Monitoring internet use: Good or bad?
Let’s open a can of worms and make this week interesting, shall we? Is e-mail and Web use monitoring good or bad in a government work place? I bring this topic up because I just read an article that quoted a recent survey in CSO magazine that said that 61% of survey respondents allow e-mail content monitoring while 75% allowed monitoring of Web use.
This made me wonder about government use of employee monitoring. My guess is the percentages would vary depending on the organization's mission and amount of regulation that they must work under. For instance, the Department of Defense and the CIA probably do more monitoring than a local government, for instance. But before we get into who is monitoring and why, let’s talk about the basics of monitoring.
Monitoring can be defined as storage and review of employee e-mail, files, and computer activity. By default we engage in the first part of the definition through our normal IT activities. E-mail and files are regularly backed up for recovery purposes and network activities, such as login and logout times, are often part of log files kept by the network operating system. Our Web activity record is kept by default in the form of history files, cookies, cache, and logs on servers, as well as on the clients themselves.
The key then to "do we monitor" is review. Do we allow the review of e-mail, files or Web use in our organization? I am willing to bet that most of you reading this will say yes to that question. In fact, I am pretty sure that there are extremely few government organizations that would disallow the examination of computer records and e-mail as part of an investigation into harassment, theft, or other conduct not permitted by the organization. Therefore, the majority of us participate in monitoring at the lowest level.
But when most of us hear the term monitoring, we aren’t thinking about the passive, low-level monitoring described above. Most of us think about active monitoring tools and active/purposeful review of information collected by those tools.
From keystroke loggers to e-mail and Web filtering/blocking, there is a tool made that we can employ to record/stop the activity. The question then becomes – should we?
Proponents of active monitoring usually give the following arguments for doing so:
- Increases employee productivity.
- Security – protects confidential information.
- Increases in network performance.
- Aids in regulatory compliance.
- Aids in network/capacity planning.
Detractors of the practice usually give the following arguments:
- Breeds contempt amongst the workforce.
- Lowers productivity.
- Opens the organization up to litigation.
- Can create storage and retention issues.
- Can decrease network/computer performance.
First and foremost, the answer to "should we?" should not come from IT. This is strictly a management and HR decision and the decision to monitor or not and to what degree has to come from them. That’s not to say that IT should not play a leadership role in bringing the issue to management's attention – after all, the tools and capabilities do reside with IT.
In fact, IT must play a strong role in making sure that those who will be making the decisions understand not only the capabilities regarding employee monitoring but also understand the drawbacks. It is with this information that management can weigh all the pros and cons associated with the issue and choose the course that is best for the organization.
No matter what level of monitoring is used, (remember I argued earlier that we all participate in monitoring) the policy should be disclosed very clearly. Make sure your acceptable use policy defines what a violation is and what the consequences are of violating the policy.
Personally, I have always been a big believer of blocking certain types of activities. I think it is in the best interest of the organization and its employees to protect the workers from themselves (to a certain degree.) For example, I would rather proactively block pornography and hate material rather than check up on people, or deal with the results of complaints that might arise from inappropriate use.
Secondly, given open records laws, the more you retain regarding employee behavior, the more fodder there is for unwarranted ill will. For example; if you log Web site activity for the organization and you allow "casual surfing of the internet during lunch and breaks," you will likely find that non-work related Internet activity comprises a large percentage of total Web activity. It won’t matter when and how the activity occurred to the citizenry when they read a headline screaming "Government Employees spend majority of time on eBay!" Think about that when factoring in the pros and cons of monitoring.