Your boss may be monitoring your e-mail

Personal computers were supposed to liberate the workplace. So why do so many companies use them to spy on workers?

Published December 8, 1999 5:00PM (EST)

Worried that your boss knows you've been checking out those nudie sites and sending dirty jokes? You should be.

Just last week the New York Times fired 20 employees at a Virginia payroll processing center for violating corporate policy by sending "inappropriate and offensive" e-mail, and the Navy reported that it disciplined more than 500 employees at a Pennsylvania supply depot for sending sexually explicit e-mail. Xerox fired 40 people in October for violating company computer policies and Boeing has fired a few on similar grounds too. Such cases hardly come as a surprise: 45 percent of major U.S. companies engage in "electronic monitoring of communications and performances," according to a 1999 survey conducted by the American Management Association (AMA).

Many firms contend that this "monitoring" -- defined by the survey as the storage and review of e-mail, voice mail messages, computer files, even telephone conversations and videos of employee job performance -- is a tool to measure employee productivity. Some companies, including the Times, only check employee e-mail when they've been apprised of a violation of corporate policy, but others routinely monitor computer activities to identify employees who are slacking on the job or whose X-rated surfing habits or e-mail messages could potentially expose a company to sexual harassment suits. And surveillance software marketed by companies like Telemate.Net promises even more. Telemate.Net says it can help employers detect security breaches, "monitor employees' compliance with Internet and voice network usage policies and detect abuse" and "measure productivity of Internet and telephone-based sales activities."

"After all, an employee's at work to do work," says Eric Rolfe Greenberg, director of management studies at the AMA. "Employers have a legitimate interest in a worker's performance."

Privacy advocates, of course, are up in arms. "Companies should not be monitoring their employees unless they have proof they're failing to complete their work or misusing company resources," says Andrew Shen, a policy analyst for Electronic Privacy Information Center (EPIC). "To do so is a violation of their right to privacy."

Wouldn't you be absolutely irate if you found out your company was recording and listening to the phone calls you made? It's a practice that would be understandable if those calls related directly to your job performance, as they would if you were a telemarketer, but not in too many other industries. Why shouldn't employees have the same expectations about their e-mail or meanderings on the Web? It is called a personal computer, after all.

But the troubling truth is that employers can monitor every word typed and every site visited on a company-owned computer -- and be completely within the law.

Unlike a cop wiretapping your phone, your boss needs no subpoena, no suspicion that you've ever wasted an iota of company time, before reading your e-mail or employing surveillance software to track your Web surfing habits. And there are few laws challenging the corporate view that any information sent or received by an employee's computer is company property. Connecticut is the only state, according to the American Civil Liberties Union (ACLU), whose laws require companies to disclose their monitoring practices to employees. Not a single state has outlawed the practice.

"Our policy essentially says e-mail is primarily a tool for business communication and, like any other communication here, [e-mail messages] must be consistent with conventional standards of ethical and proper conduct, behavior and manners," says New York Times spokeswoman Nancy Nielsen. She declined to give any details about the alleged e-mail transgressions of the staff at the Norfolk, Va., payroll-processing center -- although an article in the Virginian Pilot reported that the incident involved "X-rated e-mails ... a mix of jokes and photos such as attachments of nude celebrities."

Of course, anyone with an e-mail address knows it's next to impossible to keep your in-box free of dirty jokes and sexually explicit JPEGs. If my in-box is any judge, even in this era of sexual harassment suits, a lot of professional people have no qualms about forwarding a little X-rated fun on to friends and colleagues.

Civilian and military employees of the Navy are apparently no different. A Navy investigation begun in May revealed that 500 people at a Mechanicsburg, Pa., supply depot had traded sexually explicit cartoons and photos or sexually suggestive jokes and stories; nine were suspended from work and letters of reprimand or admonishment were sent to several hundred others. "This poses a threat not only to the overall sexual harassment-free climate, but to the public trust reposed in us all to use government resources wisely," read a July memo to base employees.

Ostensibly, employers monitor employee's computer activities to avoid sexual harassment lawsuits and improve productivity. Yet, if these are the only reasons management is interested in employees' electronic activities, why wouldn't they inform workers of their surveillance policies? Wouldn't employees be less likely to engage in "inappropriate" behavior if they knew they were being watched?

"I don't think anyone would deny sexual harassment lawsuits are a significant problem for employers," says Jeremy Gruber, legal director for the ACLU's Workplace Rights Project. But, he adds, the threat of such suits doesn't justify wholesale monitoring of all employee communications.

"Simply because an employee is on a pornography site doesn't mean a company is automatically liable," he says, dashing a common theme of corporate mythology. An employer would be liable only if he or she knew (or should have known) that an employee was feeling harassed because of another employee's surfing habits, he says, and that he or she did not take proper action against the employee who was visiting the offensive site. Similarly, an employer would have to be informed that an employee was sending sexually explicit e-mail to someone who did not want to receive it for the company to be liable. "Employers have used the threat of sexual harassment lawsuits as a justification for generalized, random monitoring ... and this random monitoring without cause is an overreaction and an invasion of employee privacy."

Nielsen wouldn't discuss exactly what transpired at the Times, but at least one person who claims to be among those fired says there was nothing unusual going on. "I personally never downloaded porn," writes "landrol," in an online discussion on the Virginia Pilot site. "I may have received it in my e-mail, unsolicited, but never once did I seek out and download it ... I think there are more effective ways to deal with this sort of incident. The company went way overboard."

"It sickens me to hear the media portraying it as some sort of porno ring when it wasn't," he continues. "You can't tell me that other organizations don't circulate jokes within their e-mails."

Nielsen had little to say about "landrol's" defense. "We don't discuss internal employment decisions but the matter was thoroughly investigated and the decision was well-founded," she says. The Times sent out a company-wide memo announcing the terminations and reminded employees that it "does not routinely monitor the e-mail communications of employees ... [but] we do investigate when a violation of the company's e-mail policy is reported."

Boeing and Xerox are among the companies that do routinely monitor employees. In October, the Xerox Corporation reported that it had terminated 40 people for engaging in online activities that violated company policies. Most engaged in "excessive abuse of the Internet by spending a majority of their work days visiting inappropriate sites" such as pornography and gambling sites, says spokeswoman Christa Carone. That behavior, she adds, resulted in productivity losses for the company.

"Xerox is able to review a lengthy log of all the Internet sites viewed by Xerox users as well as amount of time on each site," she said, describing the monitoring system the company uses. "From this log, we have identified several sites to monitor. From there, we can track down excessive abuse."

The ACLU's Gruber says such surveillance has increased over the past 10 years in large part because the cost of doing it has plummeted. Monitoring software is readily available and easy to implement. "If you have properly trained managers and supervisors, they should notice if an employee's productivity has dropped dramatically or is not up to a certain level, at which point it would be entirely justifiable for an employer to monitor him or her," says Gruber. "Random monitoring without cause, on the other hand, is a gross invasion of privacy."

Boeing, however, argues that a company can use surveillance and still create a healthy work environment. Employees "are allowed to use company-owned equipment for personal reasons during non-working hours, like before and after work or during lunch," says spokesman Bob Jorgensen, but they are warned that certain sites, including those that advocate terrorism, racial or cultural hatred or pornography -- should never be accessed, whether during work hours or not. "A company policy requires new hires to be informed of our Web monitoring," says Jorgensen, and all company computers issue a warning upon start-up to further remind workers that their computer use might be reviewed without their permission or notice.

Managers are reminded that people could land on a taboo site a few times without meaning to -- by clicking through the results of a search engine query, for instance. And workers are given verbal warnings and suspensions before being fired for repeated offenses. "Less than a dozen people [of 203,000 employees] have been fired to date because they continued to return to inappropriate sites," says Jorgensen.

But monitoring employee activities -- with or without due warning -- is invasive and unnecessary, say privacy advocates. "Upon entering the workplace, one does not lose one's rights as a citizen," says EPIC's Shen. "Just as one expects communications to remain private at home, so they should in the workplace -- especially considering how much of the monitoring takes place without any cause or suspicion."

The law, however, does not currently support EPIC's view. One harrowing tale about how little freedom of personal communication we have at work can be found in the story of Michael Smyth. In 1994 the Pillsbury Company fired Smyth for the transmission of what it deemed to be inappropriate and unprofessional comments after he sent an e-mail to a co-worker in which he called his employers "back-stabbing bastards." Smyth took Pillsbury to court, claiming wrongful termination.

As noted in the opinion issued by the Pennsylvania District Court judge who heard the case, Pillsbury had "assured its employees, including plaintiff, that all e-mail communications would remain confidential and privileged ... [and] that e-mail communications could not be intercepted and used by defendant against its employees as grounds for termination or reprimand."

Regardless, Smyth's complaint was shot down in 1996. The court ruled that his right to privacy was not violated since he shouldnt have expected e-mail messages sent through the company's system to be considered private -- even though he had been told by the company they would be.

Because of cases like Smyth's -- in which the Pillsbury Company violated a relationship of trust with its employee -- workers are, rightly, getting a bit paranoid about the e-mail they send at work. For it is a very real example of a conspiracy theorist's nightmare-come-true: Big Brother is watching, even when he assures you that he isn't.

Remember when the personal computer was hailed as a tool to empower the worker? Of course, for the most part, it is. But how empowering is it to learn that you have good reason to fear blowing off steam about your boss, or sending dirty jokes to your husband?

If you're hoping the government might come to the rescue, you'd better not hold your breath. In 1994, Congress defeated the Privacy for Consumers and Workers Act, which would have given employees fairly extensive protection from electronic monitoring, similar to that recommended by the ACLU. Though Sen. Conrad Burns, R-Mont., is sponsoring a bill to improve consumer privacy online, it seems no member of Congress is currently pushing legislation to protect workers' privacy.

The record is similarly thin on a state level. For instance, not only did California Gov. Gray Davis shoot down a bill in October that would have required firms to inform employees of monitoring policies before implementing them, but his own administration was reportedly monitoring its own employee e-mail, according to a story in the San Francisco Examiner.

The law may not require it, but employers should inform their workers of policies concerning computer surveillance practices, says the American Management Association. "Such behavior is simply good management and involves respect for people's right to know," says the AMA's Greenberg. "And you really can't have a deterrent effect unless people know the company is able to track you," he adds.

But simply disclosing surveillance practices is not enough, according to privacy advocates. The ACLU suggests that companies alert employees when they are being monitored and give workers access to all personal electronic data collected through monitoring.

"Even if employers notify employees that they monitor behavior -- and maybe even gain their consent to do so -- surveillance would still not qualify as a fair practice by any stretch of the imagination," says EPIC's Shen. "If an employee thinks it is unnecessarily intrusive, what would he or she do, quit? Informing employees that they are going to be monitored is nothing more than bullying them to gain tacit agreement."

And yet, as the Pillsbury victory shows, companies are compelled neither to inform their workers that they're being monitored nor to adhere to the terms they've presented about how they'll treat electronically transmitted information. Of course, such behavior has led to workplace tensions. Distrustful employees now self-censor their surfing to avoid being "busted" for visiting the "wrong" sites and they use Web-based e-mail (like the free accounts available on Hotmail or Yahoo) for personal communications.

Obviously, there's nothing wrong with keeping personal communications separate from work -- but it certainly goes against the grain of the mentality fostered by the Internet start-ups that gave birth to some of these communications technologies. To cultivate a round-the-clock work culture, in which people live in their office and are committed to the company's success above all else, you need more than stock options -- you need an environment in which people feel they can be themselves.

"We do not monitor our staff members' online activities," says Bob Young, chairman of Red Hat. "The reason is that if we did they'd quit. Seriously. And I wouldn't blame them one bit," he adds. "On the other hand we do hold them responsible for their online activities, in exactly the same way that companies have always held their staff responsible for any activities outside of work that affected the employer."

That attitude -- that you don't need a watchdog to keep your employees from wasting the whole day on porn sites -- certainly seems more prevalent at younger, smaller companies than old-school Fortune 500 firms. Indeed, it seems that low-level workers, whose job productivity can be measured in discrete numbers -- like the number of calls made or sales closed -- are the most likely to be monitored on the job.

"It is very easy to make a Big Brother story out of our survey findings," Greenberg cautions. "But a closer examination will confirm that such monitoring is focused on specific job categories like customer service and telemarketing, for the most part," he says. Supervisors often review an employee's communications in his or her presence as a means of evaluating his or her job performance.

While that may be true -- there is nothing to stop any employer from monitoring anyone's e-mail or surfing habits. "American employees in the private work force," says Gruber, "are absolutely without constitutional protection."

By Maura Kelly

Maura Kelly is co-author (with Jack Murnighan) of "Much Ado About Loving: What Our Favorite Novels Can Teach You About Date Expectations, Not So-Great Gatsbys, and Love in the Time of Internet Personals."

MORE FROM Maura Kelly

Related Topics ------------------------------------------

Aclu Privacy The New York Times