Open secrets online: What’s personal and what’s corporate?

Any employee with an Internet connection now has the power to share confidential information—and the law is catching up
Photo illustration by Lauren Cattermole
Photo illustration by Lauren Cattermole

Simard Westlink is a transportation and warehousing company in Richmond, B.C., with customers ranging from Rona to Dollarama. In early 2012, one of its customers emailed the firm saying he had seen a video on YouTube showing a client’s oversized promotional golf balls sitting in the company’s warehouse. The 43-second video was hardly dramatic, but the fact that an employee had apparently been broadcasting information about its customers to YouTube’s one billion users sparked an investigation. The company eventually discovered dozens of YouTube videos showing employees goofing around with forklifts, unloading goods, arguing and playing with insects on the warehouse floor. One video claimed to show “Dollarama foodstuffs stored with lethal sodium cyanide.”

The company didn’t have to go far to find the amateur documentary filmmaker. According to court records, all the videos had been posted under the YouTube username “William Wallace,” which was the name of an actual warehouse employee. In total, Simard claims Wallace uploaded 93 videos taken while at work to YouTube over two years. He was fired in April. In the ongoing legal battle that has followed, Simard says the videos have cost the company $250,000 in lost business from angry clients. (The company denies that it ever improperly handled dangerous chemicals, or stored them near food.)

Simard discovered the hard way just how much power today’s workers have to spill the beans on their employer’s most sensitive information. From Twitter to Facebook to professional networking sites like Glassdoor and LinkedIn, any employee with an Internet connection now has access to a limitless array of tools to instantly—and anonymously—share workplace gossip and confidential corporate data with the world.

The law is slowly catching up to the exhaustive reach of social media into the workplace, leading to a recent spate of “Facebook firings” in Canada. Court rulings have upheld the right of companies to fire employees who have hurled insults at co-workers and supervisors through their personal social media accounts.

In December, a court upheld the right of Corner Brook Pulp and Paper in Newfoundland to fire an employee named Victoria Stokes after she took to Facebook to rant about a serious safety incident at her job, telling two supervisors, “Lets see how insignificant you feel when you got a rope around ur neck and ur balls soaking in gasoline.” In 2012, an Ontario court permitted Bell Technical Solutions to fire two Peterborough employees who had spread gossip and jokes about their boss on an employee’s private Facebook page. Although the Facebook page wasn’t open to the public, the court ruled that enough of their co-workers had read the posts that they had harmed the company’s reputation. “If you put stuff on social media that’s work-related, you can get fired for it,” says Doug MacLeod, an Ontario employment lawyer. “Everybody gets frustrated at work. Making it public only hurts your employer. Why would you bite the hand that feeds you?”

But while companies might have clear grounds to fire employees who rant on social media, they have a much harder time trying to contain that information once it’s gone out. Despite multiple court orders requiring Wallace to remove the Simard Westlink videos from YouTube, in November someone uploaded 28 of them to a different YouTube account called “Richmond Guy.” The company is now asking the court for permission to access Wallace’s computers and delete any videos it finds.

South of the border, the Texas Supreme Court is set to rule on whether it can order a legal recruiting firm to remove a blog post alleging a former employee orchestrated a kickback scheme. A lower court rejected it, saying such posts were protected as free speech.

At least four companies have tried to subpoena Glassdoor, the website that lets employees review their jobs, to unmask the identities of employees who have posted negative reviews. In 2011, the International Air Transport Association took Glassdoor to court asking for details on a disgruntled poster named “IATA Anonymous.” Last year, a financial planning firm in New Jersey subpoenaed the site to find out the identity of several “John Does” who had posted reviews such as: “The owner is a psychopathic egomaniac, the co-owner is a spineless punch-toy.”

None of the subpoenas has been successful, says Glassdoor community expert Scott Dobroski. To limit its legal liability, the site also manually reviews all of the nearly six million reviews it receives on more than 300,000 companies. About 15 per cent are rejected for revealing too much insider information, insulting co-workers by name, or using profanity.

Dobroski says Glassdoor is simply replicating online the kind of conversations that have long gone on between employees in the lunchroom before the advent of the Internet. “All this information has already been out there and people have had the right to free speech to share it in the elevator, over the dinner table, at a bar,” he says. “Now people have that same right to free speech to share their opinion online.”

Just as employees have a widening array of online avenues to dish on their employer, companies are turning to increasingly sophisticated tools to track what their workers are sharing about them online. Corporations routinely install “exfiltration” software that can monitor everything that happens on any corporate device, such as whether an employee who normally works nine-to-five suddenly starts logging onto his work computer in the middle of the night, or copies a large volume of internal data to a thumb drive, says Tom Keenan, a University of Calgary computer security expert and author of the forthcoming book Technocreep, about the ways in which technology has eroded our privacy rights.

Keenan himself was once hired by the CEO of a major Calgary firm for a late-night rendezvous to secretly install a keyword logger on the computer of an employee suspected of sending sensitive bid information to a competitor. He brought candles with him since the lights in the building automatically shut off at 9 p.m. and the employee had access to computer systems that would have told him whether the lights had been turned on overnight. “I was doing this bizarre candlelight hacking session at four in the morning,” he says. “But we got the evidence.” The employee resigned a few days later.

Some companies have created entire “intelligence centres”—teams dedicated to surfing the web all day looking for what’s being said about them or their executives, says Scott Kaine, president of Cyveillance, a Virginia firm that offers such web-scanning services to Fortune 100 clients.

Companies like Cyveillance make a living out of sorting through billions of Facebook posts, tweets, Instagram photos and chat room conversations looking for information that might harm a company’s reputation or endanger its employees. The volume of data is increasing at a breakneck pace. Kaine says the amount of online data Cyveillance’s crawler are sorting through has quadrupled in the last four months alone. “It’s like all this new real estate is opening up and we’re having to go through it to see if there are any land mines there,” he says.

Chat rooms are a particularly popular place for employees to advertise purloined company data they want to sell to hackers. Disgruntled workers tend to be the ones who cause the most damage, but Kaine says many of the employee-generated social media “landmines” his company finds are from workers who aren’t trying to cause problems. It might be the children of a high-profile executive compromising the family’s security by discussing their vacation plans on Twitter. Or the employee of an energy company who posts a picture on Instagram of a work-related trip, not knowing he’s publicly revealing a site where his company plans to drill for oil.

In 2011, Scott McClellan, then a vice-president at Hewlett-Packard, updated his LinkedIn profile describing in detail his work overseeing the company’s new cloud computing services. Unfortunately for HP, the company hadn’t publicly announced the new service. McClellan quickly deleted the post, but not before it was picked up by dozens of technology blogs, offering rivals like Amazon an advanced look at HP’s plans. Perhaps the most extreme example of accidental oversharing occurred in 2007, when American soldiers in Iraq took pictures with their cellphones of new helicopters being delivered to a military base. They uploaded them to the Internet, not realizing that most photos taken with cellphone cameras are embedded with GPS coordinates. The next day, four of the helicopters were destroyed in a bomb attack. “Every employer should be very, very worried about what employees might be doing with their confidential information,” says Toronto employment lawyer Howard Levitt. “Employers are going to great efforts to preserve it. They don’t want to let the shareholders know how imperilled they are.”

The sheer volume of inadvertent employee leaks has spawned an entire industry, known as “competitive intelligence,” that scours the web looking for information on companies on behalf of their competitors.

Sites like LinkedIn and Twitter walk a fine line between allowing employees to promote their professional accomplishments to the world and revealing sensitive information to rivals. Github allows programmers to post snippets of code from their company’s software to a community of experts that can help them solve glitches. But that can also provide a window into a company’s proprietary software. Slideshare lets people share PowerPoint presentations and PDFs, which means it’s also a gold mine for uncovering internal marketing materials from price lists, to presentations about how a company recently beat the competition.

Add to that the growing number of online employee forums dedicated to specific industries or even companies. Cafepharma has become the go-to place for pharmaceutical reps to complain about work. Target employees have their own forum, the Break Room, which includes Canadian employees venting about empty shelves and stockrooms.

Company interns are among the best sources of corporate intelligence on the web since they often don’t fully understand what information a company needs to keep private and are actively trying to promote their accomplishments to future employers. “They have the most incentive to put information on every profile they have to get the next job, because it probably isn’t with you,” says Sean Campbell, co-founder of Cascades Insights, an Oregon-based corporate intelligence firm that has worked for Canadian clients.

Employees don’t even need to say anything incriminating on their social media profiles to give rivals a peek into their internal operations, he says: “If 90 per cent of a company’s employees have a LinkedIn profile, you might be able to see that they have 40 sellers in financial services in New York. Then you can go to an executive and say, ‘Yeah we’re getting our butts kicked on the east coast, but they have 40 sellers in a market you want us to target and we only have three.’ ”

Glassdoor is a favourite haunt for corporate sleuths. The company offers free reports tracking the history of employee sentiment for any company in its database. Companies can also buy a dossier detailing which of Glassdoor’s users have been browsing the job ads of their competitors—where they live, what industries they work in and how much work experience they have.

With the proliferation of employee-driven data making its way online, labour lawyers and corporate security experts all point to the need for companies to develop policies that spell out exactly how employees can use social media to talk about work—both on the job and at home. Some companies have already begun installing software to warn employees when they’re about to violate their company’s social media policy. “It will route them to a training video and basically say, ‘Hey you’re not supposed to do this, so now you have to sit here and watch this video for the next 15 minutes to get retrained,’ ” says Cyveillance’s Kaine.

But in an era where employees are expected to develop their own personal brand online and where many young workers consider their social media profiles to be an extension of themselves, the line between what’s personal information and what’s company property is often blurred. A complete ban on using social media at work or discussing company business online in off hours isn’t likely to go over well at companies looking to recruit younger workers.

What’s personal and what’s corporate when it comes to a worker’s online presence is still a legal grey area. For instance, if a salesperson uses LinkedIn to solicit clients, switches companies and then updates his LinkedIn status with the name of his new employer, is that a violation of his non-solicitation agreement? “It will get to the courts at some point,” says MacLeod, the employment lawyer.

The law is far more clear when it comes to the consequences facing disgruntled workers taking to YouTube or Facebook to dish about their employers. Not that legal precedents are expected to solve that particular problem anytime soon. If anything, employees will only have more opportunities to retaliate against their bosses as the online tools that let them air their grievances continue to expand. After all, as long as there’s been work, there have been employees complaining about it. “People got angry at their employers in 1920 just like they get mad at them now,” says Campbell. “Only now you have a much bigger microphone.”