Being Big Brother: Monitoring employees' network activity

If you, as network administrator or IT policy maker, are charged with being Big Brother for your company, there are both legal and technological factors to consider.

In this article, we'll discuss both. Remember, though, that laws differ from country to country and even from state to state, and even if you think you know the law in your jurisdiction, it's subject to change any time a legislative body meets.

Why monitor employees' network activities?

Why should you consider monitoring employees' activities in the first place? Are employers who read their employees' e-mail or keep track of Web sites visited just being nosy and overly controlling? Unfortunately, the company can be held civilly liable or even criminally responsible for employees' actions.

If an employee downloads pornography onto a work computer that is displayed, intentionally or accidentally, to others, the company could be sued for sexual harassment (creating or allowing a "hostile workplace"). If the employee downloads child porn, the company may become caught up in a criminal investigation. If the employee is embezzling money from customers' accounts, the company could be held to be negligent. If an employee uses company equipment to commit any criminal act, at the very least the company may end up having its computers confiscated for evidence.

Even if the employees' activities aren't subject to criminal charges or lawsuits, wasting large amounts of company time surfing non-business-related Web sites, sending personal e-mail or chatting with friends costs the company money in lost productivity.

Downloading large files uses network bandwidth and may slow down the network for legitimate users. Visiting unsafe Web sites may introduce viruses and other malware to the company network. Finally, employees may deliberately or inadvertently expose confidential company information (trade secrets, personnel data, financial information) to unauthorized persons through e-mail or chat.

Monitoring employees' network activities: policy issues

Although there have been a number of cases where employees have sued employers for invasion of privacy (usually under state statutes), in most cases the courts have sided with the employer.

Note: Although many people think the Constitution explicitly guarantees a right to privacy, the privacy protections in the Bill of Rights apply only when the government is the intruder. Some state constitutions or statutes address individual privacy rights, and these differ widely in scope.

Two important concepts used by the court in determining whether monitoring is permissible under the law are:

  • The "expectation of privacy" of the employee
  • The "reasonableness" of the monitoring

Some employees have claimed to have an expectation of privacy because their access is protected by a password. In cases such as Burke v. Nissan Motor Corp. and McLaren v. Microsoft Corp., the courts have rejected that claim and said employees have no expectation of privacy in communications that are sent over the company's network.

Nonetheless, to address the expectation of privacy, companies should have a written policy stating that they will or may monitor specific employee activities, and the policy should be distributed to all employees. Each employee should be required to sign an acknowledgement that he or she received and understands the notification.

The reasonableness principle goes to the reason for the monitoring. The company's case is stronger if you are monitoring for a specific reason, such as:

  • To ensure compliance with company policies
  • To investigate a specific suspected case of misconduct or illegal activity

In the U.S., the Electronic Communications Privacy Act (ECPA) prohibits interception and disclosure of electronic communications, but it contains a "consent" exception that would apply if you have the signed notification, as well as a "business extension" exception that permits monitoring when you have a business-related purpose.

Note: In 1993, the U.S. Congress introduced the Privacy for Consumers and Workers Act, which would have required employers to give notice before electronically monitoring employees. However, the act failed to pass.

Reading employees' e-mail

Sending an e-mail message over the Internet is somewhat like sending a postcard through the mail. Unless it's encrypted, it can be easily intercepted and read at any server along the way. The network administrator can access users' mailboxes on the company e-mail server. Some courts have held this to fall under yet another ECPA exception, the "service provider" exception, which allows communications service providers to access stored communications.

The sheer volume of e-mail that goes through most companies' networks, however, makes it difficult to monitor. Monitoring software such as Spector CNE can be set to detect key words and phrases you specify, to make it easier to detect policy violations.

In fact, Spector CNE Corporate Network Edition captures and records sent and received e-mail messages, chat conversations, instant messages, file downloads, removable media transfers, Web sites visited, applications launched, network connections established and even logs keystrokes. Key words in e-mail, chat, IM or Web sites can trigger an immediate e-mail alert to administrators. Activity is automatically archived to a central server. For more information, see spectorcne.com.

Monitoring employees' Web access

You can monitor the Web sites visited by employees through the log files of many popular firewalls. Add-in products can extend these capabilities. For example, GFI's WebMonitor for Microsoft ISA Server makes it easy to track the Web sites that users are visiting and the files they're downloading in real time. Administrators can monitor users' Web access from their own browsers.

The software provides histories by URL and by user (see who accessed a particular site or see all sites accessed by a particular user). You can block a connection or download in real time, and you can easily add sites you want to block to an ISA Server access rule. For more information, see gfi.com/webmon.
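The two views described above (all sites by user, all users by site) plus a block-list check, built from a constructed proxy log, as an added illustration that is not code from the article or from ISA Server or WebMonitor; the log layout (date time client-ip user method url status) is an assumption:

```python
import re
from collections import defaultdict

# Constructed sample log (date time client-ip user method url status); not real product output.
SAMPLE_LOG = """\
2005-03-01 09:12:03 10.0.0.21 jsmith GET http://intranet.example.local/ 200
2005-03-01 09:14:47 10.0.0.21 jsmith GET http://files.example.net/big.iso 200
2005-03-01 09:15:10 10.0.0.33 bjones GET http://games.example.org/play 200
2005-03-01 09:16:02 10.0.0.33 bjones GET http://intranet.example.local/hr 200
this line is corrupt and must be skipped
2005-03-01 09:20:55 10.0.0.21 jsmith GET http://games.example.org/lobby 403
"""
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def host_of(url):
    """Return the lowercased host part of a URL (scheme and path stripped)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0].lower()

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["host"] = host_of(rec["url"])
            records.append(rec)
    return records

def history_by_user(records):
    """All sites accessed by each user, in log order (the per-user view)."""
    hist = defaultdict(list)
    for r in records:
        hist[r["user"]].append(r["host"])
    return dict(hist)

def history_by_site(records):
    """Which users accessed each site (the per-URL view)."""
    hist = defaultdict(set)
    for r in records:
        hist[r["host"]].add(r["user"])
    return dict(hist)

def blocklist_hits(records, blocklist):
    """Accesses to block-listed hosts, i.e. candidates for an access rule."""
    blocked = {h.lower() for h in blocklist}
    return [(r["user"], r["url"], r["status"]) for r in records if r["host"] in blocked]
```

A 403 on a block-listed host shows the rule already firing; a 200 shows a site that still needs adding to the rule.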

'Listening in' on IM/chat sessions

Instant messaging and Internet Relay Chat (IRC) are probably the most misused of all network applications. However, they can also be useful for business purposes, so you may not want to prohibit such real-time communications altogether.

There are a number of software programs that you can use to block, monitor and manage IM and chat activity on your network, including Akonix L7 Enterprise, an IM gateway that logs all IM conversations and works with most IM networks, including America Online, Microsoft Corp.'s MSN, Yahoo, ICQ and enterprise IM systems (Microsoft Live Communications Server, IBM Lotus Instant Messaging). You can block file transfers, games, video conferencing and other individual IM features and enforce real-time content filtering. For more info, see akonix.com/products/l7enterprise.asp.

Monitoring and recording IP phone conversations

The federal wiretap statutes generally prohibit recording telephone conversations without the consent of at least one party to the conversation. Some state laws require the consent of all parties. Here's a list of which states require all-party consent.

The "business telephone" exception to the federal law generally permits monitoring of a company's business telephone lines for quality control and other business purposes.

According to a paper published in the Michigan Law Review last year, the wiretap statutes don't apply to stored electronic communications, which includes archived VoIP calls. Supreme Court rulings have held that such records have no reasonable expectation of privacy.

Software and devices such as Call Corder, PBXpress and VocalMaxIP are available to record telephone conversations from one or multiple lines and archive them on a hard disk.

Summary

Due to legal requirements, threats to network security and budgetary considerations, more and more companies are finding it necessary to become Big Brother and monitor some or all of their employees' network activities. If you're tasked with implementing a monitoring plan, be sure that the proper policies are in place first, and check into software packages and hardware devices that will make it easier to keep track of what your network users are doing and ensure that they're complying with both company policy and the law.

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to more than 20 additional books. Her articles are regularly published on TechRepublic's TechProGuild Web site and Windowsecurity.com, and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corp., Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. She lives and works in the Dallas-Fort Worth area and can be reached at deb@shinder.net or at www.shinder.net.

Copyright © 2005 IDG Communications, Inc.
