The majority of technology workers have probably at one time or another treated their office computers as a personal file cabinet. It is an accepted practice to store personal addresses, correspondence and e-mail messages on office PCs. Increasingly, this leads to conflicts, such as when an employee is dismissed or when personal files come under the scrutiny for legal or security reasons. This raises new questions for the information-age workplace: What privacy can employees claim after using office equipment for personal purposes with implied consent? Who owns the personal data stored on their office computers? And what rights do departing workers have to retrieve the accumulation of personal information? The technological choices for information privacy and security are different for an individual as compared with that of a corporation. Corporations are increasingly finding it difficult to adopt a standard policy that would meet both the employees' need for privacy as well as corporate requirements for safeguarding information. Employees are resisting information security procedures because it conflicts with their own sense of what is necessary to preserve a space where they can retain their individuality. Though legal counsel will always take the position that all information that pulses through corporate networks is subject to the company's oversight, actual practices are different. Personal computers now come equipped with enormous disk filing capacity, plus removable disks. It is increasingly common to find office equipment with disk space that is equivalent to storing 200 million pages of text! Having that much space is an open invitation for saving resumes, documents that may someday offer an alibi, valuable data to be used to get a head start on the next job, information about hobbies and community activities, data about prospective relationships and copies of e-mail that may be viewed in a different light when examined years later. If security personnel or their legal advisers wish to check up on the contents of an individual's disk space, they will not only encounter displeasure but also be confronted with the infeasibility of conducting such an examination thoroughly and for an affordable expense. Therefore, the only solution available in most cases is drastic, thus giving rise to hostility. The conflicts between personal and corporate access to information on PCs will only get worse. New network services, such as those presently pursued by Microsoft's .Net and others, will remove control from an individual's private data storage to central computer utilities. The new offerings shift the power over computing from the desktop to data centers, where surveillance of information can be enforced with great efficiency. Employees will see the new solutions as a withdrawal of services they have come to value. They will surely object to the transition by demonstrating that the new arrangements will not satisfy their needs. They will resent the reinstatement of a more rigorous control as unwanted intrusions by totalitarian agents. Management can prevent the rise of intra-organizational conflicts by dealing squarely with the issue of the rights of employees to information privacy. If an employee's computing, software, data access and communication needs are handled exclusively under the control of IT professionals, all assurances of personal privacy will have been eliminated. Access control to information, at the individual file level, will become feasible by equipping security experts with millions of clever software "investigators" who will never sleep and will never overlook anything. There are organizations where such conditions are necessary, such as in National Security organizations or in sensitive banking operations. However, the rest of the approximately 70 million information workers will not tolerate working conditions where every keystroke is subject to instant surveillance. Most of them already enjoy the enormous freedom of reasonably private computing at their workplace and cherish the benefits of freely accessible networking. The remedy is for corporate management to declare what belongs to the corporation and what individuals may be allowed to do, with independently demonstrable proof that personal privacy will never be violated. If the corporation decides to proceed with the implementation of centralized controls, one possible solution to the privacy issue is to allow an individual to receive an allocation of encrypted disk space to which only that employee has access. This would be equivalent to giving to an employee a desk with keys to lock some of the drawers. With regard to private e-mail, such policies may also consider allowing individuals to receive personal e-mail, addressed to that person and not to the corporation. That is equivalent to the prevailing practice allowing the mailroom personnel to deliver sealed letters addressed to employees, if marked as private. I am in favor of addressing the issue as directly and as simply as possible. With the shrinkage of computing devices to the size of a pocketbook and the price of a good chair, I see no reason why an individual should not have access to more than one computing device. Corporate executives should give up their compulsion to impose absolute uniformity on the enforcement of security policies that controls everything. Since the quest for the preservation and protection of an individual's privacy is here to stay, information executives should make it possible for employees to own and operate separate "personal devices." This separation between what is private and what is corporate will make to possible to concentrate on accomplishing what's right without compromise that defeats both. About the author:
Paul A. Strassmann (email@example.com) services as the chief information systems executive started in 1957. Since his "retirement" in 1993, he has continued engagements in matters related to information security.