E-mail, Net not private for workers

October 21, 2001

Chuckle over the funny e-mail your sister sent you. Feel free to use the company computer to buy that book from Amazon.com. while you're at it.

Workers may not realize that it is legal for employers to monitor their on-the-job e-mail and other computer use. Even deleted files can often be retrieved.

Johanna Workman, Deseret News

But don't be surprised if your boss calls you in to explain why you're wasting company time and resources on personal pursuits.
And if you've sneaked a peek at a naughty Web site, you might want to clean off your desk.
Chances are pretty good your on-the-job Web browsing and the messages you've sent and received have been read by someone in your company. And the consequences can be severe.
Workplace privacy is no longer just about the results of drug tests, who has access to your medical records and what information the boss has gathered about your financial health, though they're still areas of concern. Online and e-mail habits now dominate.
"There are three big issues that have come up fairly recently," said Andrew Schulman, chief researcher with the Workplace Surveillance Project of the Privacy Foundation: Company time wasted while Web surfing, concern about sexual or racial harassment through e-mail and Internet activity, and fear company information will be leaked, intentionally or not.
"The interesting thing is those are all concerns in the real world, as well," he said. "But where we're seeing monitoring is in e-mail and Internet activity. Co-workers can racially and sexually harass in the real world — and that's more likely, too. They can goof off in the real world. You don't need a computer to do that. As for trade secrets outside the company, you're more likely to sneak them out in a document. But monitoring employee e-mail and Internet use is cheap and easy to do." And companies are doing it in record numbers:

Dozens of products are available to block Web sites, monitor sites visited, log keystrokes or otherwise paint a portrait of an employee's Internet use. Products can search e-mails for keywords that could signal something inappropriate, from tasteless to espionage.
Fourteen million employees, just over a third of the online work force in America, have their Internet or e-mail use under "continuous surveillance" at work, according to Schulman's project.
A poll of chief information officers found 17 percent conduct sporadic e-mail checks, 16 percent never monitor e-mail, 11 percent check on "problem" employees and 38 percent check if there's a complaint or productivity issue.
Northwest Airlines received court-ordered approval to search as many as 20 flight attendants' home computers, looking for evidence they helped organize a sickout last year. The airline reached agreement with the union, but some predict other companies may be "emboldened" to monitor what employees say and do from their own home computers.
The New York Times, Dow Chemical Corp., Merck, South Dakota state government, the Central Intelligence Agency and Xerox are just a sampling of employers who have fired and suspended workers for online misdeeds.
Nearly half the nation's large companies electronically monitor their workers, according to the American Management Association. Add other job-surveillance methods, such as phone-log review or security videotaping, and electronic oversight rises to 67.3 percent. In 80 percent of cases, companies have told employees of their policies.
A wide range of employers, including Microsoft, Disney, Boeing and Motorola, use high-tech snooping techniques. Some companies secretly comb hard drives. Technology makes it possible to create a "mirror" of an employee's hard drive and search it at leisure. Few employees realize deleting a file doesn't get rid of it.
The Minneapolis Star-Tribune reports that courts are increasingly "willing to help companies crack down on so-called cybersmearing — bad-mouthing companies or their management online."
It's not a one-way street. Employees have sued employers for invasion of privacy, defamation and harassment. And employers have fired back. One sued an ex-employee to stop him from sending bulk e-mail to current employees.

Schulman and others point out that employees — even good ones — need "down" time. And they counsel employers to be honest with workers about their expectations.
"I'm not sure why my company is so concerned about the fact that I might order something online," said an employee of a Salt Lake-based credit company who asked that her name not be used. "They're not crying when I put in extra hours to do a project for them. And that happens a lot."
Some companies also monitor personal phone calls. That usually involves checking logs to see what number was dialed and how long the conversation lasted. It's technologically trickier to listen to the call, and federal law says that though calls can be monitored, the boss has to stop listening if they're personal. On the other hand, bosses can and some do note duration and frequency. If there's a policy against personal calls, it could spell big trouble.
A Workplace Privacy Survey last year by the Society for Human Resource Management and West Group found 74 percent monitor Internet use, mostly because of lost productivity or fears of inappropriate behavior. And fewer than 24 percent of those employers believed employee e-mails were private.
Getting a handle on workplace privacy issues isn't easy. The most comprehensive national survey on the topic is more than 5 years old, conducted by Survey Research Laboratories out of the University of Illinois at Urbana-Champaign about the time the Internet was becoming a popular workplace tool.
Still, it offers hints. The survey asked Fortune 500 companies with a combined 3.2 million employees about disclosure of personal employee data, access to it, use of medical records to make employment decisions, drug testing, AIDS testing, polygraph use, hiring private investigators, and arrest, conviction and security records.
An updated version won't be completed for a while, said Ray C. Spencer, one of the study's authors. But he said employee privacy is shrinking.
Employers can amass a surprising amount of personal data on an employee, from financial history to personal relationships. The survey found most employees don't know what's in their own records, and many bosses won't tell them. Almost half of employees didn't know how their records are used.
The information may not just be flowing into your personnel file, either. Employers seem to share quite a bit of it with the outside world. About 70 percent of companies routinely gave information to nongovernment credit grantors — and not just the minimum information to answer a question. Almost half gave information to landlords and one in five to charities — but fewer than half told the employee the information was shared. A large number of the surveyed employers offered no way to fix erroneous information.
Employers can choose whether to tell workers what they're doing. Companies have successfully claimed they own the computers and can monitor them unless they are limited by union contracts or have said they don't monitor use. They own the phone and e-mail system and can monitor those, too.
Employees have few formal privacy rights.
Federally, the Electronic Communications Privacy Act of 1986 seems to confer privacy rights, but the exceptions are extremely broad and flexible. It prohibits blatant things like putting video cameras in the bathroom but not much else. A company needn't tell workers what monitoring is in place. But both workplace privacy critics and proponents say secrecy is a bad idea.
If employers tell workers their policies, chances are good the employee will follow them, experts say. Notice offers protection to the companies should litigation arise.
Companies doing business in Utah approach workplace privacy differently. Some don't monitor anything; others monitor everything. Most lie somewhere in between.
Verizon Wireless monitors a sampling of the phone calls at its call center, a fairly standard practice. An outside company surveys customers who have completed transactions. Employees use the Internet and e-mail as a business tool.
"We do understand there will be a certain amount of personal use and as long as that is kept to a minimum, that's accepted," said regional spokeswoman Debra Haven.
Intermountain Health Care uses software that monitors usage and blocks some sites, said spokesman Daron Cowley. It monitors some phone calls in its insurance plan enrollment section to assure quality service. As for e-mail, "We have a policy where we maintain the right, have the capability and on occasions when we felt we needed to, have accessed e-mail."
Utah's government takes a similar approach, said Health Department spokeswoman Jana Carlson Kettering. The capability exists but isn't used unless there's a suspicion regarding an employee or a complaint has been made.
The University of Utah doesn't seek out people who might be accessing questionable sites, because "on university campuses, the free exchange of information is key to academic and research environments," according to Chris Kidd, security and privacy officer for the Health Sciences at the U.
There are also questions about what would be inappropriate, he said. "Pornography in one instance might be a research paper in another."
But if someone begins consuming large amounts of network bandwidth that caused slowdowns or network problems, that individual would be notified, he said.
Monitoring is permitted if needed for job quality evaluation, but it has to be relevant to performance, employees have to have access to the information gained and disclosure outside the U. is forbidden.
IHC does monitor employees closely to see what information they're accessing about patients. They watch audit trails to make sure someone not involved in care isn't looking at a patient's records. Or that someone involved in care is getting only the information needed to provide that care. Other hospitals, including University Hospital, have almost identical practices.
The State Office of Education sees itself as having a higher level of responsibility than a private employer: that of protecting children.
Law requires school districts to filter the Internet. Employees, students and their parents must sign a promise not to access inappropriate Web sites on school computers.
Teachers do violate the policy, though, said Vicky Dahn, director of curriculum and educational technology in the state office. Seven lost teaching licenses in 2000 for viewing or storing Internet pornography on school computers.
The state education office computers, however, are unfiltered and their e-mail unmonitored. "There's not time in the day," Dahn said. "It's kind of the honor system."
The state office, however, does hear reports of misuse and take action. And it uses the honor system on personal phone calls employees make and requires reimbursement for long-distance calls.

Did you know?

Utah law is mostly silent on questions of workplace privacy. But state employees do have the right to examine and copy their own files if they request it in writing, though they won't be able to see "classified" information.

Computer monitoring can range from blocking sites to tracking where the employee goes online and how long he or she stays there. Actual keystrokes can be recorded and re-created. Or the company can simply track idle time at the computer, if the job is considered computer-intensive.

A burgeoning "employee Internet management" industry is evolving to help businesses monitor email and Web-surfing. And it's a big one. Workplace surveillance is expected to be a $562 million market by 2004, according to the Privacy Foundation.

One of the hottest new technology jobs is that of computer forensic specialist - folks who know how to create copies or snoop through computer hard drives without leaving a trace. They can resurrect files that are seemingly gone forever, access password-protected material and more to get a complete picture of how a computer has been used. They make very good money doing it.