The Pandora's box of SMS monitoring

New regulations and technology aimed at monitoring employee text messages and IMs might just describe a road to hell paved with good intentions

As of last December, the Financial Industry Regulatory Authority ruled that securities firms are to treat all electronic communication as they do e-mail when it comes to compliance. That's right: According to FINRA, the largest nongovernmental regulator for securities firms doing business in the United States, text messages and IMs are subject to the same scrutiny as e-mail for a wide array of compliance regulations (see End Note 1, page 15 of FINRA rules).

I spoke with Onset Technology about the company's Advanced Compliance Tool (ACT), server- and client-side software that promises to help organizations comply with FINRA's latest ruling.

For the record, ACT's client side currently works with BlackBerry units, including Verizon's BlackBerry Curve. Versions for Windows Mobile devices will follow.

ACT lets administrators build a rules engine that recognizes keywords, as well as number strings and patterns, and blocks employees from sending prohibited information from a wireless device. Those rules might encode government regulations, quasi-government rules like FINRA's, or company policy; the technology works the same either way.

Zack Silbinger, vice president of development and marketing at Onset, says the company is the first to market with this kind of technology, but I am sure many will follow.

The upside of communications monitoring

On the plus side, technology such as ACT can be used to good ends. For example, Onset's technology can monitor any attempt by a broker to send a message to an analyst. This practice is not condoned, and it is illegal. ACT can help ensure that the "ethical wall" between those two entities in financial services is not breached.

Or consider the nurse who alerted friends that George Clooney was admitted to her hospital. She probably sent the text message as a harmless piece of gossip. Harmless or not, with ACT, the HIPAA compliance administrator could have prevented this faux pas by adding "George Clooney" to ACT's keyword-monitoring system and blasting it out to employees' handheld devices.

By the way, in that seemingly harmless incident, 27 hospital employees, including doctors and nurses, were eventually suspended.

How ACT monitoring works

Here's how ACT works. First, the compliance administrator adds rules to the server. Using the employee list from, say, Exchange, the admin can then relate rules to specific groups and create whitelists and blacklists to determine which employees can communicate with whom.

These rules are then pushed out to employees' handsets. When a user attempts to send a message that breaks one of these rules, a pop-up appears on the handheld informing the user. In addition, a copy is sent to the compliance officer. The message or number is also sent to the inbox of the company's archiving system.

From patient lists in a hospital, to hot-button words that could lead to a sexual harassment lawsuit, to Social Security and credit card numbers, the technology has a clear purpose for any organization mindful of the legal ramifications of electronic communications.
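The rules engine described above, sketched as an added example in Python. This is not Onset's code and it does not reproduce ACT's rule format; the group directory, addresses, rule set and messages are all constructed for illustration. It shows the three rule types the column names (a group-based blacklist for the broker/analyst wall, keyword rules, and number patterns for Social Security and credit card numbers) and the three enforcement actions (pop-up on the handset, copy to the compliance officer, copy to the archive). It goes slightly beyond the text in one respect: candidate card numbers are confirmed with a Luhn checksum so that an order number of the same length is not flagged.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical directory groups, standing in for the Exchange employee list
# that an administrator would map rules onto. All addresses are made up.
GROUPS = {
    "alice@broker.example": "brokers",
    "bob@research.example": "analysts",
    "carol@ward.example": "nurses",
    "dave@ward.example": "nurses",
}

# Blacklist of (sender group, recipient group) pairs: the broker/analyst
# "ethical wall", enforced in both directions.
BLOCKED_PAIRS = {("brokers", "analysts"), ("analysts", "brokers")}

# Keyword rules, e.g. a HIPAA administrator adding a patient's name.
KEYWORDS = ["george clooney"]

# US Social Security number: 3-2-4 digits, excluding the reserved ranges.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or dashes between them; each
# candidate is then confirmed with a Luhn check so that arbitrary numbers
# of the same length (order IDs, tracking numbers) are not flagged.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    blocked: bool
    reasons: List[str]   # rule names that fired
    actions: List[str]   # what the server does with the message


def evaluate(sender: str, recipient: str, text: str) -> Verdict:
    """Apply the blacklist, keyword and pattern rules to one outbound message."""
    reasons = []

    # 1. Who may talk to whom (group-based blacklist).
    pair = (GROUPS.get(sender, "external"), GROUPS.get(recipient, "external"))
    if pair in BLOCKED_PAIRS:
        reasons.append("ethical-wall:%s->%s" % pair)

    # 2. Keyword rules: case-insensitive substring match.
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            reasons.append("keyword:" + kw)

    # 3. Number strings and patterns.
    if SSN_RE.search(text):
        reasons.append("pattern:ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            reasons.append("pattern:card")
            break

    # Enforcement as the column describes it: warn the user on the handset,
    # copy the compliance officer, and send the message to the archive.
    actions = ["popup:user", "copy:compliance-officer", "archive:message"] if reasons else []
    return Verdict(blocked=bool(reasons), reasons=reasons, actions=actions)


if __name__ == "__main__":
    # Constructed messages, including a text about a George Clooney movie,
    # which a bare keyword rule cannot tell apart from the hospital gossip.
    samples = [
        ("alice@broker.example", "bob@research.example", "Lunch at noon?"),
        ("carol@ward.example", "friend@example.net", "George Clooney was just admitted to our floor!"),
        ("dave@ward.example", "friend@example.net", "Want to see George Clooney's new movie Friday?"),
        ("carol@ward.example", "dave@ward.example", "Patient SSN 123-45-6789, bed 4"),
        ("dave@ward.example", "carol@ward.example", "Card 4111 1111 1111 1111 exp 12/29"),
        ("dave@ward.example", "carol@ward.example", "Order 1234567812345678 has shipped"),
    ]
    for s, r, t in samples:
        v = evaluate(s, r, t)
        print("BLOCK" if v.blocked else "allow", v.reasons, t)
```

Note that the movie text is blocked by exactly the same keyword rule as the gossip: a substring rule has no notion of context, so any "dragnet" of this kind will catch innocent messages unless the rule is narrowed (for instance, requiring the name to appear alongside other patient-record indicators) or the verdict is reviewed by a person before any disciplinary action.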

Although ACT does not record voice conversations, it does record all the details from the call, including time and length of call, as well as who was on the other end of the line.

The ethics of monitoring

There is no getting around the fact that compliance regulations are trying to rein in unfettered, prohibited communications that can cause problems down the road. But once this kind of technology is out of the box, Pandora's box, that is, there is no telling how it will be used.

I understand that the folks at Onset are not to blame. They are merely technologists who designed a tool that, for the present at least, will allow companies to steer clear of lawsuits and fines and allow them to be compliant with many more regulations coming down the pike.

However, just like the recent news story in which an infant was stopped from boarding a plane because the child's name was on the no-fly list, I can see abuses of this technology down the road.

This may be a bit far-fetched, but what if at the same time that nurse was texting friends about George Clooney's motorcycle accident, another hospital employee was texting a friend about plans to see George Clooney's latest movie? Would he or she be caught in the same dragnet and suspended, too?

Of course, just as Onset is announcing its new technology, we have Skype caving in to a totalitarian government -- behavior I find awful, and have written as much for a number of years -- by allowing the Chinese government to monitor its customers' messages.

The ethics of technology use is tricky business. And the Skype deal coinciding with Onset's announcement raises two important questions.

First, if the Chinese government came to Onset Technology and said it would like to buy ACT, should Onset refuse?

And second, is the Skype deal with China completely different than what we do here in the States in the name of monitoring for compliance and adherence to government regulations, or does it merely vary in degree?
