Being Big Brother: Monitoring employees' network activity
October 03, 2005 -- If you, as network administrator or IT policy maker, are charged with being Big Brother for your company, there are both legal and technological factors to consider.
In this article, we'll discuss both. Remember, though, that laws differ from country to country and even from state to state, and even if you think you know the law in your jurisdiction, it's subject to change any time a legislative body meets.
Why monitor employees' network activities?
Why should you consider monitoring employees' activities in the first place? Are employers who read their employees' e-mail or keep track of Web sites visited just being nosy and overly controlling? Unfortunately, the company can be held civilly liable or even criminally responsible for employees' actions.
If an employee downloads pornography onto a work computer that is displayed, intentionally or accidentally, to others, the company could be sued for sexual harassment (creating or allowing a "hostile workplace"). If the employee downloads child porn, the company may become caught up in a criminal investigation. If the employee is embezzling money from customers' accounts, the company could be held to be negligent. If an employee uses company equipment to commit any criminal act, at the very least the company may end up having its computers confiscated for evidence.
Even if the employees' activities aren't subject to criminal charges or lawsuits, wasting large amounts of company time surfing non-business-related Web sites, sending personal e-mail or chatting with friends costs the company money in lost productivity.
Downloading large files uses network bandwidth and may slow down the network for legitimate users. Visiting unsafe Web sites may introduce viruses and other malware to the company network. Finally, employees may deliberately or inadvertently expose confidential company information (trade secrets, personnel data, financial information) to unauthorized persons through e-mail or chat.
Monitoring employees' network activities: policy issues
Although there have been a number of cases where employees have sued employers for invasion of privacy (usually under state statutes), in most cases the courts have sided with the employer.
Note: Although many people think the Constitution explicitly guarantees a right to privacy, the privacy protections in the Bill of Rights apply only when the government is the intruder. Some state constitutions or statutes address individual privacy rights, and these differ widely in scope.
Two important concepts used by the court in determining whether monitoring is permissible under the law are:

  • The "expectation of privacy" of the employee

  • The "reasonableness" of the monitoring

Some employees have claimed to have an expectation of privacy because their access is protected by a password. In cases such as Burke v. Nissan Motor Corp. and McLaren v. Microsoft Corp., the courts have rejected that claim and said employees have no expectation of privacy in communications that are sent over the company's network.
Nonetheless, to address the expectation of privacy, companies should have a written policy stating that they will or may monitor specific employee activities, and the policy should be distributed to all employees. Each employee should be required to sign an acknowledgement that he or she received and understands the notification.
The reasonableness principle goes to the reason for the monitoring. The company's case is stronger if you are monitoring for a specific reason, such as:
  • To ensure compliance with company policies

  • To investigate a specific suspected case of misconduct or illegal activity

In the U.S., the Electronic Communications Privacy Act (ECPA) prohibits interception and disclosure of electronic communications, but it contains a "consent" exception that would apply if you have the signed notification, as well as a "business extension" exception that permits monitoring when you have a business-related purpose.
Note: In 1993, the U.S. Congress introduced the Privacy for Consumers and Workers Act, which would have required employers to give notice before electronically monitoring employees. However, the act failed to pass.
Reading employees' e-mail
Sending an e-mail message over the Internet is somewhat like sending a postcard through the mail. Unless it's encrypted, it can be easily intercepted and read at any server along the way. The network administrator can access users' mailboxes on the company e-mail server. Some courts have held this to fall under yet another exception in the ECPA, the "service provider" exception, which allows communications service providers to access stored communications.
The sheer volume of e-mail that goes through most companies' networks, however, makes it difficult to monitor. Monitoring software such as Spector CNE can be set to detect key words and phrases you specify, to make it easier to detect policy violations.
In fact, Spector CNE Corporate Network Edition captures and records sent and received e-mail messages, chat conversations, instant messages, file downloads, removable media transfers, Web sites visited, applications launched, network connections established and even logs keystrokes. Key words in e-mail, chat, IM or Web sites can trigger an immediate e-mail alert to administrators. Activity is automatically archived to a central server. For more information, see spectorcne.com.
Monitoring employees' Web access
You can monitor the Web sites visited by employees through the log files of many popular firewalls. Add-in products can extend these capabilities. For example, GFI's WebMonitor for Microsoft ISA Server makes it easy to track the Web sites that users are visiting and the files they're downloading in real time. Administrators can monitor users' Web access from their own browsers.
The software provides histories by URL and by user (see who accessed a particular site or see all sites accessed by a particular user). You can block a connection or download in real time, and you can easily add sites you want to block to an ISA Server access rule. For more information, see gfi.com/webmon.
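As an added example (not from the article and not GFI's or any other vendor's code), the following Python script builds the by-user and by-site histories described above from firewall/proxy log lines, and flags downloads by file extension. The log field layout, user names and hostnames are constructed assumptions, not a real product's format.

```python
# Added example: per-user / per-site access histories from a proxy or firewall log.
# The six-field layout (date time client_ip user url status) is an assumption.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic); '#' lines are comments to skip.
SAMPLE_LOG = """\
2005-10-03 09:12:01 10.0.0.12 CORP\\alice http://intranet.example.com/hr/policy.pdf 200
2005-10-03 09:13:44 10.0.0.12 CORP\\alice http://news.example.net/sports 200
2005-10-03 09:15:09 10.0.0.27 CORP\\bob http://filehost.example.org/big.iso 200
2005-10-03 09:15:30 10.0.0.27 CORP\\bob http://news.example.net/tech 200
2005-10-03 09:16:02 10.0.0.12 CORP\\alice http://filehost.example.org/tool.exe 200
# comment line that should be skipped
"""


def parse_log(text):
    """Yield (user, host, path) tuples; skip blank, comment and malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line: skip rather than abort the whole report
        user, url = parts[3], parts[4]
        parsed = urlparse(url)
        yield user, parsed.hostname, parsed.path


def build_histories(text):
    """Return (sites_by_user, users_by_site): the two views the article describes."""
    sites_by_user = defaultdict(set)
    users_by_site = defaultdict(set)
    for user, host, _path in parse_log(text):
        sites_by_user[user].add(host)
        users_by_site[host].add(user)
    return ({u: sorted(s) for u, s in sites_by_user.items()},
            {h: sorted(u) for h, u in users_by_site.items()})


def flag_downloads(text, watched_extensions=(".exe", ".iso")):
    """Return (user, host, path) for downloads whose extension is on the watch list."""
    return [(u, h, p) for u, h, p in parse_log(text)
            if p.lower().endswith(tuple(watched_extensions))]


if __name__ == "__main__":
    sites, users = build_histories(SAMPLE_LOG)
    print(sites, users, flag_downloads(SAMPLE_LOG), sep="\n")
```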
'Listening in' on IM/chat sessions
Instant messaging and Internet Relay Chat (IRC) are probably the most misused of all network applications. However, they can also be useful for business purposes, so you may not want to prohibit such real-time communications altogether.
There are a number of software programs that you can use to block, monitor and manage IM and chat activity on your network, including Akonix L7 Enterprise, an IM gateway that logs all IM conversations and works with most IM networks, including America Online, Microsoft Corp.'s MSN, Yahoo, ICQ and enterprise IM systems (Microsoft Live Communications Server, IBM Lotus Instant Messaging). You can block file transfers, games, video conferencing and other individual IM features and enforce real-time content filtering. For more info, see akonix.com/products/l7enterprise.asp.
Monitoring and recording IP phone conversations
The federal wiretap statutes generally prohibit recording telephone conversations without the consent of at least one party to the conversation. Some state laws require the consent of all parties. Here's a list of which states require all-party consent.
The "business telephone" exception to the federal law generally permits monitoring of a company's business telephone lines for quality control and other business purposes.
According to a paper published in the Michigan Law Review last year, the wiretap statutes don't apply to stored electronic communications, which includes archived VoIP calls. Supreme Court rulings have held that such records have no reasonable expectation of privacy.
Software and devices such as Call Corder, PBXpress and VocalMaxIP are available to record telephone conversations from one or multiple lines and archive them on a hard disk.

Summary
Due to legal requirements, threats to network security and budgetary considerations, more and more companies are finding it necessary to become Big Brother and monitor some or all of their employees' network activities. If you're tasked with implementing a monitoring plan, be sure that the proper policies are in place first, and check into software packages and hardware devices that will make it easier to keep track of what your network users are doing and ensure that they're complying with both company policy and the law.

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to more than 20 additional books. Her articles are regularly published on TechRepublic's TechProGuild Web site and Windowsecurity.com, and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corp., Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. She lives and works in the Dallas-Fort Worth area and can be reached at deb@shinder.net or at www.shinder.net.