Web at work: Not YourSpace

You probably know that lots of companies monitor the Web sites employees visit while they're at work. But did you know that more companies are moving to track the minutes spent and keystrokes made by employees while they're on the Web?
You probably know that lots of companies monitor the Web sites employees visit while they're at work. But did you know that more companies are moving to track the minutes spent and keystrokes made by employees while they're on the Web?Duane Hoffmann / msnbc.com

It’s March Madness, and a good chunk of the Web browsers on office computers are set to CBS Sports, where the NCAA playoffs are being streamed live.

Maybe your boss is letting you watch some of the games for a few minutes of the day. Or, maybe your company has decided to block the site from you.

Maybe, as global outplacement consultants Challenger, Gray & Christmas suggest, the “annual distraction could cost employers as much as $1.7 billion in wasted work time over the 16 business days of the tournament,” some of it coming from watching the games on work computers.

But it’s not just Web entertainment at work during March and early April that’s a problem. It’s the other 10 months of the year, as well.

Lots of companies monitor the Web sites their employees visit while they’re using work computers; most workers realize that.

More companies, however, are moving to track the minutes spent and keystrokes made by employees while they’re on the Web.

In 2001, when the American Management Association and ePolicy Institute did a first survey on workplace electronic monitoring, 19 percent of employers “told us they were monitoring time logged on and keystrokes,” said Nancy Flynn, ePolicy Institute executive director.

In 2005, it was 36 percent. In the 2007 survey, released last month, “that number had grown to 45 percent,” she said.

Some of the increase may have to do with the economy, and a demand for increased productivity by companies that now have fewer employees to handle the same or larger workload.

The past few years also brought a surge in the popularity of bandwidth-heavy sites such as YouTube, MySpace and Facebook.

The sites, with their large video and audio files, not only strain companies’ computer networks, they involve more than a quick mouse click or momentary distraction from work.

Security and legal liability are also huge issues.

“The organizations that are concerned about the amount of employee time spent (on the Web) and actual content of keystrokes, their concerns revolve around not only productivity, but security,” said Flynn.

“They’re concerned that the Internet sites their employees are viewing, or the images that they’re downloading, uploading, printing or e-mailing, are going to trigger lawsuits. That’s the No. 1 concern.”

At the end of 2006, Flynn said, the federal court system amended rules of federal civil procedure so that “all electronically stored information is subject to discovery in litigation."

If a company is the target of a lawsuit by an employee, all electronic records stored by the company, including what Web sites employees have visited, "can be subpoenaed and used as evidence to support or damage the company's case," she said.

The federal rule “really made clear to all employers that all online activity creates essentially the electronic equivalent of DNA evidence," she said. "You need to keep your online employees in line.”

Monitoring that eBay time
Larry Ponemon, a nationally known privacy and data protection consultant, says companies are using a number of tools designed for security to also monitor employees’ Web activity.

“We all expect monitoring from companies making sure that you’re not doing awful things, such as going to illegal Web sites, or saying awful things in e-mail messages or instant messaging,” he said.

“We’re starting to see more companies using the same technology that was initially designed for security to determine things like, are you on a Web site that is not work-related?”

Such technology includes “keystroke-type logging, to video of what your screen looks like,” to see if there are certain patterns of Web surfing, he said.

“They might use some sort of crawling or sniffing technology on a network to see whether you’re at a Web site that is known to be a site for slackers — for example eBay — places where people spend a lot of time, places that take too much time in the workplace.”

'A little bit too Big Brother-ish'
While most employees accept the idea of monitoring for security, “when we start using it for workplace efficiency, that becomes a little bit too Big Brother-ish for most employees,” Ponemon said.

Employees have “absolutely no expectation of privacy when using the company’s computer system,” said Flynn. “In the U.S., the courts have consistently supported employers on this issue.”

ArcSight is among the companies that provide security software and solutions to government organizations and businesses. Its clients include the Defense Information Systems Agency, Securities & Exchange Commission, Verizon and Xerox.

“The point is, whether it’s an internal or external threat, is to give an idea at any given moment of what’s going on in the network, who’s doing what to what, and should they be doing it? said Brian Contos, ArcSight’s chief security officer.

“One plus one doesn’t always equal two,” he said. “Someone who’s looking at a job Web site from work, that may or may not be an issue. Maybe they’re trying to hire somebody.

“You can’t treat everybody like they’re under a microscope,” he said.

Impact of younger employees
Many younger employees entering the workforce are pretty wired on their own, not needing a company computer to Web surf, but doing it from their iPhones or BlackBerrys.

Problem solved? Not quite.

“We might have an e-mail address, and perhaps a couple of telephone numbers and a mailing address," said Contos. But, "the next generation" probably has " three or four MySpace accounts, 15 e-mail addresses and who knows how much of everything else.

“They’re communicating through multiple channels. Go ahead and plug 1,000 of these people into a corporation, and say, ‘Can you tell me what Bob Smith did today?’

"Now you’ve got to look at 15 different identities, physical access, telephone lines and things like that. It can certainly become a security problem.”

John Challenger, the chief executive of Challenger, Gray & Christmas, which issued the March Madness-worker-loss-of-productivity press release, said he understands why some employers are more liberal when it comes to allowing workers to surf the Web unfettered.

Those employees, he said in an interview, are recognized for “their focus on output and the quality of output.

“Employers know those employees are taking their cell phones and their laptops and their BlackBerrys with them 24/7, and are working while they’re commuting, and working on vacation.”

“Then there’s another group” of employees, he said, such as hourly workers or those whose work is confidential, whose Web time should be tracked with the “sophisticated tracking systems” that are available.

“There are employers who are concerned about how much time is being lost, and as the technology becomes easier and cheaper for them to track their employees, they’re utilizing it,” he said.