Monitoring e-mail: Management or thought police?
(IDG) -- Sometimes being an IT manager can feel more like being a cybercop than a tech professional. That's because one of IT's roles is often to make sure that employees aren't abusing e-mail privileges or surfing objectionable sites while at work. And although employers' interests, the protection of intellectual property, and productivity need to be considered, so do the company's corporate culture and employees' privacy rights. As some recent high-profile cases prove, it's a murky arena where the line is blurred between visions of Big Brother on the one hand and a free-for-all liability nightmare on the other.
Indeed, the numbers demonstrate that surfing the Web at work has become as popular as gossiping by the watercooler. Computer Economics (CE), a Carlsbad, Calif.-based research firm, estimates that companies lost $5.3 billion to recreational Web surfing in 1999. "The illegitimate use of the Web and the personal use of e-mail by employees have become commonplace. When the boss is not around, improper use of the Web is normal," says Michael Erbschloe, vice president of research at CE.
Partly out of necessity and partly as a preventative measure, two-thirds of major American firms now do some type of in-house electronic surveillance, and 27 percent of all firms surveyed monitor e-mail, the American Management Association reported in April 2000. And although human resources and legal counsel play a large role when it comes to setting and implementing policy, IT often carries the greatest responsibility as the implementors of snooping technology. So how do IT managers balance individual privacy and the need to maintain corporate security? Very carefully.
Who draws the line and where?
Of high-profile cases where employees were fired for misusing company e-mail, the 1999 episode at an administrative center for The New York Times, in Norfolk, Va., is perhaps the most culturally intriguing. After all, this is a media empire built on principles of free speech. An incident at the Chevron Corporation involved a $2.2 million lawsuit brought in 1995 by employees who were offended by an e-mail joke titled "25 Reasons Why Beer is Better Than Women."
Would the facts of e-mail usage transgressions at either company bring similar responses and reactions elsewhere? Perhaps. But these two cases highlight an interesting fact: Both management and employees can claim violation of e-mail or Internet usage policies. And IT is often stuck in the middle.
In general, IT implements policy using monitoring and/or filtering software on both e-mail and Internet usage, but does not actually set the policy. Occasionally, however, especially in smaller organizations, IT is not only the enforcer of policy but also the policymaker.
Corporate culture and management expectations play a critical role in how IT goes about setting and implementing e-mail and Internet monitoring policy.
Experts say that government agencies -- particularly those involved in security and defense -- and financial corporations tend to have the strictest policies, whereas small Internet companies seem to be the most liberal.
Relying on good judgment
At Silver Spring, Md.-based IDEV, a Web services firm with 40 employees, Tony Byrne, the senior vice president of Web development, generally relies on his staff's professional work ethic rather than a strict set of guidelines for using the Web and e-mail. Byrne says, "Think of it as a laissez-faire policy. Everything that we do, including anything in the public arena, we really have to consider our clients and their interests because we are a client-services company.
"A lot of how we judge things like e-mail and Internet usage is in the prism of those two things," Byrne says. "Are people using good judgement and being ethical and professional in their behavior and thinking of our clients' interests? Once we set that up as the overall code of what we follow and we stick to that, then we can have a more liberal policy about e-mail and Internet usage."
Because of the company's size and reliance on employees' judgment, IDEV doesn't monitor e-mail or Internet usage. "The only formal prohibition is that we prohibit the use of computers and e-mail system in ways that are disruptive, offensive to others, or harmful to morale," explains Byrne. Luckily, to Byrne's recollection, there have been no misuse incidents at IDEV and employees have acted in accordance with expectations.
Protecting intellectual property
At a small Internet services firm, not having to monitor employee e-mail and Internet usage with an iron fist is an option. But when intellectual property and sensitive corporate information pass through e-mail on a regular basis, it is essential to have clear policies about what information may or may not pass via the Net, and you must have the software to back up those policies. Such is the case at one of the world's best known media companies.
Jeff Uslan, director of information protection at 20th Century Fox in Los Angeles, and his team oversee the e-mail and Internet usage of over 10,000 employees. They must make sure that confidential information about movie scripts, deals, and other Fox business does not leak outside the company's e-walls. "We look more for the loss of intellectual property and e-mail-borne viruses," Uslan says.
Monitoring inappropriateness can be a challenge because the very subject of an e-mail -- the plot of a script or movie, for instance -- may contain language that other companies would find objectionable. "We don't look for e-mail of your latest baby pictures or someone commenting on seeing a star on the lot. There is a definite line between what is abusive, inappropriate, or excessive [and what is acceptable].
"[A case of] excessive [Internet use] would be [handled] between manager and employee and could be a performance issue. HR gets involved from that point. They may request a printout of the employee's e-mail and/or Internet activity. Generally it is resolved, a warning is issued, and that is the end of it," Uslan says.
Because many software packages on the market lack one feature or another, many IT managers, such as Uslan, combine several packages to help track usage.
Uslan must keep an eye on thousands of employees and contractors. He opts for monitoring software that is robust, easy to upgrade, and intuitive enough that it doesn't give lots of false alerts. For Web content filtering, he chose Elron Software's IM Web Inspector and IM Message Inspector software to help protect his organization's intellectual property without being overly intrusive to employees. Web Inspector scans the actual content of a Web page, in addition to the URL name. Message Inspector's filtering technology can scan the actual context of an e-mail message to determine whether the message should be simply monitored or redirected.
"Most monitoring tools can send e-mail to alert the system admin or security that a given threshold has been exceeded," explains Uslan. "In the case of Elron, I have it set to do a number of things. If it picks up a virus, it will page me with an alert. In cases where we have a complaint from an employee that they are receiving harassing e-mail, I get both the e-mail and a page."
The tools are enough to give Uslan and his team a clear vision of both employee Web and e-mail usage. He can set up the software with rules to eliminate inappropriate use. For example, if an employee is spending hours of company time on eBay, Web Inspector will send an alert to the appropriate department manager via e-mail. If an employee accidentally tries to send a confidential document outside the company, Message Inspector can redirect the e-mail back to the employee with a message explaining why the communication was blocked.
Protecting public image
As the vice president of technology at The Heritage Foundation, Michael Spiller has another issue with which to contend: reputation. His employer is a high-profile, conservative Washington think tank. In addition to the usual e-mail and Internet usage no-nos of porn and off-color material, Heritage's nonprofit status requires that its 190 employees not internally endorse any candidates or use the organization's computer systems in political campaign work. That means no e-mails about fundraisers or even job postings related to the new administration.
To this end, Spiller uses Watchguard, which can track all Web traffic. "Internally we use SMS [Security Management System] from Microsoft to assist and monitor employees. But we do not monitor employees unless we have a reason to," he says.
Currently, the Foundation does not block specific Web sites, but in the next few months, it is planning to integrate the blocking feature into the firewall. For example, sites such as Whitehouse.com, a porn site, will be blocked, whereas whitehouse.gov, the official presidential site, won't be. "Our main emphasis for the policies and procedures is that employees use the Internet and e-mail system for business," Spiller says.
IT managers must keep up with new technologies, new usage issues, and individual privacy concerns. "All organizations, both large and small, need to implement and update their system-usage and e-mail policies continuously," Spiller advises.
"These policies are put into place so that an employee has guidelines on how to use the company's services in the manner that the company has designated. Without a policy in place, you could be opening your organization to employees using their Web access and e-mail service in a manner that could misrepresent your organization. A few policies in place could save you headaches in the long run," Spiller adds.
Combining tools and policies
Once a company decides to move ahead with e-mail monitoring, there are a variety of products on the market to choose from that will help automate the process. Giga Information Group says that the best known products in this field are Content Technologies MIMEsweeper, Worldtalk WorldSecure Server, Elron Software Message Inspector, Trend Micro eManager, and TenFour TFS Secure Messaging Server.
"Companies may have to implement several tools to get the best coverage: one focusing on monitoring, one focusing on blocking, and one that can capture all traffic," says Jonathan Penn, a senior analyst at Giga.
In the report "E-Mail Policy Guidelines," Penn points out that each can be configured to block or quarantine messages based on keywords or phrases, which are used to detect e-mail with confidential content, e-mail with inappropriate (i.e., harassing or offensive) content, and spam messages. They all include some means of virus protection, the ability to block or delay messages based on size and number of recipients, and the ability to append a disclaimer or statement of confidentiality to an outgoing message.
Some of these products also have features for monitoring message attachments. Most of these products sit at the corporate firewall intercepting SMTP traffic, thereby monitoring only e-mail that leaves or enters the corporate network. Some of these products plug directly into Microsoft Exchange or Lotus Domino.
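A sketch of the gateway rules described in the two paragraphs above, as an added example that is not from the article or from any of the products it names: keyword quarantine, size and recipient-count delay, and a disclaimer appended to released mail. The terms, thresholds, addresses and function names are assumptions constructed for illustration, and only single-part text messages are handled.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical policy values, constructed for this example.
CONFIDENTIAL_TERMS = ("draft script", "deal memo")
MAX_BYTES = 2000
MAX_RECIPIENTS = 5
DISCLAIMER = "\n--\nThis message may contain confidential information.\n"


def recipients(msg):
    """Addresses from the To and Cc headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(raw) if addr]


def evaluate(msg):
    """Return (action, reason) for one single-part text message."""
    text = (msg.get("Subject", "") + "\n" + msg.get_content()).lower()
    hits = [term for term in CONFIDENTIAL_TERMS if term in text]
    if hits:
        return "quarantine", "keyword: " + hits[0]
    if len(msg.as_bytes()) > MAX_BYTES:
        return "delay", "size"
    if len(recipients(msg)) > MAX_RECIPIENTS:
        return "delay", "recipients"
    return "deliver", "clean"


def apply_policy(msg):
    """Evaluate, and append the disclaimer to mail that is released."""
    action, reason = evaluate(msg)
    if action == "deliver":
        msg.set_content(msg.get_content() + DISCLAIMER)
    return action, reason


def make(to, subject, body):
    """Build a constructed sample message (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


SAMPLES = {
    "clean": make("bob@example.net", "Lunch", "Noon on Friday?\n"),
    "leak": make("bob@example.net", "FYI", "Attached is the Draft Script.\n"),
    "bulk": make(", ".join(f"u{i}@example.net" for i in range(8)), "Hi", "All\n"),
    "large": make("bob@example.net", "Logs", "line of text\n" * 400),
}
```

Matching is case-insensitive substring search, so a rule set like this produces the false alerts the article mentions unless the term list is kept narrow.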
But finding the right tool or mix of tools needs to be a function of combining policy, technical capabilities and needs, and the benefit to the company. "When setting policy, companies should understand the real business benefit behind it. If the policy isn't tied to a clear business benefit, then it really shouldn't be there," adds Penn.
E-mail monitoring policy guidelines
Corporate e-mail monitoring policies may include the following, says Barbara Weil Gall, an attorney with the law firm of Ireland Stapleton Pryor Pasco P.C., in Denver.