Who’s Watching You at Work?

When they put in long hours, workers sometimes begin to see their workplaces as something of a second home. They decorate the walls of their cubicles or offices with pictures of loved ones, plants and an assortment of personal memorabilia. No matter what their professional level, when someone’s spending 40, 50, 60 hours a week on the job, that feeling of home-away-from-home can extend to use of electronic devices and computers provided by their employer.

Employer-provided e-mail accounts are used to send personal e-mails; the organization’s network is used to access personal e-mail accounts, surf the Web, conduct personal research, check and post on blogs, and calls of a strictly personal nature are placed on the company’s system.

How homey would their offices and other workspaces feel if workers realized that an ever-growing number of companies have some sort of electronic monitoring and surveillance policy? “E-policies,” as they are sometimes called, have been growing in popularity since 2001, according to a recent study conducted by The ePolicy Institute and American Management Association (AMA).

“Surveillance is now routine business practice among American employers, both large and small, as the cost and ease of introducing have dropped. You leave your rights at the office door every day you go to work. Most surveillance is conducted without any individualized suspicion, and personal as well as business-related information is routinely collected,” explained Jeremy Gruber, legal director at the National Workrights Institute.

Keyboard Surveillance

Two-thirds of the companies included in the “2007 Electronic Monitoring & Surveillance Survey” said they monitor Internet connections. The scrutiny could take the form of tracking content, keystrokes and time spent at the keyboard. Nearly half of respondents said they use those tactics, while another 43 percent reviewed computer files stored on a company-owned PC.

Among the 66 percent of companies that reported monitoring Internet usage, 65 percent use software to block access to unsuitable Web sites. That represents a 27 percent increase since the first survey was conducted in 2001.

“The most important thing employees need to know about electronic monitoring and surveillance is, regardless of the industry in which you work, the size of your company, the number of employees, or your company’s status as a public or private organization, at the end of the day, in the United States, the federal government gives the employer the legal right to monitor all computer transmissions and activity,” said Nancy Flynn, executive director at The ePolicy Institute.

“As an employee, you should assume the boss is reading over your electronic shoulder — even if your boss has told you they do not monitor,” she stated.

In the U.S. as well as many other nations, workers have few privacy protections under the law, according to the Electronic Privacy Information Center. While some state and federal laws grant employees a set of limited rights — forbidding, for instance, a private sector company from forcing an employee to take a polygraph test — by and large there are no protections provided to employees that guarantee privacy in the workplace.

Courts in the U.S. have repeatedly ruled for the employer in cases in which workers assert a right to privacy in the workplace.

“The courts have been consistent, ruling that employees have no expectation of privacy when they use the company’s computer system, and they should assume they’re being monitored even when they are told they are not being monitored,” Flynn explained.

Only two states, Delaware and Connecticut, require an employer to notify workers of electronic monitoring. However, most companies said they inform employees of their e-monitoring practices, regardless of whether they’re obligated by law.

That notification, however, is typically included in the new hire packet employees receive on the first day. With a glut of papers to sign, it’s easy and quite common for an excited new hire to affix his or her signature acknowledging the policy without taking the time to read the document.

“The one thing employees can expect is that on the first day, they will be given a bunch of policies to review, which will include an electronic monitoring policy. Most companies ask their employees to sign off on them, and they do. The unfortunate thing is that employees aren’t given the appropriate amount of time to review those policies,” explained Manny Avramidis, senior vice president of Global Human Resources at the American Management Association.

“They go right into their job, not realizing what they signed off on. And from a monitoring standpoint, [what] they have pretty much signed off on is that they should have no expectation of privacy at all while they are at the workplace. They have essentially checked their privacy at the door,” he told TechNewsWorld.

When employees are not aware of the company policy, they are more apt to do things — shop online, forward potentially offensive chain e-mails, overuse a company cell phone for personal calls — that they would not do if they were constantly reminded or if the policy had been explained in detail, Avramidis said.

‘At Will’ Nation

As electronic monitoring increases, so do terminations connected to misuse of either e-mail or Internet access. Twenty-eight percent of employers have terminated the employment of workers who violated company e-mail policies, used inappropriate or offensive language, excessively used e-mail for personal use, or breached confidentiality rules, according to the study.

Nearly a third of all businesses in the AMA/ePolicy report have fired workers for inappropriate use of the Internet. Grounds for termination in those instances typically focused on viewing, downloading or uploading inappropriate or offensive content; violating a company policy; and excessive personal use.

Employers have enacted these policies mostly to maintain productivity, protect confidential business data and limit their exposure during litigation.

E-mails, along with any other electronically stored information and business records, are the equivalent to DNA evidence, according to Flynn. Roughly one-quarter of businesses have received subpoenas for e-mail from courts and regulators. Another 15 percent have had to defend against workplace lawsuits set off by an employee e-mail, the AMA/ePolicy’s survey found.

“It’s more along the lines to manage productivity. If [employees] in a call center are not taking enough calls, a manager might come in and say, ‘Why aren’t they doing as much?’ If they have access to the Internet, that might be the reason, or they might be taking too many personal phone calls,” Avramidis pointed out.

“Other reasons include that they are looking to protect sensitive business information. Or to protect themselves from litigation, making sure they are not sending the wrong types of e-mails that could potentially be harassing. The policies are not geared toward giving employees a hard time for reasonable usage,” he continued.

“Reasonable use” is a subjective term. It could range from making a phone call home to check on the kids or calling a plumber to check on a repair, so long as it happens on a sporadic basis, Avramidis noted.

“It’s the consistent users that could arguably create exposure for the organization, such as sending intellectual property secrets to others without even knowing they are doing it, or downloading pornography. Those are the folks the companies are most concerned about,” he explained.

The definition of “reasonable use” depends mostly on the business environment, Avramidis stated. Employers will be more lenient with employees if curiosity is an asset in their jobs.

“Employees are working longer hours than they ever have before. It should be acceptable to allow for reasonable personal and private use of computers and other forms of electronic communication, but only a minority of employers allows for reasonable use policies, and even then the surveillance continues uninterrupted,” Gruber told TechNewsWorld.

However, ePolicy’s Flynn advises businesses to make sure that their policies are clearly written and not open to individual interpretation.

“Smaller companies can be the worst offenders, often because their staff are not unionized and because they are unaware of the correct legal advice. They often say ‘take it or leave it — accept monitoring or you’re out.’ Very few small enterprises actually have a written policy in place,” said Simon Davies, director at Privacy International.

Cell Phones, GPS and More

Beyond their company-provided computers, off-site workers who telecommute can be monitored — even though they may be working on a personal device — simply because they are using the network provided by the employer.

Cell phones, smartphones and GPS (Global Positioning System) devices are also fair game. While some states prohibit recording of actual phone calls unless the employee and person on the other end has been notified, organizations can monitor the number of calls made and received, the phone numbers of outgoing and incoming calls and the length of any calls, Avramidis said.

“Companies are increasingly requiring staff to consent to GPS phone tracking. This has been done for some years with mobile workers such as drivers but is now being extended to entire workforce populations,” Davies told TechNewsWorld.

Text messaging is also monitored, and records of incoming and outgoing messages are retained, as the recent high-profile case surrounding Detroit Mayor Kwame Kilpatrick has shown. The embattled mayor is embroiled in a scandal concerning more than 14,000 text messages exchanged with Christine Beatty, his then-chief of staff, with whom he had an extramarital affair.

The Detroit Free Press in January exposed the electronic love notes sent between September and October of 2002 and April and May of 2003. The texts apparently contradict sworn testimony the two gave in a police whistle-blower trial in 2007, where the couple denied having an affair.

“Legislatures have completely abdicated their responsibility to regulate employee privacy, and the result has been employers emboldened to continuing their surveillance outside the traditional workplace with GPS and RFID (radio frequency identification). Indeed, most employer surveillance policies often take years to amend to address new and emerging technologies such as RFID that they are using,” Gruber stated.

Global Practice

While employees in the U.S. and elsewhere around the world should be aware that their bosses have some right to use surveillance techniques, in places like Europe, laws governing the use of such methods must be “proportionate and necessary,” Davies noted.

“In other words, employers cannot simply conduct surveillance merely because it’s in the employment contract,” he explained.

While most policies overseas allow surveillance of Internet, e-mail and phone use, the data protection acts in many countries provide protection against unwarranted, excessive, intrusive or insecure methods of surveillance, according to Davies.

“One of the key issues is whether detailed monitoring is carried out, such as keystroke analysis and e-mail profiling,” he said.