Reporting on Your Employees' Internet Access? 130
kooky45 asks: "My team has recently installed content filters for my company which restrict the web sites that employees can visit. It also logs the sites they do visit; not whole URLs, just the site domain names. This has been useful for a couple of disciplinary investigations of employees suspected of wrongdoing. However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof. We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?"
Our solution (Score:5, Insightful)
"We don't take requests from department managers".
At our shop, requests for such information come from the HR director or the General Manager and only those people. And such information is provided to them and them alone. Such rules make our lives easier. HR and/or the GM workout what to do with the department head -- solutions which may involve IT or not.
Such requests are rare now. They are usually handled by the supervisor alone now without need of escalation.
HR policy (Score:4, Insightful)
Also pop in the managers usage as well - as someone else pointed out.
Managers (Score:5, Insightful)
Find a New Job (Score:5, Insightful)
However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof.
It takes real time to develop a culture in a workplace. If your culture is such that managers are looking for evidence of "slacking" to try to motivate them or replace them, then you are probably looking at a lost cause. The only thing I can recommend is a well written letter to someone high up in the company about the dangers of an adversarial workplace culture and the resulting brain drain and poor quality.
We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?"
Any manager that needs to look at logs like this for their employees is incompetent and dragging your company down. A good manager provides positive incentives for employees and creates loyalty both to himself and to the company by treating employees like people. The only reason to consider removing an employee is if they are not getting their job done. If this is the case, then they should be able to tell him why. If he does not trust them, he should find someone else regardless of what a log says.
Treating your employees as mercenaries will make them act that way. Why should they give 2 weeks notice if they're leaving? Why shouldn't they steal office supplies if they can get away with it. Why shouldn't they make a copy of your customer database or defect to the competition? If money is all you are offering, then you can always be outbid.
One thing you might want to consider and which might be able to pull you company out of its cultural death spin is moving drastically from secret monitoring to complete openness. Make an announcement to the whole company that internet monitoring is being applied and then open the system up to everyone. Managers will be able to see what sites their employees visit, but employees will be able to see what sites their bosses visit and when and for how long. We have such a system here, and every now and again we'll announce in a meeting the person who wasted the most time on Slashdot that month.
With such a move to openness i does not seem so much like an us versus them arrangement, but rather an even playing field for all. It works for us, but then we also have a very progressive culture of treating employees well and avoiding micro management. People take on responsibilities and the only problem is if they don't live up to them. No one cares if I post on Slashdot in the middle of the day, so long as I get my work done and it is of sufficient quality. It may be too late where you work, however. You might want to seriously consider looking for an employer that is smarter.
The Golden Rule (Score:4, Insightful)
Re:Company owns the internet access (Score:4, Insightful)
Re:Find a New Job (Score:2, Insightful)
> We have such a system here, and every now and again we'll announce in a meeting the person who wasted the most time on Slashdot that month.
I don't consider Slashdot a waste of time. It is three things: A source of information, a source of encouragement (see what other people in the same situation go through, and how they cope/resolve), and a way to feel part of a community of like-minded people.
All three of these benefits are generally lacking for geeks in the Fortune 500 workplace environment.
If you don't like my conclusions, draw your own!
Ultimately a Management decision (Score:3, Insightful)
Some companies make it very clear that people who work for them are subject to monitoring, etc., and can expect no privacy. Others will have the same general policy, but have other policies in place as to who can see the logs and under what circumstances. That's what you'll have to establish, and it's a decision that should be handled at a management level high enough to make it stick.
My answer, in the absense of an established policy would be "Have your boss talk to my boss, and they can hash it out with HR and Legal."
This needs to be a company policy... (Score:2, Insightful)
I suspect that this is also further complicated by the fact that employment is regulated at the detail level on a state by state basis, and therefore the legal aspects of your situation will be influenced by local laws.
However, what I would do if this is the first time this has happened is to run this by the head of the HR department or someone who handles such things within the company. Where I live, if there is no policy, the employee whose information is being disclosed might have some legal rights, or could simply try to sue everyone involved if something negative happens. I suspect this could happen anywhere, as well. If HR has a discrete policy, then you are covered and the rules are clear.
Personally, I'd get someone in authority (boss, HR, legal) to give you in writing their guidelines, and perhaps take the opportunity to help create a policy if it doesn't exist.
I have worked for/with several large corporations, and each one has had very clear guidelines, spelled out in detail in the AUP for computer/internet use which employees must sign as part of the hiring paperwork. My wifes' company, for instance, (a large multinational news firm) allows any line manager to request the internet records of any employee after discussing it with their appointed HR rep (each manager has his/her own HR rep who handles such things and is involved with the managers on a daily basis). I've also worked with other organizations where only the security team, who had independent authority and worked hand-in-hand with management and HR, had direct access to the records.
However, I must mention the most brilliant and most efficient filtering scheme I've ever seen: make everything public. I worked with one of the large credit card corporations a while back, and when they first allowed general internet access, they had a website that simply logged *EVERY* employees browsing history (not urls, just domains). An employee could see his managers, the managers could see the employees. It worked brilliantly, since no one was going to risk being exposed as having gone to even questionable sites, so there were very few abuses. Plus it required no upgrades, no computers, no power, and virtually no effort. I suppose this was a good implementation of Cory Doctorow's recent suggestion about making security public. Too bad they discontinued it because of lawsuit concerns.
Re:Company owns the internet access (Score:3, Insightful)
and who wants to work for someone that is that out of touch with reality. Employees slack off at work, if someone does not understand that concept, well they are flat out idiots and i am willing to bet, have extremely high turn over rates.
Those no down time employees, usually burn out and come back with an AR15...
Re:Company owns the internet access (Score:3, Insightful)
California Labor Law requirements are fairly strict (with a bit of wiggleroom, but not much) on when breaks must be provided.
Blame Sacramento. I'd like a government that treated it's citizens as adults.
Re:Company owns the internet access (Score:3, Insightful)
but basically, this monitoring business is just a replacement for common sense, ie at the end of the day, did the employee get his shit done...that is all that matters. but instead you get managers who think they will suddenly be in touch with employees by monitoring their internet usage, instead of just paying attention to the quality of the work.
Re:Tell them, "sure!" (Score:3, Insightful)
Management "Rights" (Score:2, Insightful)
Now, the company provides a computer and internet access for an employee to do his or her job. It is not required to provide Internet access so an employee can surf around anywhere he or she wants, sit on slashdot, and manage their home life from work. It doesn't matter wherther an employee is on a "break" or not--it's still a company-owned computer in a company-provided location and the employee is still on paid time. The employee is still using company resources for private use, no matter how small. In government there is a well-established legal principle called a "gift of public funds." It's not allowed, period, and the reason is to prevent you the taxpayer, from getting ripped off.
It has been well established that companies DO have the right to monitor employee e-mail. A case in Washingtson State was when an employee used state-owned computer and email for union activities. She was fired. It was upheld. There was a similar case a few years back with Epson. The employee was fired. It was upheld. It has also been well established that employers have the right to monitor internet usage and they have the right to filter internet usage. In some cases, it is required by the government.
To reiterate: It does not matter whether you agree with this or whether you think this is a good idea. There are all kinds of reasons to disagree with this and all kinds of reasons that this isn't a good idea. I'M NOT SAYING IT IS A GOOD IDEA.
Now, the IT Department is not in charge of running the company. By and large, the IT Department does not make the widgits. IT's job is to support the people who make the widgits, the people who decide which widgits to make and how many of them to make, and the people who provide the opportunity for employees to be hired and paid to make the widgits. IT has no "right" to resist or push back, and if it does just out of principle, it is WAY out of line. If an IT Department did that after being told not to, they should be fired.
However, if these requests ar
Re:Company owns the internet access (Score:3, Insightful)
Whether it had been necessary to step in or not, they would have. They're government, after all.
Blame still lies with Sacramento!
Re:How much is it worth? (Score:5, Insightful)
Firstly, I think there should be an expressed expectation of privacy, or level thereof. I expect that my employer wouldn't put a camera in the bathrooms. I think what keeps some from doing so is the letter of the law and the blanket coverage of all employees, including those responsible for the cameras. But I'm not going to bother to find and quote any decisions. My employer has a stated computer useage requirements. It is intentionally vague, but not beyond most people's comprehension. For instance, it doesn't identify the web filtering in place, but specifically prohibits circumventive behavior. I'm not happy about this as I don't agree with the filtering of sites like the wikipedia as personal pages. But I hardly find it reason enough to find other work.
But the expectation of entitlement to anything not compensated for is rediculous. The idea that only the educated have bargaining power is rather ignorant. Your assertion that companies will lose out on the best employees seems to imply that because it decided to settle for less than the best that it will fail. My employer is a prime example of the contrary. This may be true when applied to entities of different sizes, say an accounting office with ten people might have greater friction and turnover over something as simple as web filtering. But even it would not instantly go out of business due to restictive uses.
The only variable that ultimately affects any business is money. People will put up with a lot of unnecessary shit for the right price. That is the double edge sword of getting what you pay for. Pay peanuts, expect elephants.
All the evidence of slacking that you need... (Score:4, Insightful)
Minimize the amount of logging to begin with (Score:1, Insightful)
I didn't see anyone mention that you should minimize the amount of logging. At my last job we could log and flag a lot of stuff. But one of the discussion points as I was implimenting some systems, was that if we log something and know about it, then that might increase liability or compel us to take action.
We were mainly concerned to try and keep users from running P2P apps and avoid receiving letters from RIAA/MPAA/etc, and to be aware of external hostile network threats, hack/probe attempts, etc. If we could start observing people's browsing habits and logging more closely, which we could have, then we might have to take action based on that additional info we collected.
I think the best policy is to maintain the minimum amount of logging as possible. 2nd, I like the other suggestions of making the information accessible and open to everyone and we can observe the boss as well as the boss observing the employee. As well as controlling who can make requests for that specific info on the other scenario, like one senior manager and HR person. You don't want to spend 1/2 your day compiling reports and statistics and dealing with these requests.
Personally I don't work so well feeling like I'm being constantly watched, and my efficiency and productivity can go into the toilet if they mount cameras behind my back, and things like that. People can say blah blah blah company's stuff and company's time... but living in a paranoid micromanaged state is highly stressful and I'd rather see companies evaluating their employees on the quality of their work, and if they're getting it done on time.
I've worked in a micro-managed call center before as a tech support employee where they could take screen captures and play back movies of your desktop and what you were doing, armed security guards, cameras, etc lots of monitoring and managers with wireless headsets that would be standing over you the moment your calltime went over a threshhold, 40-80 deep in queue for weeks at a time... It's no fun and makes people want to leave for something else ASAP. I've seen employees have heart attacks and be wheeled off in ambulances, and people just completely freak up, start throwing things, screaming across the floor "Fsck this! I can't take it anymore!". I don't think our jobs have to be so miserable...
I've had to setup internet use policies (Score:2, Insightful)
Re:Company owns the internet access (Score:2, Insightful)
Re:Our solution (Score:3, Insightful)