Reporting on Your Employees' Internet Access? 130

kooky45 asks: "My team has recently installed content filters for my company which restrict the web sites that employees can visit. It also logs the sites they do visit; not whole URLs, just the site domain names. This has been useful for a couple of disciplinary investigations of employees suspected of wrongdoing. However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof. We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?"
  • Our solution (Score:5, Insightful)

    by Jhon ( 241832 ) * on Wednesday October 18, 2006 @12:27PM (#16487109) Homepage Journal
    Our simple answer:

    "We don't take requests from department managers".

    At our shop, requests for such information come from the HR director or the General Manager and only those people. And such information is provided to them and them alone. Such rules make our lives easier. HR and/or the GM work out what to do with the department head -- solutions which may involve IT or not.

    Such requests are rare now. They are usually handled by the supervisor alone now without need of escalation.
  • HR policy (Score:4, Insightful)

    by martin ( 1336 ) <<maxsec> <at> <gmail.com>> on Wednesday October 18, 2006 @12:41PM (#16487441) Journal
    Unless there's something in the staff policy about 'not' visiting sites people might deem offensive/doing non work on computers etc etc there's not a lot the managers can do.

    Also pop in the managers' usage as well - as someone else pointed out.

  • Managers (Score:5, Insightful)

    by the eric conspiracy ( 20178 ) on Wednesday October 18, 2006 @12:44PM (#16487525)
    It sounds to me like the managers don't have enough to do and are wasting their time micromanaging employees.
  • Find a New Job (Score:5, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday October 18, 2006 @12:45PM (#16487547)

    > However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof.

    It takes real time to develop a culture in a workplace. If your culture is such that managers are looking for evidence of "slacking" to try to motivate them or replace them, then you are probably looking at a lost cause. The only thing I can recommend is a well written letter to someone high up in the company about the dangers of an adversarial workplace culture and the resulting brain drain and poor quality.

    > We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?

    Any manager that needs to look at logs like this for their employees is incompetent and dragging your company down. A good manager provides positive incentives for employees and creates loyalty both to himself and to the company by treating employees like people. The only reason to consider removing an employee is if they are not getting their job done. If this is the case, then they should be able to tell him why. If he does not trust them, he should find someone else regardless of what a log says.

    Treating your employees as mercenaries will make them act that way. Why should they give 2 weeks notice if they're leaving? Why shouldn't they steal office supplies if they can get away with it. Why shouldn't they make a copy of your customer database or defect to the competition? If money is all you are offering, then you can always be outbid.

    One thing you might want to consider and which might be able to pull your company out of its cultural death spin is moving drastically from secret monitoring to complete openness. Make an announcement to the whole company that internet monitoring is being applied and then open the system up to everyone. Managers will be able to see what sites their employees visit, but employees will be able to see what sites their bosses visit and when and for how long. We have such a system here, and every now and again we'll announce in a meeting the person who wasted the most time on Slashdot that month.

    With such a move to openness it does not seem so much like an us versus them arrangement, but rather an even playing field for all. It works for us, but then we also have a very progressive culture of treating employees well and avoiding micro management. People take on responsibilities and the only problem is if they don't live up to them. No one cares if I post on Slashdot in the middle of the day, so long as I get my work done and it is of sufficient quality. It may be too late where you work, however. You might want to seriously consider looking for an employer that is smarter.

  • The Golden Rule (Score:4, Insightful)

    by LifesABeach ( 234436 ) on Wednesday October 18, 2006 @12:52PM (#16487705) Homepage
    As a manager of engineering teams, I do not look too closely at what the staff does; As long as the product works, and it is delivered in a timely manner. The company owns the equipment, so there is a need to respect its ownership. I tell the team leaders that it is not a good thing to be caught accessing the design ideas from a porn site, at work. And I do know that the porn industry is light years ahead of all of us when it comes to copyrights, revenues, downloads, and traffic monitoring. My advice for companies that have managers that need to spy on employees is to ask that manager for an immediate status report on all outstanding projects. Then start increasing that manager's workload. If a person has time to spy, then that person has time to work; For the good of the company. And if there is no work for that person, then maybe the Finance Department should be brought into the loop at that time.
  • by Skreems ( 598317 ) on Wednesday October 18, 2006 @12:56PM (#16487781) Homepage
    I continue to hope that good managers would understand people getting sidetracked during the day. Browsing /. and random news stories is my way of letting my brain process on something so it gets internalized, and I can then go tackle the problem head on. I don't work well just beating my head against something, I have to poke at it for a while and then go read or play a flash game for 10 minutes and let it sink in. Subconscious processing, transfer to long-term memory, whatever it is, it's how I work. I'm plenty productive despite hitting /. about 5 times a day.
  • Re:Find a New Job (Score:2, Insightful)

    by chris_mahan ( 256577 ) <chris.mahan@gmail.com> on Wednesday October 18, 2006 @01:01PM (#16487873) Homepage
    All good except for this tidbit:

    > We have such a system here, and every now and again we'll announce in a meeting the person who wasted the most time on Slashdot that month.

    I don't consider Slashdot a waste of time. It is three things: A source of information, a source of encouragement (see what other people in the same situation go through, and how they cope/resolve), and a way to feel part of a community of like-minded people.

    All three of these benefits are generally lacking for geeks in the Fortune 500 workplace environment.

    If you don't like my conclusions, draw your own!

  • by Bagheera ( 71311 ) on Wednesday October 18, 2006 @01:17PM (#16488169) Homepage Journal
    From reading the post, I'm guessing you're one of the folks who actually works for a living, rather than manages other people who actually work for a living. Decisions like this usually aren't handled at the "actually do it" level. This is definitely something I'd kick up through the management chain, as this is something that should be clarified at a company policy level.

    Some companies make it very clear that people who work for them are subject to monitoring, etc., and can expect no privacy. Others will have the same general policy, but have other policies in place as to who can see the logs and under what circumstances. That's what you'll have to establish, and it's a decision that should be handled at a management level high enough to make it stick.

    My answer, in the absence of an established policy, would be "Have your boss talk to my boss, and they can hash it out with HR and Legal."

  • by Gybrwe666 ( 1007849 ) on Wednesday October 18, 2006 @01:23PM (#16488281)
    From the description, there appears to be no policy in place governing how IT information can be used by company management. The problem lies in that fact, not the fact that someone is requesting the information.

    I suspect that this is also further complicated by the fact that employment is regulated at the detail level on a state by state basis, and therefore the legal aspects of your situation will be influenced by local laws.

    However, what I would do if this is the first time this has happened is to run this by the head of the HR department or someone who handles such things within the company. Where I live, if there is no policy, the employee whose information is being disclosed might have some legal rights, or could simply try to sue everyone involved if something negative happens. I suspect this could happen anywhere, as well. If HR has a discrete policy, then you are covered and the rules are clear.

    Personally, I'd get someone in authority (boss, HR, legal) to give you in writing their guidelines, and perhaps take the opportunity to help create a policy if it doesn't exist.

    I have worked for/with several large corporations, and each one has had very clear guidelines, spelled out in detail in the AUP for computer/internet use which employees must sign as part of the hiring paperwork. My wife's company, for instance, (a large multinational news firm) allows any line manager to request the internet records of any employee after discussing it with their appointed HR rep (each manager has his/her own HR rep who handles such things and is involved with the managers on a daily basis). I've also worked with other organizations where only the security team, who had independent authority and worked hand-in-hand with management and HR, had direct access to the records.

    However, I must mention the most brilliant and most efficient filtering scheme I've ever seen: make everything public. I worked with one of the large credit card corporations a while back, and when they first allowed general internet access, they had a website that simply logged *EVERY* employee's browsing history (not urls, just domains). An employee could see his managers, the managers could see the employees. It worked brilliantly, since no one was going to risk being exposed as having gone to even questionable sites, so there were very few abuses. Plus it required no upgrades, no computers, no power, and virtually no effort. I suppose this was a good implementation of Cory Doctorow's recent suggestion about making security public. Too bad they discontinued it because of lawsuit concerns.
  • by Tweekster ( 949766 ) on Wednesday October 18, 2006 @01:32PM (#16488473)
    Well since basically every employee does that, an employer that does not expect and understand it is far past delusional.
    And who wants to work for someone that is that out of touch with reality. Employees slack off at work, if someone does not understand that concept, well they are flat out idiots and I am willing to bet, have extremely high turnover rates.

    Those no down time employees, usually burn out and come back with an AR15...
  • by Jhon ( 241832 ) * on Wednesday October 18, 2006 @01:33PM (#16488491) Homepage Journal
    AC... Lovely. But I'll reply.

    California Labor Law requirements are fairly strict (with a bit of wiggleroom, but not much) on when breaks must be provided.
    Personally, my company treats employees as adults
    Blame Sacramento. I'd like a government that treated its citizens as adults.
  • by Tweekster ( 949766 ) on Wednesday October 18, 2006 @01:36PM (#16488555)
    Um guess what, they are already allowed to do that today.

    but basically, this monitoring business is just a replacement for common sense, ie at the end of the day, did the employee get his shit done...that is all that matters. but instead you get managers who think they will suddenly be in touch with employees by monitoring their internet usage, instead of just paying attention to the quality of the work.

  • by pegr ( 46683 ) on Wednesday October 18, 2006 @01:41PM (#16488653) Homepage Journal
    I did it one better back in the day. Proxy logs were themselves available online. Anyone could look at anyone else's history. Problem solved and I didn't have to do anything else.
  • by mschuyler ( 197441 ) on Wednesday October 18, 2006 @02:16PM (#16489401) Homepage Journal
    It doesn't really matter what the IT Department thinks about this issue, or whether people in general think it is a good idea or not. It doesn't matter that some slashdot readers get all emotional over this and criticize all managers as idiots no matter who they are or where they work. The only thing that matters is whether a company has a legal right to do so. There are some states where employees have certain legal rights and expectations, but I guarantee you slashdot readers are not the ones who will make this determination. If it's a matter of whether or not a company has a fixed "policy" for this sort of thing, okay--that's just an internal 'legal' matter, right? Courts have consistently ruled that if an employer makes up a policy and writes it down, they then must follow that policy. A lot of successful employee lawsuits are precisely because the employee can prove the company did not follow their own written policy. The reason policy manuals grow so thick and unwieldy is because when a situation comes up that isn't written down somewhere inevitably some 'sea lawyer' employee will say, "Well, it isn't written down that I can't so you can't tell me I can't." I have personally had that happen. My boss and I took it upon ourselves to take a trip to a client one week, and the next week an official policy came down that said no one could go on a trip without official authorization from headquarters. So as a result policy manuals start to cover how many times an employee can take a potty break and how many breaths per minute are allowed. Nothing can be relegated to common sense because there isn't any--and it's not just managers. Anyone who has been a manager in today's modern corporations knows employees' concept of entitlement is such that they make up 'rights' that don't exist and can make any manager's life miserable to the point that it ain't worth it. Maybe not at Google, but the workforce is not made up of the world's brightest engineers. The average IQ is still 100 and half the employees are below that.

    Now, the company provides a computer and internet access for an employee to do his or her job. It is not required to provide Internet access so an employee can surf around anywhere he or she wants, sit on slashdot, and manage their home life from work. It doesn't matter whether an employee is on a "break" or not--it's still a company-owned computer in a company-provided location and the employee is still on paid time. The employee is still using company resources for private use, no matter how small. In government there is a well-established legal principle called a "gift of public funds." It's not allowed, period, and the reason is to prevent you the taxpayer, from getting ripped off.

    It has been well established that companies DO have the right to monitor employee e-mail. A case in Washington State was when an employee used a state-owned computer and email for union activities. She was fired. It was upheld. There was a similar case a few years back with Epson. The employee was fired. It was upheld. It has also been well established that employers have the right to monitor internet usage and they have the right to filter internet usage. In some cases, it is required by the government.

    To reiterate: It does not matter whether you agree with this or whether you think this is a good idea. There are all kinds of reasons to disagree with this and all kinds of reasons that this isn't a good idea. I'M NOT SAYING IT IS A GOOD IDEA.

    Now, the IT Department is not in charge of running the company. By and large, the IT Department does not make the widgets. IT's job is to support the people who make the widgets, the people who decide which widgets to make and how many of them to make, and the people who provide the opportunity for employees to be hired and paid to make the widgets. IT has no "right" to resist or push back, and if it does just out of principle, it is WAY out of line. If an IT Department did that after being told not to, they should be fired.

    However, if these requests ar
  • by Zigg ( 64962 ) on Wednesday October 18, 2006 @02:37PM (#16489791)

    Whether it had been necessary to step in or not, they would have. They're government, after all.

    Blame still lies with Sacramento!

  • by Associate ( 317603 ) on Wednesday October 18, 2006 @02:56PM (#16490183) Homepage
    I get the feeling that you are wrong for the wrong reasons.

    Firstly, I think there should be an expressed expectation of privacy, or level thereof. I expect that my employer wouldn't put a camera in the bathrooms. I think what keeps some from doing so is the letter of the law and the blanket coverage of all employees, including those responsible for the cameras. But I'm not going to bother to find and quote any decisions. My employer has stated computer usage requirements. It is intentionally vague, but not beyond most people's comprehension. For instance, it doesn't identify the web filtering in place, but specifically prohibits circumventive behavior. I'm not happy about this as I don't agree with the filtering of sites like the wikipedia as personal pages. But I hardly find it reason enough to find other work.

    But the expectation of entitlement to anything not compensated for is ridiculous. The idea that only the educated have bargaining power is rather ignorant. Your assertion that companies will lose out on the best employees seems to imply that because it decided to settle for less than the best that it will fail. My employer is a prime example of the contrary. This may be true when applied to entities of different sizes, say an accounting office with ten people might have greater friction and turnover over something as simple as web filtering. But even it would not instantly go out of business due to restrictive uses.

    The only variable that ultimately affects any business is money. People will put up with a lot of unnecessary shit for the right price. That is the double edge sword of getting what you pay for. Pay peanuts, expect elephants.
  • by ivan256 ( 17499 ) on Wednesday October 18, 2006 @03:07PM (#16490331)
    ...is a lack of results/deliverables in the expected time frame. Either your employees are producing at an acceptable level or they aren't. I don't understand why many managers feel they need to waste time with the cat and mouse games. Perhaps the real question this guy should be asking is "Why do the middle managers at my company have time available to look into this; Perhaps we should have fewer middle managers."
  • by Anonymous Coward on Wednesday October 18, 2006 @06:40PM (#16493447)
    Off into the AC void :(

    I didn't see anyone mention that you should minimize the amount of logging. At my last job we could log and flag a lot of stuff. But one of the discussion points as I was implementing some systems, was that if we log something and know about it, then that might increase liability or compel us to take action.

    We were mainly concerned to try and keep users from running P2P apps and avoid receiving letters from RIAA/MPAA/etc, and to be aware of external hostile network threats, hack/probe attempts, etc. If we could start observing people's browsing habits and logging more closely, which we could have, then we might have to take action based on that additional info we collected.

    I think the best policy is to maintain the minimum amount of logging as possible. 2nd, I like the other suggestions of making the information accessible and open to everyone and we can observe the boss as well as the boss observing the employee. As well as controlling who can make requests for that specific info on the other scenario, like one senior manager and HR person. You don't want to spend 1/2 your day compiling reports and statistics and dealing with these requests.

    Personally I don't work so well feeling like I'm being constantly watched, and my efficiency and productivity can go into the toilet if they mount cameras behind my back, and things like that. People can say blah blah blah company's stuff and company's time... but living in a paranoid micromanaged state is highly stressful and I'd rather see companies evaluating their employees on the quality of their work, and if they're getting it done on time.

    I've worked in a micro-managed call center before as a tech support employee where they could take screen captures and play back movies of your desktop and what you were doing, armed security guards, cameras, etc lots of monitoring and managers with wireless headsets that would be standing over you the moment your calltime went over a threshold, 40-80 deep in queue for weeks at a time... It's no fun and makes people want to leave for something else ASAP. I've seen employees have heart attacks and be wheeled off in ambulances, and people just completely freak up, start throwing things, screaming across the floor "Fsck this! I can't take it anymore!". I don't think our jobs have to be so miserable...
  • by Centurix ( 249778 ) <centurixNO@SPAMgmail.com> on Wednesday October 18, 2006 @07:33PM (#16494265) Homepage
    For a few clients I've worked at. The only time they really want to read any logs is when they want to get rid of a specific employee. If you're not on their hit list you didn't have a worry, but if you were then they would find the smallest detail in a log to pick you out and fire you for breaking their internet use policy.
  • by talledega500 ( 994228 ) on Wednesday October 18, 2006 @08:31PM (#16494923)
    they own the bathroom too
  • Re:Our solution (Score:3, Insightful)

    by cloricus ( 691063 ) on Wednesday October 18, 2006 @09:24PM (#16495411)
    Plus this allows IT to give users some breathing room when they are using the computer (daily reading of dilbert for example) which leads to a happy interaction between staff and IT.
