It is usually possible to reconcile employees’ legitimate privacy concerns and a company’s equally legitimate rights and obligations to collect data if you go about it properly. A story in Der Spiegel shows what happens when you get it wrong. The story does at least give an opportunity to explain the difference between spy software and data collection.
As its name implies, the e-Disclosure Information Project, which I run, exists to spread knowledge and understanding about the collection and use of electronic documents. My primary focus is on the common law countries (mainly the UK and US) which require discovery of documents in litigation, but the increase in the powers of regulators brings the same issues to countries which do not have that litigation obligation. The area where mainland EU principles collide with US discovery is in relation to privacy and data protection matters. I come across these subjects mainly in the context of trying to explain to Americans what the concepts mean, why they matter rather more to Europeans than to them, and how proper regard to privacy is not necessarily incompatible with an adequate collection of data if they take the trouble to understand both the legislation and the underlying concerns which drive the legislation.
Occasionally, the opportunity arises to do the opposite, and to help Europeans understand that not every collection of data is an invasion of privacy, that there are legitimate reasons for needing to collect data, and that the appropriate software implemented with proper safeguards poses no threat to legitimate privacy concerns. Indeed, given that the need and obligation to collect data exists anyway, it is better to have a system, the skills to support it, and an auditable process than to rely on the ad hoc methods of collection which are the only alternative.
The key in both directions is co-operation and informed persuasion. It is quite hard to promote understanding in the abstract. It is easier either when people see a need to understand for their own reasons, or where there is a misapprehension to correct. As with politics or personal relationships, you need an opposition, something to argue against, to present a cogent set of arguments. Arguments depend on facts, and the Der Spiegel story suggests a shortage of accurate facts, with the gap filled with surmise and suspicion. The result will almost certainly suit no-one involved.
The story appeared in the February 28 issue of Der Spiegel under the eye-grabbing heading “US Concern Honeywell installed spy software on employees’ computers. Works Councils and lawyers consider that as illegal”. Honeywell, it said, was “curious about the activities of its employees”. It had installed Guidance Software’s EnCase which, it said, could copy a hard disk, analyse emails, track internet activity, and recover deleted data even if it had been overwritten. “EnCase is so good” it went on, “that the FBI and the investigative unit of Scotland Yard use it”.
The software was referred to in terms as “spy-software” and a “virtual tracker”. Quoting Lenin, Der Spiegel said that “trust is good, control is better” before admitting, rather lamely in the circumstances, that there was no evidence that Honeywell had actually used the software. Honeywell was quoted as saying that it needed EnCase to protect the network from viruses and Trojans.
Where to begin with this collection of nonsense? It is hard to tell from my translation whether Der Spiegel is merely reporting the views of others or supplying its own, so I will assume in its favour that it is the former. Even the much-used Lenin quotation is unverifiable, although he did say “Freedom is good but control is better”. I do not imagine that Guidance Software minds its application being described as “so good”, and some of the functions listed by Der Spiegel are indeed things which EnCase excels at. To describe it as “spy-software” or as a “virtual tracker” is just not right, and there is more at stake here than one supplier’s specification list. I have come across a web posting about the Der Spiegel article which refers to “sniffer-software”, so the story gets less accurate as it spreads – one thing Lenin really did say was that a lie told often enough becomes truth. If the already confusing and highly inflammatory subject of privacy is to be stirred up, we might as well get some basic facts right.
Let us start by asking why a company might need to collect data apart from the alleged desire to spy on its employees. Regulated companies are required to produce data in many circumstances and other national authorities have the right to demand information which companies have a corresponding duty to provide, often very quickly. If allegations are made of bribery or other corruption, or about anti-competitive behaviour, then a company must investigate it at once – “must” meaning that they are required by law to do so. A company has its own legitimate reasons for searching its computer systems – a suspicion of fraud or computer hacking, or that an employee is stealing the company’s secrets (not a small fear for a technology company), or trying to influence its share price, all warrant immediate action, often in circumstances where it is necessary to keep quiet about it. Against all this must be balanced the right of employees to keep private their personal information.
There is more than one way to collect the data needed for these purposes. Employees might be set to trawling servers for documents and mail files, and read them to check their contents. A third party collection expert may be called in to do it, perhaps taking a full disk image of all the computers for review by consultants or lawyers – there are plenty of good collectors, one should say, who would do the exercise properly, collect no than more is needed, and audit every step of the way, but there are many others who would just collect everything.
What does “properly” mean in this context? One of the many features of a “proper” collection is the ability to be selective about what is collected, not just at container level (e.g. a file folder or a mail custodian’s folders) but at document level. Another is the ability to track what has been collected (and what has not), by whom and with what search parameters. Yet another is that the exercise be repeatable – that is, that if the same process is run tomorrow it will achieve the same results apart from data which has in fact changed. The effect of such capabilities is that companies may be highly selective about what they collect, that they may involve others in the decisions where appropriate, and that they can show what they have done. Further, the task may be accomplished without anyone, the collector included, knowing what is in the documents.
All these things in fact offer protection for private data, not the reverse. The parameters of the search can be set to take account of private folders and can incorporate protocols (agreed, for example, with a works council) designed to protect privacy as well as make the users accountable.
These actions involve passive technology – the application takes data as it finds it and collects or ignores it depending on the rules which have been set. There are many types of active software applications which are designed to intercept and monitor e-mails, to crawl employee’s data, log keystrokes and monitor activity as it happens. EnCase is not one of them.
In any discussion about data privacy, German works councils are identified as the strictest upholders of privacy rights, but not necessarily as the hardest to deal with (that would be their French equivalents). Their reputation is more for wanting to be closely involved in any data collection exercise in order to be part of the decision-making process, and that is in fact a statutory right going back decades. The use of tools like EnCase actually enhances that co-operative approach because EnCase offers (indeed, requires) the development of a process with rules and parameters which allows employers to involve works councils in implementation, and audit facilities which enable them to show what has or has not been done.
So what went wrong here? Although US lawyers and, occasionally, US courts, can appear heavy-footed in their attitude to EU privacy obligations, the same is not generally true of software suppliers – they are generally adept at fine-tuning their applications to local markets. Since EnCase does in fact have the ability to identify and respect private data, it seems unlikely that Guidance Software has understated its suitability for the privacy regimes of its European market. Guidance Software posts a white paper on its website entitled Obtaining German Works Council Approval to Collect Employees’ E-Mail and Electronic Documents. In addition to encouraging companies to contact their works councils “as early as possible,” the Guidance Software white paper states that “If employees create a folder in their computer file structure with an agreed-upon folder name in which they can place all of the personal data, EnCase Enterprise’s search criteria can be configured to leave that folder untouched, so that none of that data will be collected.”
Even if you strip away the hysterical stuff about spy-software and virtual tracking, you are left with the impression that the works council really does not understand what EnCase has been installed for, what it does and what it can do. That suggests to me that the employer neglected to tell the works council what it was doing.
There are a few articles on privacy on this blog, most of them reporting the advice given by well-known experts in international data collections. The recurring theme is that the mechanics of collection are easy compared with the political and cultural implications – see, for example Foreign collections need more than big feet. Dealing with German works councils involves more than mere cultural sensitivities – the law requires that employers involve them in decisions affecting the workforce, quite apart from the wider implications of privacy law.
The duty to approach such problems co-operatively cuts both ways. The works council may be cutting off its nose to spite its face if the upshot of its court action is that Honeywell has to remove EnCase. Honeywell must have some mechanism in place to collect data to meet its general compliance obligations. If it is not EnCase, it will almost certainly be something more intrusive and closer to the “spy-software” which the works council fears.
I cannot imagine that Guidance Software will be too bothered by the furore. One of the few assertions in the article which is actually correct is that EnCase is used worldwide by big corporate and law enforcement agencies for data collections. The worst downside for Guidance may be the possibility that a widely-read article will result in their being besieged by enquiries for a spy technology which they do not in fact have.