Jemar Austin is taking names. Officially, he is the information systems director
at the Alabama Motors Association, a 100-employee branch of the Automobile Association
of America (AAA). Informally, he's the company's Internet cop--something you'll
do well to keep in mind if you work with him. Thanks to a clever, relatively inexpensive
piece of software, Austin can see where you've gone online, when you went there,
and how long you stayed. He knows if you hunted for a new job or shopped on eBay
on company time. And he most definitely knows if you browsed any porn sites.
Every two weeks, Austin generates reports that reveal, among other things,
which employees are the company's heaviest Internet users.
"If I see users pop up who should not be on there, I can then see the
sites they've looked at [and] which sites they tried to go to but were blocked,"
Austin says. If something doesn't look right, he can notify the user's manager.
In the year and a half since Alabama Motors Association installed the software--a
package called SuperScout from SurfControl in Scotts Valley, California--that's
happened only once. An employee was spending a good chunk of company time shopping
for a boat. The manager spoke to the employee, the sites were blocked, and that,
Austin says, ended the problem.
A growing number of companies are calling such tactics preventive medicine.
Some employees say a better name is Big Brother. What no one disputes, however,
is that for all the benefits of desktop Web access, there are also significant
risks. E-mail and the Web can boost productivity by enhancing communications,
collaboration, and research capabilities. However, they can just as surely undermine
efficiency, should users spend too much time surfing the Web for personal ends.
There are other concerns, too: It doesn't take many employees downloading Springsteen
songs and Planet of the Apes trailers to clog corporate networks. And it takes
only one employee accessing sexually explicit material to embroil a firm in
an expensive lawsuit.
What is also clear is that abuses, big and small, do happen. Already, companies
such as Dow Chemical, The New York Times, and Xerox have fired employees for
inappropriate Internet use. Last September, a survey by the career Website Vault.com
found that 90 percent of employees surf non-work-related Websites at the office.
Only 4 percent admitted to looking at pornography, but the other numbers are
hardly reassuring to employers: 37 percent have looked for jobs; 34 percent
check stocks; 26 percent send nonbusiness instant messages. If you think a quick
glimpse of quotes or an e-mail to your grandma is no big deal, consider that
13 percent of employees spend over two hours a day surfing nonbusiness sites,
while 10 percent receive 21 or more personal e-mails each workday. And then
there is all the e-mail they write and send.
Less clear is what companies should do. On the surface, the answer seems easy:
install monitoring or blocking software. Packages that block objectionable sites
or let you keep tabs on employees' online activity are plentiful. Considering
the likely gains in productivity and protection against liability, such products
seem to be cost effective. Websense Incorporated, which filters sites at more
than 12,000 companies, including 239 of the Fortune 500, estimates costs at
approximately US$15 per employee per year. That might not seem like much to
pay for all the benefits, but there is another side to this issue.
For starters, what exactly should you block? Sexually explicit sites are a
no-brainer. But do you really want to cut off shopping sites? Maybe it's not
such a bad idea for someone to take five minutes to buy a gift at Amazon.com
or even to purchase an extra battery for a company laptop. Five minutes on Amazon.com
sure beats a two-hour lunch, and five minutes on PC Connections' site may be
better than having an employee spend hours getting an item requisitioned, approved,
ordered, received, and, weeks later, delivered, especially compared to the 48-hour
delivery many Websites offer.
What's more, blocking software may not be as reliable as it seems. With thousands
of new sites appearing daily, how can any censoring program keep up? Even tougher:
Many sites are good for some uses, bad for others. Searching a news site for
job-related trends may be essential, but time spent on the same site checking
basketball scores is wasted.
Rather than blocking sites en masse, you may prefer to monitor employees--keeping
tabs on Internet access, generating reports, and solving problems as they occur.
But how will that kind of surveillance go over with employees? How will you
deal with infractions? How much monitoring or blocking is too much?
"Some companies overreact, and that does hurt morale," says Dr. Andrew
DuBrin, professor of management at the Rochester Institute of Technology and
a frequent writer on workplace-psychology issues. Unhappy workers may become
former workers, and losing workers costs money.
So the challenge is to create a monitoring policy that protects both your business
and your employees' privacy. The goal is to provide a measurable benefit without
stirring alarm among employees or causing turnover. Fortunately, the sheer diversity
of filtering and monitoring technologies provides rich options to create a program
that matches the needs of any company and its employees.
Never in history have there been so many ways to monitor employees. James Bond
isn't the only one walking around with a homing device in his pocket. High-tech
ID cards let hospitals track the location of medical staff; key-card systems note
when employees come and go. And there are always those old reliables: storing
and reviewing voicemail messages, and backing up computer files, so that the information
remains available after employees hit the delete button. But the real action these
days revolves around the Internet.
Each year, the American Management Association surveys thousands of companies,
mostly large ones, on the electronic surveillance methods they use. Between
1997 and 2001, the percentage of companies recording and reviewing employee
telephone conversations has remained constant at around 10 percent. Similarly,
the percentage of voice-mail monitoring has hovered steadily at around 6 percent.
But e-mail monitoring has exploded, from 15 percent in 1997 to 46 percent in
Putting the brakes on Web access has also become a priority. In Vault.com's
1999 survey, 31 percent of employers said they restricted or monitored Internet
use. By the next year, that number was up to 42 percent.
All this makes for heady days at the companies selling access-control software.
Websense, for example, has seen 20 percent quarter-to-quarter growth for the
past year and a half, according to CEO John Carrington. The company's $30 million
in revenues last year more than doubled 1999's total. The money isn't in the
software sales--it's in subscriptions to Websense's crown jewel, a constantly
updated database of potentially problematic sites. Currently, the database boasts
more than two million sites, comprising over half a billion Web pages.
What customers get from Websense Enterprise is daily access to a list of sites
that managers may not want employees to visit. Other access-control solutions
work in much the same way. Through a combination of automated tools and human
analysts, Websense Enterprise hunts down new sites and places them in one of
68 categories. The selling point is twofold: Companies don't have to devote
resources to finding noxious sites themselves--a hopelessly futile task given
the number of new sites that pop up daily. And managers can choose particular
categories to block.
"The system is very customizable," Carrington says. "Some customers
are draconian, shutting everything down; others are much more progressive, saying
they're going to block pornography, but everything else is fair game."
Websense's own research shows that most clients lean towards the draconian.
Of the 68 categories, only a handful deal with sites that would give a company's
lawyer pause: adult content, gambling, illegal activities, racism, hate, and
violent activity. Other categories include abortion advocacy, activist groups,
cultural institutions (including galleries and museums), educational institutions,
gay and lesbian issues, health information, hobbies, job search, news, personals,
political groups, religion, restaurants, search engines, sex education, shopping,
sports, and travel. When Websense surveyed its customers, it found that more
than 75 percent managed over 40 categories, either blocking them outright, allowing
access only after a warning appears onscreen, or limiting access to certain
users or times of day. In all cases, Websense's software can monitor and report
on activity, both good and bad.
Of course, even seemingly innocuous sites like eBay and ESPN.com can pose problems
when employees spend hours looking at them or when the activity is hogging precious
"A day trader with real-time quotes uses ten times the bandwidth of an
ordinary user," says Vijay Balakrishnan, senior vice president of marketing
at TeleMate.Net Software, an Atlanta maker of Internet-usage management solutions.
Consider another statistic from the Vault survey: 53 percent of employees limit
personal surfing to less than a half hour a day. If you cut off access to the
shopping and travel sites, are you coming down too hard on employees who already
self-regulate their nonbusiness surfing? And if you limit access to, say, lunchtime,
or simply monitor usage, are you sending a message that all personal browsing
is frowned upon? In effect, are you creating an environment in which users are
afraid to browse anything remotely non-job-related, even though some personal
use really is permissible?
"We have a security person who can see what sites people are looking at,"
says an employee at a semiconductor manufacturer who did not wish to reveal
her identity or her company's name. "It takes me five minutes to order
my contact lenses, but I feel I'll get into trouble. I'm thinking, 'Is he watching
me; should I be doing this?' Anything I wanted to order, I would do it at home.
Finally, I said, 'Screw it; I stare at this screen all day, and I need my contacts
to see.' It's not like I'm buying jewelry on eBay."
This manufacturer does not block shopping sites, and nowhere in its seven-page
Internet policy is such use prohibited. The company's monitoring policy is hardly
secret either: All employees see a link to it whenever they log on to the Internet.
But still, the policy has fostered confusion and suspicion.
"It clarifies certain things we can't do, but not what we can do,"
the employee says. "I think it creates ambiguity intentionally, so that
they can use it against you if they need to."
Such confusion--and the hard feelings it creates--can easily be avoided.
"It's not enough just to have a policy," says Ellen Bayer, practice
leader for human resources at the American Management Association. "You
have to communicate it and make sure people understand it." Handing out
a memo doesn't suffice; neither does simply posting a policy online. "There's
training involved," Bayer says. "Give demonstrations and be as specific
as possible, so everyone understands the parameters."
But few companies supplement their Internet-use policies with formal training.
The policies themselves can typically be boiled down to one key point: Web access
is a company resource that should not be used in any way that would embarrass
or otherwise cause grief for the company. Fine. But what does that really mean?
Sending a nude photograph around the office is generally recognized as a bad
idea, but there are plenty of gray areas.
"Most people don't intend to write inappropriate e-mail, so how do they
know what bad e-mail is?" Bayer says. "You need to give concrete examples."
Employers may be slowly starting to come around on this point. After four years
of using Websense Enterprise to block hate and sex sites, Bic Consumer Products,
a 1,000-employee division of Bic USA, is developing a set of Internet Q&As
for employees."They're guidelines," says Paul Russo, senior vice president
of human resources at Bic,"basic dos and don'ts. We recognize that our
employees will make limited personal use of the Net." The guidelines are
in place to make sure everyone has the same rules.
No doubt, an easy way to eliminate ambiguity is to block sites outright. There's
certainly no confusion when a user trying to access a Website finds a big "You
can't enter" message on the screen. But again, the trick is setting limits
that don't undermine productivity. It's a judgment call. Alabama Motors Association,
for example, blocks gambling, job search, sex, shopping, and vehicle sites,
among others. Canon Information Systems Inc., a 133-employee subsidiary of the
giant Japanese electronics maker Canon Inc., blocks gambling and sex, but not
job search and shopping.
Until a site-management program has been assessed, less blocking is best. Austin,
the information systems manager at Alabama Motors Association, recalls a case
in which an employee planning a business trip couldn't book a car rental because
the Hertz site had been classified under vehicles, a blocked category. Austin
simply unblocked the site, but an employee trying for a quick purchase on Amazon.com
wouldn't fare as well. There would have to be "a desperate need,"
says Austin, who adds that a manager would have to give approval.
Though strict limits on access appear to boost productivity--it's hard to goof
off online if you can't get there--in the long term, the policy may backfire.
Employees could certainly make purchases from their computers at home, assuming,
of course, that they have them. But that may be impractical, notes Deborah Pierce,
staff attorney at the Electronic Frontier Foundation in San Francisco. Pierce
is also skeptical about identifying problem sites. No matter how many people
a filtering company employs, it will never keep up, she notes. "Filtering
is very subjective, and the companies are inflicting their view of the world
on everyone else."
Carrington, the Websense CEO, has heard these criticisms before: "Do we
ever miss a site? Yes. Are there sites that are misclassified? Yes." But
the errors, he says, are minimal and easily corrected. Until 1999, Websense
built its database manually, a "Herculean effort," Carrington acknowledges.
"You could hire 25,000 employees to look at these pages but still not keep
up with the Web."
So Websense delegated the task to automated crawlers that scour Websites using
pattern-recognition algorithms. The crawlers examine Web pages for textual clues
that suggest whether the site falls into any of the forbidden categories, assigning
a confidence rating to its judgment of each page.
"If the rating is 99.5 percent, [the site] gets thrown in the system automatically,"
Carrington says. But if the crawler returns a lower confidence rating, say 98
percent, one of Websense's 24 human analysts decides.
The rise in monitoring and blocking employees' Web use is new, but the underlying
problem is not.
"There have always been ways to fritter away time," says Dr. DuBrin,
adding that most employees use the Web in moderation. The best policy is one
that doesn't disadvantage responsible workers. Striking a fair balance in regulating
personal activities achieves the best results.
If blocking is problematic for an employer, the company can use software simply
to monitor Web use and to generate reports of where and when employees are surfing.
There are significant benefits to doing this, beyond making sure that no one is
looking at porn or spending too much time reading The Onion. Managers, for example,
can see which departments or users are frequenting job-search sites, thus getting
warning of possible dissatisfaction.
But monitoring is labor intensive. Small companies probably don't have the
resources to dedicate a manager to sifting through usage reports. Indeed, many
midsized companies don't either. At Canon Information Systems, the IT department
consists of five people. According to James Underwood, Canon's manager of information
services, monitoring "is not a good use of their time." Blocking,
on the other hand, "takes the burden of policing off my staff," he
If you do monitor, be rigorous about it. Consider the employee who is downloading
sexually explicit photos in view of others: Under sexual-harassment law, if
an employer knows about the offending behavior but doesn't act, there's greater
likelihood of liability. Monitoring software puts you on notice. If you detect
abuses and then don't do anything, Pierce says, "you're on the hook."
One legal issue employers need not worry about, however, is their employees'
privacy rights. To put it bluntly, workers don't have any. Or at least not many.
"The case law makes it clear that you have very little [in the way of]
privacy rights at work," Pierce says. "Your employer owns the equipment;
they're paying you; they have the right to make sure you're doing the work.
"Though the Electronic Communications Privacy Act (ECPA) of 1986 appears
on a quick read to give employees all sorts of privacy protections, it includes
broad exceptions that limit protection in the workplace. "It's hard to
think of an example that wouldn't fit an exception," Pierce says. The law
prohibits only the most egregious surveillance schemes, such as installing cameras
in the bathroom. E-mail and the Web are fair game.
Companies don't even have to inform employees that they are being monitored,
though legislation has been introduced at both state and federal levels to require
So far, these bills have gone nowhere.
But just because an employer can do something doesn't mean it should. Monitoring,
in particular, is risky business if not implemented carefully. The risk is that
employees will respond with hostility--or leave.
Fortunately, there are ways to block and monitor without causing mutiny or
exodus. First and foremost, experts say, is to give notice that you're monitoring,
even if that isn't legally required.
"It's a bad idea to monitor people and not tell them about it," Pierce
says. "They find out; it harms morale; people quit."
DuBrin recommends that management "give a clear business justification"
for its policies. For example, if you cut off music sites, tell employees you're
doing so because the huge downloads hog the company's bandwidth.
Of course, blocking some sites will be harder to justify than blocking others.
Take job-search sites: No boss wants employees looking for a new gig on company
time, but if you cut off job sites, your employees may think you've done so
because there are better jobs out there. Cut off shopping sites, and employees
may think you don't trust them to control their shopping. As you set policy,
consider the message the policy sends.
In particular, Bayer says, a draconian approach isn't going to cut it: "You
need to say a certain amount of time for personal use is okay." And whatever
policies you set, make sure they carry weight.
"Twice I was taken aside for sending a lot of e-mail," says a former
employee of a national insurance company. "My manager would say, 'Don't
do that.' " Later, the manager would come by and ask if the employee had
found any interesting sites. "Our policy wasn't going to get enforced,"
the employee says.
Before implementing any monitoring or blocking policy, do the homework: understand
the implications, including costs and risks. Consider outsourcing the blocking
process. Initially, limit restrictions to the obvious, such as porn sites. Make
sure the rationale for the policy is explained clearly and effective training
takes place. Make information, with examples, readily available to employees.
Finally, monitor the monitoring process. It should have clear, measurable goals.
Institute ways to gauge employee reactions. Done well, monitoring and blocking
programs can save money, limit liability, and increase--not undermine--overall