
Schulman, Andrew --- "Computer and internet surveillance in the workplace" [2001] PrivLawPRpr 31; (2001) 8(3) Privacy Law and Policy Reporter 49


Computer and internet surveillance in the workplace

Andrew Schulman

This is an updated version of a paper first given at the conference ‘E-privacy in the new economy’ organised by the Hong Kong Privacy Commissioner and held in Hong Kong on 26 March 2001. A version of the paper was also given at a Communications Law Centre seminar on email surveillance in Sydney on 28 June. It is reproduced here by kind permission of the author and the conference organisers.

It is likely that about one out of four large companies systematically monitors the computer, internet, or email use of its employees. There are more than 40 products available today which allow employers to see what their employees are doing at work on their ‘personal’ computers, in their email and on the internet.

But what do such numbers really mean? What does employer monitoring of employee email, internet and computer usage actually look like? What sorts of things can an employer see employees do at their computers, and what sorts of computer activities are currently invisible to workplace monitoring? This article attempts to show, as concretely as possible using a minimum of technical terminology, what ‘employee monitoring’ of internet and computer usage looks like today.

How much computer and internet monitoring is there, really?

A much quoted recent survey by the American Management Association (AMA) found that more than three quarters of major US firms record and review employee communications and activities on the job.[1]

It is important to note that the AMA study includes monitoring of telephone use (43 per cent of respondent firms), voice mail messages (7 per cent), and video surveillance for security purposes (37 per cent). This article will focus almost entirely on the monitoring of computer, internet, and email use. Even here, though, the AMA numbers are staggering:

Not to be outdone, the Society for Human Resource Management in the US says that a whopping 74 per cent of surveyed HR professionals think their organisations monitor employee internet use.[2]

However, a closer look at the AMA report reveals that ‘most respondent firms carry on surveillance practices on an occasional basis in the manner of spot checks rather than constantly or on a regular routine’. Systematic, constant or routine monitoring is usually what the word ‘monitoring’ evokes, yet few citations of the AMA study have emphasised the point that most of the AMA’s figures represent spot checks rather than full scale surveillance.

The notion that such large scale monitoring of computer, email and internet use is really taking place seems to be contradicted by the state of the employee monitoring (EM) industry. Companies monitoring employees — in the sense of systematic surveillance, rather than spot checks in response to a specific situation — are presumably doing so using commercial EM software. Yet the EM business, while growing, does not report the revenue figures or market penetration one might expect from the AMA survey, or at least from the way in which the AMA survey is typically quoted.

One of the best ways to understand the scope of workplace surveillance is to look at the market for employee monitoring products. Probably the largest EM company, Websense (Nasdaq:WBSN), recently reported its subscription based revenues for the first quarter of 2001 were US $6.7 million, representing more than 8.25 million worldwide customer ‘seats’, pre-paid on a subscription basis.

Aside from indicating that Websense apparently makes as little as US $3.25 per monitored employee per year (though, as noted below, the company itself estimates an average of $15 per employee), the coverage of 8.25 million workers worldwide by the largest EM vendor is hardly consistent with the notion that most employees with computers at ‘large’ companies in the US are being constantly monitored. At the same time, the 8.25 million figure — which includes Websense’s recent largest sale ever, 200,000 subscriptions to the US Army, for $1.8 million — is obviously very significant, and provides a useful starting point for understanding the true scope of employee monitoring.

The 8.25 million figure is an overestimate for the number of employees monitored using Websense because, in its default configuration, this product merely blocks certain websites and does not keep any record of attempts to visit these sites, much less of successful visits to non-blocked sites. It is the recording, rather than the blocking, that would constitute monitoring or surveillance. Websense does have a separate module, Websense Reporter, which records all web accesses, not only attempted accesses blocked by Websense, but also all non-prohibited web surfing — and, significantly, this Reporter module is installed by 70 per cent of Websense’s customers, according to a company spokesperson. So instead of 8.25 million workers monitored by Websense, we have perhaps 5.75 million.

Curiously, a representative of what is likely the second largest EM company, SurfControl (Easdaq: SRFC, London: SRF) has been quoted as saying that ‘The market is ... almost untapped, with only 2 per cent of companies doing any kind of filtering’.[3] SurfControl’s own revenues for the year 2000 were about US $15 million; its average order is $4500.[4]

Perhaps SurfControl’s 2 per cent figure is meant to emphasise the potential for growth. Indeed, another widely cited study, by International Data Corp, maintains that the EM market should grow at an annual rate of 55 per cent[5] — a figure clearly inconsistent with the nearly saturated market implied by the notion that three quarters of employers are already engaged in this type of surveillance (or perhaps employers don’t really need products such as SurfControl or Websense to monitor their employees).

Taking Websense’s 8.25 million seats, figuring a similar figure for SurfControl (see below), and adding in the other public companies with EM products — Telemate.Net (TMNT), Elron (ELRNF), N2H2 (NTWO), and Baltimore Technologies (BALT) — plus the several dozen smaller companies with EM products, we are probably talking about 20 to 25 million employees worldwide whose internet, computer, and email usage is being tracked in the constant way that the word ‘surveillance’ usually conveys. (Jupiter Research has reported that 43 million workers in the US currently have online access, and that the US represents about one third of the global internet population.)

All in all, it seems most reasonable to say that perhaps as many as one quarter of employers monitor the computer and internet use of their employees.

Indeed, a recent survey by the office of the Privacy Commissioner for Personal Data (Hong Kong) found that 27 per cent of responding organisations monitor employee computer use, 23 per cent monitor web browsing, and 21 per cent monitor employee email.[6] On the other hand, the Hong Kong survey did not specify whether ‘monitor’ included spot checks in addition to systematic monitoring; it did however refer to ‘devices for monitoring’, perhaps as distinct from a spot check perusal of an employee’s computer in response to a specific suspicion.

Some additional data points

A poll of corporate chief information officers (CIOs) in the US, conducted by CIO Magazine, found that only 17 per cent of CIOs conduct sporadic employee email checks, 16 per cent never monitor employee email, 11 per cent check only on ‘problem employees’, and 38 per cent check only after there has been a complaint or productivity issue.[7]

In the UK, KPMG conducted a small survey in late 2000 and found that around 50 per cent of the surveyed companies monitor internet use ‘infrequently’, around 20 per cent monitor on a monthly basis, and only 11 per cent monitor on a daily basis.[8]

A study by market analysts Frost & Sullivan, reported in PC Magazine,[9] states that ‘content filtering’ generated US$119 million in revenue in 2000, 77 per cent of it from corporate customers; in other words, a corporate market for content filtering of about $92 million.

If we take ‘content filtering’ to be roughly synonymous with employee monitoring (as noted earlier, Websense says that approximately 70 per cent of its customers install the ‘Websense Reporter’ module, which logs all web accesses), how many monitored employees does this $92 million represent? Websense has an ‘ROI (return on investment) calculator’ at its website which uses a figure of $15 per employee;[10] similarly, SurfControl has an ROI calculator at its site, which uses a sliding scale, from $1195 for 50 or fewer employees, to $45,000 for 10,000 employees, but with an average of $10 per employee.[11] If we take the lower figure of $10 per employee, the $92 million in corporate revenue in 2000 then represents about 9 million employees — either newly monitored, or with annual monitoring subscriptions renewed.

It does seem probable that something like three quarters of employers have checked up on at least one employee’s computer, email or internet usage at one time or another. But this needs to be distinguished from monitoring. In some ways, to set aside spot checks (which are, arguably, merely a form of supervision) and focus entirely on systematic monitoring, employing an EM product, simply emphasises the scope of true employee monitoring: as suggested above, we’re talking about 20 to 25 million employees whose computer, internet and email is constantly under surveillance.

It is also clear that employee monitoring is growing. For example, while Websense currently claims 8.25 million workers monitored, as recently as October 2000 it claimed only 6 million; in 1999, it claimed 3.3 million users.

Almost every month, a new vendor seems to enter this market. The number of affected workers could also jump dramatically if Microsoft, for example, decided to ‘integrate’ (that is, bundle) employee monitoring capabilities into future versions of its operating systems (Microsoft already promotes a long list of third party ‘reporting’ and ‘access control’ add-ins to its Internet Security & Acceleration Server).[12]

Important distinctions

Having already noted the distinction between spot checking on the one hand, and systematic monitoring on the other, several additional important distinctions should be made — between monitoring email, web surfing, ‘chat’ and instant messaging, or computer activities such as files accessed, programs run and keystrokes entered — when discussing employee monitoring. These are discussed below.

Monitor/log/record or filter/block?

Some products can actually block access to a website, or prevent the sending or receipt of an email, as opposed to simply making a record of the access. From a privacy perspective, filtering/blocking is preferable to monitoring, logging and recording. From an anti-censorship perspective, of course, it might be the other way around. Many products do both: prevent access to a site or an email, and make a record of the attempted access.

Log everything or log exceptions?

Some products by default make a record of everything they see, while also highlighting or raising an alert for violations such as accessing an ‘inappropriate’ website. Other products only record infractions, or at least have this as their default behaviour.

Content/body or traffic data/headers?

Some products will inspect the entire contents of an email message or website to determine its appropriateness; others only inspect the email header (sender, recipient, subject, size and so on) or the website’s address (URL). Similarly, the difference between counting the number of keystrokes and recording the actual keystrokes themselves should be noted.

Aggregate or individual/specific?

When records are kept of employee activities, do the logs tie specific activities to specific employees (for example, ‘Joe made five visits to playboy.com’), or does the employer only keep aggregate statistics (for example, ‘We had 10 visits to playboy.com last month’)? Similarly, do the records include details such as complete URLs (‘Joe visited these specific pages at playboy.com’) or do they provide an aggregate per individual (‘Joe spent a total of 30 minutes at playboy.com’ or a less detailed ‘Joe spent 30 minutes at a site on our prohibited list’)? One approach might be to conduct aggregate monitoring to first see if there’s even a problem that warrants closer inspection.

Inspecting storage or intercepting ‘on the fly’?

Some monitoring involves nothing more than inspecting files on the PC used by an employee, or inspecting copies kept in the employer’s backup server or mail server, or inspecting log files kept by a web proxy server. An EM product is not even required for this; it seems likely that most reported employee firings and suspensions over internet, computer or email usage have involved this type of inspection after the fact. Some EM products simply create additional records which can then be inspected in the same way. Many products, though, actually catch employee activities in ‘real time’, for example by blocking access to websites or inspecting and filtering emails after they have left an employee’s computer, but before they’ve been sent over the internet.
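The distinctions above (log everything or exceptions only, headers/URL only or full content, aggregate or per-employee) can all be produced from the same stored proxy log. The Python below is an added illustration, not code from the article or from any vendor named in it: it builds each kind of report from a constructed log, and the log format, the users and hosts, and the prohibited-host list are all assumptions made for the example.

```python
"""One stored proxy log, several report granularities (added example)."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log: "<epoch seconds> <user> <seconds spent> <url>".
# This format is an assumption for the example, not any real proxy's format.
SAMPLE_LOG = """\
986000000 joe 120 http://www.playboy.com/gallery/1
986000200 joe 600 http://intranet.example.com/reports
986000900 joe 300 http://www.playboy.com/gallery/2
986001300 ann 45 http://www.pogo.com/games/solitaire
986001400 ann 900 http://intranet.example.com/hr/forms
986002400 bob 60 https://www.amazon.com/account/settings
986002500 bob 240 http://www.playboy.com/
986003000 ann 30 http://news.example.org/today
"""

# Constructed prohibited-host list, standing in for a vendor's site database.
PROHIBITED_HOSTS = {"www.playboy.com", "www.pogo.com"}


def parse_log(text):
    """Yield (user, seconds, host, url) tuples; malformed lines are skipped.

    For https entries a network-level observer sees only the host it
    connected to, not the page path, so the URL is reduced to the host
    (the article's caveat about encrypted content).
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, secs, url = parts
        split = urlsplit(url)
        host = split.hostname
        if host is None:
            continue
        if split.scheme == "https":
            url = f"https://{host}/"
        yield user, int(secs), host, url


def aggregate_report(text):
    """Aggregate only: visits per host, no employee identity retained."""
    return Counter(host for _u, _s, host, _url in parse_log(text))


def per_user_report(text, full_urls=False):
    """Individual detail: seconds per (user, host); full URLs if requested."""
    totals = defaultdict(int)
    for user, secs, host, url in parse_log(text):
        totals[(user, url if full_urls else host)] += secs
    return dict(totals)


def exceptions_report(text, prohibited=PROHIBITED_HOSTS):
    """Exceptions only: keeps nothing but traffic to prohibited hosts."""
    return [(user, host, secs) for user, secs, host, _url in parse_log(text)
            if host in prohibited]


def escalate(text, threshold=2):
    """Aggregate-first policy: find hosts with at least `threshold` visits,
    then produce per-user detail restricted to those hosts only."""
    agg = aggregate_report(text)
    flagged = {h for h, n in agg.items() if n >= threshold}
    detail = {k: v for k, v in per_user_report(text).items() if k[1] in flagged}
    return flagged, detail


if __name__ == "__main__":
    print("aggregate:", dict(aggregate_report(SAMPLE_LOG)))
    print("per user:", per_user_report(SAMPLE_LOG))
    print("exceptions:", exceptions_report(SAMPLE_LOG))
    print("escalated:", escalate(SAMPLE_LOG))
```

Note that `escalate` keeps identities only for hosts that the aggregate view already flagged, which is the least-intrusive ordering the article suggests.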

Vendor defaults or customised triggers?

Probably all of these products are customisable by employers. But how much customisation actually goes on? Are employers generally simply going with the defaults set by the vendor? This may be of particular concern when government agencies outside the US install EM products whose database of ‘inappropriate’ sites has been compiled in the US.[13]

For a discussion of client or server/network monitoring see ‘Client based or server based interception?’ below. For a discussion of continuous or random or spot check/response, see ‘How much computer and internet monitoring is there, really?’ above.

Issues

There are numerous reasons, both good and bad, for employers to monitor the personal computer (PC) and internet activities (including email and web surfing) of employees. Two of the driving forces behind this monitoring are simply the decreased cost and increased ease of use of workplace surveillance software. Amusingly, some of these products were originally intended for parents and schools to monitor the online activities of children (‘nannyware’), or for spouses to monitor each other (‘adulteryware’).[14] Could this be what businesses mean when they describe their workforce as ‘part of the family’?

Employers can monitor the PC and internet activities of employees either by intercepting data in ‘real time’ (which also allows prohibited activities to be blocked or filtered) or by inspecting stored data after the fact.

Employers can install interception devices on the PC used by the employee, and/or on the network. Where the employer plants this ‘bug’ or ‘wiretap’ (as it were) determines the sort of information that the employer can gather.

Software installed on an employee’s PC, such as WinWhatWhere Investigator or Webroot WinGuardian, can capture the keystrokes (even deleted ones) that an employee types; it can also ‘see’ what the user does in programs, such as Microsoft Word, that are located on the PC. In contrast, products installed on the network, such as eSniff or SurfControl, are best for monitoring employee email and web surfing — and are certainly more suitable if the employer wants to monitor the activities of a large group of users at the same time. Some programs (such as Trisys Insight) take a hybrid approach, installing a small ‘agent’ program on the PC that communicates with the main program installed on the network.

An employer primarily interested in monitoring employee productivity, for example, might prefer a very different type of surveillance device from an employer whose main concern is, say, preventing (or at least detecting) sexual harassment in the workplace. Detecting trade secret leakage may require different technology from preventing visits to websites that specialise in pornography or gambling.

Another way to monitor employees is to examine stored data. This might include perusal of log files maintained by the employer’s proxy server, or it might be as simple as the human resources (HR) department using a web search engine to see if they can find out anything about the personal web postings of employees or prospective employees.

Employee surveillance software can employ different ‘triggers’ when determining whether to raise an alert. Some products scan all emails for certain keywords, much as the US FBI’s Carnivore was reported to do.[15] Others check all attempted web accesses against a list of unapproved sites. Some vendors claim that their products use ‘artificial intelligence’ or ‘neural networks’ to spot problems (working along the lines of ‘given this piece of email I don’t like, figure out all the other emails I won’t like, and block them’). Some products simply log all employee activities in excruciating detail, and leave it to a human (or perhaps another program) to figure out which items, if any, are cause for concern.

Many (and possibly most) of these products, in addition to monitoring (that is, recording entries in a log file), proactively block or filter web access, for example refusing to establish a connection with a pornographic website or refusing to allow the sending of an email with a viral attachment. Issues of censorship and free speech (or rather, freedom to receive speech) have been raised regarding these products, for example when installed at public libraries or public schools in the US.[16]

The privacy concern, however, involves the monitoring rather than the blocking/filtering aspect of these products; they can, over time, assemble a comprehensive profile of web surfing, email, applications and so on, all associated with the employee’s identity (such as a workstation ID assigned by the employer).

Some worrisome implications

What about monitoring of public employees? For example, in the US, do the log files produced by EM software installed in Federal, State, and local government offices become ‘public records’ that are subject to Freedom of Information (FOI) requests?

As email and email attachments become the ‘lifeblood’ of companies, is it really the employer’s intent to memorialise every email conversation by keeping detailed employee monitoring logs? How long will these logs be kept? There’s a danger that the previously ephemeral (the equivalent of casual conversations at the water cooler) will now be fixed in a permanent record. The technology is available to record pretty much everything that happens at work (Shoshana Zuboff’s fascinating early look at employee monitoring, In the Age of the Smart Machine: The Future of Work and Power[17] refers to this possibility as the ‘textualisation of work’). Of course, this isn’t just an issue with employee monitoring; note for example the Deja.com archive of Usenet postings recently acquired by Google.[18]

Are there any intellectual property issues here?

Assuming that almost all employees commit some infraction of computer and internet usage policies at one time or another, will stockpiles of employee-monitoring logs be used later as a ‘wishing well’ by supervisors and employers seeking, for example, to disguise layoffs as disciplinary actions? Will the log files created by employee monitoring software become a ‘honeypot’ for litigation (see below)?

Is monitoring essentially an editorial function, in effect turning the employer into a ‘publisher’ rather than a mere distributor of any material that appears on its system, and thus potentially more liable than it would be without monitoring for any contents that pass through its system? (Note for example the perverse disincentive created in the US by the 1995 decision in Stratton Oakmont v Prodigy, which led in part to a ‘good samaritan’ provision in the subsequently overturned Communications Decency Act.[19])

While employers presumably install workplace surveillance to reduce risk, liability and costs, this surveillance introduces new risks, liabilities, and costs. Installing an email monitoring system which tries to filter out objectionable email could, for example, leave the employer that much more responsible for any objectionable email that the system fails to prevent, or may simply serve as a new storage mechanism — a ‘honeypot’ — for ‘smoking gun’ documents to be discovered later during litigation. And, of course, it may open the employer up to employee complaints of intrusion.

Why monitor employees?

There are numerous reasons why employers might monitor the computer and internet activities of employees, but all these reasons should address the following two questions.

1. What risks are we trying to prevent or detect or manage here?

2. What policy is this monitoring intended to enforce?

In a 1993 survey employers said their reasons for monitoring were to:[20]

A survey in the November 1997 issue of PC World gives employers reasons as:

At the same time, monitoring employee PC and internet activity — and thus possibly intruding on employee privacy — can actually provide benefits, including privacy benefits, to some groups besides the employer. Employee monitoring may help enforce restrictions on access to customer personal data. For example, the US Health Insurance Portability and Accountability Act (HIPAA) mandates the use of ‘audit trails’ to protect the privacy of patient data. According to one medical security specialist:

Privacy should be protected in health care by ‘tagging’ all health data with the names of every single person who viewed it. ... Any patient who wants to see their record should be given immediate access to it. Then they would be able to see exactly who has been viewing their data, which, many people don’t realise, can total hundreds and hundreds of individuals. [21]

These individuals are, needless to say, monitored employees. Thus, privacy for one group (such as patients or consumers) may be bought at the price of privacy for another group (employees).

As the HIPAA example suggests, some employers are essentially required to monitor employees. To take another example, some form of employee monitoring would seem to be required for compliance with US Securities and Exchange Commission (SEC) record-keeping rules. This is reflected in the AMA survey, which shows much higher monitoring in the financial sector than in any other. Some products, such as the SRA Assentor email monitoring product, are targeted specifically at financial institutions.[22]

Monitoring may also be necessary to reduce a sexually or racially ‘hostile environment’ in the workplace, which is at least arguably a privacy issue.[23]

The following is a list, in no particular order, of some concerns that have been related to employee monitoring:

Many of these reasons may not have been clearly articulated at the time employee monitoring products are purchased and installed. It is possible that employee monitoring is sometimes put in place with only the vaguest sense of what it will ‘do’ for the employer.

PC and internet monitoring: driving forces

Indeed, employee monitoring software may sometimes be installed, less with a clear purpose of enforcing specific policies and managing specific risks, and more because the software is ‘there’, readily available, at an apparent low cost (as shown in the figures below in US dollars).

In other words, the initial cost of purchasing employee monitoring software is generally far less than US$100 per user, and in large organisations may be as little as US$5 per user. (Of course, the actual total cost of ownership is likely to be much greater, when you consider that someone must not only install and maintain the software but must, most importantly, be ready to respond appropriately to the personnel issues raised by the output that employee monitoring software produces.)

This apparent low cost is probably driving the adoption of employee monitoring in the same way that the low cost of cameras has promoted increased use of visual surveillance.

In a sense, we’re dealing here with the technical possibility of ‘Carnivore on the desktop’: ubiquitous, fine granularity surveillance in the hands of every employer. On the other hand, it is crucial to recall the survey figures given earlier: right now probably no more than 25 per cent of employers are monitoring their employees.

As noted earlier, some of the ‘spy on your employees’ products started off life as ‘cybernanny’ products for the home/school market. With the difficulty of maintaining B2C (business-to-consumer) internet products, many of these companies looked around to see what else they could do with their cybernanny products, and realised that other businesses (B2B) might be a better market. Thus, the attempted transition from B2C to B2B is another driving force in employee monitoring.

Companies are gradually realising that the whole idea of a ‘personal computer’ creates workplace problems — particularly with essential resources increasingly located on the internet rather than on the PC, there is perhaps a trend to treat the PC more as a centrally administered terminal than as a ‘personal computer’. IT departments may see employee monitoring as a way to regain some control over the desktop. If so, there is a danger that technical considerations may end up being allowed to drive policy. One interesting question is whether IT departments, rather than HR, are generally being left responsible for employee monitoring.

Client based or server based interception?

All available employee monitoring products are essentially programs that report on (and in some cases constrain) how other programs are used. Having installed an employee monitoring program, an employer can — depending on the type of program — see how much time employees (individually and/or in aggregate) spend playing Solitaire, or what websites they visit, or even read email messages that they typed but then deleted and didn’t send. The employer may also be able to prevent employees from visiting certain websites, or from sending or receiving certain emails.

One way to understand these products is to consider where they are installed. There are basically two types: server based monitors, designed to be installed on the employer’s network, and client based monitors, designed to be installed right on the PC used by the employee.

First, we’ll look at the network (server), then at the PC (client). To see the difference, let’s imagine a typical employee, whiling away the time playing Solitaire. Wes Cherry, the Microsoft programmer who wrote the Solitaire game included with Windows, has noted that he has singlehandedly ‘wasted more corporate time than any other developer’ (though employers might recall that many employees first learned to use a mouse by playing Solitaire). The question is: can the corporation tell (short of looking over his or her shoulder) whether an employee is playing Solitaire?

To hear the vendors’ claims, the answer is yes, they can see everything. Naturally, privacy advocates, whose chilling reports in turn sometimes help reinforce vendor hype, rely upon these Orwellian claims.

Network based (server) products

eSniff, who make workplace surveillance hardware, claim:

If an employee goes outside of your eboundaries, eSniff provides an exact copy of everything that was on their screens; sites visited, chat room activity, email — everything.[25]

Now, eSniff provides network based surveillance; that is, like a wiretap, it listens in ‘real time’ to everything that employees do on the network. According to the company:

The eSniff device uses patent pending linguistic and mathematical techniques to analyse the content and context of all TCP/IP traffic. All traffic is analysed; Web, email, chat, ftp, telnet, print jobs, absolutely all traffic that crosses the wire.

Another example of network based monitoring is SurfControl’s amusingly named LittleBrother[26] (oddly, there doesn’t yet seem to be an employee monitoring program called BigSister). The products made by the largest employee monitoring vendor, Websense, are also network based, plugging into an employer’s firewall, proxy or cache server.

These server based products produce reports that would show if an employee was playing a web based version of Solitaire — but not the Solitaire (nor the FreeCell or Minesweeper) that comes bundled with Windows, because these games run entirely on the PC without making a network connection. When a network based surveillance product like eSniff claims it can monitor ‘everything’, it means everything on the network (and actually ‘everything on the network’ isn’t quite right either, because many of these products can’t do much about encrypted content, such as web pages that use the https:// rather than the http:// protocol).

This approach is good for detecting (and with some products, perhaps even preventing) employees from visiting pornographic sites, from whiling away the day at web based gaming sites like Pogo.com, from taking on a second job as a ‘day trader’ (though recent events on Wall Street may do more to curb this activity), from venting a bad attitude about the company at a site whose unprintable name is F***edCompany.com, or from sexually harassing their coworkers via email.

PC based (client) products

But it can’t catch them viewing porn that they’ve already downloaded to their computer, nor can it see how much time they waste playing games off a CD ROM (unless the game ‘phones home’ over the network), nor could it see them copy company secrets to a floppy disk, or polish their resume in Word. These are all activities that happen on a PC, generally without accessing the network.

To see those sorts of things, employers need something more akin to a camera, located right on the PC used by the employee, rather than a listening device (so to speak) like eSniff that sits on the network.

A good example of such a client based product is WinWhatWhere Investigator.[27] This product records the names of programs run, the titles of the windows that are open on a computer, and — most significantly — the keystrokes typed, including ones that you subsequently deleted.

For example, while WinWhatWhere Investigator was running on my PC, I wrote an email to a friend that contained the text, ‘I think I have herpes’ (this text comes from a recent advertisement for SafeWeb, an anonymising product which promises to protect employees from monitoring by ‘anyone — including your boss’). I then deleted the line, and typed, ‘I’m fine’. Then I decided not to send the message after all.

WinWhatWhere’s report showed the following: ‘I think I have herpes. I’m fine.’ In other words, my ephemeral thoughts have now been permanently recorded (this fixing of ‘deleted’ contents may raise some interesting intellectual property issues). The report also showed that the ‘[m]essage has not been sent’. It also showed the nickname (but not the actual email address) of the aborted email’s intended recipient.

I’ve also seen WinWhatWhere record personal information (such as passwords) that I’ve entered onto ‘secure’ web pages, encrypted with https://, such as the customer information page at Amazon.com. Even if the employee uses the SafeWeb anonymising service, WinWhatWhere can still capture keystrokes and window titles (which often describe websites visited).

On the other hand, WinWhatWhere does not appear to detect the typing of a passphrase in the Windows version of PGP (Pretty Good Privacy) encryption software; PGP uses Windows ‘console’ input which, like DOS input, is missed by client based monitors due to the technique they happen to use to ‘hook’ the keyboard (for what it’s worth, a more compulsive monitor would use a low level ‘virtual device driver’ rather than employing the higher level SetWindowsHook API).

Because the surveillance occurs right on ‘your’ PC — actually, it’s not literally surveillance at this point, just logging of activities to a file or database, for later perusal — rather than on a central server, it is obvious that more activities can be monitored than from a network based program. And it can be done whether you are connected to a network or not.

You can configure these programs to hide their presence from most users, though the vendors generally recommend that employers make the monitors’ presence known (though not in a way that allows the monitor to be easily disabled).

But since the program runs on a PC used by an employee, how is the employer going to see the report that WinWhatWhere so compulsively keeps? An employer (or an HR or IT person assigned this task) could walk up to the PC itself, press a special key sequence and view the report, or the program can be configured to periodically ‘stealth email’ the report to a designated address.

In contrast to the server based monitors, this obviously isn’t monitoring in ‘real time,’ nor does this level of detail seem conducive to large scale surveillance of many users at the same time from a single location (think of Montgomery Burns looking at his multiple monitors on the cartoon, The Simpsons). However, WinWhatWhere can be configured to save its log files to a network file server, with logs from multiple PCs poured into a single database and the entries from each individual PC distinguished by user name. Coupled with WinWhatWhere’s configuration options to turn off some forms of monitoring, such as keystroke logging, this could perhaps be made into a systemwide monitoring tool.

Another client based monitor is Webroot WinGuardian.[28] In addition to capturing keystrokes and logging programs run and websites visited, WinGuardian can capture ‘screenshots’ (that is, graphic images of the entire computer screen) at specified intervals (down to once per minute) and then email them out for remote viewing. The screenshots can then be ‘played back’ on another computer to see what the employee was doing, literally every minute of the day.

Yet another such product is Spector, from SpectorSoft. I’ve spoken with one HR director who installed Spector on an employee’s PC after repeated complaints (by other employees), and after his own repeated denials, that he was spending hours every workday viewing pornography. This is probably a representative example of non-systematic monitoring, conducted in response to a specific situation. The HR director said that Spector covertly saved away frequent screenshots of the employee’s activity and that viewing these screenshots later, after the employee had left for the day, was (a) necessary under the circumstances, and (b) extremely creepy, ‘like looking at someone else’s screen through their own eyes’. Spector’s own website makes these promises for this $69.95 product:

Automatically record everything your spouse, children and employees do online ... Spector SECRETLY takes hundreds of screen snapshots every hour, very much like a surveillance camera. With Spector, you will be able to see EVERY chat conversation, EVERY instant message, EVERY email, EVERY website visited and EVERY keystroke typed.[29]

To eliminate the awkward need for viewing saved records on the employee’s PC, SpectorSoft also makes eBlaster which, for an additional $69.95, sends out detailed email reports: ‘eBlaster delivers detailed activity reports, including all websites visited, all applications run, and all keystrokes typed, right to your email address, as frequently as every 30 minutes.’

These client based monitors are beginning to sound like what is known as a RAT (remote admin trojan), similar to Symantec’s pcAnywhere, or the notorious hacker tool ‘Back Orifice’. These ‘trojan horse’ programs typically include both keystroke logging and screenshot capture, and so could conceivably be used for employee monitoring.

Having just looked at client based employee monitoring, it is crucial to note that few EM products currently use this technique in a systemwide fashion. WebSense, SurfControl, Elron Internet Manager and MIMESweeper, for example, are all server based. Practically all the EM software installed at major companies is server based. However, client based monitoring does give a good illustration of what’s technically possible with employee monitoring software available today; one just has to remember that this particularly intrusive technique is not in widespread use. As the Spector example illustrates, though, HR departments may be using such products to deal with specific problem employees.

Hybrid (client/server) products

Some workplace surveillance products, like Trisys Insight, are hybrids.[30] This involves a small ‘agent’ program on the PC used by the employee, which sends messages to a server program. This company even offers an ‘outsourced’ service, whereby Trisys itself will monitor your employees’ activities for you. Trisys doesn’t monitor specifics like keystrokes or the text of email messages; instead, it concentrates on measuring the amount of time spent at websites or using specific applications.

Another hybrid program is Wards Creek GameWarden.[31] According to the company:

Its client/server technology allows for monitoring and enforcing company policies on playing local games such as Solitaire and Minesweeper or multi-player network games like Doom, Descent or X-Wing/Tie Fighter.

There appears to be a trend towards hybrid client/server monitoring. Two recent products, Actis Net Intelligence[32] and Cerberian,[33] each include an ‘agent’ that sits on the employee’s PC and reports back to a server program. As noted earlier, many server based products are not able to fully handle web pages encrypted with the https:// protocol, and having a small ‘agent’ program on the PC would help with this too; for example, EM vendors might look into this approach as a way to defeat web anonymisers such as SafeWeb.

Future trends

Having speculated earlier in this article that it might be natural for Microsoft to enter the EM business, and having just suggested a trend towards doing more client based monitoring via ‘agent’ programs, here are some other possible future trends in EM.

On the other hand, ‘divergence’ away from the PC into wireless devices will force EM vendors to keep up, perhaps by putting monitoring software into wireless networks (Websense at one point announced a deal with Nokia); there may also be a call for integration with location tracking (GPS).

Conclusion

The phrases ‘employee monitoring’ and ‘workplace surveillance’ evoke Orwellian images of Big Brother sitting at a central computer console, watching everything his employees do at their computers — every keystroke or mouse click, every email message, every web page — and responding to ‘inappropriate’ usage the moment it happens.

Truly, as noted above, relatively inexpensive software now makes these capabilities cheap and potentially ubiquitous.

However, it’s important to appreciate the differences among workplace surveillance programs. There is generally a trade off between real time monitoring (the employer can watch what the employees do, as they do it), on the one hand, and the ability to take a perfect picture of employee activities, on the other. Right now, ubiquitous, fine grained employee monitoring is technically feasible but not a widespread practice. As noted above, most companies that even employ EM software (and recall that they are still in a minority) are using the server based approach, which can be intrusive enough, but which doesn’t have quite the intrusive capabilities of client based monitoring.

There probably isn’t much of a privacy interest in goofing off at work. But there is a privacy interest in not having exact recordings kept of precisely what you were doing while taking a break, while working, or even while goofing off.

Andrew Schulman, Fellow, Privacy Foundation, US <www.privacyfoundation.org/workplace>.


[1] <www.amanet.org/press/amanews/ems2001.htm>; see also <www.amanet.org/research/pdf/ems_short2001.pdf>.

[2] <www.relojournal.com/jan2001/watched.htm>.

[3] Computer Reseller News 4 January 2001.

[4] <www.theregister.co.uk/content/archive/18111.html>.

[5] <www.websense.com/company/idc.pdf>.

[6] <www.pco.org.hk/info/newsletter/prithoughts4.html>.

[7] <news.excite.com/news/pr/010425/fl-cio-magazine-poll>.

[8] <www.kpmg.co.uk/kpmg/uk/press/detail.cfm?pr=837>.

[9] 10 May 2001; <www.zdnet.com/pcmag/stories/reviews/0,6755,2717617,00.html>.

[10] See the JavaScript source code for <www.websense.com/products/why/wscalc.cfm>.

[11] See the JavaScript source code for <www.surfcontrol.com/resources/business/roi_calc/index.html>.

[12] See <www.microsoft.com/ISASERVER/thirdparty/reporting.htm> and <www.microsoft.com/ISASERVER/thirdparty/accesscon.htm>.

[13] See <www.efa.org.au/Publish/PR000629.html>.

[14] See <www.msnbc.com/news/570411.asp>.

[15] See <dir.yahoo.com/Computers_and_Internet/Internet/Issues/Privacy/Carnivore>.

[16] See <dir.yahoo.com/Society_and_Culture/Issues_and_Causes/Civil_Rights/Censorship/Internet_Censorship/Blocking_and_Filtering/>.

[17] Basic Books 1988.

[18] See ‘Privacy concerns for Google archive’ New York Times 7 May 2001.

[19] See Overly MR e-policy pp 50-51: ‘The greater the control a business has over the content of a communication, the more likely it will be found to be a publisher.’

[20] Piller C ‘Bosses with x-ray eyes’ MacWorld June 1993.

[21] Quoted in Health Data Management October 1998 p 60.

[22] See <www.sra.com>; SRA has also built a product that Nasdaq uses to monitor stock chat boards.

[23] But see, for example, the argument against overbroad use of the term ‘privacy’ in Wacks R Law, Morality, and the Private Realm Hong Kong University Press 2000.

[24] See <www.kenwithers.com/>.

[25] <www.esniff.com>.

[26] <www.littlebrother.com>.

[27] <www.winwhatwhere.com/>.

[28] <www.webroot.com/chap1.htm>.

[29] <www.spectorsoft.com/>.

[30] See <www.born2e.com/isgt/MainPage.asp> for a live online demo; you get to snoop on selected Trisys employees.

[31] <www.wardscreek.com/main.htm>.

[32] See <theregister.co.uk/content/6/18387.html>.

[33] See <deseretnews.com/dn/view/0,1249,250011010,00.html>.

Additional references

‘1999 Utility guide: corporate filtering’ PC Magazine 4 May 1999 <www.zdnet.com/pcmag/features/utilities99/corpfilter08.html>.

Berkley T ‘Peeping tools: nine tools that can snoop on your employees’ Network World 10 July 2000 <www.nwfusion.com/research/2000/0710feat.html>.

Clement A ‘Office automation and the technical control of information workers’ (1982), in Vincent Mosco and Janet Wasko Political Economy of Information University of Wisconsin Press Madison 1988, pp 217-246.

Conry-Murray A ‘The pros and cons of employee surveillance’ Network Magazine 5 February 2001 <www.networkmagazine.com/article/NMG20010125S0011/2>.

Dalton C ‘Preventing corporate network abuse gets personal’ Network Magazine 5 February 2001 <www.networkmagazine.com/article/NMG20010126S0003/2>.

Data Protection Commissioner (UK) ‘Draft Code Of Practice: the use of personal data in employer/employee relationships’ October 2000; see <wood.ccta.gov.uk/dpr/dpdoc.nsf>.

Internet Product Watch: list of filtering and monitoring products <ipw.internet.com/protection/filtering_monitoring/index.html>.

Overly M E-policy: How to Develop Computer, E-policy, and Internet Guidelines to Protect Your Company and Its Assets AMA New York 1998.

Privacy Foundation (US) Workplace Surveillance Project <www.privacyfoundation.org/workplace>.

Schulman A ‘The “boss button” updated: web anonymisers vs employee monitoring,’ Privacy Foundation Workplace Surveillance Project, 24 April 2001 <www.privacyfoundation.org/workplace/technology/tech_show.asp?id=63&action=0>.

Seltzer L ‘Monitoring software’ PC Magazine 6 March 2001 <www.zdnet.com/pcmag/stories/reviews/0,6755,2684024,00.html>.

Timberline Technologies: alphabetical list of content filter products <www.timberlinetechnologies.com/products/contentfilt.html>.

Wallace B and Fenton J ‘Is your PC watching you?’ PC World 5 December 2000 <www.pcworld.com/resource/printable/article/0,aid,32863,00.asp>.


URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2001/31.html