
UMASS BOSTON - COLLEGE OF MANAGEMENT

MSIS 613: INFORMATION SECURITY


Prof. Ramakrishna Ayyagari

Information Security Project

Title: How private is your public data?


An Analysis of the impact of Social Media on Employment and
Information Policy.

Team Members:
Bipin Vaddi
Alexandrine Policar
Apostolos Koutropoulos

December 12, 2007

Abstract

The rise of the term "Web 2.0" and its associated hype in technology circles refers to the
perceived next generation of the Internet, largely focusing on the new wave of Internet
collaboration technologies and concepts – such as the video sharing site, YouTube, and the
explosion of weblogs, social-networking sites, mash-ups and wikis. Web 2.0 technologies
emphasize online collaboration and sharing content, most of which is user-generated.
The explosion in popularity of social computing has dramatically changed the way we
use the Internet, on a personal level and increasingly, from a business perspective. The number
of organizations using corporate blogs to disseminate key messages, networking from their desks
by using sites such as LinkedIn, or wikis for sharing knowledge has increased significantly.
During our research we found that several companies, such as BMW, Shell Motors, IBM, General Motors and British Airways, are using social media and podcasting technologies to reach a rapidly expanding consumer base, make the interaction two-way and get feedback directly from consumers.
As the phenomenon continues to grow, the benefits and opportunities for businesses also
grow – through business networking, marketing campaigns or simply putting a human face to the
company. However, the risks of sensitive information leaking via these channels will expand
with wider business adoption. Several companies have already had their fingers burnt because of
sensitive information being leaked onto the internet through social networking websites and
blogs. The Apple Insider website published details about unreleased products, code-named Asteroid and Q97, in 2004, well before the official announcement, causing bad PR. Google fired an executive, Mark Jen, less than a month after he joined the company because of candid comments he made about Google on his personal blog. Ellen Simonetti was sacked from Delta Airlines after posting images of herself in her Delta uniform on her personal blog.
Examining these cases led us to ponder the security vs. privacy issue and raised several questions: “What is the limit of privacy?”, “Are we getting scrutinized in the name of security?”, “What should the company’s policy be with regard to personal blogs?”, “Isn’t reading an employee’s personal blog and their MySpace page an intrusion of privacy?”, “Is there no freedom of speech?”. When we could not find a clear answer to any of them, we set out to research these topics further.
In the following sections we study companies in different sectors, the kinds of policies they enforce upon their employees, and how beneficial or harmful the Web 2.0 concept is to the modern business world.

Table of Contents

Introduction
Today we live in an increasingly connected world. Information about us is now available on the internet for anyone to see, to use (as marketers do), and to judge us by. We can do things today that were unfathomable just ten or fifteen years ago at the dawn of the internet. The internet is accessible twenty-four-seven through high-speed connections, public and private access points and cellular networks. Forms of personal expression, such as a bumper sticker on your car, a lapel pin supporting breast cancer research, or a letter to the editor, now have digital counterparts. The only difference is that before, only people in close proximity to you could see what causes you supported, what music you liked and other such information. Now anyone with an internet connection and a search engine can find out the exact same information about you, anywhere in the world.
Many of our peers, and even more of the younger generation, have accounts on popular
networking sites such as Facebook, MySpace and LinkedIn. More have personal websites, blogs,
podcasts and videocasts. Just to put things into perspective, there are over 50 Million blogs to
date (Sifry, 2006), over 200 Million MySpace users (MySpace, 2007), over 39 Million Facebook
users (wiki answers, 2007) and over 5.5 Million LinkedIn users (Rosenbush, 2006). Even more
seem to be part of one forum, community of practice or user group of one form or another. Most,
if not all of the data on these sites is indexed, stored and catalogued and is searchable through
internet search engines. What we do online is there for all to see, however there is a cultural and
generational divide in this increasingly digital and connected world.
When creating a profile on Facebook, many of our generation think that the service is quite useful because we can reconnect with long-lost friends and family much more easily than through conventional email. Email addresses may change, but your profile will always be there unless you unsubscribe. Services such as these have great utility, such as developing your professional network, helping you find a job, or helping you find like-minded individuals to share a hobby or rally for a cause. They do, however, also have unintended consequences.
In a Harvard Business Review case titled “We Googled You” (Coutu, 2007), we follow the story of an ambitious graduate who wants to work for a multinational in China. She has local knowledge, speaks the language, and her father is friends with someone high up in the company. In the ‘old days’, before the wealth of information online, this would have been a slam dunk. In this case, however, it was not. The Human Resources director googled her and discovered, among other things, her social networking profile and letters to the editor that she had written many years ago. This gave the director cause for concern, and the graduate’s employment at that company was in jeopardy.
Our system of employment-at-will sometimes makes it rather difficult to express our views, both online and offline. A letter to the editor may find itself on the newspaper’s site for all to see, and your job may (or may not) suffer from it. Speechless: The Erosion of Free Expression in the American Workplace by Bruce Barry provides a number of situations where people were reprimanded or fired for activities that they undertook when not in the workplace – both digital and real-world activities.
One interesting example is that of Heather Armstrong, who was fired for writing, from time to time, about work-related matters on her personal blog, dooce (Barry 2006: 171-172). She wrote critical things about co-workers, the kind of things that might come out when you are talking to a friend about work and about that one (or two) annoying co-workers. Even though she wrote about these individuals anonymously, the company’s senior executives found out about the blog and fired her, even though the actions were undertaken on her own time and she did not name names (Armstrong, 2007). As a postscript to this story, her blog’s name was turned into a verb meaning “to be fired from your job because of the contents of your weblog” (Urban Dictionary, 2007). As our classmate Robert Schultz proved, you don’t even have to blog about your company to get fired. He was fired from his job because he was using company resources, on his own time – not company time – to check some personal email (Koutropoulos, 2007). This led us to look at acceptable use policies and other company policies that govern employee behavior both on and off work.
Taking into consideration all of the above, our team decided to analyze this phenomenon and determine how private your public data is, and how this affects your job or employability. Furthermore, we will look at what both employees and employers can and cannot do on the job, based on a survey of privacy, employment and accountability laws.

Online Presence and Perceptions of our Peers


One of the first steps we wanted to take as a team was to gauge the usage behaviors of our peers and of the other people around us, such as friends and family and their close circles. We aimed to find out what sort of social networking activities they participate in, how active their online lives are, whether they are part of any communities of practice such as online forums, and so on. If our peers had active online lives, as we suspected they did, did they perform some of these tasks at work, using work resources? Finally, we wanted to find out what their perceptions were about employee monitoring at work, and how their online lives affect their present and future employability.
We first looked at the levels of participation on social networking sites such as the popular MySpace and Facebook. We started with these types of sites because they ask certain standard questions, such as ‘what are your favorite movies?’, whose answers are added to your online profile for your friends (and the rest of the world) to see. In this instance the users of such services are revealing something about themselves, but not very much. This information may be useful to a marketing team with high-powered data farms: it can be mined to send you targeted advertising, but at first glance it does not give away that much about you. Generally speaking, this type of information is not the type that may cost you your present or a future job, but it has the potential to, as we saw in the ‘We Googled You’ case. Our survey indicates that the great majority, 83%, of the people who took the survey have at least one account with a social networking site such as MySpace. Among the users that had accounts, the top three sites were MySpace, LinkedIn and Facebook.
Secondly, we looked at the level of participation in other forms of internet communication such as blogs, wikis, forums, podcasts and photo-sharing services. This area was of particular interest because of the ability to post almost anything. Compared to social networking sites, where information is more structured (such as your favorite movies), blogs can show off your command of a language, your views on hot-button issues such as politics and religion, and more irreverent topics such as what you did last weekend. Podcasts and video podcasts are extensions of blogs where one can express oneself creatively, and photo-sharing services can say something about you based on the types of photos you post online. Our survey results indicate that the great majority of our survey takers (73%) have membership in one or more types of online communication service. The top categories were chat services like MSN, Yahoo! and AIM (35%), and photo-sharing services like Flickr (25%). Another 24% of people had some sort of blogging site membership in the form of a personal blog, a website, a podcast, or regular contributions to YouTube. Finally, peer-to-peer services like Gnutella and BitTorrent rounded off the remainder of the results with 10%.
These types of free-form expression, through text, spoken word or video recording, can be used to share your views and day-to-day happenings with friends, family and like-minded individuals, but increasingly employers are looking at these forms of expression and communication as yet another way to evaluate potential candidates, and another way to let go of employees that they want to let go, for reasons both related and unrelated to the contents of their online lives. In a sense, your public online life is a sort of Myers-Briggs Type Indicator test for those who have the patience to wade through all of your public data. Should corporations be allowed to do this?
Our survey results indicate that most people do not blog, or post information in communities of practice, about work-related topics. We also found that most of the people who took the survey (74%) believe that employers should not monitor employee email or online activities. Since the question was a bit vague, our team interpreted this result as ‘employers should not monitor employee computer use while on the job, and should not monitor the employee’s online habits when they are off the clock.’ When asked whether they believed that one’s activities in his or her spare time affected their employment, the great majority (68%) responded that what they do in their spare time does not impact their employability. Through our research, though, we found out otherwise.
Finally, we wanted to see how many employees had to sign a computing acceptable use agreement as a precondition to getting hired by their particular employer. Last summer, when one of our team members was job hunting, he found out that as a precondition to employment he needed to sign an acceptable use policy. Our survey results reveal a mixed picture. The largest group of respondents (37%) did not have to sign an acceptable use policy, while a minority (28%) did. The scary statistic is that 35% of the respondents did not know whether they were under some sort of acceptable use agreement, which means that they may be bound by rules on their use of work resources without knowing it.

The Letter of the Law


Introduction

With the information world becoming a global village in which interested parties are willing to sell and/or buy on the black market one’s personal data, such as email addresses, phone numbers and credit cards, as well as corporate data such as IP addresses, customers’ mailing addresses, account numbers, and so on, privacy has become one of the hottest topics in information security in this flat technology world. Many organizations are collecting, swapping and selling personal information as a commodity, as in the Harvard Business Review case titled The Dark Side of Customer Analytics (Davenport, 2007), where a health insurance company partners with a grocery store that possesses sophisticated data about its customers gathered through a loyalty card. As a result, the health insurer is able to use the data, with or without the customer’s consent, to identify correlations between grocery purchases and insurance claims using analytics, and to design specific programs based on the patterns found. As in this fictional case, many consumers and individuals are looking to governments to develop laws and regulations to protect their privacy and to define the scope of an organization’s legal and ethical responsibilities.
As individuals we elect to trade some aspects of personal freedom for social order. As Jean-Jacques Rousseau explains in The Social Contract or Principles of Political Rights (1972), the rules the members of a society create to balance the right of the individual to self-determination with the needs of the whole are called “laws”. Laws are rules adopted for determining expected behavior in modern society; they are needed when individuals choose not to follow social norms, and they carry the sanction of a governing authority. Since the beginning of information security in early 1970, the USA has been the leader in developing and implementing new laws and regulations to protect individuals and organizations.
Such private and public laws are established to prevent the misuse and exploitation of information; to protect the privacy and confidentiality of patients’ personal and health data; to protect children against online predators, sex offenders and child abuse; to regulate publicly traded, private, governmental and non-profit companies; to minimize liabilities and reduce risks and losses from electronic and physical threats and legal actions; to prohibit unauthorized access to and damage of protected computers and data; to enforce the rights of employees and employers; to protect employees against discrimination in the workplace; and to make corporations more accountable and enforce compliance and social responsibility. Table 1 shows a list of some key U.S. laws of interest to information security professionals. These laws, such as the Federal Privacy Act of 1974, the Electronic Communications Privacy Act of 1986, the Computer Security Act of 1986, the Sarbanes-Oxley Act of 2002, the Family Educational Rights and Privacy Act (FERPA) of 1974 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996, affect the individual in the workplace and regulate the structure and administration of government agencies and their relationships with citizens, employees, and other local and international governments. Our intent in the following paragraphs is to present some relevant legislation and regulations concerning the management of information in an organization, explore the purpose of these laws and describe the enforcement procedures available. We focus on pertinent legislation and regulations relevant to information security and group the laws into three categories: accountability and corporate responsibility laws, privacy laws and employment laws.

Table 1: Key U.S. Laws of Interest to Information Security Professionals

Act | Subject | Date | Web Resource Location | Description
Computer Fraud and Abuse Act (also known as Fraud and Related Activity in Connection with Computers, 18 U.S.C. 1030) | Threats to Computers | 1986 (amended 1994, 1996 and 2001) | www.usdoj.gov/criminal/cybercrime/1030_new.html | Defines and formalizes laws to counter threats from computer-related acts and offenses
Federal Privacy Act of 1974 | Privacy | 1974 | http://www.usdoj.gov/oip/privstat.htm | Governs federal agency use of personal information
Gramm-Leach-Bliley Act of 1999 (GLBA) or Financial Services Modernization Act | Banking | 1999 | http://www.ftc.gov/privacy/privacyinitiatives/glbact.html | Focuses on facilitating affiliation among banks, insurance, and securities firms; it has significant impact on the privacy of personal information used by these industries
Health Insurance Portability and Accountability Act | Health care privacy | 1996 | www.hhs.gov/ocr/hipaa/ | Regulates health care, storage, and transmission of sensitive personal information
Electronic Communications Privacy Act of 1986 (ECPA) – Title 47 | Communications and Privacy | 1986 | http://www.cpsr.org/issues/privacy/ecpa86 | Prohibits the reading of information in transit and in storage after receipt
The Sarbanes-Oxley Act of 2002 | Corporate Accountability | 2002 | http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm | Defines firms’ accountability and corporate responsibilities.
The Family Educational Rights and Privacy Act of 1974 (FERPA) | Education | 1974 | http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html | Protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
National Information Infrastructure Protection Act of 1996 | Criminal Intent | 1996 | http://policyworks.gov/policydocs/14.pdf | Categorizes crimes based on defendant’s authority to access computer and criminal intent.

Accountability Laws: Corporate Accountability and Social Responsibility

Accountability laws hold companies liable when they violate federal and state regulations. When securities laws apply, a business may face a maze of legal and regulatory burdens; if they are violated, the business and its principals may face substantial civil, financial, social, administrative and even criminal sanctions. Because of increased enforcement efforts by state and federal agencies and continuing enforcement efforts by the SEC, it is imperative that businesses conform to established regulations and stay compliant in order to avoid substantial penalties. One of the US laws that defines what a company can and cannot do is the Sarbanes-Oxley Act. According to Wikipedia, the Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, was signed into law on July 30, 2002 in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems and WorldCom. These scandals resulted in a decline of public trust in accounting and reporting practices. President Bush signed it into law, stating that it included “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt.” (Wikipedia, 2007)
The Sarbanes-Oxley Act is a set of complex regulations that is considered to be one of the most important business reform acts since 1934. The Act combines bills drafted by Senator Paul Sarbanes and Congressman Michael Oxley designed to enforce corporate accountability and responsibility. Congress quickly enacted the bill to restore confidence in corporate America, where a plunging stock market, increased corporate fraud and numerous accounting scandals, not to mention record-breaking bankruptcies, had had a negative impact on the economy. The Act granted the SEC increased regulatory control, lengthened the statute of limitations and imposed greater criminal and compensatory punishment on executives and companies that do not comply. The law, enacted in 2002, created an oversight body for audit firms, stiffened penalties for fraud, and required auditors to certify that firms have adopted adequate “internal controls”, such as the adoption of strong, complex passwords to prevent fraud. Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.

For example, according to Computerworld (May 22, 2006), Kodak Imaging Network Inc., an online photo-sharing service once known as Ofoto, agreed to pay $26,331 in penalties for violating the federal CAN-SPAM Act. The Federal Trade Commission charged that the company violated the law by sending 2 million messages that did not provide a physical postal address or a means of opting out of receiving future e-mail. Because of the increase in crime, companies are now more vigilant in protecting their most important asset, which is information. Some companies even take the drastic measure of not allowing employees to access the internet while at work, which means that employees can connect only to the company intranet.

Privacy Laws

Privacy deals with the degree of control that an entity, whether a person or an organization, has over information about itself. With the widespread use of the internet and the emergence of more sophisticated hackers, consumers and customers prefer doing business with companies that can keep their personal information private. In response to the pressure for privacy protection, the number of laws and regulations addressing an individual’s right to privacy has grown tremendously in the past five years or so. It must be understood, however, that privacy in this context is not an absolute freedom from observation, but rather a more precise “state of being free from unsanctioned intrusion.” To better understand this rapidly evolving issue, we will discuss two of the most relevant privacy laws, namely HIPAA and FERPA. These privacy acts regulate the government’s protection of individual privacy. The Federal Privacy Act of 1974 was created to ensure that government agencies protect the privacy of individuals’ and businesses’ information and to hold those agencies responsible if any portion of this information is released without permission. However, some agencies, such as Congress, the Comptroller General and the credit agencies, and certain court orders, are exempted from some of the regulations so they can perform their duties.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, is an attempt to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange. HIPAA impacts all health care organizations, including doctors’ practices, health clinics, life insurers and universities, as well as organizations that have self-insured employee health programs. Organizations that fail to comply with HIPAA can face penalties of up to $250,000 and ten years’ imprisonment for knowingly misusing client information. The privacy standards of HIPAA severely restrict the dissemination and distribution of private health information without documented consent. The standards give patients the right to know who has access to their information and who has accessed it.
Another important privacy law, used more in education, is the Family Educational Rights and Privacy Act of 1974 (FERPA), which sets forth requirements regarding the privacy of student records. FERPA, also known as the Buckley Amendment, governs the release of education records maintained by an educational institution and access to those records, so that the student is afforded certain rights to privacy. The law applies to elementary, secondary and postsecondary institutions, public and private, that receive funds from the federal government under any program administered by the U.S. Secretary of Education. Furthermore, FERPA protects the education records of persons who are or have been in attendance at educational institutions.
Student education records are official and confidential documents protected by FERPA,
one of the nation’s strongest privacy protection laws. It defines education records as all records
that schools or education agencies maintain about students. FERPA gives parents the right to
review and confirm the accuracy of education records. These rights transfer to the student when
the student turns eighteen years old or attends a postsecondary institution. At this time, the
student is designated as an “eligible student” and holds the same rights as his or her parent held
with respect to education records. This and other United States “privacy” laws ensure that
information about citizens collected by schools and government agencies can be released only
for specific and legally defined purposes. Since enacting FERPA in 1974, Congress has
strengthened privacy safeguards of education records through this law, refining and clarifying
family rights and agency responsibilities to protect those rights.
For example, the University of Massachusetts takes an all-or-nothing approach to FERPA privacy requests. Students or former students may request that all information be blocked under the auspices of FERPA. Some schools allow students to block individual fields from display, but this is not part of FERPA. With the exception of narrowly defined health and safety reasons, a FERPA block means that the University cannot acknowledge the student’s existence or attendance. Students requesting a FERPA block use a form and must have a personal discussion about the block with the Registrar of their school prior to implementation. However, even when students have requested a block on their records, some law enforcement agencies can still have access under the law. In March 2004 the American Association of Collegiate Registrars and Admissions Officers (AACRAO) conducted a survey to help its membership learn more about how institutions comply with the federal Family Educational Rights and Privacy Act (FERPA). The survey was answered by 560 educational institutions, and the results presented in Table 2 below can be summarized as follows:

- Compliance with FERPA is a major concern for colleges and they devote serious
attention to the effort.
- Forty percent of institutions do not have a student directory.
- Law enforcement agencies made improper requests for non-directory student information
to 31.2 percent of responding institutions during the past year.
- Sixty-six percent of institutions do not release their entire student directory to outside
parties.
- Compliance by colleges with the voter registration requirements of the Higher Education
Act of 1965 is inconsistent.
- About 8 percent of institutions indicate willingness to contribute their student directory to
an outside party for youth voter mobilization.

Table 2: Results of the AACRAO FERPA Survey, March 2004

If you have a student directory, what data elements does it include?

Percent | Data Element
100.0 | Name
77.2 | On-campus telephone
73.3 | On-campus address
65.7 | Email
59.8 | Permanent Address
50.8 | Permanent telephone number
45.3 | Major/field of study
22.8 | Photograph
15.3 | Date of birth
5.7 | Place of birth

At any time in the past year, has your institution been asked to release NON-DIRECTORY information to law enforcement agencies or representatives?

Situation | Yes, and we complied | Yes, and we did not comply | No
Agents had subpoena or court order | 367 | 10 | 169
Agents had no subpoena or court order | 27 | 111 | 305

Institutions that do not comply with the FERPA regulations can still get away with it because of the complexity of the complaint procedure. A complaint filed under FERPA involves three elements: first, specific allegations of fact giving reasonable cause to believe that a violation of the Act has occurred; second, the Office investigates each timely complaint to determine whether the educational agency or institution has failed to comply with the provisions of the Act; and third, a timely complaint is defined as an allegation of a violation of the Act that is submitted to the Office within 180 days of the date of the alleged violation or of the date that the complainant knew or reasonably should have known of the alleged violation.

Employment Laws

Employment is considered a key element of full citizenship and provides a sense of fulfillment and self-worth. The role of regulatory policy in the workforce is to protect wages, benefits, pensions, safety, and health. The U.S. Department of Labor (DOL) is the institution that governs laws and regulations in the workplace. As stated on the DOL web site, “DOL is committed to providing its customers - America’s employers, workers, job seekers, and retirees - with clear and easy-to-access information on how to comply with federal employment laws. This information is often referred to as “compliance assistance,” which is a cornerstone of the Department’s efforts to protect the wages, health benefits, retirement security, employment rights, safety, and health of America’s workforce.” The Employment Standards Administration (ESA) develops and administers employment acts to protect American workers and their families against discrimination, exploitation, abuse, trade, loss of work, and so on. Two of these acts are the Fair Labor Standards Act (FLSA) and the Family and Medical Leave Act (FMLA).
The Fair Labor Standards Act (FLSA) prescribes wages and hours of work and defines the minimum wage and overtime pay standards, as well as recordkeeping and child labor standards, for most private and public employment, including work conducted in the home. The minimum wage is set at $6.55 per hour effective July 24, 2008, and $7.25 per hour effective July 24, 2009. Youths under 20 years of age may be paid a minimum wage of not less than $4.25 an hour during the first 90 consecutive calendar days of employment with an employer. Although the Act does not place a limit on the total hours which may be worked by an employee who is at least 16 years old, it does require that covered employees, unless otherwise exempt, be paid not less than one and one-half times their regular rates of pay for all hours worked in excess of 40 in a workweek. In addition, the FLSA sets forth special rules for working out of the home.
The Family and Medical Leave Act (FMLA) requires “employers of 50 or more
employees and all public agencies to provide up to 12 weeks of unpaid, job protected leave to
eligible employees for the birth and care of a child, for placement with the employee of a child
for adoption or foster care, or for the serious illness of the employee or an immediate family
member.” The FMLA requires employers to provide job-protected leave, but little is known about
how these leave rights operate in practice or how they interact with other normative systems to
construct the meaning of leave. Research shows that leave rights remain embedded within
institutionalized conceptions of work, gender, and disability that shape workers' perceptions,
preferences, and choices about mobilizing their rights. However, workers can draw on law as a
cultural discourse to challenge these assumptions, to build coalitions, and to renegotiate the
meaning of leave.

Since 1962, the US has recognized in its public policies that workers who lose their jobs
due to international trade and investment should be specially assisted and compensated for their
economic losses because the general populace benefits at their expense from a government
policy favoring open trade. Trade displaced workers under the Trade Adjustment Assistance
(TAA) program receive unemployment benefits for an extended period (up to two years of trade
readjustment allowances while engaged in job training), tuition assistance, health benefits, and
relocation subsidies. In conjunction with counseling, support services and job placement
assistance provided through a network of 1900 one-stop career centers operated under the
Workforce Investment Act, this package of services is intended to help trade displaced workers
adjust to their job loss by gaining new skills and employment at decent wages. In FY2004, about
150,000 workers were certified eligible to receive TAA benefits, and about 90,000 started to
receive income support and training services. But the TAA program disappoints, in part because
of its narrow coverage and cumbersome certification process and in part because it does not
offer the option of a rapid return to work while mitigating wage losses. Policymakers must
recognize, however, that developing and sustaining a quality TAA program requires a long-term
financial commitment and the support of partnerships among the various stakeholders, including
businesses, employers, consumers and their families, labor representatives and public education
institutions as well as the various agencies within the government. They must explore ways to
use their policy levers to create laws and regulations that protect the American workforce.

Balance Between Rights & Responsibilities


Introduction

There is a fine balance between employee and employer rights and responsibilities. On
the one hand, employers need to be able to keep the organization running and make sure that their
resources are not misappropriated. These resources may be employee time, company equipment
or company bandwidth. Controlling them keeps the company protected from external threats such
as lawsuits, viruses and attacks, and keeps the company in line with national laws and
regulations. Keeping tabs on how employees utilize these resources may be the best way of
ensuring regulatory compliance and streamlining of resources. Conversely, employees have the
responsibility not to abuse work resources for their own benefit, for example by using company
time and resources to run their own business on the side.
Looking up a candidate’s digital life may be a cheap way of conducting a background
check on potential hires. Some organizations require background checks as a prerequisite to
employment. The caveat is that organizations that require a background check generally let the
candidate know that they will be subjected to such a check and that it will be part of the
employment process. When employers check a potential employee’s digital life, by googling them
for instance, without letting them know, and base an employment decision on what they find,
they may be breaking the law.

Employee Rights and Responsibilities

When it comes to employees’ rights and free speech, it is fair to say that in general we
have none, due to our system of employment at will. If you work in a unionized environment, or
for a government agency or contractor, then you have some rights when it comes to exercising
free speech. As Bruce Barry, author of Speechless (2007), wrote: if you work for the government
you have rights, except when you don’t; if you work in an at-will, corporate environment you
don’t have rights, except when you do. This is quite vague, and deservedly so. It has been pointed
out in Speechless that court rulings on the subject of free speech in or about the workplace are an
employee’s and employer’s nightmare, but a lawyer’s dream.
In layman’s terms, free speech guarantees that the government won’t impede your right to
speak; it says nothing about what a private employer may do. And just because I have the right to
say what I wish doesn’t mean that I can or should. I wouldn’t, for instance, go up to a police officer
and say that there is a bomb in the next building over when in fact there is not; there would be
severe repercussions if I did. In the workplace, similar responsibilities exist. You have the right to
free speech, and you can blog about any topic you want on your blog or your MySpace account,
but there are responsible limits. Just as you shouldn’t keep your password on a Post-it note on your
monitor, you shouldn’t post your passwords or company trade secrets on your blog.
Another example: you are a software developer and you determine that your company’s
product has a critical flaw that allows remote code execution. The appropriate response is to bring
it to the attention of the development team; if they don’t do anything about it, bring it up with a
superior; and if they are indifferent as well, you may be out of in-house options. You may take the
law into your own hands, become an anonymous grey-hat hacker and expose the vulnerability
somewhere on the Internet, but if it is traced back to you there is a high probability that your job
will be in danger.
An excellent example of work-related blogging, its effects on the corporation and the
confusion it creates among corporate staff is the Harvard Business Review case A Blogger in
Their Midst (Suitt, 2003). In this case an employee of the company was both a blessing and a
potential landmine for the company. Her blog showed her enthusiasm for the product her
company was selling, and as a result sales had actually increased. There were also potential
pitfalls, such as her questioning whether the company should be doing business with a
particular hospital on ethical grounds, which could cause the company to lose sales.
Finally, from a product-announcement point of view, not only did her blog steal the
CEO’s thunder during the announcement of the new product, it could also be considered
corporate theft, since she did not ask for permission to share internal information with the rest of
the world. It is the blogger’s right to speak her mind, but it is also her responsibility to look
out for at least some of the company’s interests, such as the loss of intellectual property. Another
consideration is that if her blog were private and only a few people had access to it, the
information she imparted could be considered insider trading, and she, her audience and maybe
the company could have been in legal hot water.

Employer Rights and Responsibilities

Employers as a group, be they corporate, academic or not-for-profit, have
responsibilities, and stemming from those responsibilities they have rights to enforce them. At a
thirty-thousand-foot view, employers have the responsibility to be compliant with local, state and
federal regulations; they need to protect their resources from external threats such as viruses,
spam, spyware and hackers; and they need to protect their resources from misuse or abuse, such as
employees stealing office supplies or running their own business from their office. Another
responsibility of the employer is the protection of employees while on the premises. Most of these
responsibilities overlap with one another. In a recent Forrester Research publication we see that
most of these are on the minds of companies and their security professionals (Forrester, 2007).

There are many examples of these types of responsibilities that employers have. One
example: schools and agencies in Massachusetts that work with children often require their
employees to undergo criminal background checks. Another example we saw in the case of
A Blogger in Their Midst (Suitt, 2003), where an unofficial company blogger was potentially
leaking company secrets through her blogging. This may be innocuous, but it may not be.
Competitors may get hold of the information and cause trouble for the company, or federal
regulators may come down on the company that employs the blogger because this sort of
information leak may be considered insider trading.
In the research conducted by Forrester, and in our own research, we see some interesting
numbers and some interesting findings as well. We see that Web 2.0 has “engendered much
concern over the security of Web 2.0 applications” and that “organizations today are not
prepared to deal with these threats. This is evidenced by the lack of consistent policies, risk
awareness, and adequate user training.” (Forrester, 2007) This to our team is quite amazing
because the events detailed in A Blogger in our Midst took place in 2003, and it is now 2007.
Four years have passed, but appropriate policies, training and awareness have not been
mainstreamed.
The Forrester research tells us that Web 2.0 utilization increases consumption of
bandwidth and decreases employee productivity, so a company takes, at minimum, a double hit
from the Internet habits of its employees. It loses bandwidth, which isn’t always cheap; it loses
employee productivity; and it probably risks company information leaking out through blogs,
wikis and social networking sites. Our own survey shows that around 70% of respondents use
work resources to browse the Internet. The Forrester survey tells us that 71% of respondents (IT
managers) indicate that anywhere from 15% to 50% of their bandwidth is consumed by
non-business activities, activities which we have highlighted in a previous section. Fourteen
percent of IT managers indicate that 50% or more of their company’s bandwidth is consumed by
non-work use. These numbers are quite staggering if you are an employer.
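The only way an IT manager can actually know which of those bands the organization falls into is to measure it from the proxy logs rather than estimate it. The following is an added example, not part of the original paper and not any vendor’s product: it parses a handful of constructed Squid-style access-log lines, maps each destination host to a category (the category list and the example.com “business” domain are assumptions standing in for a real URL-category feed), and reports the share of bytes going to non-business sites together with the heaviest clients.

```python
"""Classify outbound web traffic from a Squid-style access log and report how
much of the bandwidth goes to non-business sites.

Added example: the log lines below are constructed, and the category map is
an assumption (a real deployment would use its own URL-category feed)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Squid "native" access.log columns:
#   time elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1196467200.123   1200 10.1.2.3 TCP_MISS/200 845123 GET http://www.myspace.com/profile - DIRECT/63.208.226.41 text/html
1196467201.456    300 10.1.2.4 TCP_MISS/200 20480 GET http://mail.google.com/mail/ - DIRECT/64.233.167.83 text/html
1196467202.789   2500 10.1.2.3 TCP_MISS/200 3145728 GET http://www.youtube.com/watch?v=abc - DIRECT/208.65.153.238 video/flv
1196467203.012    100 10.1.2.5 TCP_HIT/200 5242880 GET http://intranet.example.com/hr/policy.pdf - NONE/- application/pdf
1196467204.345    400 10.1.2.6 TCP_MISS/200 102400 GET http://www.linkedin.com/in/someone - DIRECT/64.74.98.81 text/html
1196467205.678    200 10.1.2.5 TCP_MISS/200 1048576 POST http://crm.example.com/api - DIRECT/192.0.2.10 application/json
1196467206.901    900 10.1.2.4 TCP_MISS/200 409600 CONNECT www.facebook.com:443 - DIRECT/69.63.176.13 -
"""

# Assumed category map, matched on domain suffix so that www.facebook.com and
# facebook.com land in the same bucket.
CATEGORIES = {
    "social_networking": ("myspace.com", "facebook.com", "linkedin.com"),
    "video": ("youtube.com",),
    "webmail": ("mail.google.com", "hotmail.com"),
}
BUSINESS_DOMAINS = ("example.com",)   # assumed corporate domain
NON_COUNTED = ("business", "uncategorized")


def _matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def host_of(url: str) -> str:
    """Hostname of a proxied request; CONNECT (HTTPS) lines carry only host:port."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def categorize(host: str) -> str:
    for category, suffixes in CATEGORIES.items():
        if _matches(host, suffixes):
            return category
    if _matches(host, BUSINESS_DOMAINS):
        return "business"
    return "uncategorized"


def parse_line(line: str):
    """Return client, bytes and host for one log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "bytes": int(fields[4]), "host": host_of(fields[6])}


def summarize(log_text: str) -> dict:
    """Bytes per category, share of non-business bytes, and top non-business clients."""
    by_category = defaultdict(int)
    by_client = defaultdict(int)
    total = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        category = categorize(rec["host"])
        by_category[category] += rec["bytes"]
        total += rec["bytes"]
        if category not in NON_COUNTED:
            by_client[rec["client"]] += rec["bytes"]
    non_business = sum(v for k, v in by_category.items() if k not in NON_COUNTED)
    return {
        "total": total,
        "by_category": dict(by_category),
        "non_business_share": (non_business / total) if total else 0.0,
        "top_clients": sorted(by_client.items(), key=lambda kv: kv[1], reverse=True),
    }


def band(share: float) -> str:
    """Map the non-business share onto the bands the survey figures use."""
    if share < 0.15:
        return "under 15%"
    if share < 0.50:
        return "15-50%"
    return "over 50%"


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"non-business share: {report['non_business_share']:.1%} ({band(report['non_business_share'])})")
    for client, nbytes in report["top_clients"]:
        print(f"  {client}: {nbytes} bytes")
```

Uncategorized hosts are deliberately not counted as non-business, so an incomplete category list under-reports rather than over-reports; HTTPS tunnels (CONNECT lines) are counted because a social-networking session over TLS is still bandwidth, even though the proxy sees only the host.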
This type of non-business use can lead to problems for the organization. Forrester reports
that data leakage is a major concern for companies, and that viruses, malware and Trojans
collectively are a major issue. 46% of the organizations surveyed said that they had spent more
than $25,000 in the previous fiscal year to clean up malware on their company computers. These
costs break down to approximately $15-$30 per user per year in cleanup costs (Forrester, 2007).
Given all these responsibilities that employers have, they have certain rights to enforce
them. These enforcements come in different packages. Some enforcement comes in the
form of agreements that employees sign before becoming employed at the company. These
agreements identify the terms of use of company resources. If employees are caught abusing the
resources they can be fired, or at least reprimanded. Since our form of employment in the US is
termed employment at will, which means that you can be fired or laid off for any reason or no
reason at all (short of a reason the law prohibits), most companies have some sort of procedure
in place in order to avoid lawsuits.
A lot of the friends and classmates we surveyed felt quite strongly that the company should
not monitor your online activities and use while you are at work. Our interpretation is that
they do not want Big Brother monitoring every single thing they do. The truth is that a
company has every right to monitor and regulate its resources, whether employees like it or
not, because it is liable for the use of those resources.
The Forrester research findings tell us some good news on this front. Most companies
ranked loss of productivity and non-business use of bandwidth very low on their ‘potential
business issues.’ This seems to indicate that they don’t really care what you do so long as it’s not
illegal and you are doing your job. What companies are concerned with is loss of confidential
and sensitive data, malware infections (because, as we saw, they are quite costly), and
inappropriate content coming into (or being disseminated from) the organization, because it is a
potential liability. To boil things down: in the workplace, the employer can monitor general
communications to make sure that the network is safe and meets regulatory standards. What
it cannot do is single people out and reprimand them for a specific type of behavior when others
are engaging in the same behavior unpunished. If some sort of impropriety is suspected, the
employer can monitor individuals, but it needs to document the process in order to stay within
regulatory compliance.
Finally, there is the issue of monitoring employees when they are off the clock, or
googling a candidate before you hire them. As mentioned earlier, googling someone is a free
way to do a background check, assuming the person doesn’t have a generic name such as
John Smith. Employers and employees can get a wealth of information about each other, and it
can provide good additional material to talk about during an interview. This way you see
what a candidate is passionate about and how good a fit they will be in your organization;
the same is true for candidates. They can see what other people say about the organization,
what their potential managers and coworkers are interested in and what they do, and decide
whether that is the place for them.
Of course, this kind of information can be misused or misinterpreted, as we saw in
the case of We Googled You (Coutu, 2007). Employers may choose not to hire someone because
they don’t share their particular beliefs, be they in government, religion or sports. Where the
belief is a protected characteristic, such as religion, this is illegal, but if someone really doesn’t
want to hire you for one reason or another, even if you have a resume and work experience that
make you a perfect candidate, they can find a perfectly legitimate-looking reason not to hire you.
As a way of protecting the firm and its employees, the company has the right to view your public
data, such as your Twitter, Facebook and MySpace accounts, and to go through and read your
blog or shared RSS feeds. What an employer does not have the right to do is refuse you the job
because of your personal beliefs, race, gender, sexual orientation or other non-discrimination
criteria.

Comparison of Different Organizations


Introduction

In today’s interconnected world, where the importance of technology is ever-increasing,
every corporation needs a well-thought-out and well-worded IT security policy and use policy.
Threats to the integrity and reliability of data exist from within the enterprise as much as from
outside it, and in some cases internal threats are perceived as more dangerous than external
ones. Threats can come from hackers, competitors and foreign governments across different
industries. External threats are often easier to detect, thanks to technologies like firewalls and
intrusion detection systems (IDS) being deployed in corporations, but internal threats are far
more damaging to the corporation, since they are much harder to find and isolate.
Information security is a business issue, not just a technology issue. The reason
organizations want to protect information should be sound business purposes. Corporate
knowledge and data are arguably the most important assets of any organization. Corporations
must ensure the confidentiality, integrity and availability of their data.

In this day and age, when “Web 2.0” is on the rise, we find people increasingly on
sites and collaboration tools like MySpace, Twitter, Facebook, Friendster, LinkedIn, personal
blogs, mashups and wikis. Social networking is here to stay. In these communities, an initial set
of founders sends out messages inviting members of their own personal networks to join the site.
New members repeat the process, growing the total number of members and links in the network.
Sites then offer features such as automatic address book updates, viewable profiles, the ability
to form new links through "introduction services," and other forms of online social connection.
Social networks can also be organized around business connections, as in the case of LinkedIn.
The explosion in the popularity of social networking websites and technologies has
dramatically changed the way we use the Internet, from a personal as well as a business
perspective. Since every person has the right to freedom of speech, where corporations decide to
draw the line becomes an interesting question. There have been increasing cases of “misuse”
of these technologies.
Employees are clearly accessing these sites a lot. Not only is the amount of lost working
hours a major concern in terms of productivity, but it stands to reason that the risk of accidental
disclosure of information increases with the significant amount of time spent on these sites.
Over the next few sub-sections, we will take a look at the use policies being enforced in
different types of organizations.

Academia

Our survey (Koutropoulos, A. 2007) includes users from public and private universities,
colleges, and community colleges. We started looking around for use policy agreements and
began our research with the use policy of UMass (University of Massachusetts, 2007). The
Acceptable Use Policy summary is provided on the website of the university to give students,
faculty and staff a look at the university’s data and computing policies, guidelines, standards and
procedures. The general statement of the policy sums it up: “The university expects all members
of the community to use the computing and information technology resources in a responsible
manner, respecting public trust through which these resources have been provided, the rights and
privacy of others, the integrity of facilities and controls” (Acceptable Use Summary, 2005).
With increasing dependence on computing and enterprise applications, universities across
the globe are more and more vulnerable to security breaches and data misuse by their students
and staff. In 2005, UMass Boston introduced an enterprise application from PeopleSoft,
integrating its student registration and records systems with HR and finance applications, and
hence had to revamp its use policies accordingly. The technology helped the university develop,
deploy, maintain and upgrade its applications, and lets it centrally manage, monitor and adapt
its business processes to accelerate return on investment and lower total cost of ownership. The
security policy became all the more prominent because of this new application.

“The University has business relationships with various outside companies and business
partners. These relationships may require that these outside entities obtain information about
University community members or that the university provides data files containing that
information. Information may not be provided to outside entities or individuals unless a verified
business relationship exists. In most cases, University ID numbers (e.g., student or employee id)
or social security numbers (e.g., SSN) should not be provided to external entities” (Copyright
response procedure, 2005). We have seen that similar language is included in the policies of
almost all the universities we looked at, including Northeastern, BU, Bentley and Harvard.
Many examples of data theft have surfaced in the last few months. Since the new
enterprise applications were introduced, the University ID gives the student an all-access pass:
he or she can browse student records, grades, billing information, SSN and biographical data,
address and financial aid information, and student email. If anyone else breaks into that account,
a lot of damage can be done. Students are also not prevented from accessing social networking
sites like Facebook, and most of the students who have signed up for that site display their
university student email address on their profile. If someone knows your university ID, they can
reset the password for the student email application and enter the system. There have been
incidents where people from outside the university call and ask for the student email list so that
they can target their marketing or send out spam. People call claiming to be from the US Army
and trying to recruit students, and most of the time, when the helpdesk presses them to reveal
their identity, the truth unfolds.
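The weak link described above is a password reset that treats a public identifier (the university ID, easily tied to the email address shown on a Facebook profile) as if it were a secret. The following added example is not UMass code and makes no claim about how the actual student email system works; it puts the two designs side by side: a reset that needs only the ID, and a hardened reset that issues a random single-use token, stores only its hash, delivers it out of band, expires it, and answers identically whether or not the ID exists so that IDs cannot be enumerated. The user table, clock and outbox are constructed for the example.

```python
"""Two password-reset flows side by side: one keyed on a public identifier
alone, one requiring a random, single-use, expiring token sent out of band.

Added example, not any university's code.  USERS, OUTBOX and the explicit
`now` clock are constructed so the flows run (and fail) deterministically."""
import hashlib
import hmac
import secrets
import time

USERS = {"u0123456": {"email": "student@umb.edu", "pw_hash": None}}  # constructed
RESET_TOKENS = {}     # user_id -> (sha256(token), expiry_epoch, used)
OUTBOX = []           # stands in for the out-of-band channel (email or SMS)
TOKEN_TTL = 15 * 60   # seconds a reset token stays valid
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- weak flow: the public ID is the only "secret" -------------------------
def reset_password_weak(user_id: str, new_password: str) -> bool:
    """Anyone who knows the ID printed on a profile can take the account over."""
    if user_id not in USERS:
        return False
    USERS[user_id]["pw_hash"] = hash_password(new_password)
    return True


# --- hardened flow ---------------------------------------------------------
def request_reset(user_id: str, now: float = None) -> str:
    """Issue a token out of band. The reply is identical for unknown IDs."""
    now = time.time() if now is None else now
    if user_id in USERS:
        token = secrets.token_urlsafe(32)                 # 256 bits of entropy
        token_hash = hashlib.sha256(token.encode()).digest()
        RESET_TOKENS[user_id] = (token_hash, now + TOKEN_TTL, False)
        OUTBOX.append((USERS[user_id]["email"], token))   # never shown to the requester
    return "If the account exists, reset instructions have been sent."


def complete_reset(user_id: str, token: str, new_password: str, now: float = None) -> bool:
    """Accept the new password only for a fresh, unexpired, matching token."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(user_id)
    if record is None:
        return False
    stored_hash, expiry, used = record
    presented = hashlib.sha256(token.encode()).digest()
    # compare_digest keeps the comparison time independent of where it differs
    if used or now > expiry or not hmac.compare_digest(presented, stored_hash):
        return False
    RESET_TOKENS[user_id] = (stored_hash, expiry, True)   # single use
    USERS[user_id]["pw_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    print("weak reset with ID only:", reset_password_weak("u0123456", "attacker-chosen"))
    print(request_reset("u0123456"))
    delivered_token = OUTBOX[-1][1]
    print("hardened reset with wrong token:", complete_reset("u0123456", "guess", "x"))
    print("hardened reset with delivered token:", complete_reset("u0123456", delivered_token, "new"))
    print("token replay:", complete_reset("u0123456", delivered_token, "again"))
```

In the hardened flow an attacker who knows only the ID gets the same generic message as for a non-existent ID; the token exists in clear only in the user’s mailbox, so a copy of the server table does not permit a reset; and the timestamp is passed in explicitly so the expiry path can be exercised without waiting fifteen minutes.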
Some of the more recent problems include the crackdown on students using university
networks to download and distribute copyrighted material. “For those accustomed to downloading
at will, that means if you are caught digitally downloading music, your school Internet service
could be suspended for a week, a month, a year — or for as long as you live on campus. From
Boston to Berkeley, new rules for punishing college students who use campus computer networks
to illegally download music, movies or games carry some pretty harsh penalties...” (MTV, 2007).
Notices were sent to officials at about 60 universities around the U.S., and almost all of the
students involved were given a chance to settle the case and avoid a lawsuit by making a payment
of up to $6,000. “It'll scare people. They'll realize, 'I'm not invisible,'” said Muneeb Malik, 19, a
junior biology major (Oroville Mercury-Register, 2007).
“Abuse of the networks or of computers at other sites connected to the University's
computers or networks by authorized users are treated as abuse of computing resources at the
University” was a recent addition to the use policy, prompted by ever-increasing cases of students
and staff using university computers and broadband connections to download illegal files,
including music and movies. The RIAA has been filing cases against universities around the
country. UMass has come out with “procedures for responding to notifications of copyright
violation” (Copyright response procedure, 2005).
Universities are increasingly aware that their resources can be put to illegal use. They are
more prone to lawsuits being filed against them, hence the additional precaution. Most
universities have similar use policies and follow the same standard, making a point of stating that
the university has a policy in place to address the relevant laws and rules. The IT security policy
will soon ban all P2P activity on campus, to prevent any further risk of a lawsuit.
In July, the University of Kansas announced an even stricter one-strike policy for
infringers on its campus-wide ResNet, replacing the former three-strike rule and covering not just
music but any illegally downloaded material, including movies, games and software. UMass
Amherst ranked sixth for illegal downloads, and according to the Boston Globe, by February of
last year UMass Amherst had been hit with 897 copyright-infringement complaints, up from 365
the previous year (Boston Globe, 2007).

University of Massachusetts has several policies in place to take care of different aspects.
They have Academic policies, Data and computing policies and guidelines, Responsible/
Acceptable use of computing and data resources, Record management, retention and disposition
standards, and other university-wide procedures like procedures for preservation of and response
to demands for electronically stored information.
Social networking sites like MySpace and Facebook have been blocked at public
terminals like the student kiosks on the UMass Boston campus because of the amount of time
students were spending browsing them. That is the case at Harvard and MIT as well: they do not
let students use social networking sites on the kiosks, but that is the only restriction. Students are
free to post any information and run their own blogs, and can access them from computers on
campus. This is very different from other sectors such as government offices and private
corporations.

Government

The U.S. government is very much aware of the security risk arising from the increasing
popularity and usage of social networking sites. In fact, US-CERT (the United States Computer
Emergency Readiness Team) has a special tip, Cyber Security Tip ST06-003 (NCAS, 2007), which
encourages people to be cautious and safe on social networking sites.
In May 2007, a memo sent out by General B.B. Bell, Commander of U.S. Forces Korea,
outlined new guidelines that would block sites like MySpace, YouTube, Hi5, Friendster, live365
and BlackPlanet. The reasons were both disclosure of information and the prevention of excess
bandwidth use. Photo sharing websites were also banned; soldiers who used to post their photos
online from Iraq could no longer do so.
The US government is funding research into social networking sites and how to gather
and store personal data published on them, according to New Scientist magazine. At the same
time, US lawmakers are attempting to force the social networking sites themselves to control the
amount and kind of information that people, particularly children, can put on the sites. An article
in The Register claims: “The New Scientist discovered that ARDA (Advanced Research
Development Agency), credited in a footnote with part-funding the research paper, is a branch of
the National Security Agency, the US government body responsible for surveillance and code
breaking.” (The Register, 2007)
The US Congress is attempting to limit the ways in which young people use the sites in
order to protect them. The Energy and Commerce subcommittee has just finished a series of
hearings on pornography and plans to issue legislation to protect children online. The plans will
contain some measures to force social network sites to protect their users, according to US press
reports.
Before you jump to the conclusion that the US government and all government agencies
are against social networking, consider that many government agencies appreciate the fact that
Web 2.0 can be used to benefit the agency. As long as some rules are followed, Web 2.0 is very
much encouraged.
David C. Wyld, professor of management at Southeastern Louisiana University and
author of a recent report, “The Blogging Revolution: Government in the Age of Web 2.0,”
shared his advice with government executives in the audience on how best to get started
blogging in the Web 2.0 era; these are the three most important points (Wyld, 2007):

1. Define yourself and your purpose
2. Do it yourself
3. Don’t give too much information

Government agencies are moving well beyond the experimentation stage in adapting
online social networking tools to advance internal collaboration and to reach out to citizens.
Efforts by the Centers for Disease Control and Prevention (CDC), the Environmental Protection
Agency (EPA), NASA and the intelligence community were among a number of working
examples attracting public and private sector interest in Web 2.0 technologies.
The CDC highlighted the various ways it is reaching out to the public using social
networking and communication techniques. eCards, podcasts, virtual worlds and social networks
are all encouraged.
These agencies are not opposed to collaborative technology, but they want to use it for the
betterment of the organization, and this line gets blurred when employees reveal too much
information online about themselves and about the organization they work for. This could be
potentially damaging. There have been an increasing number of cases where employees have
written unsavory facts about their place of work on their MySpace bulletin pages, posted a note
on Facebook, or written something on their personal blog.
Several lawmakers are interested in banning the use of social networking sites from
universities, schools and government agencies altogether. Their argument is that because of the
ease of access to information and photos of people on these websites, it has become easier for
predators to steal information and infringe on privacy. The Federal Trade Commission has
recently launched an investigation of MySpace and Facebook to make sure that they are not
violating any privacy laws through their advertising strategy. As one critic quoted by
Computerworld put it: "MySpace and Facebook are like the digital data equivalent of Fort Knox
for Madison Avenue marketers. It is a kind of one-stop data shop for marketers. They know your
interests, your politics and what movies you like. It is a much richer array of content that
marketers simply should not have automatic access to." (Computer World, 2007)
Certain government agencies like the CDC and EPA are leaning towards implementing
collaborative technologies, but they are not very comfortable with people posting their personal
information in great detail for everyone to view. They also oppose any information regarding the
workplace being posted online.

Private Sector: Finance

Many corporations in the private sector talked up blogs once the concept of Web 2.0 had
become too prominent to ignore. They really believed in blogs as an important and enduring
phenomenon, until more and more cases were exposed of employees writing about their place of
employment, its style of management and flaws in the company’s operational activities, and
venting their frustrations at work on their personal blogs. There have been several cases of people
shooting video clips of their workplaces and posting them on Youtube.com, and of writing notes
and comments about their co-workers on MySpace. Anything posted on the web can be looked up
by almost everyone around the world.

Financial companies are often very particular about the web sites their employees
visit. Chase’s credit card services division even monitors all employee email and does not allow
workers to use web-based email services like Gmail and Hotmail. It is also against public instant
messaging services like Yahoo Messenger, which are not very secure, and has instead developed
its own chat client, which can only be launched from an authorized computer on the company
intranet or over an authorized VPN connection. Financial company workers often deal with
sensitive data like SSNs and other biographical information which, if posted or leaked online by
a fraudulent employee or simply by mistake, can damage the company’s reputation. Upper
management justifies its strict use policy and employee monitoring with that very fact. In the
finance industry, personal banking, investment banking, the mortgage business and credit services
in particular are very stringent about the policy enforced on their employees.
The essential conflict of workspace monitoring lies in the fact that though the employers
monitor their employees to make sure they do not cause damage to the company, they could at
the same time take advantage of their power and that could easily be termed as employee policy.
“A 2005 survey by the American Management Association found that three-fourths of employers
monitor their employees' web site visits in order to prevent inappropriate surfing. And 65% use
software to block connections to web sites deemed off limits for employees. About a third track
keystrokes and time spent at the keyboard. Just over half of employers review and retain
electronic mail messages. Over 80% of employers disclose their monitoring practices to
employees. And most employers have established policies governing Internet use, including e-mail use (84%) and personal Internet use (81%).” (Privacy rights, 2007)
According to CIO magazine, a poll of CIOs revealed that almost 50 percent of companies monitor their entire workforce, and around 20 percent of them do so on a regular basis. The trend can also be read from the fact that sales of employee-monitoring software are worth about $140 million a year, which amounts to a return to the vendor of only a few dollars per covered employee: on average, only about $5.25 per monitored employee per year.
Websense, an enterprise employee-monitoring product that tracks what employees browse and also monitors all their email, has published its client list on its website. The clients include financial firms like American Express, Morgan Stanley Venture Partners, Crosspoint Venture Partners, Salomon Smith Barney and Goldman Sachs. (TheStreet.com, 2007)
These companies, including Fidelity Investments, make sure that employees are told about the electronic monitoring policy: workers are notified annually of the type and frequency of monitoring, the methods used, and how the collected information is used. The company's employee conduct policy should therefore already cover unacceptable online behavior. Beyond that, respect employees' rights to their own opinions, and have your legal counsel make sure that your corporate policy does not violate those rights. Upper management should understand that overstepping the legal grounds will not only get the company into embarrassing court cases that are PR disasters no matter the outcome; it will also drive the criticism underground, onto anonymous blogs and discussion forums, and might drive some of the company's best employees out the door in the process.
Chase, one of the leaders in the finance industry, has realized the importance of Web 2.0 in this digital age and signed up with Facebook as one of its 12 major partners in the advertising world. It has an official Facebook page as well and encourages its employees to visit the site, all designed to encourage camaraderie among Chase employees. Chase recognizes that, as long as this liberty is not abused by employees and does not damage the business, the Web 2.0 concept is here to stay and can prove extremely productive.

Private Sector: IT

An increasing number of companies in the IT industry have been adopting the social networking concept. They believe in using Web 2.0 technology to streamline collaboration within and beyond the enterprise, accelerate search and information retrieval, capture knowledge assets and facilitate knowledge transfer, speed application development and deployment, and communicate with stakeholders in new ways.
IBM has been an innovator in the industry for a very long time, and it was one of the major companies to have made a stride in the field of Web 2.0 as well. On January 22nd, 2007 it released a new product called Lotus Connections, which wraps five social networking technologies into one integrated package. "While social computing software is perceived as being at the fringe of most large businesses, it's actually moving to the center fast—because it's about how the next generation of employees communicate, and create and share ideas," says Frank Gens, senior vice-president for research at the technology market research firm IDC. (Business week, 2007)
The IBM package essentially lets employees set up multiple profiles on which they can post information about their expertise and common activities. Google encourages its employees to use blogs to communicate, and Picasa web communities to share pictures. IT security auditing firms like Cap Gemini and KPMG (Ethics point, 2007) have been very reluctant on this front. Their auditing business is strictly against advising their clientele not to encourage social networking policies in the company. There is no general trend in how the IT industry is positioned in this regard, but as long as the company's name is not mentioned and nothing damaging is included in the blogs, the firms seem not to have a problem with the concept of social networking. It is increasingly difficult to monitor employees' blogs and sift through loads of information using a content management system, and hence most companies make employees sign an acceptable use policy when they are hired.
Encouraging personal blogs is as paternalistic as prohibiting them. And counseling
employees on matters of taste and discretion, or asking them to pre-clear content with you, is
insulting and overstepping. Telling employees they can't blog on company time is redundant and
offensive -- terms of employment should already cover this.
Increasingly, most companies, especially technology-driven firms, have unofficial blogs because they want customer feedback and want to interact more directly with customers. Blogs are personal and casual. Most business communications are not. Blogs (like other corporate websites) are more likely to attract potential recruits, alumni, competitors, potential allies and the media than customers. Because of all these concerns, more and more companies have an “unofficial” blog and also keep blogs and user groups on their intranet – to avoid external data leakage or PR disasters when anything damaging gets posted.
Google, Oracle, SAP, IBM and Microsoft all have unofficial blogs, because they believe that reading blogs and interacting with other like-minded employees can be a useful source of information, education, creativity and customer intelligence. Without due focus on the blog content and the direction of the threads or forums, blogs can become an increasing waste of time. IBM has moderated blogs, with administrators who make sure the correct topic is in the right forum, so that the blog has direction and is truly collaborative and productive.

Conclusion
Our public data, the data that we post about ourselves on our blogs, social network pages and podcasts, is very much public in the sense that millions of people online have access to it and can use it for any number of purposes. Some purposes may be innocuous, such as advertising; others may be more nefarious, such as identity theft. Some data that we post on our online profiles may be someone else's private data that we are making public. Additionally, some of our data we want to have public for our friends or peers, data such as our opinions on labor conditions in China or on who should be the next president of the United States. We do not, however, want present or future employers to prejudge us on our opinions, or to illegally refuse to hire us (or reprimand us if we are already on the job) because of our views on certain issues, our group affiliations, or our likes and dislikes.
What it comes down to is a fine balance between an employee's rights and an employer's responsibilities, and in the middle of that seesaw is how your public data is handled. If your public data goes through your employer's network or uses your employer's infrastructure in any way, then the employer is responsible for what is posted and therefore must regulate it in some form. Usually this regulation comes in the form of an Acceptable Usage Agreement. Since such data poses a liability, or is proprietary in nature, the company has the right to take corrective action if the public data you are trying to share can get the company in trouble.
On the other hand, if your public data reaches the Internet without going through a corporate network, and does not divulge corporate secrets, your public data is still quite public. Companies can prejudge you, if they stay within the legal limitations of Equal Employment statutes, and can refuse to hire you, or fire you, for your views, again as long as they stay within those legal limitations. Some who have been fired for their public views have brought lawsuits against their employers under the provision of freedom of speech, but there is no clear-cut right and wrong in these cases. As Bruce Barry puts it in Speechless, in the public sector you've got free-speech rights, except when you don't, and in the private sector you haven't got free-speech rights, except when you do. (2007)
In the end, the arena of Web 2.0, technology evolution, how employees interact with it, and how employers perceive or receive this interaction is quite new. There are some clear-cut rights and wrongs, dos and don'ts, but there is quite a large gray area in between in what occurs and how people react to it. A good policy for employees is not to post something about themselves that they may later regret, and for employers to take proactive steps to protect their assets while at the same time educating their employees on the potential pitfalls of emerging technologies and how they affect them and the company. It is important for all parties to acknowledge that public data is public, and that there is no pretense that your public data is private, unless otherwise stated.

Bibliography
Answers.com. How many members does Facebook have? Retrieved November 20, 2007, from http://wiki.answers.com/Q/How_many_members_does_Facebook_have

Acceptable Use Summary. Retrieved November 2007, from http://media.umassp.edu/massedu/policy/AcceptableUseSummary.pdf

Armstrong, H. B. About this Site. dooce, undated. Retrieved November 15, 2007, from http://www.dooce.com/about.html

Austin, R. D., & Darby, C. A. R. (2003). The myth of secure computing. Harvard Business Review, 81(6), 120-7. Retrieved November 13, 2007 from Business Source Premier database. http://web.ebscohost.com/ehost/detail?vid=1&hid=9&sid=03ee3b4b-b323-40fc-8594-0bb8125940d5%40sessionmgr9

Boston Globe. Retrieved November 2007 from http://www.boston.com/business/technology/articles/2007/03/07/record_industry_cracks_down_on_illegal_file_swaps/

Business Week. Retrieved November 30, 2007 from http://www.businessweek.com/technology/content/jan2007/tc20070122_532199.htm

Blog Herald. Blog Count for July: 70 million blogs. Retrieved November 20, 2007, from http://www.blogherald.com/2005/07/19/blog-count-for-july-70-million-blogs/

Computerworld. MySpace, Facebook ad plans violate privacy, groups tell FTC. Retrieved November 2007 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9046738

Cohen, D., Kelley, M., & Scheinfeldt, T. (2007). Digital Campus Podcast Episode 15: "Exposing Yourself?". James Madison University Center for History and New Media: DigitalCampus.tv. Retrieved November 10, 2007 from http://www.digitalcampus.tv

Coutu, D., Palfrey, J. G., Jr., Joerres, J. A., Boyd, D. M., & Fertik, M. (2007). We Googled You. Harvard Business Review, 85(6), 37-9. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=24997947&site=ehost-live

Copyright response procedure. (2005). Retrieved November 2007, from http://media.umassp.edu/massedu/policy/CopyrightResponseProcedure.pdf

Cyberjournalist.net. (2006). How many blogs are there? 50 million and counting. Retrieved November 20, 2007, from http://www.cyberjournalist.net/news/003674.php

Wyld, D. C. The Blogging Revolution: Government in the Age of Web 2.0. Retrieved November 2007 from http://www.businessofgovernment.org/pdfs/WyldReportBlog.pdf

Davenport, T. H., Harris, J. G., Jones, G. L., Lemon, K. N., Norton, D., & McCallister, M. B. (2007). The dark side of customer analytics. Harvard Business Review, 85(5), 38-9.

Duke University. Employee Manual. Retrieved November 15, 2007, from http://www.hr.duke.edu/policies/index.html
Ethicspoint. (2007). Retrieved November 2007 from https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=11093&nav=page1

Farley, S. (2000). Internet Acceptable Use Policies: Navigating the Management, Legal and Technical Issues. Information Systems Security, 9(3), 46-6. Retrieved November 10, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=3302298&site=ehost-live

Feldman, J. (2004). Lockdown Limits. Network Computing, 15(18), 18-1. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=14538917&site=ehost-live

Feldman, J. (June 25, 2001). It's Not About The Technology. Network Computing, p. 37. Retrieved November 15, 2007, from Academic OneFile via Gale: http://find.galegroup.com/itx/start.do?prodId=AONE

Fertell, D. (2003). How to verify if employees are Really, Truly Working. Bank Technology News, 16(6), 47-1/3. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=9982161&site=ehost-live

Flowers, B. F. & Rakes, G. C. (2000). Journal of Research on Computing in Education, 32(3), 351-15.

Forrester Consulting. (2007). Internet Risk Management in the Web 2.0 World (Industry. SecureComputing.com: Forrester Consulting. Retrieved November 19, 2007 from http://www.securecomputing.com/webform.cfm?id=204

Foster, E. (1999). "Sneak wrap" may be a good way of defining the maze of online policies. InfoWorld, 21(3), 73-1/2. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=2106362&site=ehost-live

Holter, E. & Newfangled Webfactory. (2007). How Many Blogs are there? Retrieved November 20, 2007, from http://www.newfangled.com/how_many_blogs_are_there

Kaptein, M. (2004). Business Codes of Multinational Firms. What do they say? Journal of Business Ethics, 50(1), 13.

Kaptein, M. & Schwartz, M. (2007). The Effectiveness of Business Codes: A Critical Examination of Existing Studies in the Development of an Integrated Research Model (No. ERS-2007-030-ORG). Retrieved November 15, 2007 from Business Source Premier database.

Keeping low employee productivity at bay with an internet acceptable use policy. (2002). PA Times, 13. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=6673613&site=ehost-live

Kent, S. (2005). Policing the home office. Employers Law, 16-2. Retrieved November 13, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=16503798&site=ehost-live

Koutropoulos, A. (2007). MSIS613 Class Notes for September 5, 2007.
Koutropoulos, A. (2007). MSIS613: Internet Privacy Survey. SurveyMonkey.com. Retrieved November 30, 2007 from http://www.SurveyMonkey.com

Langin, D. J. (2005). Employer liability for employee use of peer-to-peer technology. Journal of Internet Law, 9(5), 17-4.

McNamara, P. (2005). Net Buzz. Network World, 55(19), 54-1/2. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=17082942&site=ehost-live

McNulty, E. (2007). Boss, I Think Someone Stole Our Customer Data. Harvard Business Review, 85(9), 37. Retrieved November 19, 2007 from Business Source Premier database.

MTV. (2007). Retrieved November 23, 2007, from http://www.mtv.com/news/articles/1567539/20070821/index.jhtml

MIT. Employee Handbook. Retrieved November 15, 2007, from http://hrweb.mit.edu/policy/toc.html

Mitnick, K. D. (2003). Are You the Weak Link? Harvard Business Review, 81(4), 18-3. Retrieved November 13, 2007 from Business Source Premier database. http://web.ebscohost.com/ehost/detail?vid=1&hid=21&sid=16cd1c5e-2b1f-43c9-8f7e-1cc8f5aabae9%40SRCSM2

MySpace.com. (2007). Number of Registered Users. Retrieved November 20, 2007, from http://www.myspace.com

NCAS, US-CERT. (2007). Retrieved November 2007 from http://www.us-cert.gov/cas/tips/ST06-003.html

TGDaily. (2007). DoD blocks social networking and video sites. Retrieved November 2007 from http://www.tgdaily.com/content/view/32026/113/

TheStreet. (2007). Retrieved November 2007 from http://www.thestreet.com/brknews/general/908216.html

Oroville Mercury-Register. Retrieved November 23, 2007 from http://www.orovillemr.com/

Private Practice. (2002). People Management, 8(10), 20-2. Retrieved November 13, 2007 from Business Source Premier database.

Privacy Rights. (2007). Retrieved November 2007 from http://www.privacyrights.org/fs/fs7-work.htm

Radcliff, D. (2000). Dicey ethical dilemmas; Before you track employees' Web surfing habits, make sure your company has a clearly defined policy. Network World, 17(22), 65-1. Retrieved November 13, 2007 from Academic OneFile database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=3190151&site=ehost-live

Risky Business. (2006). Cabinet Maker, (5493), 36-1. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=23179260&site=ehost-live
Rose, C. (2001). Keeping Dabs on web use. People Management, 7(11), 49-1. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=4687318&site=ehost-live

Rosenbush, S. (2006). How LinkedIn broke through. BusinessWeek. Retrieved November 15, 2007 from http://www.businessweek.com/technology/content/apr2006/tc20060410_185842.htm

Schlesinger, L. (1998). Trust, verify, but don't constrain. Network World, 15(46), 46-2/5. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=2529993&site=ehost-live

Sifry, D. (2006). State of the Blogosphere. Retrieved November 20, 2007, from http://www.sifry.com/alerts/archives/000436.html

Silnicki, G. (2007). Caught in the web. Canadian Business, 80(13), 61. Retrieved November 13, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=25531424&site=ehost-live

Stanford University. Employee Manual. Retrieved November 15, 2007, from http://adminguide.stanford.edu/

Suitt, H. (2003). A Blogger in their Midst. Harvard Business Review, 81(9), 30. Retrieved November 19, 2007 from Business Source Premier database.

Twentyman, J. (2007). Protect yourself from an inside job. Director, 60(6), 30-1. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=23660877&site=ehost-live

The Register. Retrieved November 23, 2007, from http://www.theregister.co.uk/2006/07/03/us_govt_funds_online_snooping/

University of Connecticut. Employee Manual. Retrieved November 15, 2007, from http://www.hr.uconn.edu/emptoc.html

University of Massachusetts. (2007). University of Massachusetts Responsible/Acceptable Use of Computing and Data Resources (2nd ed.). University of Massachusetts. Retrieved November 10, 2007 from http://www.umassp.edu

Urbaczewski, A. & Leonard, J. M. (2002). Does electronic monitoring of employee internet usage work? Communications of the ACM, 45(1), 80-4. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=11934590&site=ehost-live

Urbaczewski, A. & Leonard, J. M. (2003). Web Browser, What's that secret you're keeping? Business Horizons, 46(5), 25-8. Retrieved November 15, 2007 from Business Source Premier database. http://temp8.cc.umb.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=10697049&site=ehost-live

Urban Dictionary. s.v. dooce. Retrieved November 15, 2007, from http://www.urbandictionary.com/define.php?term=dooce