Your Boss Is Watching

In a recent study on Internet deprivation, people forced to live without Net access for two weeks said they missed the "private space" the Internet provided them at work.

Well, I have news for you. That Internet account you have at work is not your private space. It's also your boss's space, and your boss's boss's space, and so on up the line. In fact, if you think you have any real privacy on the job, you're laboring under a delusion. Here are some of the more common myths about Net privacy at work.

Myth number one: My company would never spy on its employees. Maybe so, but if that's the case, you're in the minority. According to surveys by the American Management Association, nearly two-thirds of companies actively monitor where their employees go on the Web. Some 52 percent scan e-mail, and around one in five keeps an eye on instant messaging.

These companies aren't just being nosy. An employee who accesses objectionable Web sites could expose the employer to lawsuits for fostering a hostile workplace environment. Employees could accidentally (or deliberately) spill confidential corporate information over e-mail or IM, or allow worms to spread throughout a corporate network. And while there are tools that help you get around such employer restrictions--the Electronic Privacy Information Center maintains a page of them--you use them at your own risk.

Myth number two: If my company were spying on me, I'd know about it. Not necessarily so, Sherlock. Most monitoring is done at the network level, and most employers are under no legal obligation to tell you if you're being monitored. (Connecticut has a law requiring employers to notify workers; a similar law was passed by the California Assembly earlier this year, but Governor Schwarzenegger vetoed it in September.)

When companies do notify employees, they typically do it with a quickly disappearing splash screen or a sentence buried in the employee handbook that says the company reserves the right to monitor communications. So just because you can get to www.cats-who-love-dogs.com (not a real site) on your work PC doesn't mean someone isn't logging your visits there. You need to ask your boss for the company's written policy on employee monitoring. If the company doesn't have a policy, request that it create one.

Myth number three: It's perfectly fine to do a little recreational surfing at work, as long as I don't visit the wrong kind of sites. Maybe it is, but you may want to find out what your boss considers the "wrong kind" of sites. In a study by the Center for Business Ethics at Bentley College, more than 90 percent of companies allow "reasonable personal usage" of the Web, but only 42 percent define "reasonable." For example, four out of five businesses surveyed said it was okay for employees to visit news sites, but only about half allowed employees to shop or bank online. Better to ask questions first and surf later.

Myth number four: My e-mail conversations are none of my boss's business. That's true, but only if you're using your own computer and your own account. Otherwise companies can and do scan e-mail, even the personal stuff. In one AMA survey, some 60 percent of companies that monitor e-mail use software to scan e-mail for keywords and block sensitive information from going out. A study by Forrester Consulting and Proofpoint found that 44 percent of large firms hired people to read corporate e-mail. About half the firms in the Bentley study had created written guidelines telling employees how to perform Internet monitoring, and only a third made monitors sign confidentiality agreements. The next time you send a personal note from work, remember that you might also be sharing this information with the geeks in the IT department.

Myth number five: I can use Webmail services to get around my boss's e-mail snooping. Sorry, Bunky. Using services like Yahoo or Hotmail can make it harder for your boss to spy on your e-mail conversations, but they hardly make it impossible. Your company could use Web-monitoring software like Websense or SurfControl to block access to these sites, or log how much time you're spending at them and confront you about it. Network administrators could also install a "sniffer" that reads unencrypted data as it passes down the wires.

About one in five firms surveyed by the AMA routinely monitors computer use, for example by installing keystroke loggers that record everything you type, or software that periodically captures what's on your screen. All of that can be used to spy on your Webmail messages, as well as virtually everything else you do on your PC.

Myth number six: I use instant messaging for most of my personal communications, so my privacy is secure. I H8 2 disappoint U, but IM isn't as private as you'd like to believe. One-fifth of organizations currently monitor employees' instant messaging, according to Forrester, and many more companies are becoming hip to the potential of IM as a business tool and the dangers it poses. Software like FaceTime Communications' IM Director or Akonix Enforcer can record all your conversations, and/or block certain activities on IM such as file sharing. Federal legislation requires some organizations, like health firms or security brokers, to retain records of certain IM conversations. So even if you're in the clear now, your IM habits are unlikely to go unmonitored for long.

Myth number seven: I work at home, so I can do whatever I please. Don't be so sure. It all depends on whose equipment and Internet connection you're using. If your employer supplied the machine, your company can do anything it pleases with the computer, including examining your personal files on the hard drive. If you use your own PC but log in using your employer's Net connection, the company can legally track any of your activity online, unless you have an agreement that states otherwise. So unless you own the gear and the bandwidth, better delete anything you don't want your boss to see.

Myth number eight: I can do anything I want, as long as I delete the evidence from my computer. Dream on, Bubba. For one thing, it's likely that the evidence is still sitting there in your Recycle Bin. Even if you empty the bin, files can be easily recovered until they've been overwritten with other data.

If you're on a corporate network, forget about it. Your e-mail and the contents of your hard disk are probably archived on backup media, where they can persist for years. And that's assuming your employer doesn't use Web-monitoring software, keyloggers, or other forms of digital surveillance on the network. Paper burns and memories fade, but digital evidence can live forever.

Myth number nine: My workplace privacy rights are protected by law. Not as much as you might think. While government employers must follow the U.S. Constitution, restrictions on unlawful search and seizure or self-incrimination don't apply to private companies. A handful of federal employment laws restrict the kinds of information companies can collect about you before you're hired, and some states (like California) extend privacy protections to employees of private entities, but most don't. Mostly you're at your boss's mercy.

Myth number ten: Even if my bosses catch me doing something naughty on the Net, they can't fire me for it. I've got bad news for you: Companies can and will fire people over Net naughtiness. According to the AMA, one in four companies surveyed in 2004 had terminated employees for violating their e-mail policies, up from 22 percent in 2003 and 17 percent in 2001 (there was no 2002 survey). So don't say you haven't been warned.

PC World Contributing Editor Dan Tynan has written extensively on Internet privacy and security. He is currently hard at work on Privacy Annoyances, which will be published by O'Reilly Media.
