Worker watchers

Want to know what your employees are doing online? You can find out without spooking them
Written by Alan Cohen, Contributor on

Jemar Austin is taking names. Officially, he is the information systems director at the Alabama Motors Association, a 100-employee branch of the Automobile Association of America (AAA). Informally, he's the company's Internet cop--something you'll do well to keep in mind if you work with him. Thanks to a clever, relatively inexpensive piece of software, Austin can see where you've gone online, when you went there, and how long you stayed. He knows if you hunted for a new job or shopped on eBay on company time. And he most definitely knows if you browsed any porn sites.

Every two weeks, Austin generates reports that reveal, among other things, which employees are the company's heaviest Internet users.

"If I see users pop up who should not be on there, I can then see the sites they've looked at [and] which sites they tried to go to but were blocked," Austin says. If something doesn't look right, he can notify the user's manager. In the year and a half since Alabama Motors Association installed the software--a package called SuperScout from SurfControl in Scotts Valley, California--that's happened only once. An employee was spending a good chunk of company time shopping for a boat. The manager spoke to the employee, the sites were blocked, and that, Austin says, ended the problem.

A growing number of companies are calling such tactics preventive medicine. Some employees say a better name is Big Brother. What no one disputes, however, is that for all the benefits of desktop Web access, there are also significant risks. E-mail and the Web can boost productivity by enhancing communications, collaboration, and research capabilities. However, they can just as surely undermine efficiency, should users spend too much time surfing the Web for personal ends. There are other concerns, too: It doesn't take many employees downloading Springsteen songs and Planet of the Apes trailers to clog corporate networks. And it takes only one employee accessing sexually explicit material to embroil a firm in an expensive lawsuit.

What is also clear is that abuses, big and small, do happen. Already, companies such as Dow Chemical, The New York Times, and Xerox have fired employees for inappropriate Internet use. Last September, a survey by the career Website Vault.com found that 90 percent of employees surf non-work-related Websites at the office. Only 4 percent admitted to looking at pornography, but the other numbers are hardly reassuring to employers: 37 percent have looked for jobs; 34 percent check stocks; 26 percent send nonbusiness instant messages. If you think a quick glimpse of quotes or an e-mail to your grandma is no big deal, consider that 13 percent of employees spend over two hours a day surfing nonbusiness sites, while 10 percent receive 21 or more personal e-mails each workday. And then there is all the e-mail they write and send.

Less clear is what companies should do. On the surface, the answer seems easy: install monitoring or blocking software. Packages that block objectionable sites or let you keep tabs on employees' online activity are plentiful. Considering the likely gains in productivity and protection against liability, such products seem to be cost effective. Websense Incorporated, which filters sites at more than 12,000 companies, including 239 of the Fortune 500, estimates costs at approximately US$15 per employee per year. That might not seem like much to pay for all the benefits, but there is another side to this issue.

For starters, what exactly should you block? Sexually explicit sites are a no-brainer. But do you really want to cut off shopping sites? Maybe it's not such a bad idea for someone to take five minutes to buy a gift at Amazon.com or even to purchase an extra battery for a company laptop. Five minutes on Amazon.com sure beats a two-hour lunch, and five minutes on PC Connections' site may be better than having an employee spend hours getting an item requisitioned, approved, ordered, received, and, weeks later, delivered, especially compared to the 48-hour delivery many Websites offer.

What's more, blocking software may not be as reliable as it seems. With thousands of new sites appearing daily, how can any censoring program keep up? Even tougher: Many sites are good for some uses, bad for others. Searching a news site for job-related trends may be essential, but time spent on the same site checking basketball scores is wasted.

Rather than blocking sites en masse, you may prefer to monitor employees--keeping tabs on Internet access, generating reports, and solving problems as they occur. But how will that kind of surveillance go over with employees? How will you deal with infractions? How much monitoring or blocking is too much?

"Some companies overreact, and that does hurt morale," says Dr. Andrew DuBrin, professor of management at the Rochester Institute of Technology and a frequent writer on workplace-psychology issues. Unhappy workers may become former workers, and losing workers costs money.

So the challenge is to create a monitoring policy that protects both your business and your employees' privacy. The goal is to provide a measurable benefit without stirring alarm among employees or causing turnover. Fortunately, the sheer diversity of filtering and monitoring technologies provides rich options to create a program that matches the needs of any company and its employees.

Never in history have there been so many ways to monitor employees. James Bond isn't the only one walking around with a homing device in his pocket. High-tech ID cards let hospitals track the location of medical staff; key-card systems note when employees come and go. And there are always those old reliables: storing and reviewing voicemail messages, and backing up computer files, so that the information remains available after employees hit the delete button. But the real action these days revolves around the Internet.

Each year, the American Management Association surveys thousands of companies, mostly large ones, on the electronic surveillance methods they use. Between 1997 and 2001, the percentage of companies recording and reviewing employee telephone conversations has remained constant at around 10 percent. Similarly, the percentage of voice-mail monitoring has hovered steadily at around 6 percent. But e-mail monitoring has exploded, from 15 percent in 1997 to 46 percent in 2001.

Putting the brakes on Web access has also become a priority. In Vault.com's 1999 survey, 31 percent of employers said they restricted or monitored Internet use. By the next year, that number was up to 42 percent.

All this makes for heady days at the companies selling access-control software. Websense, for example, has seen 20 percent quarter-to-quarter growth for the past year and a half, according to CEO John Carrington. The company's $30 million in revenues last year more than doubled 1999's total. The money isn't in the software sales--it's in subscriptions to Websense's crown jewel, a constantly updated database of potentially problematic sites. Currently, the database boasts more than two million sites, comprising over half a billion Web pages.

What customers get from Websense Enterprise is daily access to a list of sites that managers may not want employees to visit. Other access-control solutions work in much the same way. Through a combination of automated tools and human analysts, Websense Enterprise hunts down new sites and places them in one of 68 categories. The selling point is twofold: Companies don't have to devote resources to finding noxious sites themselves--a hopelessly futile task given the number of new sites that pop up daily. And managers can choose particular categories to block.

"The system is very customizable," Carrington says. "Some customers are draconian, shutting everything down; others are much more progressive, saying they're going to block pornography, but everything else is fair game."

Websense's own research shows that most clients lean towards the draconian. Of the 68 categories, only a handful deal with sites that would give a company's lawyer pause: adult content, gambling, illegal activities, racism, hate, and violent activity. Other categories include abortion advocacy, activist groups, cultural institutions (including galleries and museums), educational institutions, gay and lesbian issues, health information, hobbies, job search, news, personals, political groups, religion, restaurants, search engines, sex education, shopping, sports, and travel. When Websense surveyed its customers, it found that more than 75 percent managed over 40 categories, either blocking them outright, allowing access only after a warning appears onscreen, or limiting access to certain users or times of day. In all cases, Websense's software can monitor and report on activity, both good and bad.

Of course, even seemingly innocuous sites like eBay and ESPN.com can pose problems when employees spend hours looking at them or when the activity is hogging precious network resources.

"A day trader with real-time quotes uses ten times the bandwidth of an ordinary user," says Vijay Balakrishnan, senior vice president of marketing at TeleMate.Net Software, an Atlanta maker of Internet-usage management solutions.

Consider another statistic from the Vault survey: 53 percent of employees limit personal surfing to less than a half hour a day. If you cut off access to the shopping and travel sites, are you coming down too hard on employees who already self-regulate their nonbusiness surfing? And if you limit access to, say, lunchtime, or simply monitor usage, are you sending a message that all personal browsing is frowned upon? In effect, are you creating an environment in which users are afraid to browse anything remotely non-job-related, even though some personal use really is permissible?

"We have a security person who can see what sites people are looking at," says an employee at a semiconductor manufacturer who did not wish to reveal her identity or her company's name. "It takes me five minutes to order my contact lenses, but I feel I'll get into trouble. I'm thinking, 'Is he watching me; should I be doing this?' Anything I wanted to order, I would do it at home. Finally, I said, 'Screw it; I stare at this screen all day, and I need my contacts to see.' It's not like I'm buying jewelry on eBay."

This manufacturer does not block shopping sites, and nowhere in its seven-page Internet policy is such use prohibited. The company's monitoring policy is hardly secret either: All employees see a link to it whenever they log on to the Internet. But still, the policy has fostered confusion and suspicion.

"It clarifies certain things we can't do, but not what we can do," the employee says. "I think it creates ambiguity intentionally, so that they can use it against you if they need to."

Such confusion--and the hard feelings it creates--can easily be avoided.

"It's not enough just to have a policy," says Ellen Bayer, practice leader for human resources at the American Management Association. "You have to communicate it and make sure people understand it." Handing out a memo doesn't suffice; neither does simply posting a policy online. "There's training involved," Bayer says. "Give demonstrations and be as specific as possible, so everyone understands the parameters."

But few companies supplement their Internet-use policies with formal training. The policies themselves can typically be boiled down to one key point: Web access is a company resource that should not be used in any way that would embarrass or otherwise cause grief for the company. Fine. But what does that really mean? Sending a nude photograph around the office is generally recognized as a bad idea, but there are plenty of gray areas.

"Most people don't intend to write inappropriate e-mail, so how do they know what bad e-mail is?" Bayer says. "You need to give concrete examples."

Employers may be slowly starting to come around on this point. After four years of using Websense Enterprise to block hate and sex sites, Bic Consumer Products, a 1,000-employee division of Bic USA, is developing a set of Internet Q&As for employees."They're guidelines," says Paul Russo, senior vice president of human resources at Bic,"basic dos and don'ts. We recognize that our employees will make limited personal use of the Net." The guidelines are in place to make sure everyone has the same rules.

No doubt, an easy way to eliminate ambiguity is to block sites outright. There's certainly no confusion when a user trying to access a Website finds a big "You can't enter" message on the screen. But again, the trick is setting limits that don't undermine productivity. It's a judgment call. Alabama Motors Association, for example, blocks gambling, job search, sex, shopping, and vehicle sites, among others. Canon Information Systems Inc., a 133-employee subsidiary of the giant Japanese electronics maker Canon Inc., blocks gambling and sex, but not job search and shopping.

Until a site-management program has been assessed, less blocking is best. Austin, the information systems manager at Alabama Motors Association, recalls a case in which an employee planning a business trip couldn't book a car rental because the Hertz site had been classified under vehicles, a blocked category. Austin simply unblocked the site, but an employee trying for a quick purchase on Amazon.com wouldn't fare as well. There would have to be "a desperate need," says Austin, who adds that a manager would have to give approval.

Though strict limits on access appear to boost productivity--it's hard to goof off online if you can't get there--in the long term, the policy may backfire. Employees could certainly make purchases from their computers at home, assuming, of course, that they have them. But that may be impractical, notes Deborah Pierce, staff attorney at the Electronic Frontier Foundation in San Francisco. Pierce is also skeptical about identifying problem sites. No matter how many people a filtering company employs, it will never keep up, she notes. "Filtering is very subjective, and the companies are inflicting their view of the world on everyone else."

Carrington, the Websense CEO, has heard these criticisms before: "Do we ever miss a site? Yes. Are there sites that are misclassified? Yes." But the errors, he says, are minimal and easily corrected. Until 1999, Websense built its database manually, a "Herculean effort," Carrington acknowledges. "You could hire 25,000 employees to look at these pages but still not keep up with the Web."

So Websense delegated the task to automated crawlers that scour Websites using pattern-recognition algorithms. The crawlers examine Web pages for textual clues that suggest whether the site falls into any of the forbidden categories, assigning a confidence rating to its judgment of each page.

"If the rating is 99.5 percent, [the site] gets thrown in the system automatically," Carrington says. But if the crawler returns a lower confidence rating, say 98 percent, one of Websense's 24 human analysts decides.

The rise in monitoring and blocking employees' Web use is new, but the underlying problem is not.

"There have always been ways to fritter away time," says Dr. DuBrin, adding that most employees use the Web in moderation. The best policy is one that doesn't disadvantage responsible workers. Striking a fair balance in regulating personal activities achieves the best results.

If blocking is problematic for an employer, the company can use software simply to monitor Web use and to generate reports of where and when employees are surfing. There are significant benefits to doing this, beyond making sure that no one is looking at porn or spending too much time reading The Onion. Managers, for example, can see which departments or users are frequenting job-search sites, thus getting warning of possible dissatisfaction.

But monitoring is labor intensive. Small companies probably don't have the resources to dedicate a manager to sifting through usage reports. Indeed, many midsized companies don't either. At Canon Information Systems, the IT department consists of five people. According to James Underwood, Canon's manager of information services, monitoring "is not a good use of their time." Blocking, on the other hand, "takes the burden of policing off my staff," he says.

If you do monitor, be rigorous about it. Consider the employee who is downloading sexually explicit photos in view of others: Under sexual-harassment law, if an employer knows about the offending behavior but doesn't act, there's greater likelihood of liability. Monitoring software puts you on notice. If you detect abuses and then don't do anything, Pierce says, "you're on the hook."

One legal issue employers need not worry about, however, is their employees' privacy rights. To put it bluntly, workers don't have any. Or at least not many.

"The case law makes it clear that you have very little [in the way of] privacy rights at work," Pierce says. "Your employer owns the equipment; they're paying you; they have the right to make sure you're doing the work. "Though the Electronic Communications Privacy Act (ECPA) of 1986 appears on a quick read to give employees all sorts of privacy protections, it includes broad exceptions that limit protection in the workplace. "It's hard to think of an example that wouldn't fit an exception," Pierce says. The law prohibits only the most egregious surveillance schemes, such as installing cameras in the bathroom. E-mail and the Web are fair game.

Companies don't even have to inform employees that they are being monitored, though legislation has been introduced at both state and federal levels to require such notice.

So far, these bills have gone nowhere.

But just because an employer can do something doesn't mean it should. Monitoring, in particular, is risky business if not implemented carefully. The risk is that employees will respond with hostility--or leave.

Fortunately, there are ways to block and monitor without causing mutiny or exodus. First and foremost, experts say, is to give notice that you're monitoring, even if that isn't legally required.

"It's a bad idea to monitor people and not tell them about it," Pierce says. "They find out; it harms morale; people quit."

DuBrin recommends that management "give a clear business justification" for its policies. For example, if you cut off music sites, tell employees you're doing so because the huge downloads hog the company's bandwidth.

Of course, blocking some sites will be harder to justify than blocking others. Take job-search sites: No boss wants employees looking for a new gig on company time, but if you cut off job sites, your employees may think you've done so because there are better jobs out there. Cut off shopping sites, and employees may think you don't trust them to control their shopping. As you set policy, consider the message the policy sends.

In particular, Bayer says, a draconian approach isn't going to cut it: "You need to say a certain amount of time for personal use is okay." And whatever policies you set, make sure they carry weight.

"Twice I was taken aside for sending a lot of e-mail," says a former employee of a national insurance company. "My manager would say, 'Don't do that.' " Later, the manager would come by and ask if the employee had found any interesting sites. "Our policy wasn't going to get enforced," the employee says.

Before implementing any monitoring or blocking policy, do the homework: understand the implications, including costs and risks. Consider outsourcing the blocking process. Initially, limit restrictions to the obvious, such as porn sites. Make sure the rationale for the policy is explained clearly and effective training takes place. Make information, with examples, readily available to employees.

Finally, monitor the monitoring process. It should have clear, measurable goals. Institute ways to gauge employee reactions. Done well, monitoring and blocking programs can save money, limit liability, and increase--not undermine--overall productivity.

Editorial standards