


Surfing on Company Time

The Annoyance:

I think my boss is watching where I go on the Web. Aren't employers required to notify you if they monitor your web activity?

The Fix:

In general, no. With very few exceptions, private employers can monitor everything you do in the workplace and aren't required to tell you a thing about it. (Government employees actually enjoy a few more rights; see the sidebar "Better Fed than Dead?")

Some employers include vague language like "we reserve the right to monitor your activities," either on a splash screen when you turn on your computer or buried deep within the employee handbook. Of course, that doesn't tell you whether they are monitoring or how they might be going about it. Only Connecticut and Delaware require employers to notify employees before monitoring their online communications. In other states it's entirely up to each company.

Lewis Maltby, president of the National Workrights Institute (http://www.workrights.org), says that while there's little you can do to prevent your boss from monitoring your online behavior, you can make monitoring less intrusive and more transparent:

  • Ask your boss whether your company monitors employee communications, and if so, what types of communication and how. If your boss doesn't know, ask her to inquire further about this and get back to you.

  • Once you find out what's monitored, decide how you want to communicate personal information. For example, if your company routinely scans email traffic but not phone calls, you may want to call your spouse or your doctor the next time you need to discuss a personal issue (although a better idea would be to use your cell phone or another line not owned by your company).

  • If you don't like being monitored, make your objections known. If enough employees complain, the company may alter its policies (don't hold your breath). At the very least, insist your employer add a written policy to the employee handbook detailing which online activities are allowed and what the company does to ensure compliance.

Find out why your company is monitoring employees, and see if there's a less intrusive method of achieving its security goals. For example, instead of using web monitoring software to log every site an employee visits, your employer could use the same program to block employees from visiting objectionable sites—such as porn and hate speech sites—that could cause the company legal headaches. Companies concerned about productivity loss could adjust the software to allow access to certain types of sites at specified hours—say, news or travel sites during lunch or after work—or for a certain number of minutes each day. Maltby says many firms would happily embrace policies that protect their needs without alienating their employees. "Most employers are not interested in spying on you," says Maltby. "They're just trying to avoid sexual harassment suits, prevent the loss of their trade secrets, and keep people from spending all day on the Net when they should be working. [But]...companies don't have to violate your personal privacy to protect their legitimate business interests."
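A sketch of the less intrusive setup described above, as an added example that is not from the book or from any vendor's product: a filter that blocks objectionable categories, opens news and travel sites during set hours, and meters a daily allowance, while recording only denials and per-category minute counts rather than every URL. The host names, categories, hours and quota are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed policy: hosts, categories, hours and quota are all assumptions.
CATEGORY = {"news.example": "news", "trips.example": "travel",
            "shop.example": "shopping", "adult.example": "adult"}
BLOCKED = {"adult", "hate"}                       # always denied
LUNCH, AFTER_WORK = (time(12, 0), time(13, 0)), (time(17, 0), time(23, 59))
TIMED = {"news": [LUNCH, AFTER_WORK], "travel": [LUNCH, AFTER_WORK]}
DAILY_QUOTA_MIN = {"shopping": 30}                # minutes per user per day


@dataclass
class Filter:
    # (user, date, category) -> minutes used; the host is never stored
    usage: dict = field(default_factory=dict)
    # audit trail holds denials only: (timestamp, user, category, reason)
    denials: list = field(default_factory=list)

    def decide(self, user, host, when, minutes=1):
        """Return (allowed, reason) for `minutes` of browsing on `host`."""
        category = CATEGORY.get(host, "uncategorized")
        if category in BLOCKED:
            return self._deny(user, category, when, "blocked category")
        if category in TIMED:
            now = when.time()
            if not any(start <= now <= end for start, end in TIMED[category]):
                return self._deny(user, category, when, "outside allowed hours")
            return True, "allowed in time window"
        if category in DAILY_QUOTA_MIN:
            key = (user, when.date(), category)
            used = self.usage.get(key, 0)
            if used + minutes > DAILY_QUOTA_MIN[category]:
                return self._deny(user, category, when, "daily quota exhausted")
            self.usage[key] = used + minutes
            return True, f"{DAILY_QUOTA_MIN[category] - used - minutes} min left"
        return True, "no restriction"   # business or uncategorized: not logged

    def _deny(self, user, category, when, reason):
        self.denials.append((when.isoformat(), user, category, reason))
        return False, reason


def demo():
    """Run constructed sample requests; return the filter and the decisions."""
    f = Filter()
    day = datetime(2024, 1, 8)
    requests = [
        ("alice", "news.example", day.replace(hour=10, minute=30), 1),
        ("alice", "news.example", day.replace(hour=12, minute=15), 1),
        ("alice", "adult.example", day.replace(hour=12, minute=20), 1),
        ("alice", "shop.example", day.replace(hour=9), 20),
        ("alice", "shop.example", day.replace(hour=15), 15),
        ("alice", "intranet.example", day.replace(hour=11), 1),
    ]
    return f, [f.decide(*r)[0] for r in requests]


if __name__ == "__main__":
    flt, decisions = demo()
    print(decisions)
    for entry in flt.denials:
        print(entry)
```

The audit trail ends up with three denial entries and one minute counter; nothing in it identifies which sites were visited.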


Feel like someone's watching your every move at work? Someone probably is. Surveys by leading research organizations consistently show employee monitoring is on the rise. Here are some of the ways Corporate America watches its workers. (Unless otherwise noted, the stats that follow derive from surveys conducted by the American Management Association.)

Web monitoring: Nearly two-thirds of U.S. firms actively monitor their workers' web activity, according to the AMA. Most use software made by companies such as Websense or SurfControl, which sits on the company's network servers and logs every URL visited by every employee. The software could also be used to simply block attempts to reach forbidden sites without recording all of your web activity.

Email scanning: Almost half of American firms scan the content of employee email. Many use software, such as ClearSwift's MIMESweeper, that scans message text for keywords and blocks internal or external email containing sensitive information (e.g., company secrets or potentially harassing messages); other firms hire people to do the job.

Phone recording: Around one in ten businesses record employee conversations, although legally, companies aren't allowed to eavesdrop on private conversations. About 8 percent tap into your work voice mailbox.

Hard drive snooping: More than a third of surveyed firms admit to digging through their employees' hard drives. Most companies can do this over the company network without you ever knowing.

Capture and logging software: One in five companies records what users are doing at their machines in real time. Some install software that logs every keystroke or periodically captures what's on your screen. Software such as Chronicle Solutions' netReplay or TrueActive Monitor can record every single thing you do, all day long.

Surveillance cams: Think those security cameras are there for your protection? Some 15 percent of companies routinely videotape employees to measure job performance.

Personal searches: If you work in the public sector or in an industry that requires security clearances, you probably pass through a metal detector when you enter and leave the office every day. You might also be searched on your way in or out. At companies—especially retailers—where employee theft is rampant, going through your purse or backpack is standard operating procedure.

Background checks: Some employers merely check references and make sure you really did get that degree from Harvard. But if you're going for a high-level executive position, don't be surprised if the firm hires a private investigator to pry into your life.

Drug tests: At nearly all Fortune 500 companies and many smaller ones, applying for a job means peeing into a cup. Many companies also conduct random blood tests of current employees, although this practice appears to be declining.

Other employees: The guy in the next cubicle may be ratting you out. The 2003 National Business Ethics Survey found that 65 percent of employees reported misconduct to management.


Want to surf from work but still cover your tracks? Using Anonymizer's free proxy server (http://www.anonymizer.com), you can surf to any site while hiding its address from your employer's web monitoring software (see Figure 4-1). Your boss will know you visited Anonymizer.com, but won't know where you went beyond that. Anonymizer is available as a free toolbar for Internet Explorer; support for Firefox and other browsers is due later this year.

But the free toolbar is really just a demo—many sites either don't display or are deliberately blocked. That's because Anonymizer really wants you to fork over $30 for its Anonymous Surfing app, which installs on your hard drive. (Of course, if your employer already blocks access to Anonymizer.com or prevents you from installing browser plug-ins or software, you're out of luck.) Your company might also be able to suss out your surfing habits in other ways, using keyloggers or screen capture utilities.

For an explanation of how anonymous proxy servers work, as well as directories to free proxies around the world, visit the Public Proxy Servers site (http://www.publicproxyservers.com) or Anonymity Checker (http://www.anonymitychecker.com). The Electronic Privacy Information Center provides a long list of tools you can use to privately surf the Web, send email, or engage in online chat at work; see http://www.epic.org/privacy/tools.html.

Figure 4-1. Anonymizer lets you surf at work without revealing where you've gone on the Web—say, to your favorite Shatner fetish site.

Visit NasteePix.com, Get Fired?

The Annoyance:

I work hard, but I like to do a little recreational web surfing during break times. Can I get fired for this?

The Fix:

You might. It all depends on your employer's policies and what you mean by "recreation." If your definition includes gambling, viewing photos of scantily-clad models, downloading MP3s, or trolling hate-speech blogs, you stand a pretty good chance of getting canned. According to a 2001 survey by the American Management Association (AMA), 62 percent of companies monitor Internet content, and more than a third of those firms disciplined employees for breaking their Net policies. (The AMA doesn't say how many of those folks got fired, but you can be sure some did—see "Privacy in Peril: Prurient Interest.")

The trouble is that many corporations lack any kind of written guidelines on what's acceptable behavior. Porn is an obvious no-no, but what about news, political, or travel sites? A study by The Center for Business Ethics at Bentley College found that over 90 percent of companies allow "reasonable personal usage" of the Web, but only 42 percent define what "reasonable" means. So find out what your employer does and doesn't allow (see Table 4-1). Some questions to ask:

  • Are employees allowed to use their work Internet connection for personal use?

  • If so, is personal use restricted to certain times of day (like lunch breaks or after 5 p.m.)?

  • Are there limits on the amount of time employees can surf each day?

  • What types of sites are prohibited?

  • What penalties will be assessed if employees break the rules?

  • Are there procedures in place for employees to dispute claims made against them? (For example, your computer was infected with spyware that drove it to illicit sites.)

Mark Rowe, one of the authors of the Bentley study, says a degree of recreational use is permissible in many organizations, but "companies are not being sufficiently explicit in terms of their policies. There need to be very clear guidelines for employees."

Table 4-1. Let's be reasonable...

| Activities allowed | % of companies that allow them |
|---|---|
| Job searches | 25 |
| Online trading | 28 |
| Online shopping | 51 |
| Online banking | 54 |
| News sites | 84 |

Source: Reproduced with permission by the Center for Business Ethics at Bentley College.

Out of the Office, But Not Out of Sight

The Annoyance:

I telecommute from home two days a week. I keep my Quicken checkbook, digital photos, and other personal stuff on the computer at home I use for work. Does my boss have a right to snoop around my home PC?

The Fix:

It depends on whose gear you're using. If your employer furnished the computer you use for telecommuting, then it has the right to look at anything on it.

If you're using your own computer, you have more privacy rights, but you're far from in the clear. If you're logging into the corporate network and using that to connect to the Internet, your employer can monitor where you go and what you do online, though it probably can't legally look at what's on your hard drive. Even if you're on your own dime when paying for Net access, if you're checking a corporate email account, your employer can certainly monitor your inbox and outbox.

Privacy attorney Parry Aftab (http://www.aftab.com) advises her corporate clients to set up web kiosks in employee break areas that are exempt from company monitoring. That way, employees would have the freedom to access the Web without penalty, and employers would avoid liability for what the employees do online.

"If the company supplied it, they have the right to do anything they want," says privacy rights attorney Parry Aftab (http://www.aftab.com). "Those same rules apply to other employer-supplied gear like laptops, cell phones, pagers, handheld PCs, Blackberries, and so on. It's much broader than computers, which is something most people tend to forget."

You may have also waived your privacy rights as part of a work-at-home agreement, says Aftab, which could give your boss unfettered access to your home computer (though probably not other machines on your home network). If you signed a telecommute agreement, now's the time to examine the fine print.


Even the boss can be caught with his, umm, pants down—and end up paying a stiff penalty. Michael Soden, chief executive of the Bank of Ireland, was forced to resign in June 2004 after porn was found on his office PC during routine maintenance. Although the adult content broke no laws, Soden's behavior violated internal bank policies.

Soden might consider applying for work at LL Media. According to a report in The Register, a UK-based technology site (http://www.theregister.co.uk), the Danish IT firm has given employees free subscriptions to porn sites as a form of fringe benefit. However, certain types of porn sites aren't allowed, and company employees can only use the subscriptions on their home PCs.

Whose Email Is It, Anyway?

The Annoyance:

I sometimes use my work email for personal use. I don't want my boss reading it.

The Fix:

Join the club. Nearly 9 out of 10 people use work email to send or receive personal messages, according to a 2004 survey by the AMA. That same survey found that 60 percent of companies monitor email communications with the outside world, and one in four companies has fired someone for violating their email policies.

If you must send personal mail at work, you could use a webmail account such as Yahoo Mail or Hotmail instead of your corporate account. But remember, when you're using your work PC and/or your employer's network, your boss still has the legal right to read your outbound or inbound messages. And she could do it in a variety of ways.

For example, your IT department could have a "sniffer" device on the network that captures unencrypted data as it passes over network wires. It might employ software such as netReplay that lets them view what's on users' screens—kind of like a closed circuit TV camera trained on your PC. The office geek squad might install a keylogging program on your machine that captures everything you type. At the very least, companies concerned about employee communications can use web monitoring software to log the time you spend on these webmail sites and/or limit your access to them.

One way to defeat a sniffer is by encrypting your mail so that only you and the intended recipient can read it. (See the tip below.) Encryption is especially useful when you need to share confidential business information across the wires. But if your employer has installed a monitoring device on your computer, there's little you can do short of disabling the device—which is likely to get you in far hotter water.

As with web monitoring, find out what kinds of messages your employer looks at and how, suggests NWI's Lewis Maltby, and see if you can carve out some personal use that won't infringe on company policies. For example, you could ask your bosses to fine-tune the scanning software to make exceptions for messages that are almost certain to be personal—like email you send to your spouse.


Need to send personal email from work but don't want the boss to sneak a peek? Encrypt (scramble) your messages so that only you and your intended recipient can read them. There are a zillion email encryption products out there, but one of the easiest is Hushmail (http://www.hushmail.com), a webmail service based on the Pretty Good Privacy (PGP) encryption technology. (To send encrypted mail, your recipient must also use Hushmail or a compatible product, such as PGP Mail.) To create a free Hushmail account, simply pick a username, provide a passphrase (such as "To err is human, but it feels divine"), and jiggle your mouse pointer around on screen to create a random number sequence that Hushmail will use to encrypt your messages. That's it.

The free version of Hushmail includes a meager 2MB of storage. For $30 to $90 a year you get customer support, from 32MB to 128MB of storage, and the ability to access your Hushmail account using Outlook and other POP3 email programs. You can also stick with your existing email package and just use PGP encryption software, such as PGP Personal Desktop ($59, http://www.pgp.com) or the free (but harder to use) PGP 8.1 (available at http://www.pgp.com/products/freeware.html). For more email encryption tools, see the Electronic Privacy Information Center's list at http://www.epic.org/privacy/tools.html.

Beware of IT Spies

The Annoyance:

I know my company is scanning my email. But I also suspect the little twerps in my company's IT department are reading my messages just for kicks, and then blabbing about it to the world.

The Fix:

They very well might. A recent survey by Forrester Consulting and Proofpoint found that 44 percent of large companies hire people to scan outgoing email looking for trade secrets, copyrighted material, or anything else that could get the company in legal trouble. The problem with this, says NWI's Lewis Maltby, is that few companies have anyone assigned to watch the watchers. Slightly more than half of the companies surveyed by Bentley College had written guidelines on how Internet monitoring is supposed to be conducted. Only a third required company monitors to sign a confidentiality agreement, and one in four performed no oversight at all. The survey only included companies that employed ethics officers—so if these folks aren't thinking about keeping email monitors in line, imagine what the rest of Corporate America is like (see Table 4-2).

Again, your best solution is to ask management. Do they have written guidelines that govern monitoring procedures? Are monitors bound by a confidentiality agreement? What's done to ensure they are following proper procedures?

The bottom line, says Frederick S. Lane III, author of The Naked Employee: How Technology is Compromising Workplace Privacy, is to be very careful about what company resources you use. "If you don't want your employer reading email you send to your buddy at Alcoholics Anonymous, or your doctor, or your child, don't use your employer's computer to send that mail."

Table 4-2. Who's watching you online?

| Title | % with access to monitoring data |
|---|---|
| Security guards department | 58 |
| Human resources | 56 |
| Internal auditors | 38 |
| Chief Information Officer | 36 |
| Individuals being monitored | 8 |

Source: Reproduced with permission by the Center for Business Ethics at Bentley College.

Chewing the Fat on Chat

The Annoyance:

I use instant messaging to check in with my friends and family while I'm at work. Can my boss see who I'm talking to and when I'm logged on?

The Fix:

He sure can. For the moment, instant messaging is slightly more private than email. The Forrester survey found only 21 percent of companies are keeping an eye on IM communications, but that number is likely to grow as more companies adopt IM as a business tool and realize the potential havoc that IM could wreak. For example, the SEC now requires securities dealers to archive business IM records for three years; healthcare companies may also be required by federal statutes to preserve any electronic communications regarding patient health records, including IM.

With software such as FaceTime Communications' IM Auditor or Akonix L7 Enforcer, your company's IT department can log the amount of time you spend on IM, record all your conversations, and/or block certain activities on IM such as file sharing. They can monitor all the major chat clients (so don't think using AOL's or MSN's IM software makes you safe). They can also log when you're online; so if you set your messenger software to indicate that you're not at your desk when you really are, your boss may think you're goldbricking.

You may be able to keep your IM private by using products such as Hushmail's Hush Messenger (http://www.hushmail.com), which uses PGP encryption to scramble private conversations with other Hush Messenger users, or IMpasse (http://www.im-passe.com), which likewise automatically encrypts and decrypts messages sent via AIM, Yahoo Messenger, and MSN Messenger. Otherwise, when you use IM, assume someone's listening—because even if they aren't now, they probably will be soon.


If you think your boss eavesdropping on your instant messaging chats is bad, consider this. At a technology conference in June 2004, IMLogic managing director Derek O'Carroll told a story about an executive whose IM client was infected by a virus. The virus proceeded to record all his IM conversations and email them to everyone in his buddy list. The conversations included negative comments about coworkers—who were included on his IM buddy list (apparently they weren't close buddies). Next thing the exec knew, he was looking for a new job. Thus inspiring a twist on the old adage: if you can't say anything nice, don't say it on IM.

You want to notify the SEC that your company is breaking the law, but you don't want your boss to find out who squealed. Or maybe a coworker has a personal hygiene problem, but you just don't have the heart to tell him to his face. Anonymizer.com offers a free email service (https://www.anonymizer.com) that lets you send messages that are completely untraceable. Of course, anonymous services like this can also be used to harass or stalk people—so please use your anonymity for good, not evil.

Do Your Hunting From Home

The Annoyance:

I hate my job, so during breaks at work, I've been posting digital résumés on job boards like Monster.com. There's no way my boss can find out, is there?

The Fix:

There is. If your company has installed web filtering software like Websense or SurfControl—or even just looked at the network server logs—your boss could easily find out exactly how much time you've been spending at Monster.com or any other online job board. If the company uses an email security program such as ClearSwift's MIMESweeper, it could scan outgoing email looking for telltale signs (like file attachments with "résumé" in the title). If they use a keylogger, they can detect what you've been typing on your PC at any time. And so on.

One solution may be to use an anonymous proxy server and email encryption, assuming you can get them to work through the office firewall. But a better idea is simply to avoid using your work PC for anything involving a job search—unless you want your boss to help you in your quest by firing you. (For more tips on Net job hunting privacy, see "Who's Reading Your Résumé?")
