From Not So Innocent
Ismael Rodriguez is a network analyst for Copier Country, a small New York company that sells photocopiers. A few years ago, after a salesman took the firm’s customer database when he left for a new job, Rodriguez installed a program called Spector Pro on most of the company’s computers. The software, made by SpectorSoft, can track and block the websites a user tries to visit and log his or her every keystroke. Rodriguez says that although he won’t examine anyone’s computer use unless his boss asks him to, most Copier Country staffers know much of their desktop activity is now open to potential scrutiny.
“I can see screen shots of what they do in Yahoo!,” he says. “I can see what they’re typing, whether it’s résumés or business-related stuff. The program even keeps track of songs that employees download to their iPod. There’s not anything these guys can get away with that I can’t see.”It’s a fact of life in the 21st-century workplace: The boss may well be watching, especially if you use a computer. A 2005 survey by the American Management Association and the ePolicy Institute found that about three out of four companies regularly track which websites their employees visit. More than half use surveillance software to scour office e-mail (looking for hot-button keywords like sex in the subject line or body of messages). More than a third extend their snooping to monitor how much time workers spend at the computer, record their keystrokes or log their downloads. And one in four companies reports firing someone for improper e-mail use.
As the use of monitoring software grows, more of the activity that many of us consider innocent is getting caught in the net. Who hasn’t opened his e-mail to find a message from a friend passing along something—a goofy YouTube clip, an off-color joke, a link to her brother’s new blog—that she’s sure everyone will find hilarious. If it does get a laugh, it’s probably passed along to a few more people.
No big deal, right? That’s surely what Heidi Arace and Norma Yetsko thought, until they lost their jobs at PNC Bank in New Jersey. Their idea of what was fun to share via office e-mail wasn’t amusing to their bosses, who found it offensive enough to fire the two longtime workers. Because the bank, like most companies today, has a formal policy against internal distribution of offensive material, Arace and Yetsko had no viable defense. (Bank officials declined to comment.)
Valid Reasons for Monitoring
“It was like I lost everything in my life,” Arace said in 2004. She got in trouble for passing along, among other things, a joke e-mail with the subject line “Vote Hillary” and an attached picture of Sen. Hillary Clinton’s head pasted onto the body of a woman flashing her breasts. “You get a simple e-mail like this, you read it, you chuckle, forward it on, click. Done deal. You don’t think of the policy, because everyone was doing it.”
There are plenty of valid reasons for companies to monitor their workers’ computer use. Productivity is one. A 2005 survey by salary.com and America Online found that employees on average wasted at least two hours a day—much of it online—doing things other than work, at an annual cost to businesses of about $759 billion.
Improper computer use can also spell legal trouble. Downloading pirated music or movies onto a work computer can prompt a copyright-infringement suit. Viewing pornography or sending sexually suggestive e-mails can lead to sexual harassment claims. No business wants to end up like Chevron, which had to pay $2.2 million to female employees after male workers circulated offensive e-mails. (The message contained in one: “25 Reasons Why Beer Is Better Than Women.”)
Says Nancy Flynn, the ePolicy Institute’s executive director and author of books on workplace computing rules, “If a company gets embroiled in a lawsuit, you can take it to the bank that its e-mail will be subpoenaed.”
Security is another concern. Porn, gambling and gaming sites, for example, can harbor viruses and other malicious programs that load onto a computer secretly and allow outsiders to damage a network or make off with sensitive information.
Companies also have competitive reasons to keep tabs on workers. Dan Geer, vice president and chief scientist at Verdasys, a data-security company, recalls installing the company’s Digital Guardian system on the network of a company that makes video games, and catching a worker trying to steal the designs for a new game before its release. This worker, Geer says, had logged in to a credit union site, ostensibly to handle personal banking. What he was actually doing was opening the door to an accomplice who had himself hacked into the credit union’s network and was waiting there to swipe the game files.
Steve Roop, a vice president at Vontu, another data-security firm, says such a sinister scenario is rare. Most workers who leak sensitive information do it by accident: “It’s good people doing dumb things.”
Roop says one client, a cell phone maker, had an employee who got so excited about a new phone’s design that he sent a prerelease graphic to a fan site, hoping to create advance buzz. “It allowed competitors to knock off that design and jeopardize the earnings flow for their own company.”
Companies are using two types of spying software: network-based programs that monitor all traffic passing through a system, and programs that sit directly on an employee’s desktop.
Vericept Protect is an example of the first type. The software searches all correspondence for any indication that employees are accidentally or maliciously communicating sensitive data, and blocks it. Vericept also claims it can examine the tone of an e-mail to detect job dissatisfaction. Someone who sends a message saying “I hate my job” or “You’re not going to believe what my idiot boss did today” could be poised to upload company files in anticipation of leaving the job.
Ways Employers Spy
Vericept makes products to monitor other Web activities as well. Paul Pilotte, a senior product manager at the company, says it helped one client fend off a harassment suit filed by a senior employee who claimed someone had left printouts from an adult website in her office. The company planned to give her a large severance package until it used a Vericept tool to examine her Web use. That search, Pilotte says, found that the employee had printed the pages herself. On another occasion, Vericept helped catch a worker who had installed a keylogger on a manager’s computer to extract the boss’s passwords.
One product that monitors an individual desktop is NetVizor. It can record everything a person types, from bank passwords to the names of illnesses searched on WebMD. It also logs and monitors e-mails sent and received (including those in personal Yahoo!, Hotmail and Gmail accounts), instant message chats, and the names of documents opened or printed. It can even capture a snapshot of a computer screen, providing an employer with a replica of what the employee is seeing on his or her monitor. (Another product called Mobile Spy takes some of the same stealth surveillance to company-issued cell phones by allowing the boss to view a log of phone numbers called and see every text message sent.)
Kelly Todd, information-services security analyst for Securities America Financial Corporation, an independent broker dealer with several hundred employees, won’t say what kind of software his company uses. But he does say as soon as “somebody types an e-mail and hits Send, before it even gets to the central e-mail server, it goes through a system that archives the e-mail.”
No one “sits there reading e-mail,” he adds. But employees know that they’re being monitored. “We tell them, If you’re not willing to stand on your desk and shout something across the room, don’t put it in an e-mail, because somewhere down the road, someone will read it.”
Most large companies are like Todd’s, says Lawrence Orans, an analyst for Gartner Research: They monitor overall e-mail traffic and only target a worker if a problem pops up.
That’s how Tasha Newitt got snared. Newitt and seven co-workers were fired by the Washington State Department of Labor and Industries after the agency examined all employees’ e-mail usage. The inquiry followed a female worker’s sexual harassment claim against a male manager in 2001. In the process, investigators found 418 personal messages in Newitt’s account.
Newitt, who had processed workers’ compensation claims for eight years, admits that one e-mail to her boyfriend discussing intimate details of their relationship was inappropriate. But, she says, most of what the agency objected to involved joke e-mails (some sent by supervisors, she claims), a poem and birthday wishes, plus messages she got but didn’t open or forward. The agency was unmoved. Her termination letter, Newitt says, didn’t cite her for sending personal e-mails but for receiving them and not reporting them to a supervisor.
“I had a death in my family, and so I had received on that day an e-mail from a friend, a co-worker who was in the same building, who sent me a little poem,” Newitt says. “And that was in my termination letter.”
Violating Unspoken Policies
She says she lost her home and car, and that her children had to live with their father for a time because she was broke. (Eventually she got a new job as an office manager.)
Jerry Gilliland, a spokesman for the labor department, declined to discuss details of the case. He said the agency’s policy banned the use of office technology for personal reasons, except in rare cases with manager approval, and that employees learned of the policy at their orientation. Gilliland added that state law also bans the use of electronic equipment for private purposes.
Newitt says she thought the policy covered Web surfing, not e-mail, and was stunned to be fired without a warning.
The ePolicy Institute’s Nancy Flynn says that companies don’t always communicate their computer-use policies adequately. According to a 2006 ePolicy survey, 76 percent of organizations said they had a written policy about e-mail use, but only 42 percent conducted training about the policy and explained how violators would be disciplined. (Short of firing, violators commonly face fines that range from $1,000 to $3,000 per infraction.)
Workers have little protection. No federal law compels a firm to say when monitoring software is installed. And Connecticut and Delaware are the only two states to require employers to tell workers they’re being monitored.
Bloggers, too, are learning they have little protection for what they say about employers on personal websites. Freedom of speech doesn’t ensure job security. And some are finding that online activity can damage a career before it begins. Stacy Snyder was working toward a bachelor of science in education and a teaching certificate from Millersville University in Pennsylvania. Her supervising teacher at the high school where she was doing in-class training says Snyder was inviting students to visit her MySpace page. Among the contents: a photo of Snyder wearing a pirate hat and holding a plastic cup. A caption read “Drunken Pirate.”
High school officials called Snyder’s MySpace activity inappropriate and unprofessional. Subsequently, she says, she had to forfeit the teaching certificate and switch to a bachelor of arts degree. She has sued Millersville for what she says is unfair punishment; the university refutes her claims. In any case, her teaching career may be over already.The Future of Employer Snooping
Some companies are going beyond the desktop to monitor their employees.
Radio frequency ID chips in employee key cards serve the same function as time-clock punch cards, allowing employers to know when workers enter the office and even track their movements within a building. One downside: The cards can be lost or stolen. In 2006 CityWatcher.com, a video-surveillance firm, dealt with that flaw by implanting RFID chips in the arms of two willing workers authorized to enter a secure room holding government surveillance videos.
GPS-enabled cell phones can serve a similar function outside the office, transmitting signals that alert supervisors when a worker leaves a particular building, and mapping his or her movements on a computer screen.
Geofencing technology by a company called Xora can be incorporated into cell phones. Once installed, it can send e-mail alerts when an employee drives too fast or loiters too long in one spot. Employers can also designate specific areas—bars, sports venues, home addresses—as off-limits during work hours. Phones can then send an alert if a worker strays into the prohibited locations.
Biometric devices are increasingly being deployed by private companies and government agencies to control building access. Scans of workers’ fingerprints, irises or retinas can be used in conjunction with, or in place of, electronic badges. Wasp Barcode Technologies makes a biometric attendance-tracking system that requires employees to place a finger on an electronic reader instead of punching in with a time card. A worker playing hooky can’t have a buddy clock in for him. Unlike the RFID chip in an electronic ID badge, a biometric marker can’t generally be tampered with (though there have been claims that fingerprints can be duplicated).
7 Rules to Live By
Some simple tips for what to do—and not do—when using your work computer:
- Know your company’s computer-use policy and comply with it.
- Assume you’re being monitored, and behave accordingly.
- Never bad-mouth your company online.
- Don’t use personal e-mail accounts or post to a blog.
- Avoid transmitting any message that could embarrass you or others if made public.
- Don’t think instant messaging is less permanent than e-mail.
- When surfing the Web, never click on something flagged NSFW (not safe for work).