It’s legal, it’s happening and it can get you fired
(By Kim Zetter. Additions by Sushan Shetty)

When Sunil Chandra, senior executive at a Mumbai marketing firm, was accused by his boss of passing on his company’s vital data to a competing firm, Chandra* denied it.

“But we have the proof,” his boss told Chandra, and they showed it to him, as clear as daylight. Chandra resigned immediately.

It’s a fact of life in the 21st century workplace: The boss may well be watching, especially if you use a computer, as in Chandra’s case.

And with young employees who may have quickly changing loyalties, more and more companies see the need to spy. “An employer can use special software to monitor everything-it’s as if a camera is watching your computer,” says Vijay Mukhi of Mumbai, president of the Foundation for Information Security and Technology (FIST). “Such software works without being identified, even by an anti-virus program.”

That’s unless you’re about as tech-savvy as S. B. Sarin, who worked for the Indian subsidiary of a Korean electronics firm. In June 2004, when Sarin made his first visit to their headquarters in Suwon, South Korea, his bosses in India could, if they wished, view any activity on his laptop’s screen. “I was always aware of how well my bosses knew what I was up to,” says Sarin, a software engineer. “My laptop was taken from me to ‘prepare it for travel’ just before I left, and they installed surveillance software in it.”

What can such software do? We got the answer from Ismael Rodriguez, a network analyst for Copier Country, a small New York company that sells photocopiers. A few years ago, after a salesman took the firm’s customer database when he left for a new job, Rodriguez installed a program called Spector Pro on most of the company’s computers. The software, made by SpectorSoft, can track and block the websites a user tries to visit and log his or her every keystroke. Rodriguez says that although he won’t examine anyone’s computer use unless his boss asks him to, most Copier Country staffers know much of their desktop activity is now open to potential scrutiny.

“I can see screen shots of what they do in Yahoo!,” he says. “I can see what they’re typing, whether it’s résumés or business-related stuff. The program even keeps track of songs that employees download to their iPod. There’s not anything these guys can get away with that I can’t see.”

A 2005 survey by the American Management Association and the ePolicy Institute found that about three out of four US companies regularly track which websites their employees visit. More than half use surveillance software to scour office email (looking for hot-button keywords like sex in the subject line or body of messages). More than a third extend their snooping to monitor how much time workers spend at the computer, record their keystrokes or log their downloads. And one in four companies reports firing someone for improper email use.

No such survey has been done for India, but experts like Vijay Mukhi know that an increasing number of Indian companies are beginning to do such monitoring, and this is more so with businesses that have parent companies abroad, especially in the US.

As the use of monitoring software grows, more of the activity that many of us consider innocent is getting caught in the net. When she first joined a multinational corporation, a hardworking Rohini Srinivasan* was “caught” after she innocently uploaded some work-related information into her personal Yahoo! account. “I simply wanted to work from home over the weekend to finish a job on time,” says Rohini. “Imagine my shock when I learnt that I was going to be fired for it.”

Fortunately, her supervisor stepped in and pointed out that Rohini, who had been doing so at her previous job, was not told that this was illegal here at the time of her induction.

And who hasn’t opened his email to find a message from a friend passing along something-a goofy YouTube clip, an off-colour joke, a link to her brother’s new blog-that she’s sure everyone will find hilarious. If it does get a laugh, it’s probably passed along to a few more people.

No big deal, right? That’s surely what Heidi Arace and Norma Yetsko thought, until they lost their jobs at a US bank. Their idea of what was fun to share via office email wasn’t amusing to their bosses, who found it offensive enough to fire the two longtime employees. Because the bank, like most companies today, has a formal policy against internal distribution of offensive material.

“It was like I lost everything in my life,” Arace said in 2004. She got in trouble for passing along, among other things, a joke email with the subject line “Vote Hillary” and an attached picture of US Senator Hillary Clinton’s head pasted onto the body of a woman flashing her breasts. “You get a simple email like this, you read it, you chuckle, forward it on, click. Done deal. You don’t think of the policy, because everyone was doing it.”

There are plenty of valid reasons for companies to monitor their workers’ computer use. Productivity is one. A 2005 survey by salary.com and America Online found that employees on average wasted at least two hours a day-much of it online-doing things other than work, at an annual cost to businesses of about $759 billion.

And people waste time in many ways. Pavan Duggal, a New Delhi Supreme Court advocate specializing in cyber laws, knows of a young employee at a Mumbai call centre whose organization’s surveillance webcams “caught her,” as Duggal puts it, “in a compromising position with a male visitor in her cabin.” She was fired.

Improper computer use can also spell legal trouble. Downloading pirated music or movies onto a work computer can prompt a copyright-infringement suit. Viewing pornography or sending sexually suggestive emails can lead to sexual harassment claims. No business wants to end up like Chevron, which had to pay $2.2 million to female employees after male workers circulated offensive emails. (The message contained in one: “25 Reasons Why Beer Is Better Than Women.”)

Says Nancy Flynn, the ePolicy Insti-tute’s executive director and author of books on workplace computing rules, “If a company gets embroiled in a lawsuit, you can take it to the bank that its email will be subpoenaed.”

Security is another concern. Porn, gambling and gaming sites, for example, can harbour viruses and other malicious programs that load onto a computer secretly and allow outsiders to damage a network or make off with sensitive information.

Companies also have competitive reasons to keep tabs on workers. Dan Geer, vice president and chief scientist at Verdasys, a data-security company, recalls installing the company’s Digital Guardian system on the network of a company that makes video games, and catching a worker trying to steal the designs for a new game before its release. This worker, Geer says, had logged in to a credit union site, ostensibly to handle personal banking. What he was actually doing was opening the door to an accomplice who had himself hacked into the credit union’s network and was waiting there to swipe the game files.

Companies are using two types of spying software: network-based programs that monitor all traffic passing through a system, and programs that sit directly on an employee’s desktop.

Vericept Protect is an example of the first type. The software searches all correspondence for any indication that employees are accidentally or maliciously communicating sensitive data, and blocks it. Vericept also claims it can examine the tone of an email to detect job dissatisfaction. Someone who sends a message saying “I hate my job” or “You’re not going to believe what my idiot boss did today” could be poised to upload company files in anticipation of leaving the job.

Vericept makes products to monitor other Web activities as well. Paul Pilotte, a senior product manager at the company, says it helped one client fend off a harassment suit filed by a senior employee who claimed someone had left printouts from an adult website in her office. The company planned to give her a large severance package until it used a Vericept tool to examine her Web use. That search, Pilotte says, found that the employee had printed the pages herself. On another occasion, Vericept helped catch a worker who had installed a keylogger on a manager’s computer to extract the boss’s passwords.

Products that monitor an individual desktop have names like Remote Spy and NetVizor. These can record everything a person types, from bank passwords to the names of illnesses searched on WebMD. It also logs and monitors emails sent and received (including those in personal Yahoo!, Hotmail and Gmail accounts), instant message chats, and the names of documents opened or printed. They can even capture a snapshot of a computer screen, providing an employer with a replica of what the employee is seeing on his or her monitor. (Another product called Mobile Spy takes some of the same stealth surveillance to company-issued cellphones by allowing the boss to view a log of phone numbers called and see every text message sent.)

Kelly Todd, information-services security analyst for Securities America Financial Corporation, an independent broker dealer with several hundred employees, won’t say what kind of software his company uses. But he does say as soon as “somebody types an email and hits Send, before it even gets to the central email server, it goes through a system that archives the email.”

No one “sits there reading email,” he adds. But employees know that they’re being monitored. “We tell them, If you’re not willing to stand on your desk and shout something across the room, don’t put it in an email, because somewhere down the road, someone will read it.”

Most large companies are like Todd’s, says Lawrence Orans, an analyst for Gartner Research: They monitor overall email traffic and only target a worker if a problem pops up. But it’s well known that companies don’t always communicate their computer-use policies adequately, as was the case with Rohini Srinivasan, who only wanted to do more work for her employer from home. But if you’re not lucky enough to have, like her, a superior who acted in all fairness and pointed out the lack of communication, employees have little protection.

No law compels a firm to reveal to employees that surveillance software has been installed. Cyber lawyer Pavan Duggal points out that, in India, there is no particular law of privacy. And, if there be any, it’s derived only from the Fundamental Right to “life and personal liberty,” which the law interprets as one protecting an individual’s right to privacy as well.

“India’s Information Technology Act, too, is completely silent on almost all aspects of privacy,” adds Duggal. “There is no law to prevent an employer from infringing on an employee’s privacy. Article 21 of the Constitution [Fundamental Rights] has been interpreted by the Supreme Court to include the right of privacy but it is enforceable against State action only, and not against private entities. And it is reasonable to presume that an employee should have no expectation of such privacy at an employer’s premises, while using the employer’s assets.”

Chirag Unadkat, CEO of Wesra, a Mumbai internet security and audit company, too, feels employers are well within their rights to take steps to protect themselves against employees who waste time or act maliciously. “In my opinion it’s alright to have monitoring technology even without an employee’s knowledge,” says Unadkat. “That is the best way of catching an employee who may be working against the interests of the company.”

But civil liberties groups, trade unions and privacy lawyers worldwide will disagree, especially given the limits to which workplace spying will go. Last month, The Times of London reported that Microsoft had applied for a patent for new spy software that monitors employees’ productivity, physical wellbeing, competence and workplace frustration levels through wireless sensors that measure such things as heart rates, brain signals, facial expressions, blood pressure, body temperature and respiration rate! (Microsoft refused to comment on the patent application.)

It seems that technology will continue to creep unabashedly into the workplace. So, if you blog, forward naughty email, flirt, chat, search for a new job, or crib about your boss online, just remember that it’s safest to use your own computer for any of that in the comfort of your home.



The Future of Employer Snooping


Some companies are going beyond the desktop to monitor their employees.

Radio frequency ID chips in employee key cards serve the same function as time-clock punch cards, allowing employers to know when workers enter the office and even track their movements within a building. One downside: The cards can be lost or stolen. In 2006 CityWatcher.com, a video-surveillance firm, dealt with that flaw by implanting RFID chips in the arms of two willing workers authorized to enter a secure room holding government surveillance videos.

GPS-enabled cellphones can serve a similar function outside the office, transmitting signals that alert supervisors when a worker leaves a particular building, and mapping his or her movements on a computer screen.

Geofencing technology by a company called Xora can be incorporated into cellphones. Once installed, it can send email alerts when an employee drives too fast or loiters too long in one spot. Employers can also designate specific areas-bars, sports venues, home addresses-as off-limits during work hours. Phones can then send an alert if a worker strays into the prohibited locations.

Biometric devices are increasingly being deployed by private companies and government agencies to control building access. Scans of workers’ fingerprints, irises or retinas can be used in conjunction with, or in place of, electronic badges. Wasp Barcode Technologies makes a biometric attendance-tracking system that requires employees to place a finger on an electronic reader instead of punching in with a time card. A worker playing hooky can’t have a buddy clock in for him. Unlike the RFID chip in an electronic ID badge, a biometric marker can’t generally be tampered with (though there have been claims that fingerprints can be duplicated). To Frederick Lane, author of The Naked Employee, biometric scans raise significant privacy concerns. One issue: The retina may indicate the presence of some diseases, such as AIDS, a congestive heart condition and hypertension. “If someone worked at a company for a long time,” he says, “you could probably take a series of snapshots of an individual retina over a period of time and make an inference if they were developing some medical condition.”

7 Rules to Live By


Some simple tips for what to do-and not do-when using your work computer:

* Know your company’s computer-use policy and comply with it.
* Assume you’re being monitored, and behave accordingly.
* Never bad-mouth your company online.
* Don’t use personal email accounts or post to a blog.
* Avoid transmitting any message that could embarrass you or others if made public.
* Don’t think instant messaging (chat) is less permanent than email.

When surfing the Web, never click on something flagged NSFW (not safe for work).