The Privacy of Web Surfing

At the end of each business trip or family vacation, when you've lugged your weary self home, the first cold dash of reality is unpacking. Out from the luggage come the travel-worn clothes, souvenirs, unsent postcards, flight-surviving paperbacks, purloined toiletries, amusement park stubs, credit card receipts, local coinage, and tourist maps. This motley collection of stuff offers a good idea of where you went, the food you ate, and what you did while you were away.

Each time that you travel the World Wide Web, you bring back precisely the same type of post-travel tidbits, albeit in electronic form. It's a little more difficult to view the remnants of your Web journeys; the trade-off, however, is that the record of the journey maintained by your computer is far more detailed than anything that comes out of your suitcase.

The Lure of Office Web Surfing

The popularity of Web surfing in the office can be traced to one main factor: Even today, the Internet connections in most offices are far faster than the connections that most employees have at home. That helps to explain why graphics-intensive sites like sports news, stock trading, and pornography see strong surges in activity beginning at 9:00 A.M. East Coast Time.

As we saw in Chapter 1, Web surfing by employees raises two main concerns for employers: productivity and liability due to the dissemination of inappropriate materials. Without adequate discipline, the World Wide Web can be a tremendous time sink; no other medium comes close to matching the Internet's depth of materials, interactivity, and sheer distractive potential.

Ironically, nonproductive Web surfing can be a problem for adult companies as well. Juli Stone, the director of sales and marketing for Falcon Foto, one of the largest providers of content for adult websites, has had to contend with employees who don't spend enough time surfing porn sites. "People have gotten into trouble at our office," Stone said, "for visiting nonporn sites too often. One guy was fired for spending all day monitoring his auctions on eBay." Falcon Foto doesn't have a written policy regarding Web use, Stone reported. "It's easy enough to walk around the office and see what everyone is doing," she said. "If they're not looking at a porn site, they're not working."

The other concern is that unfettered Web surfing carries a real risk of liability for employers—there is a simply staggering amount of offensive material online, the vast majority of which can be downloaded and redistributed throughout a company with a few clicks of a mouse. A company that does not take steps to limit or discourage the distribution of offensive materials runs a serious risk of litigation alleging a hostile work environment.

Log Files, Browser Caches, Packet Sniffers, and Filters and Monitors

A company that wants to monitor your Web surfing activity has an almost endless number of options for doing so, and for doing so without your knowledge. In reality, many companies tell their employees they are monitoring Web activity in the hope that advance notice will cut down on the problem; some say they monitor but actually don't; the majority, however, monitor in one fashion or another without any notice to their employees at all. Currently, there is no legal requirement for an employer to tell its employees that it is monitoring Web surfing activity.

A company's Web surveillance options fall generally into one of the following four categories:

1. Log files and cookies

2. Browser caches

3. Packet sniffers

4. Filters and monitors

Each of these various monitoring techniques offers an employer valuable insight into how you're spending your time on the World Wide Web; taken together, they can form a devastatingly accurate picture of your surfing habits.

• Log Files. Log files are the readily visible lists of resources that you've visited online. The two most popular browsers—Netscape Navigator and Microsoft's Internet Explorer—maintain log files to help make your journeys in cyberspace more convenient. Navigator, for example, has a drop-down button that reveals a list of the various sites that you've visited recently. Navigator also maintains an extensive history list as part of its normal operation. The history list shows every website that you've visited recently, broken down day by day (you or the network administrator can set the number of days to be recorded). If your network administrator wishes to do so, she can quite easily look at your drop-down list or your browser's history file and get a pretty good idea of what sites you've been visiting.

• Browser Caches. Browser caches are less readily accessible than log files, but the information that they contain is far more detailed and potentially damaging. A browser displays Web pages on your computer screen by downloading all of the components of the Web page (images, banners, text, buttons, etc., each of which is a separate computer file), storing the files on your computer's hard drive, and then putting them back together on your screen so that you can view the page's information. The directory (or directories) in which the pieces of the various Web pages are stored as they are downloaded is called the browser cache.

  Although the files contained in the browser cache are only fragments of larger Web pages, it's not difficult to get a pretty good sense of the pages from which they were drawn. Depending on your browser settings and the size of your computer's hard drive, your cache directory may contain hundreds or thousands of files used to make up complete Web pages, ranging from buttons and banners to text to images—basically, anything that you've viewed recently on a Web page. In addition, the cache directory tracks the address of the Web page from which something was downloaded, the date it was first accessed, the date it was last accessed, and so on. Given the sheer amount of information available, it's not surprising that browser caches have become a particularly popular source of investigation for company managers, prosecutors, and litigation attorneys.

• Packet Sniffers. When information (an e-mail or Web page, for instance) is sent from one computer to another across the Internet, it is broken into multiple units called "packets." Each packet is electronically stamped with the information needed to deliver the message to the intended recipient and reconstruct the data when all of the packets arrive at their destination. By breaking messages and data into packets, the Internet can work more efficiently (computers can balance workload by sending packets along different routes) and protect itself from damage (if one computer system goes down, packets can be routed around the failed system).

  A "packet sniffer" is a computer program that is installed on a computer that sends and receives Internet traffic. It looks at each packet that goes through the system, and if the packet contains certain words or phrases, the program saves the packet for further review. Most if not all of the Web monitoring or filtering programs discussed below are packet sniffers. If the software is installed on your computer, it will only look at the traffic between your computer and the Internet. If the software is installed on your company's main gateway computer or Internet service provider, then the software can be configured to look at every packet flowing in and out of your company.

• Filters and Monitors. Most employers would rather that inappropriate materials never show up on your computer in the first place. There are two main approaches that businesses can take to restrict inappropriate Web surfing: Announce that they are monitoring online activity and hope that employees will regulate their own behavior, or install one of the myriad filtering programs designed to actively block access to inappropriate materials.

One of the current leaders in workplace filtering software is Websense, Inc., a San Diego-based software company that markets a server-based filtering program by the same name. Websense is actively working to create and dominate a new industry sector, "employee Internet management" (EIM). Websense claims that there are more than 17,500 organizations using its software, including Compaq (now Hewlett-Packard), General Motors, American Express, Blue Shield, Calvin Klein, IBM, and Pepsi, and that on any given day, nearly 7 million employees "are managed with the company's software."

Websense works by intercepting Web page requests from each browser and comparing the website address to the addresses listed in a database of over 3.5 million websites. The websites contained in the database are organized into thirty-one categories; companies that install the software can choose which categories of sites the software should block. Among the categories most typically blocked are:

• Adult material, including adult content, nudity, sex, sex education, and lingerie and swimsuit

• Drugs, including abused drugs, prescribed medications, supplements/ unregulated compounds, and marijuana

• Gambling

• Illegal/questionable, covering sites that provide instruction in or promote criminal activity

• Racism/hate

• Violence

Employers can also choose to block other types of sites, ranging from general entertainment to shopping to job search information. Websense also provides filtering to premium customers for three different groups of materials:

• Productivity management, which blocks advertisements, freeware/shareware downloads, instant messaging, message boards and clubs, online brokerages and trading, and pay-to-surf sites

• Bandwidth management, which blocks Internet radio and TV, streaming media, peer-to-peer file sharing, personal network storage and backup, and Internet telephony

• Malicious websites

In theory, Websense or one of its dozens of competitors can be implemented in such a way as to have relatively little impact on employee privacy. The software's sole function, for instance, could be to block access to forbidden websites. But in these days of stunning computing power, virtually unlimited storage space, and nearly instantaneous communication, restricting filtering software to simply blocking sites is like using grapes only to make jelly. There's just so much more you can do with them.

In addition to blocking access to forbidden sites, Websense also contains a module called the Websense Reporter, which enables employers to track the types of websites being visited by employees, list the amount of time that employees spend surfing, determine whether Web access policies need to be changed, and calculate the cost to the business of nonwork-related surfing.

Using a program like Websense can pose some risks for employers as well. One of the components of the Websense suite is the Webcatcher, which automatically adds sites to the filter database, depending on the surfing habits of a company's employees. Over time, a utility like Webcatcher could enable Websense to develop fairly detailed information about the activities of its customers and their employees. In addition, the records maintained by a utility like the Websense Reporter could prove useful in corporate litigation. For instance, records indicating that some of a company's employees were spending hours each day surfing adult websites might well support a claim that a hostile work environment exists.

Hardware Monitoring Tools

Although the vast majority of tools for monitoring Web activity are software based, there are a few hardware solutions available to the suspicious employer. For instance, the website e-bugging.com offers the "PC Monitor," a hardware-only monitoring tool. The PC Monitor is a small device, approximately two inches long and one-half inch in diameter, containing a micro-controller and a fixed amount of nonvolatile memory. ^[14] Installing the PC Monitor takes less than a minute: All that's required is to unplug the keyboard cable from the back of the computer, plug the PC Monitor into the keyboard port, and then plug the keyboard cable into the PC Monitor.

Once installed, the PC Monitor records every keystroke made on the keyboard, up to the limits of its memory: 8Kb (forty-nine dollars), 32Kb (ninety-nine dollars), or 64Kb ($159). Since each keystroke takes up one byte, the largest PC Monitor can store roughly 64,000 keystrokes, which is about how many keystrokes it took to write this chapter.

The PC Monitor is easy to use without the employee's knowledge. Since all of the Monitor's electronics and monitoring are self-contained, it does not cause any unusual hard drive or CPU activity, and few computer users would think to check the back of their computer every time they sit down to use it. It's remotely possible that someone could stumble across the contents of the PC Monitor's memory by accident, but with a sufficiently secure password, the chances of that happening are fairly small.

Another popular option for employers who wish to monitor their employees' Web surfing is to use a hidden video camera pointed at an employee's monitor. Depending on the layout of the workplace, an employer could configure the video set-up so that a number of monitors could be viewed at the same time.

Improvements in wireless technology will also make monitoring employees' Internet use easier. In the not-too-distant future, most personal computers will come equipped with peripherals (like keyboards and mice) that have wireless technology built into them. The leading contender today is called Bluetooth, a radio frequency-based technology that allows devices to communicate with each other without cables. A Bluetooth-enabled device will be equipped with a small microchip containing a radio module capable of transmitting and receiving at around 2.45 Ghz, a frequency that is essentially unused for other purposes. Each microchip will have built into it both software controls and unique identity codes so that the device can be positively identified by other devices, and so that only those devices that have been given permission to communicate can do so.

The adoption of wireless devices like Bluetooth-equipped keyboards (Microsoft received approval for its version from the Federal Communications Commission in mid-August 2002) will give employers another avenue for monitoring and recording the keystrokes of an entire office. Nobody is advertising tools for conducting eavesdropping on Bluetooth devices so far, but the day can't be far off. Recognizing the dangers of interception, Bluetooth developers are working aggressively to develop techniques to minimize unauthorized eavesdropping by corporate spies. But a corporation may well feel no compunction about intercepting the transmissions of its own Bluetooth devices for surveillance purposes and will be in a much better position to do so than some corporate interloper.

No Legal Protection for Surfing or Game Playing

Do you have any reasonable expectation of privacy in your surfing habits or the Web information stored on your computer? In a word, no. Even if you could credibly argue that you have a reasonable privacy interest in the URLs that you type into your Web browser, that minimal privacy interest is easily trumped by the very real business concerns faced by your employer: productivity, appropriate use of bandwidth, and reduction of potential sources of liability. In fact, the situation is worse than you may think: Not only do you have no privacy interest in your Web surfing habits at work, you have no possessory interest either. If you choose to reveal your interests or hobbies or consumer preferences by using your office computer to access the Internet, that information is increasingly a potential source of revenue for your employer. Admittedly, the vast majority of businesses don't have enough employees to interest potential marketers, but there are certainly a large number that do. For instance, if the Web surfing habits (or attempted habits) of the 7 million people currently monitored by Websense could be aggregated (which certainly could be done), that's a reasonable pool of marketing data. The same is true for Websense's larger individual clients, including General Motors (265,000 employees), American Express (84,400), Blue Shield (150,000), IBM (319,876), and Pepsi (37,000). ^[15]

Do you surf the Web each morning for news about your favorite sports team? Perhaps your employer can make a few cents marketing that information to the NBA or the NFL. Have you been recently e-mailing your brother about your receding hairline? Companies that specialize in hair replacement treatments might be interested in purchasing that information to help target their marketing. The possibilities for matching particular employees with particular marketers are unlimited.

The thought of your employer analyzing your e-mails and Web surfing habits for potentially marketable information may be abhorrent to you. But as we've seen, employees have very few (if any) real privacy rights when it comes to information transmitted across a company-owned computer system. As matters currently stand, employers don't get anything back from personal use of Internet access by employees, apart from decreased productivity and greater potential liability. The sale of such data may be a price that employees have to pay if they choose to reveal their interests at work.

^[14]"Nonvolatile" means that the memory retains the information stored in it even after the computer's power is turned off.

^[15]Figures regarding number of employees drawn from capsule corporate summaries prepared by and displayed on the Hoover's Online website (www.hooversonline.com).