Privacy and Web history: Is your corporate information actually confidential?
Earlier this year, senior members of the US House Energy and Commerce Committee wrote to broadband Internet providers and other online companies, asking whether they have " tailored, or facilitated the tailoring of, Internet advertising based on consumers' Internet search, surfing, or other use." Although seemingly a consumer issue, this inquiry also raises issues over what is being monitored by corporate users outside of the corporate infrastructure, and whether this will become a legal liability later on if this information is subpoenaed by a court.
Within the enterprise, many companies use end-point scanning technology, Web security gateways, and other tools to view what is stored on and transmitted through their employees' PCs when they are on the corporate network. But remote offices and traveling users may not be required to access the Internet through that network. So company-confidential information may be accessible by outsiders.
Or consider the implications of smartphones with integrated GPS or other location-detection capabilities. "Given that Google Maps can triangulate your location at any given point in time, imagine if I, as a forensic investigator, can use that data to track your movements as part of an investigation or in connection with discovery related to a legal proceeding," says PricewaterhouseCoopers' Burg.
Other risks include the use of external threat-detection services, in which your e-mail and other traffic passes through their services to be scanned for data leaks. Who has access to the results of the scans?
More likely is the risk of naïve user actions, such as sending files to their personal e-mail accounts so that they can work on a project at home, or inadvertently posting confidential information and business contacts on social networks. For example, Google scans all e-mail sent through its Gmail system so that it can target ads, and its beta Chrome browser's terms of service give Google nonexclusive ownership of all content that passes through its browsers. Employees that use Gmail or Chrome could be putting corporate information into an outsider's hands. And LinkedIn, for example, now aggressively promotes a contact-import feature when you log in, making it easy for employees to upload business contacts outside the corporate system.
Gartner's Pescatore asks, "Are you checking up on what your employees are doing with their laptops, even when they are outside of the corporate network? You need to know what your employees are doing when they are online."
One possibility is to insist on a service level agreement from your Internet providers that cover privacy issues. "I want SLAs from my Internet providers that guarantee me that my e-mail isn't going to be compromised. These agreements aren't about uptime, but for the purposes of privacy and security. I want secure and assured services, including the ability to browse and search the Web without having this information recorded on a server somewhere. I don't think a lot of people are doing this right now," says David O'Berry, director of Information Technology Systems and Services for the South Carolina Department of Probation, Parole, and Pardon Services. He blocks access to peer-to-peer file-sharing sites and others that could compromise his network security.
Another solution is to segregate Internet users from those who have access to customer data. "We have taken the stance that if an employee doesn't need the Internet to do his or her job, that computer won't have access of any kind. Those with Web access don't store medical data," says Tony Maro, CIO at HCR Imaging, which processes medical scans and is subject to the strict HIPAA privacy regulations for health care.
Clearly, the legal landscape is shifting with respect to individual computing. But the implications reach far beyond the individual and into corporate IT. Technology managers need to consider these and other regulations and adjust their computing policies to ensure that they can deliver IT services in the shifting landscape.