Being Big Brother: Monitoring employees' network activity
If you, as network administrator or IT policy maker, are charged with being Big Brother for your company, there are both legal and technological factors to consider. In this article, we'll discuss both. Remember, though, that laws differ from country to country and even from state to state, and even if you think you know the law in your jurisdiction, it's subject to change any time a legislative body meets.
Why monitor employees' network activities?
Why should you consider monitoring employees' activities in the first place? Are employers who read their employees' e-mail or keep track of Web sites visited just being nosy and overly controlling? Unfortunately, the company can be held civilly liable or even criminally responsible for employees' actions.
If an employee downloads pornography onto a work computer that is displayed, intentionally or accidentally, to others, the company could be sued for sexual harassment (creating or allowing a "hostile workplace"). If the employee downloads child porn, the company may become caught up in a criminal investigation. If the employee is embezzling money from customers' accounts, the company could be held to be negligent. If an employee uses company equipment to commit any criminal act, at the very least the company may end up having its computers confiscated for evidence.
Even if the employees' activities aren't subject to criminal charges or lawsuits, wasting large amounts of company time surfing non-business-related Web sites, sending personal e-mail or chatting with friends costs the company money in lost productivity. Downloading large files uses network bandwidth and may slow down the network for legitimate users. Visiting unsafe Web sites may introduce viruses and other malware to the company network. Finally, employees may deliberately or inadvertently expose confidential company information (trade secrets, personnel data, financial information) to unauthorized persons through e-mail or chat.
Monitoring employees' network activities: policy issues
Although there have been a number of cases where employees have sued employers for invasion of privacy (usually under state statutes), in most cases the courts have sided with the employer.
Although many people think the Constitution explicitly guarantees a right to privacy, the privacy protections in the Bill of Rights apply only when the government is the intruder. Some state constitutions or statutes address individual privacy rights, and these differ widely in scope.
Two important concepts used by the court in determining whether monitoring is permissible under the law are:
- The "expectation of privacy" of the employee
- The "reasonableness" of the monitoring
Some employees have claimed to have an expectation of privacy because their access is protected by a password. In cases such as Burke v. Nissan Motor Corp and McLaren v. Microsoft Corp., the courts have rejected that claim and said employees have no expectation of privacy in communications that are sent over the company's network.
Nonetheless, to address expectation of privacy, companies should have a written policy stating that they will or may monitor specific employee activities, and the policy should be distributed to all employees. Each employee should be required to sign an acknowledgement that he/she received and understands the notification.
The reasonableness principle goes to the reason for the monitoring. The company's case is stronger if you are monitoring for a specific reason, such as:
- To ensure compliance with company policies
- To investigate a specific suspected case of misconduct or illegal activity
In the U.S., the Electronic Communications Privacy Act (ECPA) prohibits interception and disclosure of electronic communications, but it contains a "consent" exception that would apply if you have the signed notification, as well as a "business extension" exception that permits monitoring when you have a business-related purpose.
In 1993, the U.S. Congress introduced the Privacy for Consumers and Workers Act, which would have required employers to give notice before electronically monitoring employees. However, the Act failed to pass.
Reading employees' e-mail
Sending an e-mail message over the Internet is somewhat like sending a postcard through the mail. Unless it's encrypted, it can be easily intercepted and read at any server along the way. The network administrator can access users' mailboxes on the company e-mail server. Some courts have held this to fall under yet another exception in the ECPA, the "service provider" exception, which allows communications services providers to access stored communications.
The sheer volume of e-mail that goes through most companies' networks, however, makes it difficult to monitor. Monitoring software such as Spector CNE can be set to detect key words and phrases you specify, to make it easier to detect policy violations. In fact, Spector CNE Corporate Network Edition captures and records sent and received e-mail messages, chat conversations, instant messages, file downloads, removable media transfers, Web sites visited, applications launched, network connections established and even logs keystrokes. Key words in e-mail, chat, IM or Web sites can trigger an immediate e-mail alert to administrators. Activity is automatically archived to a central server. For more information, see http://www.spectorcne.com/
Monitoring employees' Web access
You can monitor the Web sites visited by employees through the log files of many popular firewalls. Add-in products can extend these capabilities. For example, GFI's WebMonitor for Microsoft ISA Server makes it easy to track the Web sites that users are visiting and the files they're downloading in real time. Administrators can monitor users' Web access from their own browsers.
The software provides histories by URL and by user (see who accessed a particular site or see all sites accessed by a particular user). You can block a connection or download in real time, and you can easily add sites you want to block to an ISA Server access rule. For more information, see http://www.gfi.com/webmon/
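As an added example (not code from the article or from any product it names), the following Python script builds the two histories described above, sites visited per user and users per site, from a constructed, simplified proxy log, and raises the kind of keyword and large-download alerts mentioned in the e-mail section. The five-field log layout is an assumption for illustration, not any vendor's real format.

```python
import re
from collections import defaultdict
# Constructed sample log lines (a simplified generic proxy-log layout, not any
# vendor's real format): timestamp user client_ip url bytes_transferred
SAMPLE_LOG = """\
2005-03-01T09:02:11 alice 10.0.0.12 http://intranet.example.com/hr/policy.html 5120
2005-03-01T09:03:40 bob 10.0.0.15 http://news.example.net/sports 18340
2005-03-01T09:05:02 alice 10.0.0.12 http://news.example.net/sports 17200
2005-03-01T09:07:55 carol 10.0.0.21 http://downloads.example.org/big.iso 734003200
2005-03-01T09:08:13 bob 10.0.0.15 http://chat.example.com/room/gaming 2048
garbage line that does not match the layout and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<url>\S+) (?P<bytes>\d+)$")

def parse_log(text):
    """Parse log text into dicts; lines not matching the layout are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records

def host_of(url):
    """Lowercase host part of a URL, with scheme and path stripped."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def histories(records):
    """Two views of the same data: hosts visited per user, users per host."""
    by_user, by_host = defaultdict(set), defaultdict(set)
    for r in records:
        host = host_of(r["url"])
        by_user[r["user"]].add(host)
        by_host[host].add(r["user"])
    return ({u: sorted(h) for u, h in by_user.items()},
            {h: sorted(u) for h, u in by_host.items()})

def alerts(records, keywords, large_download=100 * 1024 * 1024):
    """Flag URLs containing a policy keyword and transfers over a byte threshold."""
    out = []
    for r in records:
        hits = [k for k in keywords if k in r["url"].lower()]
        if hits:
            out.append((r["ts"], r["user"], "keyword:" + ",".join(hits), r["url"]))
        if r["bytes"] >= large_download:
            out.append((r["ts"], r["user"], "large-download", r["url"]))
    return out
```

In practice the keyword list and download threshold come from the written policy the employees acknowledged, so each alert can be tied back to a specific rule.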
"Listening in" on IM/chat sessions
Instant messaging and Internet Relay Chat (IRC) are probably the most misused of all network applications. However, they can also be useful for business purposes, so you may not want to prohibit such real-time communications altogether.
There are a number of software programs that you can use to block, monitor and manage IM and chat activity on your network, including Akonix L7 Enterprise, an IM gateway that logs all IM conversations and works with most IM networks, including AOL, MSN, Yahoo, ICQ and enterprise IM systems (Microsoft Live Communications Server, IBM Lotus Instant Messaging). You can block file transfers, games, video conferencing and other individual IM features and enforce real-time content filtering. For more info, see http://www.akonix.com/products/l7enterprise.asp
Monitoring and recording IP phone conversations
The federal wiretap statutes generally prohibit recording telephone conversations without the consent of at least one party to the conversation. Some state laws require the consent of all parties (for a list of which states require all-party consent, see http://www.callcorder.com/phone-recording-law-america.htm#State%20Laws%20(Table)).
The "business telephone" exception to the federal law generally permits monitoring of a company's business telephone lines for quality control and other business purposes.
According to a paper published in the Michigan Law Review last year, the wiretap statutes don't apply to stored electronic communications, which includes archived VoIP calls. Supreme Court rulings have held that such records have no reasonable expectation of privacy.
Software and devices such as Call Corder and PBXpress (www.callcorder.com) and VocalMaxIP (http://www.businesssystemsuk.co.uk/call_recording_vocalmaxip.asp) are available to record telephone conversations from one or multiple lines and archive them on a hard disk.
Due to legal requirements, threats to network security and budgetary considerations, more and more companies are finding it necessary to "become Big Brother" and monitor some or all of their employees' network activities. If you're tasked with implementing a monitoring plan, be sure that the proper policies are in place first, and check into software packages and hardware devices that will make it easier to keep track of what your network users are doing and ensure that they're complying with both company policy and the law.