Some Empirical Research on Surveillance

Importance of Codes of Conduct for Irish IS/IT Professionals Practice of Employee Surveillance

This piece of research aimed to establish the relationship between the perception and reality of employee surveillance on the one hand and codes of ethics, or codes of conduct, on the other. (For a more complete discussion of the research, see Collins & Stahl, 2002.) For the purpose of this research, a survey was conducted among 60 IS/IT professionals working in the roles of Managers/ Directors of IS or LAN/Network Administrators within large Irish-based organisations (more than 100 employees ). These respondents were specifically targeted as they play very distinct roles regarding electronic surveillance, one being the custodian of the technology and the other being the policy creator or bearer. Furthermore, we believed that targeting IS professionals from large firms was useful because of a greater likelihood that there would be an established information technology department. In order to ensure that the respondents had some prior experience, professionals were questioned who had three or more years of experience. Forty-five percent of the respondents had been employed as an IS professional for three to four years; 23% of the respondents had worked as an IS professional for five to nine years; and 23% of the respondents worked in the industry for over 10 years . It was hoped that they might have encountered ethical dilemmas surrounding electronic surveillance technologies. In order to allow for diversity in the sample, the type of industry category that was targeted was a mix of private enterprise and public service companies. Seventy-five percent the respondents were from private enterprises , and 25% came from the public service sector.

In order to determine whether surveillance was seen as an ethical problem, we first tried to determine the reality of surveillance in the organisation. Fifty-five percent of the respondents surveyed answered yes to the question, Does your employing organisation use information technology for the purposes of surveil-lance? Forty-three percent answered that they did not use technology to surveille employees. A correlation existed between the company size and the use of electronic surveillance. Fifty-nine percent of those that answered yes were employed in organisations that had more then 500 employees, while 71% of the no responses had between 100 and 500 employees. This finding indicates that the larger the organisation with regard to the number of employees, the more likely it was to use electronic surveillance equipment.

The very nature of the surveillance equipment available means it can be easily concealed and used in a covert fashion. The next question was designed to ascertain whether or not the organisation disclosed its surveillance policy to its employees. Fifty percent of the respondents indicated that employees had been informed of the policy to use information technology as a surveillance tool. Fourteen percent indicated that employees had not been informed, leading one to assume that the surveillance was being done in a covert fashion. Perhaps most interesting was the number of respondents who answered, Don t know. Thirty-six percent of respondents were unaware whether employees had been informed or not.

The most important aspect of our research in the context of this chapter was whether the respondents saw surveillance as an ethical problem. In order to determine the ethical attitudes of Irish IS/IT professionals to electronic surveillance, section one of the questionnaire asked 23 five-point rating statements where the respondents were asked to state their opinion in terms of strongly agree, agree, neither agree nor disagree, disagree, or strongly disagree . The statements were designed to gain an insight into the general attitudes of the respondent to electronic surveillance. The statements were very straightforward with no additional scenario-invoking language. An important starting point was to determine the ethical self-image of the respondents. Seventy-six percent of the sample agreed that they would refuse to work on a project that they would consider to be unethical. This means that Irish IS/IT professionals consider themselves compelled by moral and ethical considerations with regard to their work.

In order to better understand the ethical attitudes that the Irish IS/IT professionals had toward electronic surveillance, they were asked to state their agreement or disagreement to the following statements: It is acceptable for me to use any technology to monitor an employee ; It is acceptable for me to use any technology to monitor an employee s Internet traffic ; and It is acceptable for me to use any technology to monitor an employee s e-mail.

There was a correlation among the answers to these three statements. Those that agreed with one statement agreed with the other two. Sixty-six percent of respondents were in agreement with all three statements. Similarly, those who disagreed with the first statement (24% of respondents) disagreed with the subsequent two statements. The remaining 10% of the population fell into the neither agree nor disagree category.

The questionnaire then attempted to determine ethical attitudes to employees privacy rights within the organisation. Respondents were asked to indicate whether or not they thought that monitoring an employee without his or her knowledge was an invasion of the employee s privacy rights. The findings in this section suggest that IS/IT professionals respect the privacy rights of the employee. Sixty-three percent of respondents indicated that they disagreed that it was acceptable for an organisation to monitor employees without their knowledge. Seventy one percent of the IS professionals were in agreement that electronic surveillance of an employee was not an invasion of privacy rights once the employee had been informed. These responses indicate that Irish IS professionals value the right of employees to privacy within the workplace. They recognise the importance of employee consent with regard to surveillance. Their view changed, however, when presented with the statement, It is acceptable for me to use any technology available to monitor an employee I suspect is causing harm without their knowledge. Having previously demonstrated that IS professionals value and respect employees privacy rights, the responses received to this statement show that the IS professionals surveyed value less the privacy rights of an employee they suspect is doing harm to the company. Ninety percent of respondents indicated that they agreed that they would monitor an employee they suspect is causing harm, without that employee s knowledge. Further questions showed that respondents thought that surveillance in such a case was not only far from being immoral but actually a moral duty. The survey showed that the respondents were, in fact, highly motivated by their perception of duty, which could be interpreted as a strong deontological foundation of their work ethics.

The IS professionals were then presented with an ethical dilemma. They were asked to state their agreement with the following scenario-type statement: You discover that your best friend in the organisation has been accessing inappropriate information on the Web. Being the only person who has access to this information, you would send this information to the appropriate person in the organisation so that your friend could be appropriately disciplined. With no fear of getting caught, the responses varied considerably. Only one respondent strongly agreed with the statement. Six respondents, or 15%, answered that they slightly agreed; 12 slightly disagreed; and four strongly disagreed. Fifteen respondents, or 38%, chose neither to agree nor disagree, and three chose not to respond to the statement at all.

Like all empirical studies, this one is not perfect. The sample size is rather small, and the concentration on one geographical area may limit the universality of the results. Also, we are faced with the questions of whether respondents give those answers that they think the interviewer would like to hear, and whether their statements are reflected by their practical behaviour. Disregarding these problems, the study still gives a strong indication as to the ethical perception of privacy and surveillance matters from the point of view of those people who organise and realise it. The important conclusions for us to draw are that there is no unequivocal view of the ethics of privacy, even by those who are deeply involved in it. While the vast majority of the IS/IT professionals see themselves as ethical persons in the sense that they would refuse to do things they see as unethical, surveillance is not part of these ethical activities. Rather than having an autonomously developed view of the ethical quality of surveillance, they have views that seem to be strongly influenced by external factors. Chief among these factors seems to be the organisational practice. This means that in those organisations where surveillance is practised, the professionals see it as ethically justified, whereas in those companies where it is not done, they would tend to evaluate it as unethical. This leaves us with the conclusion that surveillance is not seen as intrinsically good or bad, but as entirely context-dependent.

Undergraduate Students Attitudes Toward Workplace Monitoring and Surveillance

This study was undertaken to provide some indication of the attitudes of young people towards monitoring and surveillance in the workplace. The research instrument was a questionnaire comprising ten statements concerning the use of closed circuit television (CCTV) in a university building, and nine statements concerning the use of this and other forms of monitoring and surveillance in the workplace. (For a more complete discussion of the results see Prior, 2002.) Respondents were asked to indicate the extent of their agreement using a five-point scale: strongly agree, agree, indifferent, disagree, strongly disagree. The questionnaire was modified for final-year students in 2002 by the addition of questions concerning the forms of surveillance used in their placement organisations and their attitudes towards these.

The questionnaire was administered in two successive years to undergraduate computing students in a UK university. Students in each year of study on a variety of courses (e.g., computer science, software engineering, business information systems) took part voluntarily in the study. Most of these students were on four-year sandwich courses that included an industrial placement year spent in the workplace between the second and final years of study.

A total of 616 students took part in the study over the two-year period, with approximately 100 from years one, two, and the final year of study. The results reported here focus on the responses of the final year students, 90% of whom had undertaken a 48-week industrial placement immediately prior to entering the final year. They had worked for employers from a diverse range of sectors and of varying sizes. Principally based in the UK, they included multinational corporations, small and medium- sized enterprises, and the public sector.

With respect to the use of CCTV in the university building in which most of the students teaching takes place, the majority of students were aware that a CCTV system was in operation; however, apart from a general awareness that it was installed in the computer laboratories, there was some confusion about where else it was located. There was agreement by a majority that it was a good idea to have CCTV coverage in the building; why it should be regarded as such is less clear. The system was originally installed as a measure to help prevent theft of computer equipment. Less than half of the students who responded to the questionnaire thought that it was effective in this respect. Across both years that the survey was conducted, one-quarter of the final-year students thought that equipment was just as likely to get stolen with CCTV in place as without it (and indeed, they were proved correct by several incidents of theft of major pieces of equipment in the spring of 2002). Another quarter of all respondents did not know whether equipment was as likely to get stolen.

There is some evidence that the presence of CCTV helps female students to feel safer and that this feeling lasts throughout their time as undergraduates, while the perception of increased security among male students diminishes after the first year. As many as 63% of all 2002 first-year students agreed that the presence of the CCTV system made them feel safer; by the final year, a similar proportion (60%) of females said they feel safer, while only 30% of male students agreed with this. Thus, it would seem that while female students and first-year male students might be agreeing that CCTV in the building is a good idea because it helps them to feel safer, a much smaller proportion of the other students either feel safer or consider the cameras to be an effective deterrent to theft. Another possible use of the CCTV cameras is to monitor the activities of students and staff in the building. The camera output is not, in fact, currently used for this purpose, but the students were asked whether they thought the university was entitled to monitor their whereabouts and activities. In both years of the survey, around one-third (35%) of final-year students agreed or strongly agreed that the university is entitled to monitor their whereabouts and activities while in the building. About another one-third (37%) disagreed or strongly disagreed with this statement. The remaining 28% were indifferent to the issue or did not know. With respect to the use of CCTV in the workplace, there is overwhelming support among all students (79% of final years in 2002) that it is a good idea for employers to use CCTV as a security aid. When asked whether employers are entitled to use CCTV to monitor their employees activities at work, 36% of final-year students agreed/strongly agreed, a similar proportion to those agreeing that the university is entitled to do so.

The students were asked whether they would object to an employer recording their activities on CCTV while at work. Some 42% of final-year students said they would object; 32% would not object; and 26% were indifferent. They were then asked whether they would want to be able to monitor their own employees by means that include CCTV when they have a managerial position. More than a third (39%) said that they would. The overwhelming majority of all students would want to know if their employer is monitoring their activities, and three-quarters would want access to the tapes. Three- quarters also disagreed/strongly disagreed that it is none of their business what is done with the tapes.

As noted above, final-year students in the 2002 survey were asked about the forms of surveillance used by their placement employer and their attitude towards them. Table 1 summarises the responses. The Used row indicates the percentage of students who identified each form of surveillance as being used by their placement employer, with the actual number of students in brackets. The number of students may not quite represent the number of employers, as occasionally large employers take on more than one placement student; however, the actual number of employers will not be much less than that indicated.

Students are likely to be aware only when the surveillance is not covert and perhaps mainly where there is an explicit policy, or their supervisor has otherwise drawn their attention to it.

Not all of the students who indicated that a form of surveillance was used, expressed an opinion about whether or not it was necessary and if so, whether they minded. But neither did all these respondents tick the don t know/care category that was provided. It is possible that they misinterpreted the survey layout, so it is not safe to assume that all those respondents who did not indicate one of the three options shown in Table 1 did not have an opinion. Even with this proviso, the responses provide some interesting food for thought.

It is not surprising to find that the majority of the employers monitor the use of the Internet and e-mail, and maintain logs of network and/or software use by employees. Nor, perhaps, is it surprising that the majority of students accept this as necessary, whether or not they like it. Monitoring of telephone use is less widespread and also less likely to be accepted as necessary by students. Of the forms of surveillance identified, CCTV is the one with the highest proportion of students accepting it as being necessary and not minding its use. Caution must be exercised in interpreting these responses without further information about the location and purpose of the CCTV systems used by the employers. Follow-up interviews with student volunteers to examine in more depth their experience of surveillance in the workplace are being undertaken as an extension of the work reported here.

Workplace Monitoring in Private and Public Enterprises

This third piece of research described here sets out to examine the privacy perceptions of individuals within both a public sector and a private sector organisation. The private sector organisation in this case was a medium-sized heavy engineering company. The administration of the company was highly computerised with all office staff having unlimited Internet access. Some personal use outside working hours was allowed. There was some monitoring of staff, particularly regarding Internet and computer use. Although all employees had been informed of the monitoring by the distribution of usage policies, some employees were unaware of the monitoring, as they had not read the document fully.

The public sector organisation was a small local authority in the Midlands of England. There was a strong public service and confidentiality culture within the council, which was indicated by the high levels of trust by employees that the council would protect their personal information. Computer and Internet use was closely monitored with all staff being aware of this. This was due to the requirement that the usage document was signed and understood by all staff prior to being permitted access.

The original aim of the research was to discover perceptions of privacy and the influences that information and communication technologies (ICTs) had had on those perceptions through the analysis of the two case studies. The research considered perceptions in a purely qualitative way using a hermeneutic approach, which involved reading between the lines of the dialogue and considering the dialectic, the body language, and the culture and society within which the individual resides. This allowed the researcher to develop a rapport with the individual and to put the participant at ease. In this way, it was anticipated that the participants would more likely be open and honest in their responses to questions, thus providing a greater depth of understanding of the issues.

By considering the hermeneutic circle of understanding, the perceptions of the individuals concerned became so familiar through the analytical process that further understanding would only be possible if more research was to be conducted. Therefore, the phenomenon was considered known within the limitations of the information gathered.

The interpretive interactionist tools of Denzin (1989) were utilised for data collection and analysis that further enhanced the use of the hermeneutic approach by providing a framework closely related to the symbolic interactionism school of social science research. The methodologies used, therefore, can be considered naturalistic in that they are an attempt to develop interpretations grounded in the worlds of lived experience (Denzin, 1989,p . 167).

The use of these techniques and approaches enabled the research to discover the feelings and perceptions of the participants. The research was able to discover individuals perceptions, not only about privacy, but also about a much wider range of issues that had been impacted by the use of ICTs. Comparisons within the study revealed little difference between employees from either organisation in their perceptions of the importance or awareness of privacy and surveillance.

This indicated that there was little in organisational culture that had directly influenced perception at a personal level for each individual, although some operational differences were identified in the permitted use of ICTs, as indicated above.

The selected participants were drawn from a wide range of departments within the organisations and included a random selection of managers, administration staff, and non- clerical employees. Nineteen individuals participated in the study, which involved two semi-structured interviews lasting between thirty and forty-five minutes. Questions were open ended and designed to address a specific issue such as, How important is privacy to you? and How do you feel about workplace surveillance? During the interview, the participants were encouraged to elaborate and discuss the issues in greater depth. Each tape-recorded interview was conducted several weeks apart in order to allow for thinking time and the effect of awareness raising from the interview to be considered.

The issue of surveillance was examined in some depth. The research discovered a lack of concern felt by the participants over the use of CCTV in public places. It doesn t bother me cos I don t think I m being watched any more than anybody else (local council participant). The use of other forms of surveillance, either overt or covert, where its use was seen to be legitimate for crime prevention purposes was also discussed. Where these surveillance technologies could be used for the purposes of information gathering, it was both motivation and consent that was seen to be important rather than the act of surveillance itself. Do anything you like as long as I agree to it, as long as I know you are doing it with permission (local council participant). Surveillance was seen as largely a necessary part of modern society, and many of the participants in the study considered that it was so embedded in society that surveillance was largely accepted as the norm.

This finding was of some concern in that civil liberties issues were not considered important to the participants. The most common response to questions concerning the use of surveillance in public places was, If you are doing nothing wrong, it does not matter (private sector participant), indicating a belief that law abiding citizens have little to worry about from increasing levels of surveillance. Further, the participants appeared to have considerable faith in the intentions of the authorities not to abuse the information gathered and to make efforts to ensure that mistaken identity and other surveillance mistakes were rectified. You rely on trust in those organisations to use the information appropriately it s on trust that they are doing it properly (local council participant). That the participants had no evidence to support or refute this meant that they were accepting of what they had been told rather than having considered the issues and potentials for abuse prior to that acceptance. It appeared that a lack of information and knowledge of the greater implications of societal surveillance was a deciding factor in the participants lack of concern over CCTV and other public surveillance technologies. This lack of information or even possibly biased information had influenced perceptions in the studied individuals. However, the participants were uncomfortable about the use of such technologies and techniques without the knowledge or consent of those who would be surveilled. The problem that was identified within this view was that there was clearly a difficulty in squaring the circle between safety and security on the one hand, and privacy and autonomy on the other. It is impossible to ask a criminal if they mind being surveilled. It is also impossible to ask the permission of every visitor to a shopping centre to allow the use of CCTV in order to be able to observe shoppers as they go about their business.

The issue of workplace monitoring, however, revealed a much less accepting attitude. Many of the participants considered that whilst a certain level of monitoring and surveillance in the workplace was acceptable for the purposes of security and prevention of computer misuse, the use of CCTV was considered unacceptable for performance measuring. In this case, such monitoring was seen as spying and undermining the trust relationship between employer and employee. I would not like to be monitored in the office. I think that would be an invasion of my privacy because I would feel as if somebody was watching over me the whole time (local council participant).

Some level of supervision was considered to be necessary to ensure that work was being completed efficiently and accurately. Further, it was seen as acceptable that there should be monitoring to prevent misuse of company equipment or to prevent theft. I think it s actually right that it should be monitored (private sector participant). The problem seemed to arise when the use of surveillance technologies was perceived to be prying into personal lives, or where the monitoring was done without consent. Informed consent at all levels was the key to acceptability for many of the participants. Privacy was not generally expected within the workplace, but at the same time, there were limits to acceptability that were hard for the participants to define. The limit of acceptability was extended to the personal realm, including family life, personal relationships, and social life outside work. Some participants had heard of companies that had begun to investigate more deeply into the personal lives of employees. This had been undertaken with the idea that it was a way of ensuring that no one was potentially undermining the standing of the business or could be considered a security threat. This level of monitoring and surveillance was considered by the participants to be way beyond acceptable limits for employer monitoring.

Overall, employee monitoring was considered to be acceptable within certain limits. This meant that it should remain within the workspace and be used to prevent abuse or for security reasons. Surveillance should not extend to performance monitoring or personal information gathering, and it should only be conducted with the prior knowledge or preferably consent of those to be monitored.