"To this day, I regret not taking that stuff to the FBI," says Bryan.
It happened six years ago, when Bryan, who asked that his last name not be published, was IT director for the U.S. division of a £250 million multinational corporation based in Germany.
The company's Internet usage policy, which Bryan helped develop with input from senior management, specifically prohibited the use of company computers to access pornographic or adult-content Web sites. One of Bryan's duties was to monitor employee Web surfing using SurfControl and report any violations to management.
Bryan knew that the executive, who was a level above him in another department, was popular both within the U.S. division and the German parent.
So when SurfControl turned up dozens of pornographic Web sites visited by the exec's computer, Bryan figured "my best course of action was to follow the policy."
"That's what it's there for," he reasoned. "I wasn't going to get into trouble for following the policy." He went to his manager with copies of the Web logs in question (which he still has in his possession and made available to Computerworld for verification).
Power and prowess
Bryan's case may be extreme, but it's a good example of the ethical dilemmas that IT workers encounter on the job. IT employees have privileged access to digital information, both personal and professional, throughout the company, and they have the technical prowess to manipulate that information.
That gives them both power and responsibility -- to monitor and report employees who break company rules; to sneak a look at salary information or read personal e-mails that reveal love affairs; or to uncover evidence that a co-worker is embezzling funds from the company.
But ethics professionals, technology industry watchers and IT workers say, there's no consensus on how to wield that power or fulfill that responsibility, at least not officially. And that often puts IT people in uncomfortable positions.
In Bryan's case, he didn't get into trouble, but neither did the porn-viewing executive, who beat Bryan to the human resources director with "a pretty outlandish explanation," says Bryan. The executive claimed that his ex-wife was publishing pictures of their kids on the Internet, and he had been trying to find out where. "He said he thought this might show up in a report on him, and he just wanted them to know that he was not going to be doing that anymore."
The company accepted the explanation and tabled the incident, despite Bryan's documentation, which he showed to his direct superior and to human resources and which he insisted be placed into the man's personnel file. Bryan considered going to the FBI, but the Internet bubble had just burst and jobs were hard to come by. "It was a tough choice," he says. "[But] I had a family to feed."
In theory, ethical behavior is governed by federal and state laws, corporate policy, professional ethics and personal judgment. But as Bryan now realises, and other tech workers discover all the time, navigating those muddy waters can be one of the most daunting challenges in an IT professional's career.
To give just one example of how confusing ethical transgressions can be: Child pornography is illegal in the U.S., but the law does not necessarily require individuals to report it.
A handful of states, including Arkansas, Missouri, Oklahoma, South Carolina and South Dakota, have laws requiring IT workers to report child pornography, and others are considering similar measures. But they're still in the minority.