Security has a bit of a dark side. When people are given power over other people, there often seems to be an urge to abuse that power. We have previously covered the scandal in which a school used the webcams on school-issued laptops to spy on students. At the time, the school stated that the system was only to be used when a laptop was reported stolen. However, the case went to court and many details came to light, including that allegedly over 400 pictures and screenshots were taken of the alleged victim, some of them while he was sleeping, as well as email correspondence between the school officials who had access to the monitoring system, in which one describes it as a small soap opera and the other replies “I know, I love it”.

When the school implemented the system, I am pretty sure employee entertainment was not one of the goals on the agenda. The original goal, a system to track a laptop should it be stolen, was a legitimate one; however, the allure of spying quickly took over.

This can happen in any environment where monitoring takes place: whoever is tasked with monitoring will, at one time or another, be tempted to abuse the power they have been given. In the UK there was quite an uproar over 1500 CCTV cameras deployed to monitor traffic, and apparently with good reason: people photographed some of these cameras pointing into buildings rather than at the streets they were supposed to be monitoring.

One thing is certain: whoever decides to implement a monitoring system bears the responsibility to ensure, as far as possible, that the monitoring cannot be abused. But how can this be achieved? The most effective way is segregation of duties. Just like in old war movies, where launching nuclear missiles required two people to turn two keys simultaneously, access to monitored data should not be possible without the involvement of two or more people. One way to achieve this is a setup in which the captured data is encrypted at the point of capture and sent for archiving to an administrator who has no access to the decryption key, while the person holding the key has no direct access to the archive and must go through the administrator. The key must never sit on the archive host, otherwise the split is only on paper. A written procedure then governs how these two interact whenever the captured material needs to be viewed, so that neither of them can look at it alone.

Where segregation of duties is not possible, it is important to at least keep a good audit log showing who accessed which parts of the monitored data and when. If the person responsible for archiving monitored data knows that they themselves are being monitored, that is a good deterrent against any temptation to abuse the data at hand. For the deterrent to mean anything, the log has to be append-only and kept out of that person's reach; a log its subject can edit is no log at all.
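As an added example, not code from the original post, the two preceding paragraphs (the two-person setup and the audit log) implemented together in Go. The roles, capture IDs and reason strings are assumptions made for illustration: the archive holds only AES-GCM ciphertext, a key custodian holds only the key, a release needs input from both, and every release attempt is written to a hash-chained audit log before decryption is tried, so an access cannot be quietly edited away afterwards.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Archive is the store run by the archiving administrator. It only ever
// holds nonce||ciphertext, so its operator cannot read a capture alone.
type Archive struct{ blobs map[string][]byte }

func NewArchive() *Archive { return &Archive{blobs: map[string][]byte{}} }

// Custodian (hypothetical role name) holds the data-encryption key and has
// no access to the Archive. In practice the key would live in an HSM or KMS.
type Custodian struct{ Key []byte }

func NewCustodian() (*Custodian, error) {
	key := make([]byte, 32) // AES-256-GCM
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Custodian{Key: key}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store is what the capture agent calls: it encrypts before anything reaches
// the archive. The capture ID is bound as associated data so a blob cannot
// later be passed off as a different capture.
func (a *Archive) Store(key []byte, captureID string, plaintext []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	a.blobs[captureID] = gcm.Seal(nonce, nonce, plaintext, []byte(captureID))
	return nil
}

// AuditEntry is one record of a hash-chained log: each entry commits to the
// one before it, so editing or deleting a record breaks Verify.
type AuditEntry struct {
	When, Archivist, Custodian, CaptureID, Reason, PrevHash, Hash string
}

type AuditLog struct{ Entries []AuditEntry }

func entryHash(e AuditEntry) string {
	fields := []string{e.PrevHash, e.When, e.Archivist, e.Custodian, e.CaptureID, e.Reason}
	sum := sha256.Sum256([]byte(strings.Join(fields, "\x00")))
	return hex.EncodeToString(sum[:])
}

func (l *AuditLog) record(e AuditEntry) {
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
}

// Verify recomputes the chain; false means the log has been altered.
func (l *AuditLog) Verify() bool {
	prev := ""
	for _, e := range l.Entries {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return false
		}
		prev = e.Hash
	}
	return true
}

// Release is the two-person procedure: the archivist produces the blob, the
// custodian produces the key, and the access is logged before decryption is
// attempted, so even a failed attempt with the wrong key leaves a trace.
func Release(log *AuditLog, a *Archive, c *Custodian, archivist, custodian, captureID, reason string) ([]byte, error) {
	if a == nil || c == nil {
		return nil, errors.New("release needs both the archive and the key custodian")
	}
	if archivist == "" || custodian == "" || reason == "" {
		return nil, errors.New("both parties and a reason must be recorded")
	}
	blob, ok := a.blobs[captureID]
	if !ok {
		return nil, fmt.Errorf("no capture %q in archive", captureID)
	}
	log.record(AuditEntry{When: time.Now().UTC().Format(time.RFC3339), Archivist: archivist,
		Custodian: custodian, CaptureID: captureID, Reason: reason})
	gcm, err := newGCM(c.Key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("malformed blob")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(captureID))
}

func main() {
	archive, auditLog := NewArchive(), &AuditLog{}
	custodian, _ := NewCustodian()
	// Constructed sample capture standing in for a screenshot taken after a theft report.
	_ = archive.Store(custodian.Key, "laptop-17/capture-001", []byte("screenshot bytes"))
	if _, err := Release(auditLog, archive, nil, "archivist", "", "laptop-17/capture-001", "curiosity"); err != nil {
		fmt.Println("archivist alone:", err)
	}
	pt, err := Release(auditLog, archive, custodian, "archivist", "custodian", "laptop-17/capture-001", "theft report 4711")
	fmt.Printf("two-person release: %q err=%v\n", pt, err)
	fmt.Println("audit entries:", len(auditLog.Entries), "chain valid:", auditLog.Verify())
}
```

The audit log here lives in memory only to keep the example self-contained; the point of the two preceding paragraphs is that it would be shipped to a system the archivist cannot write to, and that someone other than the archivist runs Verify on it.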

Monitoring is always a sensitive issue; when used in an organization it can lead to hostility or at least some drop in staff morale. In most cases this is manageable, especially if users are told the reasons behind it. That changes if someone abuses the system and the abuse comes to light, so it is always worth putting the controls in place up front to ensure that such abuse never takes place.