by G. Daryl Nord, Tipton F. McCubbins, and Jeretta Horn Nord
E-Monitoring in the Workplace: PRIVACY, LEGISLATION, AND SURVEILLANCE SOFTWARE Protecting the corporation while respecting employee privacy— an old puzzle made more complex with new software.
“Through advanced computer technology, employers employees. Workplace monitoring has existed for a can now continuously monitor employees’ actions with- long time in one form or another and will undoubt- out the employee even knowing he or she is being edly continue to proliferate and become increas- ‘watched.’ The computer’s eye is unblinking and ever- ingly sophisticated as technology advances. This present. Sophisticated software allows every minute of article examines the employer/employee workplace the day to be recorded and evaluated [1].” privacy relationship, identifies the existing federal and state law governing workplace privacy, and dis- ncreasingly, personnel in institutions world- cusses the rapidly developing monitoring software wide use email and the Internet on a daily market. basis at work. This daily reliance and depen- dency on technology has created new issues WORKPLACE PRIVACY Iwith respect to employee privacy in the workplace Most U.S. citizens are accustomed to the expecta- and has added new stress to the employer-employee tion of privacy. Privacy, as defined by the Merriam- relationship. Employee privacy, long considered a Webster dictionary is a: the quality or state of being basic right, is often taken for granted by employees. apart from company or observation; b: freedom However, as a result of technological monitoring, from unauthorized intrusion
COMMUNICATIONS OF THE ACM August 2006/Vol. 49, No. 8 73 Do you know anyone who occasionally takes a sending of sensitive data via email attachments as well moment out of his or her day to check a stock quote, as the ongoing concern of viruses entering the busi- sports score, or movie listing online at work? As of ness from outside communications. Consequently, January 2002, approximately 55 million U.S. adults employers are monitoring employee’s computer and accessed the Internet at work, up from 43 million in Internet access to a greater degree than in the past. As March 2000. Fifty-five percent of those with Inter- illustrated in Table 1, the American Management net access at work went online on a typical day in Association surveys conducted from 1999 to 2001 2001, compared to 50% in 2000, and many were and again in 2005, exposed the growing trend of going online more frequently throughout the day employer monitoring of employees’ computer files, than they had in 2001T able[10]. 1 . SurvMoreey than Results 72% by ofAMAemail on Employ messaging,ee Monitoring. and Internet connections [2]. Internet users do more than just surf the Web. Pop- According to another recent AMA survey, the ular Internet activities include instant messaging, 2003 E-mail Rules, Policies and Practices Survey, downloading music, and over half (52%) of watching video clips [9]. 1999 2000 2001 2005 employers monitor email. In another Internet Storage and review of computer files 21.4% 30.8% 36.1% 50% Three-fourths of the work-related study, Storage and review of email messages 27% 38.1% 46.5% 55% 1,100 employers surveyed
Yankelovich Partners dis- Monitoring Internet connections NA 54.1% 62.8% 76% have put written email covered that 62% of policies in place. And workers go online at Table 1. Survey results by AMA 22% have terminated an employee for violating work for personal rea- on employee monitoring. email policy [3]. sons at least once a day, while about 20% do so 10 or more times a day. In a FEDERAL PRIVACY LEGISLATION IN THE WORKPLACE 2002 study by the Computer SecurityNo Instituterd table 1Most (8/06) U.S.-based employees assume they have a con- (CSI), 78% of polled enterprises reported employee stitutional right to privacy. However, constitutional abuse of Internet access privileges by workers, rights to privacy are generally inferred through the including downloading pirated software or pornog- U.S. Constitution’s Fourth Amendment’s rights to raphy, shopping on the Internet, and inappropriate freedom from unreasonable search and seizure. use of email systems. These studies readily show the These freedoms usually apply only to state actions. escalating magnitude of non-work related Internet In an employment context, state actions are fairly use at work. narrowly limited to protecting federal, state, and municipal employees. Private-sector employees must mployers want to make sure their employees look elsewhere for protection. Possible sources for are using company time productively and such protection from employer snooping include not creating a legal liability for their business federal legislation and state common law tort actions as a result of harassing or offensive commu- such as invasion of privacy [4]. Enications. A recent study revealed that 10% of U.S. The primary piece of federal legislation suggest- companies have received subpoenas resulting from ing employee privacy interest is the Electronic Com- employee email [5]. In addition, employers have secu- munications Privacy Act (ECPA). However, there rity concerns relating to the intentional or accidental are three exceptions under the ECPA that effectively
Workplace monitoring has existed for a long time in one form or another and will undoubtedly continue to proliferate and become increasingly sophisticated as technology advances.
74 August 2006/Vol. 49, No. 8 COMMUNICATIONS OF THE ACM eliminate any substantial expectation of privacy an The third exception is the “consent” exception. If employee might have with respect to his/her at least one party to the communication is either the employer. party who intercepts the communication or gives The first of the ECPA exceptions is theT “providerable 2. Survconsenteillance Capabilitiesto the interception of Monitoring then the Softwa ECPAre has not exception.” If an employer actually owns and is pro- been onviolated. the Mar Theket Tod“consent”ay. exception apparently viding the telephone, email, or Internet services to applies even when the sender of the intercepted the employee being monitored, there is little doubt that the The workplace end user types any keystroke in any window on his/her remote PC, that text appears on the employer is protected from network administrator’s screen in real time or archived to a corporate server. employee privacy claims. How- Typed text that is monitored may include email messages, online chat conversations, documents, passwords ever, if the employer is merely and all other keystrokes. providing email services through The network administrator can view the actual screen of the workplace desktops being monitored. a third-party Internet provider, it Internet usage can be monitored in real time and a log file recording of all Internet activity can be made. is not as clear that the employer A spy module can see and list software running on the remote PC and can view in real time the software would enjoy the same protection. applications and run executions.
Nevertheless, given the fact the A record and activity log for all workstations on the local or shared network location can be produced. employer is “providing” the Monitoring software provides the ability to take snapshots of a remote PC screen or active window in provider, coupled with the gener- specified time intervals and save them on the local or shared network location. ous interpretation that most The workplace user's system can be turned off, restarted, and actually logged completely off the network. courts have granted employers, The network administrator can run programs and execute commands on remote computers, open Web there is good reason to believe pages or documents, send instant messages for remote users, and terminate remote processes. that even these providers of Files can be readily copied including logs and screenshots from the desktop computers. The administrator providers would enjoy protection can have the same file access permissions, as a current user has on the workplace computer. from employee privacy suits [7]. Multiple employee computers can simultaneously be monitored from a single workstation in the LAN. The second exception is the Workplace surveillance software that runs on monitored computers is hidden and difficult for an employee to locate or even know that the software is present and monitoring their every keystroke. The monitoring “ordinary course of business” software usually cannot be terminated without the network administrator's permission. exception. It really provides an exception to the definition of an electronic device, and therefore Table 2. Surveillance communication has been assured that all email com- capabilities of excludes the employer’s monitor- monitoring software munications would remain confidential and privi- ing from the ECPA and the on the market today. leged. NoIn Srdmyth table v. The 2 (8/06) Pillsbury Company, Smyth employee protections provided sent his supervisor emails that contained inappropri- therein. Under this exception the ate and unprofessional comments from Smyth’s employer may monitor employee communications home computer. The supervisor received the email to ensure such legitimate business objectives as assur- over Pillsbury’s email system. The email included ing quality control, preventing sexual harassment, such statements such as “kill the backstabbing ...” and preventing unauthorized use of equipment, such and referred to the company’s holiday party as the as excessive telephone or email usage. “Jim Jones Koolaid affair.” At a later date the com- However, the “course of business” language also pany intercepted these email messages and termi- implies a limitation on the extent of monitoring in nated Smyth’s employment based upon their the event the employer discovers he has accessed a content. personal conversation. In monitoring telephone con- Although the court did not explain exactly how versations it is well established that employers can the interception took place, the email messages were continue to listen only for so long as it takes to deter- apparently retrieved from storage with the supervi- mine the conversation is in fact personal. At that sor’s consent. As a result of the consent, even the point, the employer must cease the surveillance. The prior promise of confidentiality did not provide the case setting the standard for this limitation is a 1983 employee with privacy protection. case dealing with the use of the telephone. A thor- ough examination of the standard as it applies to STATE PRIVACY CASE LAW email usage has not yet occurred, but a similar appli- The common law tort of invasion of privacy is rec- cation should probably be expected. However, at ognized by most states. The Restatement (Second) least one case has suggested that no monitoring of an of Torts §652B defines invasion of privacy as: employee’s personal email may be allowed without “...intentionally intruding, physically or otherwise, prior notification [8]. upon the solitude or seclusion of another..., if the
COMMUNICATIONS OF THE ACM August 2006/Vol. 49, No. 8 75 Along with the ever-increasing exploitation of technology in the workplace has come the capability for employers to see and measure nearly every aspect of company usage.
intrusion would be highly offensive to a reasonable tinguish between illicit information being carried person.” Employees have tried to use this tort as a through public space from the front door of a busi- protection for privacy in the workplace. Although it ness to an employee’s locked storage locker and an shows some potential for privacy protection, it has email message sitting in an inbox before being trans- generally stumbled over two problems. The first is ferred to a protected personal folder, such distinc- that the employee must have a reasonable expecta- tions are not so obvious as to deny a need for tion of privacy, and the second is that the intrusion recognition. However the court seemed sufficiently would be highly offensive to the reasonable person. confident in its analysis that it did not address the In McLaren v. Microsoft (1999), Microsoft made issue. available to McLaren, as part of his employment, use In determining that the intrusion was not highly of an email system owned and administered by offensive, the court properly recognized the impor- Microsoft. McLaren had the right and ability to tance of whether the intrusion was justified. The store email he received either in the server-based fact that McLaren was under investigation, and that “inbox” or in a “personal folder” protected by a per- he had notified Microsoft that the email was rele- sonal store password. As part of a harassment inves- vant to that investigation, clearly support the court’s tigation, Microsoft decrypted McLaren’s personal finding that Microsoft’s actions were justified. store password and broke into his personal folder Therefore, they were not highly offensive even even though it had been specifically requested by though the actions had been specifically forbidden McLaren not to do so. by McLaren and led to his dismissal. McLaren argued that the password-protected per- sonal folder was basically the same as a locked stor- COMPANY ELECTRONIC COMMUNICATIONS POLICY age locker provided by a company for employees to In a case [11] in which the California Appellant store personal items in while at work. It has long Court ruled in favor of the employer strictly on the been accepted that employees have a legitimate basis of a signed electronic communications policy, expectation of privacy with regard to such lockers. the court stated that at a minimum the policy However, the court rejected this argument. It stated should contain a statement that: that because the email was first received and stored in the “inbox,” which was subject to inspection, 1. Electronic communication facilities provided by McLaren could have no expectation of privacy sim- the company are owned by the company and ply by moving it to a protected folder. How this is should be used solely for company business. different from a telephone call that can only be 2. The company will monitor all employee Internet monitored long enough to determine if it is of a and email usage. It should state who may review business or personal nature the court did not the information, the purposes for which the explain. True, in this case, the fact that the email information may be used, and that the informa- messages were pertinent to a harassment investiga- tion may be stored on a separate computer [6, 7]. tion would make them subject to legitimate business 3. The company will keep copies of the Internet scrutiny. However, the court did not seem to rely on and email passwords. this fact in declaring a blanket open season on email 4. The existence of a separate password is not an monitoring. Second, although it is possible to dis- assurance of the confidentiality of the communi-
76 August 2006/Vol. 49, No. 8 COMMUNICATIONS OF THE ACM cation or other “protected” material. employee workplace privacy with the need for 5. The sending of any discriminatory, offensive, or employers to manage and protect company resources unprofessional message or content is strictly from non-productive, non-work related activities. prohibited. Federal and state legislation governing monitoring 6. The accessing of any Internet site that contains and workplace privacy will undoubtedly continue to offensive of discriminatory content is prohibited. evolve and be tested in the court systems. 7. The posting of personal opinions on the Internet There are many legitimate reasons for organiza- using the company’s access is strictly prohibited. tions to want to know what is occurring on their This is particularly true of, but not limited to, computer systems. Those reasons range from work- opinions that are political or discriminatory in place harassment, to loss of productivity, and even to nature. company sabotage. Therefore, it is easy to under- 8. Although not included in the court’s list, the stand why it would be prudent for companies to policy should clearly state potential repercussions have such a strong incentive to find a healthy bal- to the employee for violating the policy [4]. ance between employee privacy rights and organiza- tional concerns. c egally, these requirements are considered minimum standards that a sound policy References should meet. They should be clear and 1. American Civil Liberties Union (ACLU). Workplace Rights on Elec- tronic Monitoring, ACLU online archives; unequivocal, and they should be read and archive.aclu.org/issues/worker/legkit2.html. signed by each employee. However, the employer 2. American Management Association, AMA Research: Workplace Mon- L itoring and Surveillance, 1999, 2000, 2001 and 2005; should also remain aware of the employee’s normal www.amanet.org/research/archive_2001_1999.htm. human desire for reasonable amounts of privacy. 3. American Management Association, Survey on Workplace E-Mail Therefore the employer should try to minimize Reveals Disasters in the Making, May 28, 2003; www.amanet.org/press/amanews/Email_Survey2003.htm. unnecessary intrusion into this privacy expectation 4. Bloom, E., Schachter, M., and Steelman, E. Justice in a Changing in order to reduce the negative impact on employee World: Competing Interests in the Post 9-11 Workplace: The New Line Between Privacy and Safety. 29 Wm. Mitchell L. Rev. 897 (2003). morale. 5. Crimmins, J. Even federal judges come under surveillance when online. Chicago Daily Law Bulletin 147, 159 (Aug. 14, 2001). MONITORING SOFTWARE 6. Deal v. Spears, 980 F.2d 1153, 1155-1157 (8th Cir. 1992). 7. DiLuzio, S. Workplace E-Mail: It’s Not as Private as You Might Think. Along with the ever-increasing exploitation of tech- 25 Del. J. Corp. L. 741 (2000). nology in the workplace has come the capability for 8. Kopp, K. Electronic Communications in the Workplace: E-Mail Mon- employers to see and measure nearly every aspect of itoring and the Right of Privacy. 8 Seaton Hall Const. L. J. 861 (1998). 9. Neilson//NetRankings, U.S. Online Population Internet Use. (Dec. company computer usage. The dilemma that 18, 2002); www.nielsen-netratings.com/pr/pr_021218.pdf. employers must resolve is how to balance the obvi- 10. Pew Internet & American Life, Getting Serious Online: As Americans Gain Experience, They Use the Web More at Work, Write Emails with ous benefits of employee use of technological tools More Significant Content, Perform More Online Transactions, and with the risks inherent in providing those tools to Pursue More Serious Activities, (Mar. 3, 2002); employees. As stated earlier, many employers have www.pewinternet.org/reports/toc.asp?Report=55. 11. TBG Insurance Services Corporation v. The Superior Court of Los Angeles sought to achieve this balance by electronically mon- Co.; Robert Zieminski, Real Party in Interest, 96 Cal. App. 4th 443; itoring the use that their employees make of email, 117 Cal. Rptr. 2d 155 (Cal. App. 2002). the Internet, and other computer-related activities. Monitoring software allows employers to see, G. Daryl Nord ([email protected]) is a professor of Management Science & Information Systems in the William S. Spears measure, and manage employees’ computer systems, School of Business, at Oklahoma State University, Stillwater, OK. monitors, disks, software, email, and Web and Inter- Tipton F. McCubbins ([email protected]) is an net access. The software can automatically archive all associate professor of Legal Studies in Business in the William S. collected information into a corporate network Spears School of Business, at Oklahoma State University, Stillwater, OK. server for review at a later time. The list in Table 2 Jeretta Horn Nord ([email protected]) is a professor of illustrates the many capabilities of typical monitor- Management Science & Information Systems and Associate Dean for ing software readily available on the market today by Undergraduate Programs in the William S. Spears School of Business, companies such as Spectorsoft and DynaComm. at Oklahoma State University, Stillwater, OK.
Permission to make digital or hard copies of all or part of this work for personal or CONCLUSION classroom use is granted without fee provided that copies are not made or distributed E-monitoring and employee workplace privacy are for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute issues that will continue to present questions and to lists, requires prior specific permission and/or a fee. problems for some time to come. In addition, it looks as if there will be ongoing efforts to balance © 2006 ACM 0001-0782/08/0800 $5.00
COMMUNICATIONS OF THE ACM August 2006/Vol. 49, No. 8 77