From the moment you walk into work until the moment you leave, your boss or his minions may be spying on you.
Computerworld has noted before that surveillance cameras are becoming more common in the workplace ("Big Brother is watching you ... and he's a computer"). But what we are talking about here is the more insidious tracking of your digital footprints as you go about your computing workday. When you start thinking about all the ways that you can be digitally tracked, it can make even the least paranoid person sit up and take notice.
By now, most of us know that our Web browsing histories are stored on our own PCs, which comes in handy when we want to track down a cheating spouse or errant teenager, but is less useful when we are looking at, shall we say, recreational sites at the workplace. Granted, this history can be easily erased if someone knows the right command. But when you are connected to a corporate network, this information can easily be recorded by any number of network packet-capturing and forensic products that are typical these days (see the list at the bottom of this article).
There is even one product, called Locate from eTelemetry Inc., that will cross-correlate your IP address, network log-in name, machine location and other data, making it easier to track you down when you do something that you shouldn't be doing. (See the review here.)
The same is true for how easy it is to view most of your e-mail and instant messaging conversations. There are products from Symantec Corp. and others that can be used to audit these conversations and record everything that is transmitted across the enterprise network (see the list below). Because most of these conversations occur in plain text, they are very easy to record using these tools. The one exception has to do with encrypted messages, and we'll get to that in a moment under defensive measures. The old saying goes, "Don't put anything in e-mail that you wouldn't write on a postcard." E-mail is that public and that easy to track.
And if you have a business cell phone, chances are someone in your telecommunications department is reading your monthly call list and looking at your calls, too. Some of the cellular carriers can provide near-real-time calling data via their billing Web sites, so the watchers don't even have to wait for the printed bills.
If you have been issued an electronic corporate ID card that you use to gain entry to your building, your entries and possibly exits are being recorded somewhere for posterity. And finally, there are those security cameras to capture your image on videotape.
E-mail and IM defensive measures
So how can you defend yourself? There are several different types of tools available. First, at the most basic level, you can encrypt your e-mails and IMs with products such as PGP Desktop that are free or low-cost and can be installed with a minimum of bother. The one drawback is that your correspondents have to use the same product to encrypt their messages back to you. One nicety about PGP is that it can automatically encrypt all AOL Instant Messenger sessions, provided your correspondents are using it too.
Encryption can hide the text of your e-mail messages but, in some cases, not the names of the participants, depending on how your correspondents have set up their software.
PGP Desktop runs on Windows, Linux and Mac OS X and comes in several versions and support packages. Most cost less than $100. There are also free chat software alternatives such as X-IM.net, PSST (which also does voice chats) and a free version of PGP, too. There is also the free Hushmail Communications Corp. service that hosts encrypted e-mail accounts and just needs a Web browser to operate.
Another chat alternative that automatically encrypts all sessions is Skype, from Skype Ltd. There are two potential drawbacks to its use. First, many corporate IT shops have tried to block Skype for various reasons, so it may raise more red flags if you start using it for your communications. Second, Skype can be set up to automatically record all chat sessions to your local drive: I had to fire one employee a few years ago, and he didn't realize that all of his sessions were nicely recorded on his machine that he returned to the company -- something to keep in mind. (The default setting on other IM chat clients is usually not to record all sessions, but it is worth taking a quick look to make sure.)
Web defensive measures
Probably the best advice is to stick to work-related Web browsing when you are at the office, but the Web is often too tempting, especially when those e-mails and IMs from colleagues arrive daily with "check this site out." There are a number of tools that you can use if you wish for your Web surfing to remain anonymous. The easiest way is to connect to one of any number of anonymous proxy servers, such as TheFreeCountry.com, that will hide your origins. There are also products from Anonymizer Inc. called Total Net Shield and Anonymous Surfing, which cost $100 and $30 per year, respectively, and can further hide your identity.
None of these products will get around the general packet-capturing programs that will record your originating IP address, but at least you won't be leaving any digital tracks on the sites themselves. The downside here is that some corporate IT departments specifically block access to these proxies or don't allow you to change from the corporate proxy server, so this might be a moot point anyway.
Protected desktop
Another solution is to use a "protected desktop" tool. For extreme measures, you could make use of Microsoft Virtual PC or something similar, but a much better and less expensive solution is from Mojopac.com. This is a product that is geared mainly toward people who use lots of Internet cafes or other public computers and want to protect themselves from infection or just carry all their standard tools with them in one easy place. Mojopac installs software to any USB thumb drive and will automatically launch a protected, virtual session from the drive. Once you are inside this session, you don't have access to your host's PC resources, but you don't leave any trace of your activities on it, either. You can install Mojopac on a variety of USB devices, including all iPods (other than the Shuffle). It costs $50 for a single installation.
As you can see, a few ounces of prevention may be worth the agony of detection. And while there isn't a single tool that can do everything, it is worth keeping in mind, for your own sanity, which activities can be detected.
Paranoia Product List
General-purpose packet-capture tools
IM auditing and monitoring tools
E-mail/IM encryption tools
Anonymous proxies
Protected desktop
David Strom is a writer, editor, public speaker, blogging coach and consultant. He is a former editor in chief of Network Computing and "Tom's Hardware" and has his own blog at Strominator.com. He can be reached at david@strom.com.