Admit it -- you've used your
computer at work to view non-work-related
Heck, if you are reading this article at work, you might already be guilty
as charged. More than 70 percent of the adult online population has accessed
the Internet at work for personal use at least once, according to a
September 2000 eMarketer study. Employees are sending personal
games, viewing pornography, shopping, checking
stock prices and
gambling online during working hours.
Cameras in the workplace keep an eye on employee
Don't think these cyberslacking activities are going unnoticed.
More than one-third of the 40 million American workers with Internet access
have their e-mail and Internet usage under constant surveillance, according
to a study from the
Privacy Foundation. With a simple software application, your boss can be
tapping into your computer and see what you're doing in real-time. Whether
you are guilty of wasting company time or not, your
computer might be
under surveillance. You can be monitored without your knowledge -- employers
are not required to notify you that you're being observed.
At the center of the debate surrounding workplace surveillance is the
question of employee privacy rights. In this edition of
you'll learn about the various kinds of software that enable employers to
monitor your computer activities. We will also discuss the legalities of
A Growing Trend
The growing number of employers who are monitoring their employees'
activities is a result of the low cost of the monitoring technology, a
growing percentage of employees using their computers for personal use and
an increase in employees leaking sensitive company information. Employers
are also watching their workers to avoid sexual harassment and
discrimination lawsuits that stem from inappropriate and offensive e-mails
circulating within a company.
Instead of monitoring those employees who exhibit suspicious behavior,
many employers are instituting "continuous, systematic surveillance"
in the workplace, according to a Privacy Foundation study written by Andrew
Schulman. Reports of companies firing workers for misusing workplace
computers are becoming more common as an increasing number of employers
implement electronic monitoring software.
Computers leave behind a trail of bread crumbs that can provide employers
with all the information they could possibly need about an employee's
computer-related activities. For employers, computers are the ultimate spy.
There's little that can stop an employer from using these surveillance
There are basically five methods that employers can use to track employee
- Packet sniffers
- Log files
- Desktop monitoring programs
- Closed-circuit cameras
Computer-monitoring programs carry such names as Shadow,
SpyAgent, Web Sleuth and Silent Watch. The prices of these
programs range from as little as $30 to thousands of dollars. The number of
employers who believe that they need these programs and the relatively low
cost has resulted in an emerging multi-million dollar industry called
Employee Internet Management.
Let's examine some of the Internet surveillance technology and how it's
Computer-network administrators have used packet sniffers for years
to monitor their networks and perform diagnostic tests or troubleshoot
problems. Essentially, a packet sniffer is a program that can see all of the
information passing over the
is connected to. As data streams back and forth on the network, the program
looks at, or "sniffs," each packet. A
packet is a
part of a message that has been broken up.
Normally, a computer only looks at packets addressed to it and ignores
the rest of the traffic on the network. But when a packet sniffer is set up
on a computer, the sniffer's network interface is set to promiscuous mode.
This means that it is looking at everything that comes through. The amount
of traffic largely depends on the location of the computer in the network. A
out on an isolated branch of the network sees only a small segment of the
network traffic, while the main
domain server sees
almost all of it.
A packet sniffer can usually be set up in one of two ways:
- Unfiltered - captures all of the packets
- Filtered - captures only those packets containing specific data
Packets that contain targeted data are copied onto the
hard disk as
they pass through. These copies can then be analyzed carefully for specific
information or patterns.
When you connect to the Internet, you are joining a network maintained by
your Internet service provider (ISP). The ISP's network communicates
with networks maintained by other ISPs to form the
foundation of the Internet. A packet sniffer located at one of the
servers of your ISP would potentially be able to monitor all of your online
activities, such as:
- Which Web sites you visit
- What you look at on the site
- Whom you send e-mail to
- What's in the e-mail you send
- What you download from a site
- What streaming events you use, such as audio, video and
From this information, employers can determine how much time a worker is
spending online and if that worker is viewing inappropriate material.
It Could Mean Your Job
More than one-quarter of American companies have
fired employees for misuse of office e-mail or Internet connections,
and 65 percent report taking disciplinary actions for similar offenses,
according to the
American Management Association (AMA). Here are some of the
high-profile cases where employees were fired or reprimanded for
- October 1999 - Xerox dismisses 40 workers for inappropriate
use of the Internet related to the viewing of pornographic Web sites.
- December 1999 - The New York Times fires 23 employees for
distributing pornographic images via e-mail.
- July 2000 - Dow Chemical fires 50 workers and disciplines
200 others for distributing sexually explicit and violent material.
- September 2000 - Dow fires another 24 and reprimands 235
more for e-mailing sexually explicit or violent material.
- September 2000 - Orange, a British mobile-phone company,
fires 40 employees for downloading pornography.
- November 2000 - The Central Intelligence Agency fires four
employees and reprimands 18 for participating in a secret chat room
created in a classified computer system for exchanging jokes.
- June 2001 - A junior-high principal in Seattle is fired for
allegedly viewing inappropriate material on school-district-owned
- July 2001 - Northwestern University fires an employee for
allegedly storing thousands of
MP3 files on
her work computer.
- January 2002 - Enron fires several employees for posting
information about financial abuses in online message boards.
Desktop monitoring programs work differently than packet sniffers. They
can actually monitor every single action you take with your computer.
Every time you provide some form of input for your computer, whether it's
typing on the keyboard or opening a new application, a signal is
transmitted. These signals can be intercepted by a desktop monitoring
program, which can be installed on a computer at the
system level or the assembly level. The person receiving the intercepted
signals can see each character being typed and can replicate what the user
is seeing on his or her screen.
Desktop monitoring programs can be installed in two ways:
- Physically - Someone sits at the computer and installs the
- Remotely - A computer user opens an e-mail attachment. The
attachment, which contains a program the user wants to install, may also
contain desktop monitoring software. This is described as a Trojan
horse -- a desired program that contains an undesired program.
Desktop monitoring programs have the ability to record every keystroke.
When you are typing, a signal is sent from the
keyboard to the
application you are working in. This signal can be intercepted and either
streamed back to the person who installed the monitoring program or
recorded and sent back in a text file. The person it's sent back to is
usually a system administrator. However, keystroke intercept programs are
also popular among "hackers."
Hackers often use desktop monitoring programs to obtain user
passwords. Intercept programs, because they record keystrokes, also make
users susceptible to having their
numbers and other sensitive personal data stolen.
Employers can use the desktop monitoring program to read e-mail and see
any program that is open on your screen. Desktop replicating software
captures the image on the
by intercepting signals that are being transmitted to the computer's
These images are then streamed across the network to the system
administrator. Some prepackaged programs include an alert system --
when a user visits an objectionable Web site or transmits inappropriate
text, the system administrator is alerted to these actions.
But employers don't need to install software to track your computer use.
There are actually systems built into every computer that make finding out
what you've been doing pretty easy.
Your computer is full of log files that provide evidence of what
you've been doing. Through these log files, a system administrator can
determine what Web sites you've accessed, whom you are sending e-mails to
and receiving e-mails from and what applications are being used. So, if you
are downloading MP3
files, there's more than likely a log file that holds data about that
In many cases, this information can be located even after you've deleted
what you thought was all the evidence -- but deleting an e-mail, or a file,
doesn't erase the trail. Here are a few places where log files can be found:
- Operating systems
- Web browsers (in the form of a
- Applications (in the form of backups)
If the hard drives of an employee's computer and a system administrator's
computer are connected, a system administrator can view the log files
remotely. The administrator has to have access to the drive to check
files remotely. Otherwise, a system administrator can check the computer
before an employee comes in or after the employee leaves for the day.
You might be surprised at how many companies are monitoring employee
activities. In the next section, you'll find out just how widespread this
Computer surveillance is by far the primary method of monitoring employee
activity. However, employers are still using traditional methods such as
phone calls, storing and reviewing voice mail and video-recording
employees on the job, according to the
American Management Association (AMA).
"The lines between one's personal and professional life can blur with
expectations of a 24-seven work week, but employees ought to engage in some
discretion about personal activities carried out during the official hours
of work," Ellen Bayer, AMA's human resources practice leader, said.
Currently, 78 percent of all companies use some type of
surveillance system. Here is a breakdown of the methods they use:
- Storing and reviewing computer files: 36 percent
- Video-recording employees: 15 percent
- Recording and reviewing phone calls: 12 percent
- Storing and reviewing voice mail: 8 percent
The ACLU estimates that employers
eavesdrop on about 400 million telephone calls annually. Federal
forbid eavesdropping on conversations unless one of the parties to the
conversation consents, but the
Electronic Communication Privacy Act of 1986 allows employers to listen
to "job-related" conversations. The ECPA gives employers almost total
freedom to listen to any phone conversation, since it can be argued that it
takes a few minutes to decide if a call is personal or job-related.
Cameras can monitor actions that computer programs
In addition to monitoring phone conversations, employers often place
video cameras in the work area to monitor employee activity. Small cameras
are sometimes implanted and directed to view the computer, so that the
employee's computer activity can be monitored that way.
"Privacy in today's workplace is largely illusory," Bayer said. "In this
era of open-space cubicles, shared desk space, networked computers and
teleworkers, it is hard to realistically hold onto a belief of private
space. Work is carried out on equipment belonging to employers who have a
legal right to the work product of the employees using it."
In the next section, we will further explore the legalities of workplace
monitoring and answer the question of just how much privacy you can expect
Simply stated, courts in the United States tend to favor the employer in
workplace-surveillance cases. For that reason, employees should always use
good judgment when logging onto the Internet and sending e-mails. Choose
your words carefully; you never know who might read your correspondence.
Under the Electronic Communications Privacy Act (ECPA), electronic
communications are divided into two groups:
- Stored communication
- Communication in transit
Under the law, electronic communication in transit has almost the
same level of protection as voice communication, meaning that intercepting
it is prohibited. Accessing stored electronic communication, such as
e-mail sitting on a
waiting to be sent, is not illegal. The courts have ruled that since the
e-mail is not physically traveling anywhere -- is not "in transit" -- it
does not have the same level of protection.
This directly contradicts many laws regarding traditional mailing
systems. If the U.S. Postal Service worked this way, no one would be allowed
to open your mail as long as it were being carried to your mailbox; but the
second it is placed in the mailbox and stops moving, your neighbors would be
free to come over, open and read your mail. This, of course, is not how laws
regarding the postal system work. It is illegal to tamper with someone
The U.S. Constitution contains no express right to privacy, but
the U.S. Supreme Court has historically upheld an implied right to
privacy. However, this right does not apply to employees. Courts seem to be
upholding the idea that since the company owns the equipment and the office
space, it has a right to monitor its employees to prevent misuse of that
equipment and space.
With more companies installing monitoring devices and technology, you
should be careful the next time you send that e-mail to mom or check out the
latest sale at your favorite online store while at work. Your employer could
be watching, listening and recording.