Is Your Cubicle (or Donut) Bugged?

When we think of wiretapping, our minds leap naturally to the image of a trench-coated FBI or CIA agent, hunched with earphones over a jumble of wires through which the bad guy's voice can be heard with startling clarity. There's some truth to that image (or at least there was), but the reality is far broader. While government agents obviously do conduct wiretaps, their efforts at surveillance are more closely monitored and subject to far greater restrictions than businesses, who have been able to listen in on the conversations of their employees with near-impunity for decades.

Fading Telephone Privacy at Work

Over the last century, improvements in technology have dramatically changed our expectation of privacy when making a telephone call. In the early days of the American telephone system, private phone calls were virtually nonexistent. It was cheaper for the phone companies to install and operate shared lines, which in turn made them less expensive for consumers; as late as 1950, 75 percent of all of the phone lines in the United States were party lines, shared by as few as two families or as many as twenty-four. ^[1]

To listen in on your neighbor's phone call, all you had to do was pick up your receiver. This was often regarded as a "feature" rather than a drawback; long before the phone companies introduced three-way and conference-calling technology, party lines enabled a number of neighbors to share the local gossip. The inherent appeal of party line technology was demonstrated in the 1980s, when phone companies introduced multiperson chat lines. The forerunners of today's Internet chat rooms and IRC channels, the party lines were best known for making it possible for teens to run up sometimes phenomenal phone bills.

In the latter half of the twentieth century, our privacy expectations regarding phone calls changed. The installation of advanced switching technology made it possible to dial numbers directly anywhere in the country without the assistance of an operator, who might be tempted to listen in. In addition, as the cost of telephone lines and equipment steadily dropped, the number of single-user lines increased, and consumers proved increasingly willing to pay for them. Over the course of a generation, we came to expect that a telephone conversation was as private as a face-to-face chat in our living room. ^[2]

Our privacy expectations regarding phone calls have been reinforced by the actions of the Supreme Court and Congress. After more than forty years of decisions upholding wiretapping because it did not involve a physical invasion of space, in 1967 the Supreme Court reversed itself in Katz v. United States, ^[3] holding that the constitutional protection from search and seizure protects people, not places. If we make a telephone call, the Court said, under circumstances that indicate a reasonable expectation of privacy, then government agents cannot intercept it without a warrant. Congress's Omnibus Crime Control and Safe Streets Act of 1968 was more of a mixed bag from a privacy point of view: While it did permit governmental agents to conduct wiretaps for the first time since the passage of the Communications Act in 1934, it also imposed strict requirements on the issuance of wiretap orders.

To a large degree, we have extended our expectation of privacy for phone calls to the workplace. For example, when we pick up the phone to make a call, we assume that no one is secretly listening in on an extension. In fact, one recent privacy poll found that 81 percent of us believe that employers have no right to monitor our phone calls at work. ^[4]

But employers do have a right to monitor our phone calls, so long as the monitoring is within "the ordinary course of business," which is why we so often hear the phrase, "This call may be monitored to ensure quality service" or some similar variation. Your employer can also monitor your phone calls when you give either explicit or implied consent. However, if your employer determines that you are making a personal call, he or she is supposed to stop any monitoring. As some commentators have pointed out, however, that loophole can give an employer 2–3 minutes of lawful eavesdropping. And not surprisingly, there is unequivocal evidence that some employers do not hang up at all.

In its 2001 annual survey of workplace monitoring and surveillance, the American Management Association estimated that 12 percent of the major U.S. corporations periodically record and review telephone calls, while 8 percent store and review voice mail messages. A far higher percentage (43 percent) monitor the amount of time that employees spend on the telephone, and check the phone numbers that have been called. Employers are motivated primarily by the impact excess phone calls can have on productivity, but also by concerns over the quality of customer service, possible loss of trade secrets, and security issues.

Tracking the phone numbers that an employee calls can be as simple as reading the monthly phone bill; a slightly more aggressive step involves installing a pen register, which records every number dialed from a particular phone. However, as computers and phones become increasingly integrated, more and more employers will be able to use PCs and software to track employee phone usage and produce detailed reports of all telephone activity.

According to Telemate.Net, one manufacturer of telephone monitoring software, over 20 percent of all workplace calls are personal. The company sells a software product called Telemate™ Call Accounting that a company can use to track all of the data generated by the company's telecom resources. The software allows management to identify "the calls and call patterns placed by individuals, teams, departments, and the organization." This software produces reports that:

• Identify call volume, topics, destinations, sources, length, frequency and peak calling times.

• Track account activity and build a marketing prospect/customer database.

• Classify phone numbers to identify potential productivity distractions.

• Integrates electronic calling card and DISA usage data to detect access code theft or fraud.

• Identify inbound callers to spot abuse or incorrect routing of 800 calls. ^[5]

Employers are particularly interested in such software because it helps them avoid concerns about the improper interception of employee telephone calls under the Omnibus Crime Control Act and the Electronic Communications Privacy Act; all the software does is analyze patterns of phone usage.

Employer Bugs and Wiretaps

One significant aspect of the 1968 Omnibus Crime Control legislation was that Congress excluded switchboards and other types of business equipment from the definition of "interception devices." The practical effect of that exclusion was that for another twenty years, businesses were able to continue their nearly century-long practice of listening in on workplace conversations ^[6] without fear of violating the new federal wiretap laws.

In the last fifteen years, there have been some efforts-most notably the Electronic Communications Privacy Act-to restrict the amount of eavesdropping that employers can do to their employees. Although the Act continues to favor employers, the threat of both civil and criminal liability has probably cut back on the amount of corporate eavesdropping that occurs.

Not surprisingly, however, there are no reliable figures on how many employers in this country are using hidden bugs and secret wiretaps to listen to their employees and their customers. In most states, it is illegal to record a conversation without the consent of all participants. The Granite Island Group, a Boston-based technical surveillance counter measures firm, offers a list of the signs that you may be bugged: ^[7]

• People seem to know your activities when they shouldn't.

• Your AM/FM radio has suddenly developed strange interference.

• Electrical wall plates appear to have been moved slightly or "jarred."

• The smoke detector, clock, lamp, or exit sign in your office or home looks slightly crooked, has a small hole in the surface, or has a quasi-reflective surface.

• Certain types of items have "just appeared" in your office or home, but nobody seems to know how they got there. Examples include clocks, exit signs, sprinkler heads, radios, picture frames, and lamps.

• You notice small pieces of ceiling tiles or "grit" on the floor or on the surface area of your desk. ^[8]

Magstripe Cards

Currently, the most widely available and heavily implemented technology for tracking employee movement is the same familiar magnetic strip (or "magstripe") found on the back of the country's more than 1.4 billion credit cards. Magnetic strip technology, which has been around since the early 1970s, is now commonly integrated into employee IDs.

The typical magstripe is a thin strip of plastic film containing thousands of small (1/20-millionths of an inch) magnetic particles. Using a magnetic field, the particles in various sections of a magnetic strip can be oriented to the North or South Pole. Once information has been recorded on the strip, it can be deciphered by a magstripe reader. ^[9]

Typically, an employer will issue IDs that encode certain information on the ID magstripe, such as an employee's name, ID number, security level, and so forth. Depending on the level of security in place at the company, the employee will have to swipe her ID through a magstripe reader in order to gain access to the parking lot, the front door, and/or various internal door-ways. The magstripe readers are typically wired into a network, so that when an employee swipes her card, the information in the strip can be verified by a central database. In addition, most such systems are specifically designed to record the date, time, and identity of each person who goes through a business's various checkpoints.

One drawback to a card reader system is that information about employee movement is collected only when the employee swipes his card. That limits the amount of information and level of detail that an employer can collect. An employer could set up a system that required employees to swipe their cards to go in or out of every door, but doing so has obvious practical difficulties, including cost and inconvenience. In addition, the hassle of constantly swiping an ID card would undoubtedly spur an employee rebellion. Magstripe cards have a number of other drawbacks. The physical process of swiping a magnetic strip tends to wear it out, which means that the strip eventually needs to be replaced. Exposure to a magnetic field can scramble or erase the data. And the structure for storage of data is well known, and the raw materials and software necessary to produce magstripe cards are readily available (thanks largely to the fact that the same technology is used on credit cards, which are a lucrative target), so they are all too easy to duplicate

The main concern for employers who use card readers (magstripe or otherwise) to monitor access and movement is the phenomenon of "tailgating," when one employee swipes his card and other employees pass through without swiping theirs. Some businesses have gone so far as to make "tailgating" a forbidden practice, and there's a growing industry of companies that market devices specifically designed to prevent tailgating. For instance, Designed Security, Inc., in Bastrop, Texas, offers a product called the ES520 Tailgate Detection System, which sounds an audible alarm or sends an alarm signal to a guard station if more than one person tries to pass the system on a single card swipe.

A challenge facing any employer who installs a security system is that employees often won't use it or will try to get around it. But security continues to be a critical issue—employers want the ability to know where their employers are and where they've been. As a result, employers are showing strong interest in tracking systems that require a minimum of employee participation. Until RFID technology becomes widespread, the leading candidate for more effective employee tracking is the incorporation of infrared technology into employee IDs.

The Heat Is On

Each morning when I go into the kitchen to turn on the teakettle, I pick up a small plastic box and press a bright orange button in the upper left-hand corner. Fifteen feet across the room, a shelf-top stereo system powers up and Vermont Public Radio begins providing me with the day's news and weather. The same technology is familiar to anyone who has purchased a television in the last twenty years—the infrared remote control, a device now widely blamed for robbing us of the eighteen calories per hour we would burn by actually getting up off the couch to change television channels.

Infrared remote controls, first introduced in the early 1980s, were a big improvement over earlier designs, which used wires physically connected to the television's dials, pulses of light, or ultrasonic signals. (The early designs all had serious drawbacks. Wire remotes were slow and sometimes made people trip; photovoltaic remotes don't work well in sunlight; and ultrasonic remotes often make dogs howl.) ^[10] Today's infrared remote control devices make use of a discovery that occurred 200 years ago, when Sir Frederick Herschel used a prism to split light into its component colors and measured the temperature of each color. He observed that the temperature increased as he progressed through violet, blue, green, yellow, orange, and red, and that the very highest temperatures were just beyond the red section of the spectrum. He concluded that there were invisible rays beyond red that behaved like visible light. Herschel coined the phrase "calorific rays" for the invisible beams; they later became known by their current name, infrared rays. ^[11]

Despite our inability to see infrared rays directly, Herschel's discovery has proven to be immensely valuable. Infrared cameras pointed out into space allow us to peer through interstellar dust clouds. Other cameras pointed earthward use the infrared portion of the spectrum to monitor the environment, track weather around the globe, and even discover centuries-old footpaths and prehistoric settlements. On Earth, thermal imaging cameras are used in a wide variety of applications, including the maintenance of mechanical systems, the testing of personal computer circuit boards, search and rescue efforts, and medical diagnosis.

The Active Badge System

The development of the infrared LED in the early 1960s has given rise to a huge number of applications, the most familiar of which is the remote control, and in 1989, researchers at the Cambridge University Computer Laboratory in Cambridge, England, began work on a system that incorporated infrared LEDs into employee identification badges. ^[12] After roughly four years of work, their research resulted in the development of the "Active Badge."

The basic concept of the Active Badge is straightforward. Employees are given a special identification card equipped with an infrared LED that sends out a unique code every fifteen seconds or so. If the card is within six meters of an infrared sensor (mounted on a wall or ceiling), the code is read by the sensor. The sensor is connected to a network of other sensors, all of which are linked to a central station. The central station periodically retrieves data from each of the sensors and uses the information to compile a map of each badge's current location.

As careful readers have already noted, the most obvious limitation of the Active Badge system is that it tracks badges and not people; it only tracks people if they actually wear or carry the badges, and more specifically, the badges that have been assigned to them. In the view of the designers of the Active Badge, the fact that you can take the badge off is one of the system's advantages:

There will always be some days when for whatever reason somebody does not wish to be located. This is easy to solve because the system tracks badges and not people. Anybody in this situation can easily remove their badge and leave it on a desk. The Active Badge system will now be fooled into concluding that person is somewhere where they are not. This kind of escape mechanism is not an undesirable system feature and may be an important factor in making this system acceptable for common use. ^[13]

Technically speaking, when an Active Badge is put in a drawer or an employee's pocket, it slowly goes to sleep (as a power-saving measure). The sensor network will continue to display the badge's last known location, but the likelihood of finding the badge at that location (displayed as a probability on the Active Badge information screen) will steadily decrease.

The question for employees is how well such disappearances from the sensor grid will be tolerated by their employers. In a work environment where there is a strong management expectation that employees will wear their Active Badges, periodically taking off the badge and "disappearing" from the sensor system will undoubtedly be perceived as negative behavior. Companies can (and sometime do) impose a requirement that employees wear an Active Badge at all times, but with a technology that immediately raises so many privacy hackles ("Let's see, George, it says here that you spent a total of two hours yesterday in the second floor restroom—are you feeling ok?"), employers are taking a more persuasive approach.

The chief benefit that employers offer in exchange for wearing the Active Badge is a more efficient workplace. The Active Badge system makes it easier to receive phone calls while moving around a building and makes it easier to locate coworkers. Call-routing, of course, is only one of the Active Badge's capabilities. The Active Badge system was designed with the following commands:

• WITH—a list of the other badges in the same area as the target badge

• LOOK—a list of badges currently located in a particular area

• NOTIFY—an alarm that goes off when a particular badge is picked up by the sensor system. (NOTIFY was designed to make it possible to deliver an urgent message to someone who had been out of the building and had just returned. It could be easily modified to sound an alarm when a particular badge enters an area where it is not authorized.)

• HISTORY—a log of the badge's location over a period of time

When the Active Badge was first developed, the period of history recorded was limited to a single hour, and the information was stored in dynamic memory, not archived to permanent storage. Back in 1992, storage was still quite expensive: roughly $4 per megabyte. By the summer of 2002, you could buy a 160-gigabyte hard drive for $229.98. One hundred sixty gigabytes will hold a lot of Active Badge data.

Infrared Badges at Work

By 1997, nurses in over 200 hospitals were wearing infrared badges. The manufacturer, Executone Information Systems, called its version the Infostar Infrared Locator System, and described it as "an infrared-based, wireless locating system to help healthcare staff quickly find people and equipment."

More recently, the lead in infrared badge technology has been assumed by Versus Technology, based in Traverse City, Michigan. Versus has been particularly aggressive in integrating telephone systems with the badge technology. Its PhoneVision™, Versus says, makes it possible for callers to "'see' (through the telephone) the location of the person [they] are trying to reach":

By wearing a lightweight badge which emits infrared signals containing location data, the individual's location is instantly available. The location information is received by the system and is accessible to users through the telephone. By simply entering the person's extension, PhoneVision™ identifies the exact location of a person at that point in time. Once a person is located, the user may choose to ring the nearest extension, hear a list of others at that location, or automatically be forwarded to voice mail. ^[14]

The chief benefit of its infrared badge system, Versus claims, is the ability to locate staff members quickly, improving staff efficiency and enhancing patient care. In addition to locating specific individuals, the Versus system can also be configured to display the badges of various groups in different colors, so that administrators can see at a glance the locations, for instance, of all the nurses or all the cleaning staff.

In addition to locating individuals, the Versus PhoneVision™ system is also designed to locate equipment. Any piece of equipment can be rigged with an infrared tag containing a unique code:

Simply dial into the system, enter the equipment's ID number, and PhoneVision™ will automatically identify its location. If desired, you may also choose to hear who is with the equipment or hear what other equipment is at that location.

There's some concern on the part of employees, and nurses in particular, that systems like PhoneVision™ will increase the tendency of management to look at them as merely bipedal pieces of equipment. Certainly, an infrared badge increases the granularity of the data available to an employer, i.e., the level of detail about each employee's activities during the course of the day. Employers argue that the additional information will help them evaluate internal processes to make them more efficient, and that the system will also help reduce ambient noise (since employees can be located quickly without having to be paged). Nonetheless, employees are concerned that the accumulated infrared badge data will be another tool to help employers demand additional work or deny salary increases.

Wash Up, Doc?

The next time that you're sitting in your doctor's office, ask yourself this question: Has she washed her hands since examining her last patient? Better yet, ask your doctor that question: The odds are less than one in three that she has.

How about the harried waitress who plucks your morning toast out of the toaster at the diner, or the prep cook who makes your midday Caesar's salad? According to the U.S. Food and Drug Administration, as many as 1,400 people die each year as a result of food poisoning that can be traced directly to poor restaurant hygiene. The chances that you might get sick are frighteningly higher—roughly one in fifteen Americans in any given year will spend a miserable day or night that a little soap and water could have prevented.

From the outset, employees have been concerned that the infrared badge technology can reveal private and potentially embarrassing information, particularly about time spent in the bathroom. That concern seems almost quaint today, given the fact that infrared badge technology is being integrated into systems that are specifically designed to monitor employee hygiene habits.

You might think that the bathroom is the last bastion of privacy, a scrutiny-free zone that even employers can't invade. That may once have been true, but the potential for ruinously expensive litigation is pushing employers to overcome even the most basic concerns. Even if no one actually dies, a wave of food poisoning can ruin a restaurant; likewise, a malpractice suit resulting from the death of a patient due to poor hygiene can cost a hospital tens of millions of dollars. When numbers like that are tossed around, employers have a hard time justifying a continued respect for employee privacy.

In the spring of 1997, a New Jersey-based company, Net/Tech International, Inc., introduced the Hygiene Guard system for use in food service and health care facilities. The system uses sensors in employee restrooms, including sensors on soap dispensers and faucets, to make sure that employees engage in proper hygiene. The first system was installed at the Tropicana Casino and Resort in Atlantic City, with others soon following at George-town University Hospital and the Willam Beaumont Army Medical Center in El Paso, Texas.

Like other infrared sensor systems, the restroom sensors are tied into a central network that maintains a log of each employee's adherence to proper hygiene procedures. If an employee leaves the bathroom without washing up, an entry is made in the employee's log on the main computer. The Hygiene Guard system can also be programmed to cause an employee's badge to start flashing if he fails to wash up properly. Data from the various logs can be sorted and printed out in a variety of ways, and preformatted reports are available that can be reviewed with specific employees or posted on an employee bulletin board.

A variant on the Hygiene Guard system is produced by a Weymouth, Massachusetts, company called UltraClenz, which manufactures the Pro-Giene system. UltraClenz works with employers to establish an appropriate hand-washing schedule, and then issues each employee an infrared badge that beeps and flashes each time the employee is supposed to wash his hands. When the employee goes into the restroom, sensors in the sink faucet, soap dispenser, and towel dispenser record whether the employee has actually used them. It's not a system designed to make employees feel particularly dignified:

The system instructs the employee on each step in sequence by both voice capacity as well as a LCD read out. The time interval for each function is determined by you and consists of the following functions; wetting hands, applying soap, lathering hands for a full twenty seconds, rinsing hands, and drying with a towel. The individual is recognized as having completed a protocol hand wash that is recorded and time stamped.

Pro-Giene will also, on a real-time basis, recognize employees who have or have not successfully completed the procedure or who may be overdue for their scheduled wash. ^[15]

Given the limited attention that Congress has paid to employee privacy rights in general, it's not particularly surprising that there is no "Freedom from Employer Bathroom Monitoring Act." As we've seen, employer monitoring of our most basic communication—speech—is permitted when it is in the "ordinary course of business." While courts have shown some sympathy for the idea that certain spaces, even on business property, are off-limits to surveillance (e.g., bathrooms and locker rooms), it's hard to argue that the prevention of contamination and illness are not part of the "ordinary course of business" in a hospital or restaurant.

^[1]Although the number is microscopically small, party lines are still in use in remote areas, although their continued existence is threatened by the Internet, which doesn't share nicely with other types of services on POTS (plain old telephone service) lines.

^[2]Ironically, technology is shifting that expectation again. A large number of mobile phone users are willing to forego privacy in exchange for the convenience of making phone calls in subways, cafes, restaurants, movie theaters, and other public places.

^[3]389 U.S. 347 (1967).

^[4]"Employee Monitoring, Investigations, and Privacy Rights," Jackson Lewis LLP, n.d. Available online at http://www.jacksonlewis.com/publications/articles/20010923/default.cfm.

^[5]"Telephone abuse," Telemate.Net website. Available online at http://www.telemate.net/product/callaccounting/telephoneabuse.asp.

^[6]The practice of listening in on employee conversations for "quality assurance purposes" began as early as the 1920s.

^[7]Following the impeachment of President Clinton, that small detail caused Linda Tripp some serious problems; her recordings of her conversations with Monica Lewinsky violated the Maryland eavesdropping law, since she did not have Lewinsky's consent to make the recordings.

^[8]For a complete list, see "Warning Signs of Covert Eavesdropping or Bugging," Granite Island Group website. Available online at www.tscm.com/warningsigns.html.

^[9]The process is essentially the same as the one used to record music on an audiocassette tape.

^[10]"History of the Remote Control," n.p., n.d. Available online at www.modellbahnott.com/tqpage/ihistory.html.

^[11]"Infra-" is a prefix from the Latin word meaning "below"; infrared rays have frequencies that are below those of red light. By comparison, ultraviolet rays have frequencies that are higher ("ultra-") than violet light. Herschel is scheduled to be honored for his discovery in 2007 with the launch of the Herschel Space Observatory, an infrared-based telescope being operated by the European Space Agency.

^[12]One of the fascinating aspects of the World Wide Web is that it enables people to demonstrate their unquestionable expertise on incredibly arcane subjects. One of the premier examples of this phenomenon is Craig S. Johnson's LED Museum, which is devoted to the history and taxonomy of light emitting diodes (ledmuseum.home.att.net/ledleft.htm). Mr. Johnson claims to have spent 11,000 hours over the last thirteen years to creating and maintaining his website, and there is utterly no reason to disbelieve him.

^[13]Roy Want, Andy Hopper, Veronica Falcao, and Jonathon Gibbons, "The Active Badge Location System," ACM Transactions on Information Systems, vol. 10, no. 1 (January 1992), pp. 91–102.

^[14]Versus Technology, Inc., "Phone Vision™," n.d. Available online at www.versustech.com/phonevis.htm.

^[15]"Pro-Giene System," UltraClenz, Inc., n.d. Available online at www.ultraclenz.com/index.html.