
Remote webcam security surveillance: Invasion of privacy?

Using remote webcam security surveillance to check the whereabouts of stolen laptops might seem like a good idea, but is it an invasion of privacy? In this expert response, Ernie Hayden discusses the best ways to maintain privacy and keep laptops safe.

We recently installed a software program on our company's client PCs that uses a built-in webcam to monitor the laptop's whereabouts. However, we haven't notified employees for fear of seeming like Big Brother. Given the recent uproar about the use of such technology, should we reconsider our usage policy and/or our use of the technology in general?

First, I'd like to compliment you on your level of concern. Even though privacy in the U.S. is, unfortunately, not as large an issue as in the European Union or Canada, it is still a worthy consideration in your role as a security manager.

Before you reconsider your policy on using remote webcam surveillance, you may want to answer the following questions:

  • Does your appropriate use policy explicitly state that employees should have no expectation of privacy when using corporate information technology assets? If so, you may have some protection; if not, you definitely may have a concern requiring immediate action. At a minimum, you may want to add this caveat to your policy as soon as possible; by making sure employees realize that any work done on a corporate computer or IT resource is not private, it can help to avoid future concerns.

  • Have you discussed your concern with your legal and human resources departments? It may be a useful action to ensure they are in the loop should any questions from employees or the media surface. At least you can have a common plan for response.

  • Is there any way to technically block the camera or turn off the monitoring software? If so, you may want to turn it off until you get a more solid understanding of HR's, legal's and management's opinions on the use of this technology.

  • With your appropriate use policy, did the employees sign that they have received the policy and are aware of its existence? If they did, and if the policy notes that there should not be any expectation of privacy, this may buy you some time until any actions are required.

If the only reason you have the cameras is to monitor the whereabouts of the laptop, you may want to consider some other technologies such as a LoJack for laptops-style "phone home" tracking system, just in case you need to turn the cameras off. However, if the cameras are also used for videoconferencing, etc., then you may be able to write a privacy statement into the videoconferencing policy, but still implement a rule prohibiting express use of the camera to spy on the actions of the employees or laptop users.

This was last published in February 2010
