What Your Workers are Really Up To

John Conlin is browsing around some company's network again. Click-click—now he's searching employees' e-mail by keywords. Not only can he sniff out which Web sites workers have visited, but he can see how long they were there and at what time. All this snooping leaves no tracks.

What Conlin does is not illegal. In fact, it's probably already happening at your company. If not, just wait. Conlin's company, eSniff, sells an electronic monitoring device that allows businesses to spy on their workers. It may sound like a scene from 1984. But as either an employee or a manager, you'd better get used to it. Last year some 82 percent of businesses monitored their employees in some way, according to the American Management Association.

It's not hard to see why. The Net provides all kinds of productivity-frittering distractions—from instant messaging to eBay, pornography, and sports scores. Worse, company secrets may be floating across your firewall. And what you dismiss as simple timewasting could be setting you up for harassment, discrimination, copyright infringement, and other lawsuits.

Trouble with the Law

But can a company snoop without telling its workers in advance? "Employers absolutely have the right to set whatever terms of employment they want to, assuming they're not discriminatory," explains Robert Lass, director of consulting services at Gleeson, Sklar, Sawyers & Cumpata, an accounting and management consultant firm.

Cathleen Sullivan, a principal at RedHawk, which specializes in ethics consulting, amplifies the point. "It's naïve for people to come to the workplace with an expectation of privacy," she says. "Of course, employees come to work feeling like their desk and their office is their sanctuary. But understand: Employers have their foot to the fire. They are responsible for their employees' actions."

In some industries the stakes are too high to stand by and do nothing. Mark Woodall, MIS manager at ERMI Environmental Laboratories in Allen, Texas, has to be so careful about his work that it verges on paranoia. "The Environmental Protection Agency has got one hand down our shorts, so we have to really make sure we're on the straight and narrow around here," he says. ERMI charges clients between $500 and $10,000 to test water and soil samples and issue written reports. Deliberately fudging these test results is a criminal offense.

"The EPA will march in here with holstered side arms. I know that other labs have gotten into trouble because of a few bad seeds on the inside, and I wanted to make sure we didn't have that same problem here," Woodall says. It's critical that he be able to identify more than simply the Web sites his staff are surfing, but also every keystroke that goes into their reports, as well as date and time stamps to show when reports have been modified.

To keep a sharp eye on all this, he installed WinWhatWhere's Investigator software on several of the computers used by his 50-person staff—but he's not telling which ones. "I didn't tell the staff which brand of software I was using, or what it was capable of," he explains. "I didn't want them to know what the boundaries were." He did, however, tell employees that they're being watched. "I don't particularly want to find problems. My sole intent is not to catch people and fire them. I think that's a misuse of the software, but you have to protect yourself legally."

Give Away the Farm

Lawsuits are not the only risk employers face. Intellectual property can make its way out of the office more easily than ever with the help of electronic communications. For instance, Conlin, COO of eSniff, says the first thing the Denver Broncos football team entered into its eSniff monitor was the phrase "first 15," shorthand for the script, or playbook, of the first 15 plays planned for the next game.

eSniff logs all IP traffic, recording and reporting anything that's been labeled as suspicious. The administrator can then view the log summaries and quickly drill down to the actual content of any questionable e-mail to make sure it hasn't fallen into the wrong in-box.

Should employers doubt the prevalence of e-mail and Net abuse, Conlin provides them with a simple demonstration of his product. "We've never installed eSniff on a network and not found it to have a lot of inappropriate activity," he says, adding that close to 100 percent of workers register some kind of improper use.

That level of abuse is terrifying to any company aware of its vulnerability to lawsuits. "Think about the number of legal areas that companies are responsible for," says Joseph Murphy, a partner at Compliance Systems Legal Group. "Harassment, discrimination, environmental protection, copyright infringement, workplace safety, consumer protection. It's a list the length of my arm."

Both Sullivan and Lass point out that growing midsize businesses are at the highest risk for such problems. "Companies that have matured in some fashion past their infrastructures are most at risk because they won't yet have established documentable policies around IT security," says Lass.

Sullivan cautions, too, that executives at very small companies should not fool themselves into thinking they're immune just because they are personally familiar with their staff. "Even if they have only 35 people, they really are no less responsible for adhering to federal regulations. They may feel shocked and dismayed by a lawsuit, but they are nonetheless responsible," she says.

Stamp Out Cyberslacking

Despite the threat of lawsuits, a study from the Society for Human Resource Management found that among companies that monitor employees electronically, less than one-quarter do so to mitigate legal risk. Some 45 percent do it because they suspect employees are slacking.

"The problem is, people have seen too many Net Zero commercials and they think it's their God-given right to be on the Internet," says Lass. "People who wouldn't dream of removing a paper clip from the office think nothing of taking 20 minutes to check yesterday's baseball scores. It's not any different from stealing pencils or paper or anything else from the office."

There are two ways to remedy cyberslacking: monitoring Internet use (and making sure employees know you're doing it), and simply blocking sites deemed unrelated to work. Neither is an easy—or bulletproof—fix.

E-mail monitoring requires additional personnel and a significant amount of preparation and follow-up to be effective. And just blocking sites you don't want employees to visit is almost more trouble than it's worth: Clever employees will squander hours trying to crack the blocking codes or surfing for sites that slip through the filters.

If nothing else, a monitoring system with the right amount of follow-up can help employees realize how much company time they waste on the Internet—and help get them back on track.

Howard Stewart, president of AGM Container Controls in Tucson, Arizona, had a feeling that one of his employees was using her PC for personal use a little too much. "When I talked to the employee, she denied she was using e-mail or the Internet for personal use," he says, explaining that the company has a written policy against using the Internet for anything other than work. "However, I knew that this policy was ineffective because a few of my employees had come to the realization that I couldn't monitor their usage."

Stewart chose a simple program from Strategic Business Solutions called Resource Monitor. "Boy, oh boy! Was that employee ever surprised when I was able to point-by-point negate each of her denials that she was using the computer for personal use," Stewart says. "Was she ever shocked to discover that I could give her the exact dates and times she was on, and how long she had been at inappropriate sites. Up to that point, she had claimed that she didn't have enough time to take on additional projects at work."

Robo-Boss

Monitoring alone won't remedy cyberslacking. "If deadlines are missed or the quality of work is going down," says RedHawk's Sullivan, "that's a performance issue and should be handled as a performance issue." The cure is a conventional get-well plan: stricter goals, better ways to benchmark performance, and other tools familiar to managers.

eSniff's Conlin agrees that technology alone—even his own product—cannot solve the problem. "This isn't some magical machine that performs management for me," he says. "That's a terrible path to take, and it's not sustainable."

Worse, monitoring tools can poison office relations, promote double standards about personal business, and force managers to take disciplinary actions that are not commensurate with the abuse of productive time. What's needed, says Sullivan, are clear policies regarding all company resources—from copiers to phones.

"Personal use shouldn't interfere with getting work done," she says, "but it doesn't necessarily have to be cut off outright." For example, a company may allow personal use before 8:30 a.m., during the lunch hour, and after 5:30 p.m.

Above all, tell employees how they're being monitored and why. Employees should also have access to any personal data you collect on them, says the American Civil Liberties Union. And you should make privacy guarantees about that information explicit.

Porn Isn't Funny

No matter what you think of pornography, it invites nothing but trouble in the workplace. And porn isn't the only kind of offensive—and lawsuit-baiting—content. Topics such as race, disability, religion, and sexual preference—whether intended to offend or not—are fraught with controversy.

Even flip language in e-mail can stir up trouble. Conlin checks his monitors for what he calls language of conflict. Extreme examples: "I'm going to kill that guy" and "I could beat your head in." Lawyers love to take this stuff out of context.

Still, employees who traffic sexually explicit e-mail messages and Web sites create no end of trouble. In 1999 The New York Times summarily fired nearly two dozen people from a Virginia branch office for sending and receiving e-mail that had jokes about blond women. Dow Chemical had a rash of firings in 2000 for similar offenses.

"Firing a good employee without progressive discipline and counseling is a knee-jerk reaction," management consultant Lass asserts, but he has sympathy for the response. Leaving such a person on the job may be a lawsuit waiting to happen. The Equal Employment Opportunity Commission doesn't allow much leeway on the matter. According to EEOC policy, the employer is responsible for maintaining a harassment-free workplace—not just trying to.

So here's the rub: Whether you fire or discipline an offending employee, your company can still be sued. And as Conlin puts it, "multimillion dollar lawsuits add up."

Preventive Medicine

Obviously, monitoring employees is not meant to trigger mass firings. It's meant to prevent bad behavior.

"A compliance and ethics program does not need to be expensive. It's not the dollars you spend, it's the management commitment," says Murphy of Compliance Systems Legal Group. He suggests using a simple video explaining company policy. "However, merely having a policy will not hold up if you don't enforce it."

Demonstrating that the monitoring software really works, communicating a clear policy about acceptable online behavior, and enforcing it are all necessary steps.

So is informing your workforce that they're being watched. "To be covert about monitoring really doesn't promote an air of security. If it's found out—and it will be—I think that there will be a huge backlash," says Sullivan.

Companies are worse off when they monitor employees but fail to enforce policies about illegal or offensive behavior. In a lawsuit, you have no defense. "If it's found that you collected this information and did nothing, you really put your company in more hot water than if you turned a blind eye," Sullivan says.

When Randy Dickson, a systems analyst for the Connecticut-based multimedia production firm Sonalysts, revealed at the company's 2001 annual meeting that employee Internet use had been monitored using eSniff, the reaction was surprisingly positive. "There was some shock value, but most of the folks were happy to see it because we're an employee-owned business. If something is going to distress the company financially, they want to see it dealt with in a logical manner," he says. Dickson was pleased to find there was less abuse going on than he thought.

For instance, Dickson had been concerned about time wasted using instant messaging, but found that most of the IM activity was for legitimate business use and was actually saving the company money on phone bills. He also found system abuse that was caused by simple ignorance and easily corrected.

"One guy was playing Internet radio all the time. He assumed the service was free, but it was eating up bandwidth and we pay for our T1 line based on use," Dickson explains. Once informed, the employee stopped using the service.

"That's one of the virtues of eSniff," says Dickson. "When we first started the monitoring, people hadn't quite gotten the message about acceptable use. Since telling them about eSniff, though, it's gotten much easier."

Kayte Vanscoy is a New York–based freelance writer.

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in Ziff Davis Smart Business.