Chapter 4. PRIVACY AT WORK

In the 21st century, the phrase “workplace privacy” has become something of an oxymoron. If you work in the public sector, you may be able to lean on the U.S. Constitution and other state and federal laws for a modicum of protection. If you’re slaving away for a private firm, your privacy rights can essentially be summarized as “their property, their rules.”

In the past, workplace monitoring was spurred by a desire to increase productivity. These days, corporations are more worried about attackers than slackers. Worms, viruses, spyware, and other malicious code can reach into the network of computers at any corporation, and cost billions of dollars in lost income and time spent cleaning up the mess. Hackers and electronic eavesdroppers can compromise a company’s internal networks and steal confidential data—if employees don’t accidentally leak the information first via email or instant messaging. Concerns about security lead human resource executives to employ in-depth background checks and pre-employment screening. And that’s barely scratching the surface.

But different companies have different cultures. Some may strictly forbid extracurricular web surfing; others may allow it as a perk for break times, or encourage you to explore the Web because it makes for more informed employees. Some firms record every call you make or scan every email message; others only monitor randomly or in situations where they suspect wrongdoing. And, of course, a few benighted firms don’t monitor at all but rely on their employees to act appropriately.

Clearly, it pays to figure out what kind of company you’re working for. What activities does your employer monitor and how? You’ll want your company to put its policies in writing, so everyone knows where the lines are drawn. You should ask your boss what he’s doing to protect your privacy, not just invade it. And while you’re at it, you should find out what’s legal, what isn’t, and what’s unknown. This chapter will give you those goods, and more.

THE INTERNET AT WORK

Surfing on Company Time

The Annoyance:

I think my boss is watching where I go on the Web. Aren’t employers required to notify you if they monitor your web activity?

The Fix:

In general, no. With very few exceptions, private employers can monitor everything you do in the workplace and aren’t required to tell you a thing about it. (Government employees actually enjoy a few more rights; see the sidebar “Better Fed than Dead?”)

Some employers include vague language like “we reserve the right to monitor your activities,” either on a splash screen when you turn on your computer or buried deep within the employee handbook. Of course, that doesn’t tell you whether they are monitoring or how they might be going about it. Only Connecticut and Delaware require employers to notify employees before monitoring their online communications. In other states it’s entirely up to each company.

Lewis Maltby, president of the National Workrights Institute (http://www.workrights.org), says that while there’s little you can do to prevent your boss from monitoring your online behavior, you can make monitoring less intrusive and more transparent:

  • Ask your boss whether your company monitors employee communications, and if so, what types of communication and how. If your boss doesn’t know, ask her to inquire further about this and get back to you.

  • Once you find out what’s monitored, decide how you want to communicate personal information. For example, if your company routinely scans email traffic but not phone calls, you may want to call your spouse or your doctor the next time you need to discuss a personal issue (although a better idea would be to use your cell phone or another line not owned by your company).

  • If you don’t like being monitored, make your objections known. If enough employees complain, the company may alter its policies (don’t hold your breath). At the very least, insist your employer add a written policy to the employee handbook detailing which online activities are allowed and what the company does to ensure compliance.

Find out why your company is monitoring employees, and see if there’s a less intrusive method of achieving its security goals. For example, instead of using web monitoring software to log every site an employee visits, your employer could use the same program to block employees from visiting objectionable sites—such as porn and hate speech sites—that could cause the company legal headaches. Companies concerned about productivity loss could adjust the software to allow access to certain types of sites at specified hours—say, news or travel sites during lunch or after work—or for a certain number of minutes each day. Maltby says many firms would happily embrace policies that protect their needs without alienating their employees. “Most employers are not interested in spying on you,” says Maltby. “They’re just trying to avoid sexual harassment suits, prevent the loss of their trade secrets, and keep people from spending all day on the Net when they should be working. [But]...companies don’t have to violate your personal privacy to protect their legitimate business interests.”
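The less intrusive policy described above, written out as an added Python example (not the configuration or code of any real filtering product). The category names, hours and the 30-minute allowance are assumptions; the filter blocks objectionable categories, opens personal categories only at set hours with a daily allowance, and stores a per-day minute counter instead of a log of sites visited.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed policy values (assumptions for illustration only).
BLOCKED = {"porn", "hate-speech"}                 # never allowed
LUNCH = (time(12, 0), time(13, 0))
AFTER_WORK = (time(17, 0), time(23, 59))
TIMED = {"news": [LUNCH, AFTER_WORK],             # personal categories and
         "travel": [LUNCH, AFTER_WORK]}           # the hours they are open
DAILY_PERSONAL_MINUTES = 30


@dataclass
class Usage:
    """Per-user state: minutes of personal browsing per day, no URLs or site names."""
    minutes: dict = field(default_factory=dict)   # date -> minutes used


def decide(category, when, usage, minutes_requested=1):
    """Return (allowed, reason). Only the daily counter is ever updated."""
    if category in BLOCKED:
        return False, "blocked-category"
    if category not in TIMED:
        # Anything not classed as personal is treated as work traffic.
        return True, "work-or-uncategorised"
    if not any(start <= when.time() <= end for start, end in TIMED[category]):
        return False, "outside-allowed-hours"
    used = usage.minutes.get(when.date(), 0)
    if used + minutes_requested > DAILY_PERSONAL_MINUTES:
        return False, "daily-quota-exceeded"
    usage.minutes[when.date()] = used + minutes_requested
    return True, "personal-use-window"


if __name__ == "__main__":
    u = Usage()
    lunch = datetime(2005, 3, 1, 12, 30)          # constructed sample times
    print(decide("hate-speech", lunch, u))
    print(decide("news", datetime(2005, 3, 1, 10, 0), u))
    print(decide("news", lunch, u, 20))
    print(decide("travel", lunch, u, 15))
    print(u.minutes)                              # the only data retained
```
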

Visit http://NasteePix.com, Get Fired?

The Annoyance:

I work hard, but I like to do a little recreational web surfing during break times. Can I get fired for this?

The Fix:

You might. It all depends on your employer’s policies and what you mean by “recreation.” If your definition includes gambling, viewing photos of scantily-clad models, downloading MP3s, or trolling hate-speech blogs, you stand a pretty good chance of getting canned. According to a 2001 survey by the American Management Association (AMA), 62 percent of companies monitor Internet content, and more than a third of those firms disciplined employees for breaking their Net policies. (The AMA doesn’t say how many of those folks got fired, but you can be sure some did—see “Privacy in Peril: Prurient Interest.”)

The trouble is that many corporations lack any kind of written guidelines on what’s acceptable behavior. Porn is an obvious no-no, but what about news, political, or travel sites? A study by The Center for Business Ethics at Bentley College found that over 90 percent of companies allow “reasonable personal usage” of the Web, but only 42 percent define what “reasonable” means. So find out what your employer does and doesn’t allow (see Table 4-1). Some questions to ask:

  • Are employees allowed to use their work Internet connection for personal use?

  • If so, is personal use restricted to certain times of day (like lunch breaks or after 5 p.m.)?

  • Are there limits on the amount of time employees can surf each day?

  • What types of sites are prohibited?

  • What penalties will be assessed if employees break the rules?

  • Are there procedures in place for employees to dispute claims made against them? (For example, your computer was infected with spyware that drove it to illicit sites.)

Mark Rowe, one of the authors of the Bentley study, says a degree of recreational use is permissible in many organizations, but “companies are not being sufficiently explicit in terms of their policies. There need to be very clear guidelines for employees.”

Table 4-1. Let’s be reasonable...

  Activities allowed     % of companies that allow them
  Job searches           25
  Online Trading         28
  Online shopping        51
  Online banking         54
  News sites             84

Source: Reproduced with permission by the Center for Business Ethics at Bentley College.

Out of the Office, But Not Out of Sight

The Annoyance:

I telecommute from home two days a week. I keep my Quicken checkbook, digital photos, and other personal stuff on the computer at home I use for work. Does my boss have a right to snoop around my home PC?

The Fix:

It depends on whose gear you’re using. If your employer furnished the computer you use for telecommuting, then it has the right to look at anything on it.

If you’re using your own computer, you have more privacy rights, but you’re far from in the clear. If you’re logging into the corporate network and using that to connect to the Internet, your employer can monitor where you go and what you do online, though it probably can’t legally look at what’s on your hard drive. Even if you’re on your own dime when paying for Net access, if you’re checking a corporate email account, your employer can certainly monitor your inbox and outbox.

Tip

Privacy attorney Parry Aftab (http://www.aftab.com) advises her corporate clients to set up web kiosks in employee break areas that are exempt from company monitoring. That way, employees would have the freedom to access the Web without penalty, and employers would avoid liability for what the employees do online.

“If the company supplied it, they have the right to do anything they want,” says privacy rights attorney Parry Aftab (http://www.aftab.com). “Those same rules apply to other employer-supplied gear like laptops, cell phones, pagers, handheld PCs, Blackberries, and so on. It’s much broader than computers, which is something most people tend to forget.”

You may have also waived your privacy rights as part of a work-at-home agreement, says Aftab, which could give your boss unfettered access to your home computer (though probably not other machines on your home network). If you signed a telecommute agreement, now’s the time to examine the fine print.

Whose Email Is It, Anyway?

The Annoyance:

I sometimes use my work email for personal use. I don’t want my boss reading it.

The Fix:

Join the club. Nearly 9 out of 10 people use work email to send or receive personal messages, according to a 2004 survey by the AMA. That same survey found that 60 percent of companies monitor email communications with the outside world, and one in four companies has fired someone for violating their email policies.

If you must send personal mail at work, you could use a webmail account such as Yahoo Mail or Hotmail instead of your corporate account. But remember, when you’re using your work PC and/or your employer’s network, your boss still has the legal right to read your outbound or inbound messages. And she could do it in a variety of ways.

For example, your IT department could have a “sniffer” device on the network that captures unencrypted data as it passes over network wires. It might employ software such as netReplay that lets them view what’s on users’ screens—kind of like a closed circuit TV camera trained on your PC. The office geek squad might install a keylogging program on your machine that captures everything you type. At the very least, companies concerned about employee communications can use web monitoring software to log the time you spend on these webmail sites and/or limit your access to them.

One way to defeat a sniffer is by encrypting your mail so that only you and the intended recipient can read it. (See the tip below.) Encryption is especially useful when you need to share confidential business information across the wires. But if your employer has installed a monitoring device on your computer, there’s little you can do short of disabling the device—which is likely to get you in far hotter water.

As with web monitoring, find out what kinds of messages your employer looks at and how, suggests NWI’s Lewis Maltby, and see if you can carve out some personal use that won’t infringe on company policies. For example, you could ask your bosses to fine-tune the scanning software to make exceptions for messages that are almost certain to be personal—like email you send to your spouse.

Beware of IT Spies

The Annoyance:

I know my company is scanning my email. But I also suspect the little twerps in my company’s IT department are reading my messages just for kicks, and then blabbing about it to the world.

The Fix:

They very well might. A recent survey by Forrester Consulting and Proofpoint found that 44 percent of large companies hire people to scan outgoing email looking for trade secrets, copyrighted material, or anything else that could get the company in legal trouble. The problem with this, says NWI’s Lewis Maltby, is that few companies have anyone assigned to watch the watchers. Slightly more than half of the companies surveyed by Bentley College had written guidelines on how Internet monitoring is supposed to be conducted. Only a third required company monitors to sign a confidentiality agreement, and one in four performed no oversight at all. The survey only included companies that employed ethics officers—so if these folks aren’t thinking about keeping email monitors in line, imagine what the rest of Corporate America is like (see Table 4-2).

Again, your best solution is to ask management. Do they have written guidelines that govern monitoring procedures? Are monitors bound by a confidentiality agreement? What’s done to ensure they are following proper procedures?

The bottom line, says Frederick S. Lane III, author of The Naked Employee: How Technology is Compromising Workplace Privacy, is to be very careful about what company resources you use. “If you don’t want your employer reading email you send to your buddy at Alcoholics Anonymous, or your doctor, or your child, don’t use your employer’s computer to send that mail.”

Table 4-2. Who’s watching you online?

  Title                          % with access to monitoring data
  Security guards department     58
  Human resources                56
  Internal auditors              38
  Chief Information Officer      36
  CEO                            12
  Individuals being monitored    8

Source: Reproduced with permission by the Center for Business Ethics at Bentley College.

Chewing the Fat on Chat

The Annoyance:

I use instant messaging to check in with my friends and family while I’m at work. Can my boss see who I’m talking to and when I’m logged on?

The Fix:

He sure can. For the moment, instant messaging is slightly more private than email. The Forrester survey found only 21 percent of companies are keeping an eye on IM communications, but that number is likely to grow as more companies adopt IM as a business tool and realize the potential havoc that IM could wreak. For example, the SEC now requires securities dealers to archive business IM records for three years; healthcare companies may also be required by federal statutes to preserve any electronic communications regarding patient health records, including IM.

With software such as FaceTime Communications’ IM Auditor or Akonix L7 Enforcer, your company’s IT department can log the amount of time you spend on IM, record all your conversations, and/or block certain activities on IM such as file sharing. They can monitor all the major chat clients (so don’t think using AOL’s or MSN’s IM software makes you safe). They can also log when you’re online; so if you set your messenger software to indicate that you’re not at your desk when you really are, your boss may think you’re goldbricking.

You may be able to keep your IM private by using products such as Hushmail’s Hush Messenger (http://www.hushmail.com), which uses PGP encryption to scramble private conversations with other Hush Messenger users, or IMpasse (http://www.im-passe.com), which likewise automatically encrypts and decrypts messages sent via AIM, Yahoo Messenger, and MSN Messenger. Otherwise, when you use IM, assume someone’s listening—because even if they aren’t now, they probably will be soon.

Tip

You want to notify the SEC that your company is breaking the law, but you don’t want your boss to find out who squealed. Or maybe a coworker has a personal hygiene problem, but you just don’t have the heart to tell him to his face. http://Anonymizer.com offers a free email service (https://www.anonymizer.com) that lets you send messages that are completely untraceable. Of course, anonymous services like this can also be used to harass or stalk people—so please use your anonymity for good, not evil.

Do Your Hunting From Home

The Annoyance:

I hate my job, so during breaks at work, I’ve been posting digital résumés on job boards like http://Monster.com. There’s no way my boss can find out, is there?

The Fix:

There is. If your company has installed web filtering software like Websense or SurfControl—or even just looked at the network server logs—your boss could easily find out exactly how much time you’ve been spending at http://Monster.com or any other online job board. If the company uses an email security program such as ClearSwift’s MIMESweeper, it could scan outgoing email looking for telltale signs (like file attachments with “résumé” in the title). If they use a keylogger, they can detect what you’ve been typing on your PC at any time. And so on.

One solution may be to use an anonymous proxy server and email encryption, assuming you can get them to work through the office firewall. But a better idea is simply to avoid using your work PC for anything involving a job search—unless you want your boss to help you in your quest by firing you. (For more tips on Net job hunting privacy, see “Who’s Reading Your Résumé?”)
