By Amy Joyce
Washington Post Staff Writer
Sunday, October 1, 2006
If you think you're being watched, you probably are.
As more news creeps out about the complicated scheme Hewlett-Packard Co. used to spy on executives, board members and reporters to find out who was leaking information to the media, one might wonder: Is someone, right this very minute, watching my keystrokes? Or reading my e-mail? Doing background checks on me even after I'm hired? Noticing when I come and go based on my key card?
How about all of the above -- and more.
With today's technologies, more data and intellectual property is becoming available as employees willingly or accidentally share information as they e-mail, instant message, BlackBerry or just walk out of the office. And so companies are finding ways to track that incoming and outgoing data or to simply block it. Some have hired companies to track e-mail or Web site visits. Some companies keep data on employee movements thanks to electronic key cards. Others block Web sites they don't want employees visiting.
"Technology has provided a capability that we never had before to check up on employees like never before," said Manny Avramidis, senior vice president of global human resources at the American Management Association. "It's within an organization's right to monitor anything you do during work time using work tools."
According to a 2005 survey of 526 companies by the AMA and the ePolicy Institute, 76 percent of companies monitor employee Web site connections, and 36 percent of employers track content that employees are receiving and sending, keystrokes and time spent at the keyboard. And 55 percent of employers retain and review e-mail. All of that monitoring resulted in 26 percent of companies firing employees for misusing the Internet and 25 percent firing workers for misusing e-mail, the survey said.
Because employees understand their e-mail can be monitored, many will send information via IM, maybe with an attachment. Or they may simply use an Internet-based e-mail that bypasses the corporate server. But companies are catching on to that, as well, and hiring such companies as Websense Inc., which monitors employee Internet usage.
Websense has a tool that runs weekly risk reports that categorize Internet usage at a client by category, including adult content and bandwidth consumption. That way, companies can quickly glance at a report and see if anything (or anyone) stands out.
So if, say, one employee is going to Yahoo 10 or 15 times a day, Websense will detect that and report it back to the company client.
"Employers need tools to make monitoring Internet access easy," said Michele Shannon, senior director of product management at Websense. "If you have 1,000 or 2,000 employees sitting at a computer eight or nine hours a day, that could be impossible to track."
Websense surveys have found that more than 70 percent of companies use some kind of filtering tool to block access to specific Web sites. The market for companies like Websense is growing at about 17 percent a year, Shannon said.
Just this week, Websense took it one step further: It announced that it will soon have a tool that can block certain information from leaving the company. It can also block just some people from transmitting particular information. So if, for instance, the company is about to make an announcement it doesn't want the public to know yet, people in the public relations department may get access to send it out a day before anyone else. But if an unauthorized person, say the guy in IT, tries to send it out, he would be blocked from doing so. In addition, that public relations person could be blocked from sending the information via IM or a personal Internet e-mail account.
Marriott International Inc. has a system that blocks inappropriate Web sites, according to Stephanie Hampton, a spokeswoman. It also, like many major companies, has a corporate policy that says the Internet and e-mail should be used for business purposes only. "However, in today's complex world where we blend personal and corporate lives, it is acceptable to use e-mail and Internet for some personal use," she said.
Marriott also doesn't monitor company e-mail daily, she said, though it does have the ability to go back and look at e-mail. But, Hampton said, the company has never had a reason to do that.
But let's not take it too far, said Jamie Johnson, a partner in labor and employment law with Bryan Cave LLP. "Companies don't get any benefit out of intruding in to employees' privacy. And they generally do it when they perceive they have a very serious stake in there," he said.
Potential watching, however, doesn't just stop at employee Internet use.
Some employers are turning to extensive background checks. Companies like Taleo Corp. are hired by organizations not only to do a general background check on all new employees but also to regularly screen existing employees.
"More and more companies are doing this for all the obvious reasons," including an increase in workplace violence and embarrassing events such as RadioShack's discovery that its now-former chief executive lied on his résumé about his education, said Dave Michaud, Taleo's vice president of product marketing. The background checks are being used not only in hiring employees, but also after they are employed because a company needs to know if workers are committing crimes, he said.
Taleo, for example, recently screened 12,000 employees for a major hospital organization who hadn't gone through a Taleo pre-hire screening. It found that 198 current employees had pre-employment felonies and misdemeanors the company didn't know about and that 74 employees had post-hiring problems, including charges related to driving under the influence, prostitution, drugs, fraud and robbery.
Taleo's 620 customers include 31 of the Fortune 100 as well as small and mid-size companies.
Taleo had been a hiring and recruitment firm, but in March, after discovering that 94 percent of its clients were performing background checks on employees new and old, it began doing electronic background checks as well.
But there is another way to track employees.
You know how you barely need a key to enter an office anymore? That's right: Those electronic cards you use to get into work may also be used to track your movement.
In a study last year of six major companies by the Rand Corp., it was found that all of them stored data about who went where and when, thanks to their radio frequency identification tags. According to "9 to 5: Do You Know if Your Boss Knows Where You Are?" five of the six private-sector companies surveyed said the records collected were used to understand movements of an individual going in and out of the building and to describe the behavior of many individuals without identifying who they were. And in all cases, records were linked to other company databases -- mostly to personnel records.
Rand did not identify the companies but said each employs 1,500 or more workers.
Only one of the companies Rand studied had a written policy about how that information can be used, leaving the potential for abuse of the records wide open. And none of the companies told employees that data collected with the access cards "are used for more than simply controlling locks," the survey said.
"I think it wasn't collected with the intent of using it to snoop on employees," said Tora Bikson, one of the study's authors and a senior behavioral scientist. "But a byproduct of digital technologies is that they lay down traces. And somebody will have the 'Aha, we can use this to see who used this when that piece of intellectual property disappeared. Or to see if this person who claims to work 8 to 7 actually works here all day.' "
Taking it one step further, CityWatcher.com, a Cincinnati company that stores surveillance camera footage, implanted two of its employees and its chief executive with a microchip (on a voluntary basis) so they can enter a secure building that no one else can enter. Microchip implantation is becoming slightly more common in the United States and abroad. A handful of Americans have been implanted with microchips that provide access to their medical records. The Mexican government uses implants to give access to a select few to secure facilities. And clubs in Spain and Amsterdam have implants available for people who want to bypass the velvet rope lines.
So how far is too far?
"Employers should take advantage of their legal right to monitor employees' computer accounts," said Nancy Flynn, president of the ePolicy Institute. "But they want to follow best practices that spell out what the rules are. I have never in all my experience heard of a CEO that sits in corner office reading everyone's e-mail."
So we can all breathe a sigh of relief that our co-workers don't know of that fight we're having with the neighbors or those wild e-mailed recollections from last weekend. Right? Well, Flynn has another take, too: "I do hear of people in the IT department charged with the task of looking at employee e-mail either forwarding messages or in some way inappropriately responding to messages."
Good to know.