptable use policy when they are hired.

    Encouraging personal blogs is as paternalistic as prohibiting them. Counseling employees on matters of taste and discretion, or asking them to pre-clear content with you, is insulting and oversteps. Telling employees they can't blog on company time is redundant and offensive; terms of employment should already cover this.

    Increasingly, most companies, especially technology-driven firms, have unofficial blogs because they want customer feedback and want to interact more directly with customers. Blogs are personal and casual; most business communications are not. Blogs (like other corporate websites) are more likely to attract potential recruits, alumni, competitors, potential allies and the media than customers. Because of all these concerns, more and more companies have an unofficial blog and also keep blogs and user groups on their intranet, to avoid external data leakage or PR disasters when anything damaging gets posted.

    Google, Oracle, SAP, IBM and Microsoft all have unofficial blogs, because they believe that reading blogs and interacting with other like-minded employees can be a useful source of information, education, creativity and customer intelligence. Without due focus on the blog content and the direction of the threads or forums, blogs can be an increasing waste of time. IBM has monitored blogs and administrators who make sure the correct topic is in the right forum, so that the blog has direction and is truly collaborative and productive.


    Conclusion

    Our public data, the data that we post about ourselves on our blogs, social network pages and podcasts, is very much public data in the sense that millions of people online have access to it and can use it for any number of purposes. Some purposes may be innocuous, such as advertising; other purposes may be more nefarious, such as identity theft. Some data that we post on our online profiles may be someone else's private data that we are making public. Additionally, some of our data we want to have public for our friends or peers, such as our opinions on labor conditions in China or on who should be the next president of the United States. We don't, however, want present or future employers to prejudge us on our opinions, or illegally not hire us (or reprimand us if we are already on the job) because of our views on certain issues, our group affiliations, or our likes and dislikes.

    What it comes down to is a fine balance between what an employee's rights are and what an employer's responsibilities are, and in the middle of that seesaw is how your public data is handled. If your public data goes through your employer's network or uses your employer's infrastructure in any way, then the employer is responsible for what is posted and therefore must regulate it in some form. Usually this regulation comes in the form of an Acceptable Usage Agreement. Since this data poses a liability, or is proprietary in nature, the company has the right to take corrective action if the public data you are trying to share can get the company in trouble.

    On the other hand, if your public data reaches the Internet without going through a corporate network, and doesn't divulge corporate secrets, your public data is still quite public. Companies can prejudge you, if they stay within the legal limitations of Equal Employment statutes, and can refuse to hire you, or fire you for your views, again if they stay within legal limitations. Some who have been fired for their public views have brought lawsuits against their employers under the provision of freedom of speech; however, there is no clear-cut right and wrong in these cases. As Bruce Barry puts it in Speechless, in the public sector you've got free-speech rights, except when you don't, and in the private sector you haven't got free-speech rights, except when you do. (2007)

    In the end, the arena of Web 2.0, technology evolution, how employees interact with it, and how employers perceive or receive this interaction is quite new. There are some clear-cut rights and wrongs, and dos and don'ts, but there is quite a large gray area in between of what occurs and how people react to it. In the end, a good policy for employees is not to post something about themselves that they may later regret, and for employers to take proactive steps to protect their assets while at the same time educating their employees on the potential pitfalls of emerging technologies and how they affect them and the company. It is important for all parties to acknowledge that public data is public, and that there is no pretense that your public data is private, unless otherwise stated.


    Bibliography

    Answers.com. How many members does Facebook have? Retrieved November 20, 2007, from http://wiki.answers.com/Q/How_many_members_does_Facebook_have

    Acceptable Use Summary. Retrieved November 2007, from http://media.umassp.edu/massedu/policy/AcceptableUseSummary.pdf

    Armstrong, H. B. About this Site. dooce, undated. Retrieved November 15, 2007, from http://www.dooce.com/about.html

    Austin, R. D., & Darby, C. A. R. (2003). The myth of secure computing. Harvard Business Review, 81(6), 120-7. Retrieved November 13, 2007 from Business Source Premier database. http://web.ebscohost.com/ehost/detail?vid=1&hid=9&sid=03ee3b4b-b323-40fc-8594-0bb8125940d5%40sessionmgr9

    Boston Globe. Retrieved November 2007 from http://www.boston.com/business/technology/articles/2007/03/07/record_industry_cracks_down_on_illegal_file_swaps/

    Business Week. Retrieved November 30, 2007 from http://www.businessweek.com/technology/content/jan2007/tc20070122_532199.htm

    Blog Herald. Blog Count for July: 70 million blogs. Retrieved November 20, 2007, from http://www.blogherald.com/2005/07/19/blog-count-for-july-70-million-blogs/

    Computerworld. MySpace, Facebook ad plans violate privacy, groups tell FTC. Retrieved November 2007 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9046738

    Cohen, D., Kelley, M., & Scheinfeldt, T. (2007). Digital Campus Podcast Episode 15: "Exposing Yourself?". James Madison University Center for History and New Media: DigitalCampus.tv. Retrieved November 10, 2007 from http://www.digitalcampus.tv

    Coutu, D., Palfrey, J. G., Jr., Joerres, J. A., Boyd, D. M., & Fertik, M. (2007). We Googled You. Harvard Business Review, 85(6), 37-9. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=24997947&site=ehost-live

    Copyright Response Procedure. (2005). Retrieved November 2007, from http://media.umassp.edu/massedu/policy/CopyrightResponseProcedure.pdf

    Cyberjournalist.net. (2006). How many blogs are there? 50 million and counting. Retrieved November 20, 2007, from http://www.cyberjournalist.net/news/003674.php

    Wyld, D. C. The Blogging Revolution: Government in the Age of Web 2.0. Retrieved November 2007 from http://www.businessofgovernment.org/pdfs/WyldReportBlog.pdf

    Davenport, T. H., Harris, J. G., Jones, G. L., Lemon, K. N., Norton, D., & McCallister, M. B. (2007). The dark side of customer analytics. Harvard Business Review, 85(5), 38-9.

    Duke University. Employee Manual. Retrieved November 15, 2007, from http://www.hr.duke.edu/policies/index.html


    Ethicspoint. (2007). Retrieved November 2007 from https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=11093&nav=page1

    Farley, S. (2000). Internet Acceptable Use Policies: Navigating the Management, Legal and Technical Issues. Information Systems Security, 9(3), 46-6. Retrieved November 10, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=3302298&site=ehost-live

    Feldman, J. (2004). Lockdown Limits. Network Computing, 15(18), 18-1. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=14538917&site=ehost-live

    Feldman, J. (June 25, 2001). It's Not About The Technology. Network Computing, p. 37. Retrieved November 15, 2007, from Academic OneFile via Gale: http://find.galegroup.com/itx/start.do?prodId=AONE

    Fertell, D. (2003). How to verify if employees are Really, Truly Working. Bank Technology News, 16(6), 47-1/3. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=9982161&site=ehost-live

    Flowers, B. F., & Rakes, G. C. (2000). Journal of Research on Computing in Education, 32(3), 351-15.

    Forrester Consulting. (2007). Internet Risk Management in the Web 2.0 World. Industry.SecureComputing.com: Forrester Consulting. Retrieved November 19, 2007 from http://www.securecomputing.com/webform.cfm?id=204

    Foster, E. (1999). "Sneak wrap" may be a good way of defining the maze of online policies. InfoWorld, 21(3), 73-1/2. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=2106362&site=ehost-live

    Holter, E., & Newfangled Webfactory. (2007). How Many Blogs are there? Retrieved November 20, 2007, from http://www.newfangled.com/how_many_blogs_are_there

    Kaptein, M. (2004). Business Codes of Multinational Firms: What do they say? Journal of Business Ethics, 50(1), 13.

    Kaptein, M., & Schwartz, M. (2007). The Effectiveness of Business Codes: A Critical Examination of Existing Studies in the Development of an Integrated Research Model (No. ERS-2007-030-ORG). Retrieved November 15, 2007 from Business Source Premier database.

    Keeping low employee productivity at bay with an internet acceptable use policy. (2002). PA Times, 13. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=6673613&site=ehost-live

    Kent, S. (2005). Policing the home office. Employers Law, 16-2. Retrieved November 13, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=16503798&site=ehost-live

    Koutropoulos, A. (2007). MSIS613 Class Notes for September 5, 2007


    Koutropoulos, A. (2007). MSIS613: Internet Privacy Survey. SurveyMonkey.com. Retrieved November 30, 2007 from http://www.SurveyMonkey.com

    Langin, D. J. (2005). Employer liability for employee use of peer-to-peer technology. Journal of Internet Law, 9(5), 17-4.

    McNamara, P. (2005). Net Buzz. Network World, 55(19), 54-1/2. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.