I spy

If you work for a large financial services company and use the Internet, you are probably subject to a so-called acceptable use policy. Translation?

If you work for a large financial services company and use the Internet, you are probably subject to a so-called acceptable use policy. Translation?

By John Wagley
April 2002
Institutional Investor Magazine

Everything you do on the Web or with e-mail is filtered through Internet management software. In other words, you’re being watched.

There’s nothing secret or illegal about the practice. And it isn’t provoking much outcry from privacy advocates, in part because the policies are so well publicized: They are spelled out in employee handbooks and in many cases require a signature upon receipt.

The guidelines tend to be broad and explicit: “Use of the Internet and e-mail are subject to monitoring. Users may be subject to limitations on their use of such resources.” Similarly, the disclaimers that are now routinely appended to outgoing e-mails - “This transmission is confidential and intended solely for the person or organization to whom it is addressed. . .” - are supposed to underscore that the message serves a business purpose and that the company is keeping an eye on it.

To some, these policies are the surest sign that the Internet’s supposed ability to remake global capitalism, in part by unleashing employee creativity and eradicating corporate bureaucracy, was largely a fantasy. At least where workplace conduct is concerned, enforcement and control now prevail. Thanks to a timely convergence of laws that require some degree of employer due diligence and the availability of technologies that enable it, corporations have the motive and means to operate as virtual police states if they choose.

Companies, like governments, have been gaining legal and political leeway to take security steps that once may have seemed extreme. The terrorist attacks last September only accelerated an existing trend. In an American Management Association survey last year of mostly mid- and large-size companies, 47 percent acknowledged storing and reviewing employee e-mail, up from only 15 percent in 1998. Some 63 percent said they tracked individual employees’ Internet connections - and that was before September 11.

The 9/11 effect was obvious in a January survey commissioned by SurfControl, one of the leading sellers of Internet management technology: Of 1,948 U.S. corporate technology executives who responded, 70 percent said they took steps to bolster corporate security after the attacks.

The popularity of employee monitoring systems is unquestionable. SurfControl’s revenues in its second fiscal quarter, which ended December 31, rose 58 percent, to $13.3 million, as the company added customers including Australia’s Adelaide Bank, the Federal Reserve Bank of Philadelphia and Sun Life Financial Services of Canada. Congleton, U.K.-

based SurfControl has seen its shares, which trade on the London Stock Exchange, climb from a pre-September 11 price of 240 pence ($3.41) to 675p.

A SurfControl rival, San Diego-based Websense, has been enjoying similar prosperity: Among its 16,500 clients are 261 members of the Fortune 50(including fourth-quarter 2001 additions Countrywide Credit Industries and SBC Communications), 75 companies listed on Japan’s Nikkei 225 index (including Fujitsu and Sony Corp.) and 50 of the U.K.'s FTSE 100 (including Barclays and Rolls-Royce). Websense’s fourth-quarter revenue jumped 95 percent, to $11.3 million, and its stock price rose from $15.79 on September 10 to $28.35 as of mid-March.

The tools sold by SurfControl and Websense are powerful and, their customers stress, necessary. Financial institutions, for example, must comply with increasingly strict customer-privacy regulations - notably, provisions of the Gramm-Leach-Bliley Financial Services Modernization Act that began taking effect in 2000 - for which Internet and e-mail controls are made to order.

“It’s really in the last 12 to 18 months that I’ve seen a spike in financial companies monitoring Web sites and electronic communications,” says Michael Overly, a Los Angeles-based lawyer who specializes in information technology for the firm Foley & Lardner.

Improper disclosures and privacy violations aren’t the only concerns. Corporations are also constantly on guard against viruses and other network security intrusions, which Internet management software can help prevent by prohibiting unauthorized downloads.

Then there’s the issue of employee productivity. Framingham, Massachusetts-based research firm International Data Corp. estimates that 40 percent of Internet surfing on the job is not work-related.

The filtering systems that block offending traffic are built around large, continuously expanding databases of Web sites. Websense tracks more than 3 million sites divided into 79 content categories - entertainment, gambling and pornography among them - that employers can choose to restrict companywide, by department or even by individual.

“The shipping department may just need Federal Express and the post office site, while marketing might need more,” says SurfControl’s U.S. president, Kevin Blakeman.

Corporations clearly believe that this technology addresses a real problem. Half of those surveyed by AMA said they had reprimanded employees for improper Internet usage. Such behavior, typically involving pornography downloads or off-color jokes, has come to light in legal actions against employees of institutions including Citigroup and Morgan Stanley - and there are doubtless many more unpublicized cases.

But where does a well-intentioned Internet management policy cross the line of propriety and personal respect?

A year before the September 11 attacks, the proper boundaries between employer and employee were being actively debated. The Washington-based Labor Policy Association, an employer lobby, was fighting a labor-supported bill in Congress that would have regulated workplace monitoring, imposing fines of up to $500,000 for a corporation’s failure to make at least annual policy disclosures of its monitoring to employees. The proposal was ultimately killed.

Even after September 11 the privacy issue hasn’t completely faded, warns Larry Ponemon, CEO of Privacy Council, a Richardson, Texas, firm that advises companies on privacy systems and policies. “If individual workers feel marginalized or that personal privacy rights have been violated, then the consequences can be severe,” notes Ponemon.

Harriet Pearson, IBM Corp.'s chief privacy officer, agrees: “I think this will be a continuing issue. Some policies will have to be very detailed. Telemarketers, for example, have to know they are being monitored.”

Financial institutions, say observers, have escaped serious criticism by being forthright and applying common sense.

“Do you want to prevent an employee from spending a few minutes buying a gift on Amazon for his wife?” asks attorney Overly. Indeed, most employers allow incidental Internet activity that does not hamper productivity or otherwise violate company policy.

Adds Pamela Housley, compliance manager at San Francisco-based investment banking firm Thomas Weisel Partners: “One question is, Who are you going to assign to determine which Web sites are inappropriate? Also, once you have information on employee Web surfing, what do you do with it?”

The answers are clearer with regard to e-mail monitoring and archiving, which financial institutions must do both to comply with regulations on client correspondence and to gather evidence for resolving disputes and for litigation such as sexual harassment cases. Assentor, an e-mail program from Fairfax, Virginia-based SRA International, lets compliance officers flag keywords and phrases for later review. Executives can adjust the sensitivity level to home in on selected individuals - new hires, for example. Assentor users include Alliance Capital Management, Bank of New York Co., Deutsche Bank and New York Life Insurance Co.

One downside of Assentor is that its searches produce false positives, which must be reviewed by compliance staff. “What you try to do is adjust the system and also learn to instantly spot messages that are harmless,” says Housley at Thomas Weisel, which uses the system. “There is an art to this.”

In selling its EmailXaminer system, OTG Software in Rockville, Maryland, touts its ability to integrate e-mail monitoring into central systems administration. It especially appeals to smaller firms without large technical teams on call, says Chris Gray, EmailXaminer product manager. “It’s really a training and supervisory tool, allowing e-mail to flow unimpeded,” Gray explains.

Ravi Jethmal, vice president of compliance at Abel/Noser Corp., a New York brokerage with 50 employees, says he uses the OTG product to review 25 percent of broker-dealer communications - a task that takes two hours out of his week.

At the extreme, for companies that want to know all that their employees are up to, is Spector, a system from SpectorSoft Corp. that takes cameralike snapshots of everything anyone does online and enables the data to be remotely retrieved.

SpectorSoft products can be installed on personal computers without the users’ knowledge, says president Doug Fowler. To date, they have been used primarily in the consumer market - people monitoring their spouses and children online. But the Vero Beach, Florida, company’s latest application, Spector Pro, is designed to inform employers when specified words - say, “I hate my boss” - come up.

In most business settings, however, less drastic measures suffice. Foley & Lardner’s Overly says he knows of one firm that regularly posted a list of the top sites visited by each department. “If Playboy was at the top of somebody’s list, you could bet it wouldn’t be there the following month,” he says.