Cyberveillance

By CHARLOTTE FALTERMAYER

How's this for a nightmare? You are passed over for a promotion. You go ballistic and start typing an e-mail to a co-worker, ranting about your boss and how you're thinking about suing the company for discrimination. Then your rational side kicks in. You realize that maybe you weren't the best candidate and delete the message. End of story? Not quite. It turns out that every character you typed, errors and all, has been stored for the boss to see. You get a call from the corner office. Mr. Bullmoose would like to see you.

Something right out of an updated Orwell, circa 2084. Except there's no need to wait that long: it's going on today. In offices around the U.S., managers are installing software that monitors their employees' computer activity, both online and off-line--every message sent, every website visited, every file formatted and, perhaps most Orwellian of all, every key stroked, even if the employee never stored the data. And you may never know it's all happening.

About 17% of FORTUNE 1,000 companies, along with half a dozen federal agencies, now have so-called monitoring software, according to International Data Corp., a research firm in Framingham, Mass. The figure is expected to jump to 80% by 2001. And about 12% of companies in an American Management Association survey said they do not notify their employees of their monitoring activities.

Increasingly, corporations are using sanctions against violators of their rules on computer use. Twenty-eight percent of companies in the A.M.A. survey said they have dismissed employees for misuse or personal use of telecommunications equipment. Last year Xerox fired 40 employees for what it deemed inappropriate use of the Internet, and the New York Times axed 23 workers for sending what were considered to be obscene e-mails on company computers. "We are on the verge of creating a surveillance society in the workplace," says American Civil Liberties Union associate director Barry Steinhardt. Monitoring advocates reply that the threat of intellectual-property theft, lawsuits and just plain goofing off by employees warrants a little--or a lot of--spying.

At the moment, monitoring for most companies means tracking e-mail and Net use. Elron Software of Burlington, Mass., makes Message Inspector, a program that sniffs out inappropriate terms--as defined by whoever owns it--from incoming and outgoing e-mails. When it finds one, the program obliterates the e-mail or records it in a company database. San Diego firm Websense offers Websense Enterprise, a Trekkie name for a program that blocks access to inappropriate Web pages and logs every minute employees spend on each site.

The surreptitious off-line capabilities of snooping programs are creating a booming industry. Off-line surveillance means someone spying on anything you do while not connected to the Net. That includes simple word processing like constructing drafts or writing in a diary. The most far-reaching programs keep a log of every letter you type and delete. "Scanning for key words and websites is not rocket science," says Jonathan Penn, analyst at Giga Information Group, an e-business advisory firm in Cambridge, Mass. "We're talking about something that's soon going to approach a billion-dollar market."

Just how sophisticated is the technology? Look at what Corporate Defense Strategies of Maywood, N.J., has on offer. Last year managers at a New York City import-export company suspected it was being robbed by two employees. CDS advised the firm to install Investigator, a software program that could furtively log every single stroke of the suspects' computer keys and send an encrypted e-mail report to CDS. Investigator revealed that the two were deleting orders from the corporate books after they were processed, pocketing the revenues and building their own company from within. The program picked up on their plan to return to the office late one night to swipe a large shipment of electronics.

Last February, as police hid in the rafters of the firm's warehouse, the suspects gained entry, only to get a big surprise. The pair are charged with embezzling $3 million over 2 1/2 years, a significant chunk of revenue for the $25 million-a-year firm. They could face 10 to 12 years in prison.

Investigator is the brainchild of WinWhatWhere Corp. in Kennewick, Wash. It monitors all PC activity, including programs running, and traces any files that are being copied and moved, deleted or renamed. Says creator Richard Eaton: "We're monitoring your off-line Solitaire game, things you've written in a chat room, documents you print on the company letterhead that you don't even save." Investigator retails for as little as $99 a copy and comes with an optional banner to notify anyone under surveillance of its presence. But the program will also do bizarre things to stay concealed, such as duplicate and reidentify itself. Since Investigator made its debut in 1998, it has been installed in 7,000 locations. Version 3 will be out in a month or two.

Programs like Investigator have the law on their side, explains Amelia Boss, chairwoman of the American Bar Association's business law section. Employers are free to monitor an employee's use of their networks so long as they don't violate labor and antidiscrimination laws--by targeting union organizers, for example, or minorities. Existing constitutional, statutory and common-law doctrines have not been interpreted to cover employee monitoring. Some union contracts limit an employer's ability to monitor during downtime like lunch hours, but they typically don't bar monitoring altogether. And while federal law prohibits wiretapping and the monitoring of private phone conversations, it does not preclude an employer from monitoring its own systems. Only Connecticut has so far passed a law mandating notification of e-surveillance.

That concerns the A.C.L.U. and others. Says Adam Clayton Powell III, vice president of the Freedom Forum, which defends the First Amendment: "The vast majority of employees are unaware of the extent to which monitoring goes on." Nonetheless, the A.C.L.U.'s Steinhardt says his offices are getting more frequent calls from spooked employees. "There's not much we can do," he says. "The technologies are developing at light speed, while the law that protects us from their misuse is developing at the speed of a tortoise." Still, the law may catch up. The California legislature is reintroducing a notification bill that was vetoed in October by Democratic Governor Gray Davis. Last month Senator Charles Schumer of New York introduced the federal Notice of Electronic Monitoring Act, which has a similar aim.

Whatever position employers take on notification, those who monitor say their technology is worth it and offer some sobering numbers. A survey by the Computer Security Institute and the FBI found that 71% of respondents had detected unauthorized access to systems by insiders and that 79% had detected employee abuse of Internet privileges. In 1995 Chevron Corp. paid $2.2 million to four female employees who asserted that they had been sexually harassed because of jokes sent through the company network. For abuses to end, snooping proponents argue, monitoring must take place. Eaton, an A.C.L.U. member who supports notification laws, touts his product's positive and practical uses: "It can not only prove guilt--it can prove innocence."

But as the technology advances, so will the demand for privacy in the e-workplace. Until a new balance is struck, however, you'd better start leaving the building when you want to talk trash about your boss. And don't forget to look over your shoulder.