surveillance, electronic communications technologies and regulation


Surveillance, electronic communications technologies and regulation

Patricia Findlay and Alan McKinlay

The literature on workplace electronic surveillance is dominated by abstract theoretical discussions, while the limited empirical study of surveillance has been confined to manufacturing. This paper offers a corrective firstly by locating surveillance in its legal context, and secondly by considering surveillant practices in complex, professional and high-value organisational settings.

Patricia Findlay is Senior Lecturer in Organisation Studies at the School of Management, University of Edinburgh. Alan McKinlay is Professor of Management in the Department of Management, University of St Andrews. Correspondence should be addressed to Patricia Findlay, School of Management, University of Edinburgh, William Robertson Building, 50 George Square, Edinburgh, EH8 9JY; Tel: 0131 650 3815; Email: [email protected]

© Blackwell Publishing Ltd. 2003, 9600 Garsington Road, Oxford OX4 2DQ, UK and 350 Main St., Malden, MA 02148, USA.

Industrial Relations Journal 34:4 ISSN 0019-8692

Introduction

There can be no doubt that the convergence of computer and telecommunications technologies has opened up new possibilities for, amongst others, the surveillance of workers, consumers and citizens. More than this, surveillance theory argues that these surveillance possibilities also offer unprecedented opportunities to centralise personal data, permitting ever more extensive and intimate monitoring of all aspects of social life. In the workplace, the combination of electronic and peer surveillance has, argues Sewell (1998), ushered in a new era of ‘chimerical control’ that has raised employees’ self-control to new heights. Not the least problematic aspect of surveillance theory or ‘Panopticism’ is its implicit technological determinism (Green, 1999). Much of the discussion of the ‘electronic panopticon’ turns upon an elision of the surveillant capabilities of IT systems and the reality. This is a fatal slip that renders surveillance theory capable only of projecting the limit cases of technological monitoring as the norm. Resistance is futile or, much worse, counter-productive; the law is depicted either as weighted overwhelmingly in favour of surveillance or its constraints as ineffective. Seldom does surveillance theory ask what purpose, if any, monitoring, recording and archiving data may serve. We shall argue that legal constraints are real and significantly affect employer choices about how surveillance actually operates and that, in practice, employee monitoring seldom achieves the extent, depth or continuity portrayed by ‘panopticism’. Nor is electronic surveillance necessarily contrary to the interests of employees. Mason et al. (2002) point to the ability of work groups to appropriate surveillance technologies in order to make them a disclosure mechanism that confirmed throughput and enhanced the employees’ bargaining position. More than this, an underlying assumption behind surveillant technologies is that work and measurement is an individual activity. Finding ways around the audits of individual workflows can be both an appropriation of the technology and an insistence on the collective nature of work. Above all, however, the limited empirical research in the area of surveillance and privacy in the workplace suggests that employees accept technologies recording performance as routine and legitimate, except where they encroach into personal privacy (Stanton and Weiss, 2000).

We begin by reviewing the development of UK and European law regulating employment, surveillance and worker privacy. The legal uncertainty about the balance between surveillance and privacy is one of the major constraints upon the routine use of intensive employee monitoring. Legal considerations are, however, not the only brake upon management surveillance. We examine the organisational factors shaping the use of surveillant technologies in the second section. In particular, we argue that the extent and depth of surveillance is contingent upon the organisational position of the information security function and its relationship with other key areas, notably law and personnel.

Surveillance, privacy and the law

Employers can lay claim to several justifications for their use of electronic surveillance. Fundamentally, employers regard control of the workplace as their prerogative, including the right to protect and control their property, and the right to supervise and manage employee performance in terms of productivity, quality, training, and the recording of customer interactions (Oliver, 2002). In addition, legal considerations have served both to drive electronic surveillance and to constrain its adoption and implementation. Surveillance and monitoring of employees and systems are stimulated by legal as well as business drivers (Scott and Dodd, 2001). There are two key elements. Firstly, the use of electronic technologies exposes employers to a range of commercial and contractual liabilities: as agents of the organisation, employees may unintentionally form contracts via email; confidential information or trade secrets may be revealed during electronic communication; intellectual property rights may be infringed unwittingly; employee action may expose the employer to liability for defamation; and employees may engage in criminal activities using email and the internet (Sanderson, 2000). Secondly, electronic communications are no different from any other form of communication in terms of their potential employment law consequences: the conduct of organisational members includes their viewing, forwarding or displaying material on the internet, and their exchanges with others via email. Concerns over conduct in general and particularly conduct which is potentially harassing, discriminatory or victimising, may arise from the use of electronic communications technologies. One important indicator of increasing employer awareness of the potential of electronic surveillance in meeting their diverse legal obligations is the marked increase in the volume of disciplinary actions triggered by workplace monitoring (Hockey and Smith, 2002).

The law has developed in ways designed to limit both the form and the extent to which employers can use electronic surveillance. At the heart of the tension between employers’ rights and restrictions under the law is the conflict between employers’ property rights and the privacy rights of other organisational members, particularly employees. Whilst privacy rights are notoriously difficult to define, legal definitions of privacy have included rights to privacy of the person or body; of private behaviour; and of personal communications and personal data. All of these rights can be infringed by surveillant technologies in the workplace. Infringement is more likely where employee monitoring is covert and continuous and where it may reveal personal information about employees’ private lives. More specifically, surveillance systems that can collect collateral personal information, however unintentionally, increase the possibility of infringement of employee privacy rights.

The workplace can be considered as a wholly public domain in which any notion of personal privacy is irrelevant and where employers’ property rights predominate. Developments in the nature of work and organisation are, however, blurring the boundary between work and home, between public and private. It is becoming more difficult to distinguish clear and unambiguous boundaries between work and private life as people work longer hours, work from home on computers owned by their employer, and work on call (Ford, 2002). Many legal systems now view individuals as having privacy rights even in public or semi-public environments. Under the European Convention of Human Rights Article 8 (1) everyone has the right to respect for his private and family life, home and correspondence. Since the 1992 Niemitz¹ decision, the European Court of Human Rights has recognised that this right to privacy extends to the workplace (Ford, 2002; Oliver, 2002). The protection of employee privacy need not necessarily be negative for employer interests: maintaining employee privacy can contribute to individual self-esteem and the development of high-trust workplace relations.

Different jurisdictions have responded in distinct ways to the dilemmas posed by the tension between employer surveillance and employee privacy. There are three possibilities. First, that property rights assume priority; secondly, that privacy rights are fundamental rights that cannot be waived or varied; lastly, that a balance be struck between privacy and property rights. The final possibility requires that a fair balance be struck between the purposes of surveillance and the protection of worker privacy, dignity and autonomy. For the British Trades Union Congress (TUC), proportionality requires that surveillance should meet a legitimate aim, be necessary to meet that aim, and be the least harmful means in terms of workers’ rights.² The practical implications of proportionality remain contested. In general, the US legal system has gone furthest in upholding property rights: invasions of privacy have been assessed in terms of the reasonableness of the employer’s action rather than proportionality. French law, by contrast, attaches much greater weight to privacy rights. The fundamental premise of French law is that workers retain all of their private rights in the workplace and that these can be infringed only in extreme cases: ‘that management is exercising a private power is a reason for controlling it, not leaving it free from regulation’ (Ford, 2002: 143). In Britain, current legal approaches to protecting privacy and hence restricting employer surveillance are both EU and domestically derived. The result is complex, contradictory, and contested. The European Convention on Human Rights provisions on privacy right, incorporated in British law in the Human Rights Act 1988 (HRA), provide the core of employee protection. These protections are only afforded directly to public employees but are extended to all workers indirectly through the interpretation both of statutory concepts (for instance, reasonableness in terms of unfair dismissal) and common law concepts (most notably, the implied duty of trust and confidence between employer and employee).

The European Court of Human Rights (ECHR) occupies a paradoxical position on privacy. In Niemitz the Court endorsed the role and significance of privacy considerations to working life. In Halford³, however, the Court’s ruling suggested that the extent of employee privacy can be determined largely by the employer. Here, the ECHR held that monitoring private telephone calls was an invasion of privacy, despite taking place on the employer’s premises, in the employer’s time, and on their equipment. Crucially, the Court considered that the failure to inform Halford that her calls might be monitored created a ‘reasonable expectation of privacy’, which was then violated, breaching her Article 8 (1) rights. Perversely, however, this suggests that an employee’s expectation of privacy can be reduced where the employer issues an appropriate warning. Employers, therefore, can shape expectations of privacy through contractual provisions and organisational policies. Logically, the more workers are subject to intrusive surveillance, the more difficult it is for them to assert a reasonable expectation of privacy (Ford, 2002). Ultimately, this approach prioritises managerial prerogative over privacy rights. Yet it is unacceptable to allow individual employers to define the scope of employee privacy rights, leaving them dependent upon the local balance of power rather than as rights which are fundamental and inalienable. In one important respect, however, the consequences of the Niemitz and Halford decisions are clear: employers must become more open about surveillance and monitoring, either because Article 8 (1) required the provision of information on when and why surveillance will take place (Niemitz) or in order to counter employee expectations of privacy (Halford).

1 Niemitz v Germany (1992), EHRR 97.
2 www.TUC.Org.uk/law.
3 Halford v United Kingdom (1997), 24 EHRR 523.

The interpretation of privacy rights in Britain under the HRA remains unclear. Additional ‘confusing and contradictory’ legislation and regulation has increased this uncertainty according to business representatives (Low, 2001). The Regulation of Investigatory Powers Act 2000 (implementing the 1997 Telecommunications Data Protection Directive) extends civil liability to include the interception of electronic communication and represents a powerful restriction on employers’ monitoring of email communications and internet use. But interception may be free from liability where both parties to any communication have consented to interception, or where the interceptor has a reasonable belief that such consent exists. Much will turn upon the judicial interpretation of what constitutes ‘reasonable belief’.

The protection of worker privacy contained in RIPA, however qualified, has been countered by successful employer lobbying. RIPA has been supplemented by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. These Regulations permit monitoring and recording to establish facts relevant to the business: to record transactions; to ascertain work standards; to prevent or detect crime; and to protect the integrity of communications systems against viruses or unauthorised use, where the definition of ‘unauthorised’ is left to the employer. Monitoring alone is permitted to determine whether communications are relevant to the business. Such monitoring can be conducted without employee consent or knowledge—employers are only obliged to make ‘all reasonable efforts’ to inform system users that interceptions are possible. In theory, the Regulations barely limit employer monitoring; they prioritise business interests above privacy and fail to police the use of collateral personal information (Oliver, 2002). For the TUC, the Regulations breach the rights to privacy guaranteed under the HRA.⁴ Further, proportionality is not valid in assessing the lawfulness of an interception. At the very least, the Regulations are in clear conflict with the HRA, leaving employers and trade unions uncertain about the practical implications for labour relations (CIPD, 2002).

The Data Protection Act (DPA) 1998 further complicates the complex legal and bargaining issues surrounding surveillance and privacy. Recorded information collected when employers intercept communications may be covered by the DPA. The Act and its associated Code of Practice on Workplace Monitoring, currently in draft form, will offer significant protections of employee privacy rights and constrain employers in the operation of surveillance and recording systems. The draft Code of Practice aims ‘to strike a balance between workers’ legitimate right to respect for his or her private life and an employer’s legitimate need to run its business’ (Foggo, 2002). The DPA deals with the processing of personal data, broadly defined, and specifies the circumstances in which such personal data can be lawfully processed.

Personal data must be processed fairly and lawfully, for specified and limited purposes, and not in a manner incompatible with those purposes; personal data must be accurate; its processing must be adequate, relevant and not excessive; it must be kept for no longer than necessary; it must be secure and processed in accordance with the data subject’s rights. The DPA distinguishes between personal data, which can be processed if the data subject has given consent or if the processing is essential to fulfil legal requirements, and sensitive personal data—ethnic origin, political opinion, religious belief, sexual life, union membership, health and criminal offences—which require explicit consent before processing. The definition of consent remains open but the Act must be interpreted in line with Data Protection Directive 95/46/EC which precludes employers from relying on implied or vague indications of consent. Individuals must also have a real choice and suffer no detriment from refusing consent. The proportionality necessary to legitimate employer surveillance under the DPA is closer to the HRA than the Lawful Business Practice (LBP) Regulations. It remains to be seen how courts interpret the DPA in practice. The DPA affords some genuine protection for workers, whilst recognising that employer monitoring may be justified for specific reasons. The draft Code urges employers to use the least intrusive means of monitoring: for instance, targeted not blanket monitoring and traffic rather than content e-mail monitoring. The draft Code also encourages the prevention rather than detection of internet misuse and prevents employers from retaining and using collateral information. Opening private e-mail is discouraged, even where an employer prohibits personal use of e-mail. All monitoring practices should be the subject of an impact assessment. Lastly, employers are encouraged to be as open as possible with employees on workplace surveillance policies. Yet the continuing complexity of the issues and interests raised by the debate on workplace surveillance is evident from the protracted development of the Draft Code which is now in its seventh version. The draft Code has not yet clarified key questions: notably, no distinction is made between what is legally required and what is good practice or even what is simply suggested practice.

4 www.tuc.org.uk/law

Ambiguities in European and British law have left three critical areas unclear. First, whether privacy rights can be legitimately contracted out, either explicitly or by implication (Oliver, 2002). Much employment legislation specifically excludes the possibility of contracting out employee rights or protections (Morris, 2001). Yet there is a role for employee consent to an intrusion of privacy rights in Britain. In the employment relationship, it is unclear if employees can be offered acceptable alternatives to consent to privacy intrusion (Finkin, 1996). Second, the DPA ascribes great importance to proportionality. Yet, as Ford argues, the traditional stance of British courts has ‘given almost absolute priority to management prerogative and almost no recognition to workers’ private interests’ (2002: 148). This would relegate worker privacy to just one factor in any evaluation of employer practices, rather than as a set of fundamental rights to be protected: ‘a right which is just one weight in utilitarian scales is hardly a right at all’ (Ford, 2002: 145). Thirdly, given the extent of legal uncertainty, neither employers nor employees are clear about their entitlements. Case law remains relatively sparse. In exceptional cases, employers act to the full extent of their perceived legal powers under the LBP Regulations. More commonly, as we shall see, employers have adopted a cautious approach to workplace surveillance that falls far short of fully deploying the surveillant possibilities of available technologies (IDS, 2001a,b). Both employers’ bodies and the TUC have advised their members to pursue general principles of openness, consent, consultation, designation of private spaces, and proportionality in written codes of practice. Above all, these principles should be legitimated by formal contractual consent.

In all of this, it is important to stress that many employers will not wish to push the limits of legal protection in relation to surveillance and monitoring, not least because of the lack of legal certainty in this area. Similarly, in many circumstances, employees will not seek or rely on legal remedies in response to their employers’ surveillance activities. Surveillance and privacy remain surprisingly marginal issues in union bargaining agendas. The association of surveillance activities with employers’ property rights makes this an awkward issue for conventional bargaining. Logically, employee privacy should be based upon collective rights and responsibilities rather than substantive individual rights. That is, employer monitoring and worker privacy could be managed through the collective processes of consultation and bargaining. Against this, however, the extent of collective protection will reflect union bargaining strength. Moreover, a floor of substantive individual rights will still be required to protect employees who are either not unionised or have limited collective strength. Similarly, Ford concludes that, ‘collective mechanisms offer the best, or perhaps more accurately, the better, mechanism for resolving the acute and difficult conflicts between the many and various worker and management interests involved across diverse working arrangements: the alternative individual rights model, which involves either translating those conflicts into the legal arena or pretending they do not exist because of what is notionally agreed in the contract, will always face acute difficulties of legitimation’ (Ford, 2002: 155). A distinct advantage of defining privacy rights and approaches to monitoring as part of a bargaining agenda is that there are areas where employer monitoring will be endorsed by employees and unions: to provide employee security, protection from harassment and discrimination, or to support training. To understand monitoring as a proper focus for collective bargaining will permit more flexible local solutions than those arrived at by legal regulation alone.

Methods

The empirical material was collected between September 2001 and November 2002. This research was part of a study of the interaction of cyber crime, the law and information security systems in public and private sector organisations across Europe, including police and judicial systems. We also interviewed European consulting and software houses specialising in security and surveillance systems and services. The research focused on organisations deploying sophisticated computerised systems to process high volumes of complex and confidential or commercially sensitive information. Such organisations had both the capability and the motivation to develop extensive information security policies and practices. Here we report on three case studies of how surveillant technology was utilised: from the banking and insurance (Agora), pharmaceutical (Pharma) and telecommunications (Telecom) sectors. All three are British subsidiaries of major multinational corporations. In each case, between four and six interviews were conducted with respondents responsible for organisational strategy, and for installing and developing security systems. All interviews lasted between one and two hours. In two cases—pharmaceuticals and telecommunications—formal interviews were complemented by extended periods of non-participant observation. Given both the novelty of employee surveillance as an organisational and collective bargaining issue and the commercial sensitivity of information security breaches, in-depth interviews were the only viable research method. Further, we draw on extensive interviews with British trade unions—including AMICUS, UNIFI, Connect and UNISON—as well as the TUC.

Surveillance in organisational contexts

We have a clear line in the sand but we’re not quite sure where that line is. (Agora, IT Security Manager).

The most powerful legitimation of employer surveillance is to guard the organisation against crime, fraud, theft, and to protect the integrity of business-critical information systems. Paradoxically, the ideological importance of cyber crime in legitimising surveillance is at odds with the relatively low importance ascribed to system security in practice. There are no reliable time-series data estimating the extent, or changing nature, of cyber crime. Even if official statistics were collected, considerable difficulties remain in standardising definitions of what constitutes criminal activities. International standards remain extremely rudimentary. This, in turn, poses serious questions for criminal justice systems oriented to physical rather than virtual crime. Hackers, for instance, are most commonly accused and prosecuted for trespass or possession of unauthorised access devices: ‘they are prosecuted for their presence, virtual though it may be. The judicial system is protecting us not from the actions of hackers, but from the presence, or possibility of the presence, of hackers’ (Thomas, 2000: 21). Further, given the commercial sensitivity of cyber crime, chronic under-reporting will remain inherent (Wall, 2001).

The loosening of hierarchical controls and a shift towards localised cross-functional problem-solving forms of work organisation has been paralleled with the aggressive delegitimisation of bureaucratic rules and procedures. It is precisely the erosion of the bureaucratic form and the radical incompleteness of the emergent post-bureaucratic organisation that opens up new and unexpected, unregulated spaces in the organisation. Similarly, as organisations decentralise, so accountability becomes localised. The melding of bureaucratic and post-bureaucratic forms of organisation has rendered ‘contemporary organizational life much more messy, much more complex . . . : messy labyrinthine organizational life, expressing, (re)producing as well as catering for messy, labyrinthine life’ (Lippens, 2001: 321). Nor is this insight confined to academic speculation. The surveillance possibilities of new technologies are compromised as they are installed in organisations that are stripping out bureaucratic controls:

Fraud is a big problem and likely to get bigger . . . companies are retooling their operations and using new computer software and re-engineering their processes. In theory, companies end up with improved monitoring because they have massive data warehouses. In practice, it doesn’t work because companies have gone too far in some cases and removed barriers to fraud by removing controls (Audit Commission, 2001: 24, 13).

Despite the critical importance of information systems and the extensive reporting of the rise in cyber crime, information security remains a secondary function. System control, monitoring routine log-file traffic and installing security upgrades are typically low status tasks allocated a low priority in control systems and, typically, performed by relatively junior staff (Taylor, 1999). Input controls are extremely labour intensive and reserved for high value and high-risk processes (Plavsic et al., 1999).

The technological potentiality of extending and deepening the scope of surveillance does not necessarily imply deployment. The cost and benefits of surveillance may be unknown to managers. Similarly, conflicting interpretations of what surveillance would mean in practice vary between managerial levels and functions. Organisational politics and contradictory professional discourses, then, are critical mediating factors in establishing the meaning and acceptable limits of surveillance in practice. Nor is this an issue restricted to the internet. The widespread use of intranets has also blurred the line between ‘work’ and ‘non-work’ and opened new types of social spaces inimical to managerial monitoring and control. Discipline and control is inherently ambiguous in such electronic spaces. Even participating in fora sanctioned by the organisation such as newsgroups can be interpreted as a disciplinary offence by line management. Newsgroups formed around technical issues inevitably develop an informal dimension in that participants compare managerial practices in their parts of the organisation. Callaghan (2002) describes the experience of a software and IT company, CoreTech, in developing its intranet system. From being a system originally designed to be marginal to core business processes, the intranet became the source of the latest, definitive version of a document or database. The centrality and ubiquity of the intranet increased the demands that it be managed as a critical piece of business infrastructure. Accordingly, CoreTech shifted towards a much more controlled intranet environment in which all web documents and links to electronic newsgroups had to comply with centrally authorised design protocols and be subject to central review. The firm’s information management policy conflicted with sections—particularly software developers—of the workforce’s expectations of unlimited and uncontrolled access to the intranet. In CoreTech the rapid increase in the importance of the intranet as a medium for broadcast, communication, and as a work repository highlighted the inherent difficulties of monitoring and evaluating knowledge work in which there are few distinct tasks to measure (Alvesson, 2001). For management, the newsgroups were not just informal, but unregulated. It was impossible for management to know whether an individual was working or not, far less inspect the value of participation in a newsgroup. This difficulty was particularly acute with software developers who would flit in and out of newsgroups, eavesdropping on the conversations, while waiting on their machine to complete a parallel task: ‘work’ and ‘non-work’ co-existed simultaneously and unknowably.

Selling security—‘Netwatch’

Surveillance software can do little to monitor inherently ambiguous exchanges in the new social spaces opened up by the internet and intranets. Blanket, covert and continuous monitoring of content rather than traffic may be illegal and is certainly resource intensive. Surveillance software is marketed as a complement to other forms of system protection such as firewalls and, potentially, as a method of improving system and employee efficiency. ‘Netwatch’ is typical of such systems.

The first level audits the network for the existence of specific software, identifies rogue programmes and allows a comparison of licences and usage. The organisation can then judge whether to reduce or increase the number of licences it purchases. The system also permits the organisation to monitor an individual’s web usage: frequency, duration, and destination. The system is ‘impregnable and inescapable’ (Interview, Sales Executive, Netwatch). The legal constraints, that employees must consent to selective, random monitoring, need not be a significant barrier to effective surveillance. For ‘Netwatch’, indeed, periodic reminders to the workforce that surveillance software is used typically result in ‘spikes’ in network speed as employees refrain from illicit or informally sanctioned net surfing. The main route for such software to enter organisations is initially through IT directors who purchase ‘Netwatch’ for the limited purpose of eliminating inappropriate web material from their system. More than this, however, the profiles generated by ‘Netwatch’ allow comparisons between individuals and teams or by transaction type in terms of their use of a range of software systems and how this affects productivity and quality. As the following quotes from the ‘Netwatch’ Managing Director indicate, ‘it provides a real-time window onto how the business process ticks’. This capability was recognised independently by corporate clients, fed back to ‘Netwatch’, and then sold as a benefit of the software. Ultimately, ‘Netwatch’ offers companies an increased capability ‘to monitor and control, hardware, software and wetware’. Above all, ‘Netwatch’ offers a deterrent against and a means of controlling low-level ‘cyber-slacking’. ‘It’s a drip, drip, drip loss of time that can become a flood’.

The ability to identify when an individual or group are taking the piss at work. There’s not that many routine jobs that require internet access. But many employers want to provide internet and email access as an unofficial perk. Then IT departments report that they are losing bandwidth capacity, that viruses are being imported and that computers and parts of networks have crashed as a result of this ‘perk’. Organisations are struggling to take back control (Interview, ‘Netwatch’, Marketing Director).

The realities of surveillance

Organisations are seldom, if ever, designed around aspirations of maximum security and surveillance. Organisations have to balance security and surveillance with system functionality, compliance with legal codes, and consistency with organisational practices. The interaction of security, functionality and wider organisational constraints is apparent in our three case studies: Agora, Pharma, and Telecom.

Agora

Agora is a major European insurance firm, specialising in personal insurance and savings with minor interests in personal banking. The long-term and confidential nature of the business and the highly-regulated environment resulted in a formidable and proactive internal audit capability. In general, however, intensive electronic surveillance tends to be ad hoc rather than routine or incident specific. A series of mergers over the past 15 years have resulted in complex, fragmented IT systems, including ‘legacy’ systems that have to be maintained because of the long-term nature of Agora’s core personal and domestic insurance business. The IT function’s key task is to develop the coherence of the system and to respond to the demands of the business. IT is a cost centre with its budgets derived from business divisions and projects. The Information Security manager coordinates information strategy, including the firm’s security infrastructure. He described his security expertise as ‘broad rather than deep’. The Information Security function was small in terms of personnel, three full-time core staff in an organisation with 4,500 employees. Below this core of dedicated security staff, a series of local IT system administrators oversee operational issues with a security dimension: access controls, mail systems, firewalls. Information security and electronic monitoring report to the internal audit function. Security has only indirect access to executive and to operational management. This negotiated role necessitated a ‘gentle’ politics of persuasion, a campaign to increase executive awareness of risk as a lever to increase the information security budget and levels of electronic monitoring. An important limit on the development of Information Security was the indifference of operational and strategic management to security issues: ‘I’m just a poor, lonely Information Security Manager in a commercial entity that always prioritises system functionality over system security’ (Interview, Information Security Manager, Agora). Company policy on employee use of email and the web developed as part of a comprehensive review of security. This review was not triggered by routine organisational decision-making processes.

There are various things that we monitor constantly. . . . Certain types of activities are automatically logged or alerted, other things are simply caught. One of the things that we are most interested in monitoring is file transfer traffic. That could be anything (Interview, Information Security Manager, Agora).

The increased importance of information security and the development of a formal surveillance policy in Agora was triggered by the detection of an attempted fraud by a firewall. This was the limit to IT Security’s autonomy. Of itself, technical surveillance was insufficient to result in the employee being disciplined. Rather, extensive negotiations between IT, HR and company lawyers continued for over three weeks.

It took my breath away. We know which computer this is happening from; we know what’s happening; we’ve got physical evidence logged through our monitoring software. Legally, we were warned, it potentially wasn’t enough. We needed absolutely gas-tight evidence. So we sat and watched the file transfer traffic, waited for it to happen, phoned up the Personnel Department while it was actually going on. They went and switched off the computer and escorted the person off the premises. Then we went back and examined what was visible on the computer, the whole thing was kind of built up into a piece of evidence (Interview, Agora, Audit Manager).

Agora has a written Code of Practice regarding accessing or transmitting inappropriate material on company communication system and individual responsibilities for maintaining system integrity. This Code was drafted exclusively by management and was not subject to consultation.

We formally recognise UNIFI but totally ignore them in practice. I wrote the procedure and delivered it to HR. HR may have shown it to the union if they felt kind or remembered, but the union wasn’t consulted before, during, or after (Interview, Agora, IT Security Director).

Pharma

The deployment of surveillant technologies is constrained not just by the law and by the organisational location of the information security function but also by an organisation’s embedded corporate and IT strategies. Pharma is a global pharmaceutical company which pursues a strategy of accelerating the drug development process through the innovative use of information and communication technologies (McKinlay, 2002). In the vital research and development, marketing and business planning areas, there is no union presence. Union representation is confined to manufacturing, a marginal activity in a corporation driven by development and marketing executives. There are no alternative employee voice mechanisms, save for extremely weak proxies such as annual opinion surveys and irregular local ‘town hall’ meetings led by executives. There are no standing corporate committees dedicated to surveillance, disclosure, and ethics. Such issues are subsumed within or derived from the corporation’s HR philosophy and are the exclusive concern of management with no independent or guaranteed employee representation. There is, however, an established HR philosophy and practices that prioritise teamworking, trust and individual autonomy. The Pharma experience suggests that, irrespective of legal constraints or the extent of trade union representation, organisations may assess surveillant technologies in terms of their impact on organisational culture. In Pharma, the Information Security team was located in the Information Systems (IS) function. IS was a corporate function, charged to development projects as a service. Information Security was purely a system function without any personnel or legal capability and only minimal, ad hoc transactions with these organisational functions. Information security was visible in the organisation through symbolic interventions such as physically padlocking all laptops and the introduction of fresh, impersonal, non-mnemonic passwords issued weekly. Forgotten passwords resulted in the individual, however senior, personally visiting the Information Security office, inconveniently located behind the manufacturing plant.

Security has to be visible—people have to be prodded—but surveillance has to be invisible, people have to almost know that it’s there (Interview, Pharma, European Information Security Manager).

Security was explicitly traded off with maintaining or extending the functionality and openness of Pharma’s internal networked systems with increased surveillance.

Even if it was technically possible—and it’s not—we would not want to operate as net cops. That was the trend but the cost was enormous and growing, but we still could not assure [headquarters] that we had significantly reduced the risk of a significant incident or loss of vital information. Every prognosis we made was based on a corporate apocalypse. That simply was not credible. And the expense was ferocious. To fully protect our systems we would have to break the law. For all these reasons, we lost some political credibility and had to pull back from a net cop role (Interview, Pharma, Project X, Information Systems Manager).

The result was a ‘hard shell, soft centre’ security system based on strong technical barriers to external intrusion with layered but limited access controls inside the majority of the corporation’s information systems. In complex, multinational organisations there are major technical limits to effective, continuous surveillance of electronic traffic in the long-run. Monitoring systems only automatically register origin and destination and keyword searches are of limited practical value, particularly if several languages are used. The sheer volume of email traffic also places limits on monitoring archive deposits. In 2001, Pharma reduced its on-line storage of email traffic from ninety days to two months; tape back-ups are much less easily searched and are retained for one year. This technical limitation makes the development of robust profiles of individuals, particular professional groups, regions, or specific relationships with suppliers or clients, all but impossible in a commercial organisation.

The organisational role of Information Security is also crucial in determining the utilisation of surveillant technologies at different locations across the organisation. A key argument of surveillance theory is that monitoring technologies are increasingly modular and linked and that they are self-perpetuating: that surveillance becomes a mundane, ubiquitous and inescapable fact of everyday life (Lyon, 2002). On the contrary, the surveillance potential of technologies is mediated by organisational politics and does not follow its own developmental logic. In Pharma, the distance of the Information Security function from the sharp end of the drug development process limited its political influence. For the drug development teams, security was not only a cost for a preventative, intangible service but also a cost over which project managers had no control. Security was doubly marginalised. Security managers were acutely aware of their limited influence in the organisation and pursued an explicit, if private, strategy to build their political influence at the strategic level. The vehicle for this was to initiate an annual survey of security awareness and practices at the operational level. For security managers, this process would identify key operational gaps in information security and surveillance for corporate executives. In turn, this would increase corporate pressure on operational management to enhance routine surveillance processes. This was an inherently risky strategy. At most, this strategy could deliver an enhanced role for information security but at the cost of deepening its structurally determined adversarial relationship with operational management. At the very least, the reach of surveillant technologies will be negotiated through complex organisational structures and evaluated against perceptions of risk not just to information security but to notions of organisational culture antithetical to all but the most essential forms of control.

We do have some enormously safe domains for intensely sensitive traffic, but that tends to be commercial rather than product traffic. The whole organisation is based on an ethos of a free social market in ideas. In a research environment there is always a tension between complete freedom of information and ‘need to know’ (Interview, Information Security Manager, Pharma Europe).

Telecom

Behind much of surveillance theory lies the assumption that organisations have a ‘will to monitor’, an inherent tendency to scrutinise employee behaviour as minutely as technology permits. The experience of Telecom suggests that, to the contrary, the deployment of electronic surveillance is not immanent in organisations but a response to internal and external threats to critical information infrastructure. The profile of information security and surveillance in Telecom was raised by the company’s experience of a powerful virus attack—‘Code Red’—in 1998. ‘Code Red’ threatened to disable an extensive area of the company’s information infrastructure. The extent of this attack and the potential cost of lost business and repairing essential systems raised the awareness of the vital importance of information security at board level. This incident alerted Telecom to its limited control over its information systems. Before 1998, for example, there was no comprehensive database and mailing system tagging all servers and computers inside the company. That is, in an emergency there was no central system that captured security levels across the organisation or was capable of issuing an electronic warning to all users. From 1998 Information Security has had a strategic voice inside Telecom. The company’s Board of Directors assumed collective responsibility for ensuring the firm’s security and the integrity of system infrastructure. Information security is allocated a budget directly from board level rather than negotiating with functional or project managers liable to treat security as an overhead. The combination of strategic support and an independent budget has significantly enhanced the political influence of the information security function inside Telecom. Surveillance was triggered neither because it was technically feasible nor by a managerial project to increase employee monitoring, but to enhance system security.

At operational level, information security enhanced its profile by conducting a comprehensive systems’ audit and periodic risk assessments for business units. The Security team monitor firewall incidents, file transfers, and provide risk assessment of software upgrades. Accepting responsibility for maintaining the security and integrity of local systems was written into the employment contracts of individual employees. Failure to install a critical software ‘patch’, for instance, within a specified period, usually 48 hours or less, or the introduction of a virus into Telecom’s systems, even inadvertently, was sufficient grounds for the company to initiate a formal disciplinary warning. The scope of this clause went further than the company’s general policy on surveillance. Telecom’s code of practice was based on five principles: openness, consent, consultation, private spaces, and proportionality. The code of practice was negotiated and co-authored with the trade unions, a process that symbolised the company’s acceptance of the necessary role of representation in this ambiguous legal area. Telecom accepted that personal use of email and net access was inevitable. No definite times, such as breaks, were authorised for such personal usage, nor did the code specify an acceptable total number of hours per week, month, or quarter. Implicitly, the extent of personal use was to be defined through local negotiation: ‘personal use . . . should not interfere with the workload of an individual, and should be kept to a reasonable amount’ (Telecom, Code of Practice, 2002). Telecom’s Information Security Officer reflected upon the tension between the technical possibilities of surveillant technologies, the resource implications and the legal constraints upon their extensive usage:

We’re not out there to monitor people. And that’s the problem. If I was given free rein to go out there and find organised crime on the internet I could do it, but I’d break a lot of laws doing it. I’d have to accumulate huge amounts of data to find out who’s doing what. Find out who is running encryption software; why they’re running encryption software. You’d need to go outside the company: access personal accounts and various Internet Service Providers. Once you’ve identified one [criminal] you know what to look for. Then you can look for similar patterns of log-ons (Interview, Telecom, Information Security Officer).

Surveillant technologies do have the potential not just for identifying individual breaches of company rules but also to develop profiles of computer usage for different categories of employee. In Foucault’s terms, the technology can be used to develop an extensive normalising gaze. The reality, however, is that this gaze is necessarily mediated by organisational, resource, and legal factors.

The main conduit for the introduction of surveillant technologies is a specialist information security function. The location of this function and its access to executive decision-makers will determine its degree of autonomy and political influence. Experience of a breach in system security is the trigger for the enhancement of the surveillance function inside the organisation. The location of the information security function in the organisational structure was critical in determining its power and autonomy. All three organisations had formal written policies outlining surveillance practices and the limits to the organisation’s rights to breach individual privacy. In each case, however, codes of practice were derived from an assumed, and unquestioned, priority of property rights and managerial prerogative. No organisation provided similar policy guidelines based on the presumption of the fundamental right of individual privacy.

Despite extensive trade union involvement in drafting two of the three organisations’ codes of practice, there was no evidence of an independent union strategy to establish new systems of governance that reflected the potential for electronic monitoring. This is not surprising given that there are no robust, external benchmarks—national or sectoral standards—for best practice in terms of surveillance, disclosure, and individual or collective employee representation. Our interviews with a range of trade unions suggest that surveillance has not entered the domain of collective bargaining at the level of formal agreements. Rather, surveillance and disclosure remains an emergent issue in which the scope and depth of joint regulation of surveillance practices is settled at the enterprise level. Union recognition is a necessary but not sufficient condition of joint regulation of surveillance. In non-union firms surveillance is regarded exclusively as a managerial prerogative, tempered by corporate HR philosophies and practices. In both unionised and non-unionised organisations employee privacy was not treated as a fundamental right to be protected by all parties. Worker privacy did not feature explicitly in organisational policies about surveillance practices. This accords with the findings of most commercial surveys that suggest that the overwhelming majority of British firms have clear guidelines specifying the level of discipline to be meted out for specific elements of the organisation’s surveillance policy (see, for example, KLegal, 2002). In practice, the full possibilities of surveillant technologies were not utilised: routine surveillance remained well within legal bounds and organisational norms. When incidents or individuals were under investigation the practices of the information security function were limited by the well-defined roles of HR and legal professionals.

Conclusion

Omniscience serves no organisational purpose. In organisations, surveillance is primarily a technical function focused on system integrity and protection and only secondarily about personnel. In practice, surveillance is not covert, universal and continuous. Rather, the available survey and case study evidence, limited as it is, suggests that surveillance is formally covert, but subject to oversight by other organisational professionals; local, targeted and intensive. Intensive surveillance is tied to specific investigations, incidents and individuals. The greater the intensity of surveillance, the greater its ephemerality. Routine organisation-wide surveillance concentrates upon systems and traffic rather than content. There are compelling practical reasons for this. The narrow technical possibilities of employee monitoring cannot be considered separately from their organisational context. Quite apart from legal, ethical and organisational issues, information security teams have neither the resources necessary nor sufficient political influence to accumulate and classify the sheer volume of data generated by surveillant software into new performance measures to be used by operational managements. Electronic data is only unobtrusive if the information it relays is accepted as objective. This is not necessarily the case: employees can—and do—challenge the objectivity and purpose of performance data on individuals and work groups. Surveillance and privacy at work remains a complex area in which the fundamental rights of property and the worker both overlap and clash. Conflicting laws and codes of practice reflect not just the contrasting philosophical assumptions of different legal systems but also the inherently ambiguous relationship between property and privacy rights in the contemporary workplace. The law will not resolve this tension but establish the ground for the emergence of a new dimension in collective bargaining. The alternatives to collective bargaining are weak forms of governance that balance surveillance and privacy through consultation, not negotiation, or managerial unilateralism.

Acknowledgements

The views expressed here are those of the authors and do not represent the official policy of any organisation. Alan McKinlay wishes to acknowledge the assistance of Elli Brock, Jiorgos Kritsotakis, and other members of the European Union’s CTOSE team.

References

Alvesson, M. (2001), ‘Knowledge Work: Ambiguity, Image and Identity’, Human Relations, 54, 7, 863–886.

Audit Commission (2001), ‘Your Business @ Risk—An Update of IT Abuse’ (London, HMSO).

Callaghan, J. (2002), Inside Intranets and Extranets: Knowledge Management and the Struggle for Power (London, Palgrave).

CIPD (2002), ‘Frequently Asked Questions—Communications, Surveillance and Privacy at Work’, www.cipd.co.uk/pknnetworks/emplaw/site.newfaq, 20 August.

Finkin, M. (1996), ‘Employee Privacy, American Values and the Law’, Chi-Kent Law Review, 221.

Foggo, C. (2002), ‘Draft Code on Monitoring E-Mail and Internet Use at Work’, Information Technology Briefing, August.

Ford, M. (2002), ‘Two Conceptions of Worker Privacy’, Industrial Law Journal, 31, 2, 135–155.

Green, S. (1999), ‘A Plague on the Panopticon: Surveillance and Power in the Global Information Economy’, Information, Communication & Society, 2, 1, 26–44.

Hockey, A. and M. Smith (2002), ‘Cyberliability—Oh What a Tangled Web we Weave’, Computer Fraud and Security, 7.

IDS (2001a), www.incomesdata.co.uk/pressrel, 27 June.

IDS (2001b), ‘Employment Law Supplement—Employee Privacy in the Workplace’, Supplement 6, Series 2, May.

KLegal (2002), ‘E-Surveillance—The Facts and Figures’ (London).

Lippens, R. (2001), ‘Rethinking Organizational Crime and Organizational Criminology’, Crime, Law and Social Change, 35, 319–331.

Low, S. (2001), Monitoring in the Workplace (London, British Chambers of Commerce).

Lyon, D. (2002), ‘Everyday Surveillance: Personal Data and Social Classifications’, Information, Communication & Society, 5, 2, 242–257.


McKinlay, A. (2002), ‘The Limits of Knowledge Management’, New Technology, Work and Employment, 17, 2, 76–88.

Mason, D., G. Button, G. Lankshear and S. Coates (2002), ‘Getting Real about Surveillance and Privacy at Work’, in S. Woolgar (ed.), Virtual Society? Technology, Cyberbole, Reality (Oxford, Oxford University Press).

Morris, G. (2001), ‘Fundamental Rights: Exclusion by Agreement’, Industrial Law Journal, 30, 1, 49–71.

Oliver, H. (2002), ‘Email and Internet Monitoring in the Workplace: Information Privacy and Contracting-Out’, Industrial Law Journal, 31, 4, 321–352.

Plavsic, A., T. Dippel and S. Hussain (1999), ‘IT Facilitating Fraud’, International Review of Law, Computers and Technology, 13, 2, 193–209.

Sanderson, M. (2000), ‘Big Brother’s Day at the Office’, Computer Fraud and Security, 12.

Scott, K. and A. Dodd (2001), ‘Practice: The Right to Privacy and the Regulation of Investigatory Powers Act 2000’, ELA Briefing, 8, 3.

Sewell, G. (1998), ‘The Discipline of Teams: The Control of Team-Based Industrial Work through Electronic and Peer Surveillance’, Administrative Science Quarterly, 43, 397–428.

Stanton, J. and E. Weiss (2000), ‘Electronic Monitoring in their Own Words: An Exploratory Study of Employees’ Experiences with New Types of Surveillance’, Computers in Human Behaviour, 16, 423–440.

Taylor, P. (1999), Hackers: Crime in the Digital Sublime (London, Routledge).

Thomas, D. (2000), ‘Criminality on the Electronic Frontier: Corporality and the Judicial Construction of the Hacker’, in D. Thomas and B. Loader (eds), Cybercrime: Law Enforcement, Security and Surveillance in the Information Age (London, Routledge).

Wall, D. (2001), ‘Cybercrimes and the Internet’, in D. Wall (ed.), Crime and the Internet (London, Routledge).
