Your boss is snooping on you

The latest development: Companies can now scan your computer's hard drive from a remote location--meaning your bosses could read all the data on your office PC.
Written by Robert Vamosi, Contributor
COMMENTARY--In a recent column, my colleague Patrick Houston wrote about how companies now have the ability to block instant messaging at work.

Some employers already forbid the use of file-sharing software such as KaZaa. Does this sound like a trend? I think so. The latest development: Companies can now scan your computer's hard drive from a remote location--meaning your bosses could read all the data on your office PC (even the deleted stuff) without your knowledge.

This could get a lot of employees in trouble. I'm not talking about getting caught using your office's laser printer to create invitations for a personal party. Rather, I'm talking about companies, fearing employee lawsuits regarding harassment or other issues, using digital forensics to make sure you're abiding by company policies.

As scary as this may sound, I'm not opposed to it. After all, your company owns the hardware and software you use at work. Why shouldn't it make sure you're using it for legitimate purposes? Whether you agree with me or not, it's time to stop thinking of your office computer as a private place.

Employer snooping is not an entirely new concept. For years, companies have been able to examine the contents of employees' hard drives. But that used to entail shutting down the individual's computer, making an image of the hard drive with a program like Norton Ghost, then spending hours looking for incriminating data.

The problem for employers has been that Windows destroys a fair amount of your information when the computer is turned off (whether you pull the plug or shut it down properly). So, even though companies could reconstruct some deleted material, other data--such as temp files--was lost permanently.

That's where Pasadena, Calif.-based Guidance Software comes in. Guidance has a line of forensic software products, called EnCase, which can make an image of a Windows system without shutting it down. Guidance's latest addition to this line, EnCase Enterprise Edition, is designed to scan desktops on a corporate network--without employees knowing what's going on.

Why am I not worried? Because I believe this type of software provides accurate information that can definitively prove whether or not an individual has legitimately violated company policy.

Take, for example, a situation in which HR discovers an employee is viewing pornographic materials in Outlook, an act the company has banned. Some employees may worry they could be wrongfully accused if these materials were arriving against their wishes in the form of spam. But with EnCase, the employers would be able to determine whether the materials were spam, or part of a pattern of lewd behavior (as evidenced, perhaps, by images stored on the PC, or by documented visits to pornographic Web sites).

I can even think of some potentially useful applications of this type of software. Let's say that, while at my office printer, I see an image of the corporate headquarters exploding. Whoever created that image could be a risk to the company. Using EnCase, my company's IT department could determine which system generated the image. HR could then investigate that employee's behavior to determine whether he or she is really a danger to coworkers.

My general feeling is that, if you use a desktop, notebook, or handheld that's company property, you shouldn't store personal information on it. For instance, I use a secondary Web-based account for personal e-mail. And some Web services, like online banking, I just won't use at work. Yes, it would be convenient to bank during the day, but for me it's too big a risk to think the company might get hold of my sensitive information. I'd rather wait until I get home to check my account balance.

I'm not saying your work computer has to be sterile. On mine I do have digital photos of my family and friends--but I don't store personal e-mails or credit card information. It's all a question of how comfortable you feel knowing your company can find out about your personal life.

I know some people will continue to carry out personal business at work. One of my coworkers not only obtained a copy of his credit report on his work computer, but also printed out the report on an office printer (which he shares with several other people). Though he promptly erased the report from his hard drive, a company using tools like EnCase Enterprise could access his credit card number as well as his entire credit history if it so desired.

I say: With powerful new tools like EnCase Enterprise available, why take chances at work? It's time to keep our private lives out of the office, whether we like it or not.

Editorial standards