Slashdot Mirror
Reporting on Your Employees' Internet Access?
kooky45 asks: "My team has recently installed content filters for my company which restrict the web sites that employees can visit. It also logs the sites they do visit; not whole URLs, just the site domain names. This has been useful for a couple of disciplinary investigations of employees suspected of wrongdoing. However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof. We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?"
Our employee AUP specifically states that the company equipment belongs to the company, and there should be no expectation of privacy. It also states we perform monitoring of Internet and email activity. All employees are required to agree to the policy before they are granted access. Supervisors occasionally do request reports from our logs when they're trying to determine how productive their employees are. This is one of the reasons we have the logging in place.
Our simple answer:
"We don't take requests from department managers".
At our shop, requests for such information come from the HR director or the General Manager and only those people. And such information is provided to them and them alone. Such rules make our lives easier. HR and/or the GM workout what to do with the department head -- solutions which may involve IT or not.
Such requests are rare now. They are usually handled by the supervisor alone now without need of escalation.
Like all employment, everything is negotiable. For example, employers have the right to be as draconian as they wish. Some don't allow internet access at all, for example. Some do with heavy filtering, and dismissal for the slightest infraction, for ANYONE. Employees on the other hand, are not without rights themselves, chief amonst them, the right to walk away. If an employer seems unreasonable, then work for someone else. If you don't have the skills to do that, put up with it until you do. People who won't better themselves shouldn't bother to complain.
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
...and, as part of our corporate policy, any employee you request browsing history on will get a copy of YOUR browsing history.
I would guess that would limit requests.
- Tony
If your company pays for the internet access and for the machines the employees are using to access the internet, it would be foolish to feel they have any right to privacy. I don't like the idea of higher ups being able to see what I've been doing online, but I understand that since I'm using the company's internet connection and their computer (and their electricity, and the time I'm being paid to work) they can snoop in at any time. God save us all if they discover how much time people spend on /.
Dear diary: Today I stuffed some dolls full of dead rats I put in the blender.
My company reports the estimated time spent online and # of sites to managers that request the information, but does not report the sites themselves. The company owners are the only ones outside of IT that can view the names of sites visited ... and then only a list of blocked sites by user.
Crack - Free with every butt and set of boobs
unless there's something in the staff policy about 'not' visiting sites people might deem offensive/doing non work on computers etc etc there's not alot the managers can do.
Also pop in the managers usage as well - as someone else pointed out.
It sounds to me like the managers don't have enough to do and are wasting their time micromanaging employees.
However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof.
It takes real time to develop a culture in a workplace. If your culture is such that managers are looking for evidence of "slacking" to try to motivate them or replace them, then you are probably looking at a lost cause. The only thing I can recommend is a well written letter to someone high up in the company about the dangers of an adversarial workplace culture and the resulting brain drain and poor quality.
We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?"
Any manager that needs to look at logs like this for their employees is incompetent and dragging your company down. A good manager provides positive incentives for employees and creates loyalty both to himself and to the company by treating employees like people. The only reason to consider removing an employee is if they are not getting their job done. If this is the case, then they should be able to tell him why. If he does not trust them, he should find someone else regardless of what a log says.
Treating your employees as mercenaries will make them act that way. Why should they give 2 weeks notice if they're leaving? Why shouldn't they steal office supplies if they can get away with it. Why shouldn't they make a copy of your customer database or defect to the competition? If money is all you are offering, then you can always be outbid.
One thing you might want to consider and which might be able to pull you company out of its cultural death spin is moving drastically from secret monitoring to complete openness. Make an announcement to the whole company that internet monitoring is being applied and then open the system up to everyone. Managers will be able to see what sites their employees visit, but employees will be able to see what sites their bosses visit and when and for how long. We have such a system here, and every now and again we'll announce in a meeting the person who wasted the most time on Slashdot that month.
With such a move to openness i does not seem so much like an us versus them arrangement, but rather an even playing field for all. It works for us, but then we also have a very progressive culture of treating employees well and avoiding micro management. People take on responsibilities and the only problem is if they don't live up to them. No one cares if I post on Slashdot in the middle of the day, so long as I get my work done and it is of sufficient quality. It may be too late where you work, however. You might want to seriously consider looking for an employer that is smarter.
Thank God my bosses believe me when I describe Slashdot as a tech reference site and I am in charge of any network monitoring we might do.
:)
As a manager of engineering teams, I do not look to closely at what the staff does; As long as the product works, and it is delivered in a timely manner. The company owns the equipment, so there is a need to respect its ownership. I tell the team leaders that it is not a good thing to be caught accessing the design ideas from a porn site, at work. And I do know that the porn industry is light years ahead of all of us when it comes to copyrights, revenues, downloads, and traffic monitoring. My advice for companies that have managers that need to spy on employees is to ask that manager for immediate status report on all outstanding projects. Then start increasing that managers work load. If a person has time to spy, then that person has time to work; For the good of the company. And if there is no work for that person, then maybe the Finance Department should be brought into the loop at that time.
As I read slashdot from my desk.
In a world of acronyms, the words are the real victims.
I'll say it again though.. These requests should only come from HR/Personell whatever you call them.
At a previous job I had the task of the web filter logs, as well as access to all emails and user's files. Sure, I looked at them sometimes, but only if I needed to. And yes, at times lower lever managers - supervisors - would ask for information about their direct reports.
Even though no direct policy like this existed, I told them I will only give that information to HR. One time the CEO asked for something, and I would not even give it to him. I defered him to my boss, who, probably gave it to him, but I made it very clear:
"I've been given trust by the company to access this information. What if someone went to a website that divulged information about a medical condition that they were keeping secret? Granted, they would be wrong for doing it on company time, but I am NOT going to be the one to give up that information"
I think I also gained a little respect by saying that and instituting my policy. Of course, YMMV
Don't Tread on Me
Only an incompetent manager cares whether or not their employees are goofing off, cruising the internet. A competent manager measures employee performance by measuring the employee's performance. In other words, give them work to do, and measure how well and how timely it is done.
If you give all your people the same amount of work to do, and one of them doesn't do it as well or as quickly as the rest, it doesn't matter why. He's a substandard employee, and needs to improve or leave.
By the same token, if you give all your employees the same amount of work to do, and one of them does it better and faster than the rest, and has time to goof off, does it really matter why? If he's got time to goof off, but his work is all done, give him a raise - and more work to do.
Real managers care only about results, not methods.
We were told at one company that I worked at that the supervisors had the ability to spy on our desktops to see what we're doing. A new supervisor rushed over to my cube to tell me that looking at Amazon was against company policy and he caught me red handed (it was still on the screen after being there for only a minute). I pointed out that 1) I was on my break with a breakfast burrito in hand, 2) the entire company knows I get stuff delivered from Amazon, and 3) my last supervisor gave me an Amazon gift certificate at the completion of my last project. He went off mad when I told him to bugger off. This is the same management team that couldn't find the computer that had 300+ virus/trojan horses/spyware that kept bringing down the network every three days for the past month.
:P
Besides, I did all my non-work web browsing on my PDA using the wireless link from the company next door. Do you know how hard it was to type a Slashdot comment on a tiny virtual keyboard?
From reading the post, I'm guessing you're one of the folks who actually works for a living, rather than manages other people who actually work for a living. Decisions like this usually aren't handled at the "actually do it" level. This is definitely something I'd kick up through the management chain, as this is something that should be clarified at a company policy level.
Some companies make it very clear that people who work for them are subject to monitoring, etc., and can expect no privacy. Others will have the same general policy, but have other policies in place as to who can see the logs and under what circumstances. That's what you'll have to establish, and it's a decision that should be handled at a management level high enough to make it stick.
My answer, in the absense of an established policy would be "Have your boss talk to my boss, and they can hash it out with HR and Legal."
Never attribute to malice what can as easily be the result of incompetence...
Basically, as someone else said, these sorts of things should be funnelled through your HR dept. Any investigation that could result in disicipline of an employee should go through HR. It isn't up to you guys to determine what requests are legit or not. There needs to be a central channel that all investigitory requests concerning employees has to go through. 99% of the time that's an HR dept. If a union got wiff of what's going on, you might be in the beating end of the union stick.
If an officer ever threatens to taze you, say you have a pacemaker.
The way that I would frame your response is to calculate how much these reports would cost in terms of:
Many companies (especially small ones) that I know of have cast the issue in this light and realized that it just isn't worth it. The costs both fiscal and morale-wize of building and maintining a system of reports and investigations far exceeds the value of curbing a few extra clicks. Especially if Pr0n is already being filtered out in large measure.
This is especially true if the employer is smart enough to be managing people in terms of the work they get done not the time they spend. In that event if they really get addicted to surfing online then it will show up in their work performance anyway at about the same time that any weekly TPS report would catch it. You said that this has been used in some disciplinary actions so far without the daily reports. I presume from that that "caught" the individuals through other means and then a report was run not the other way around. This is more true when the "problem" is just spending a little too much time looking at the Fantasy Football scores.
More than likely such reports, after a few initial: "You've been making fun of me online!" moments will end up sitting idle on the managers' desks and would only be read after an employee is caught anyway (Except of course for that one Boss from Hell who has nothing to do but spy). In that event all the time, money, and paper, taken to print them out weekly would be wasted.
Additionally you might calculate the expected loss of work days. There was one study performed (don't have the link right in front of me) that calculated the number of lost and sick days taken as a result of draconian internet policies. You see many workers have small errands that they like to do online during the day (e.g. gift shopping or some quick bill-paying). The study's authors found that companies where such usage was banned (or heavily monitored) had more workers taking whole sick days to "run these errands" at home rather than taking ten minutes here or there to do them at work. The net loss to the company was higher than if they had just let the errands be run at work.
Since you don't know if you should do it, I'm assuming no one has specifically given you authority to do it. Therefore, you just do the number one corporate run-around "I'm not authorized to do that." Then if they as who is, tell them you don't know.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
From the description, there appears to be no policy in place governing how IT information can be used by company management. The problem lies in that fact, not the fact that someone is requesting the information.
I suspect that this is also further complicated by the fact that employment is regulated at the detail level on a state by state basis, and therefore the legal aspects of your situation will be influenced by local laws.
However, what I would do if this is the first time this has happened is to run this by the head of the HR department or someone who handles such things within the company. Where I live, if there is no policy, the employee whose information is being disclosed might have some legal rights, or could simply try to sue everyone involved if something negative happens. I suspect this could happen anywhere, as well. If HR has a discrete policy, then you are covered and the rules are clear.
Personally, I'd get someone in authority (boss, HR, legal) to give you in writing their guidelines, and perhaps take the opportunity to help create a policy if it doesn't exist.
I have worked for/with several large corporations, and each one has had very clear guidelines, spelled out in detail in the AUP for computer/internet use which employees must sign as part of the hiring paperwork. My wifes' company, for instance, (a large multinational news firm) allows any line manager to request the internet records of any employee after discussing it with their appointed HR rep (each manager has his/her own HR rep who handles such things and is involved with the managers on a daily basis). I've also worked with other organizations where only the security team, who had independent authority and worked hand-in-hand with management and HR, had direct access to the records.
However, I must mention the most brilliant and most efficient filtering scheme I've ever seen: make everything public. I worked with one of the large credit card corporations a while back, and when they first allowed general internet access, they had a website that simply logged *EVERY* employees browsing history (not urls, just domains). An employee could see his managers, the managers could see the employees. It worked brilliantly, since no one was going to risk being exposed as having gone to even questionable sites, so there were very few abuses. Plus it required no upgrades, no computers, no power, and virtually no effort. I suppose this was a good implementation of Cory Doctorow's recent suggestion about making security public. Too bad they discontinued it because of lawsuit concerns.
Any management that thinks auditing is an effective way of encouraging good work ethics is insane and grossly inept and should be fired immediately. Any manager that sees low productivity or low morale and thinks the solution is to start snooping on employee activities should give up and become a basket weaver.
http://yro.slashdot.org/comments.pl?sid=8124&cid=I would recommend, like a poster above, to read company policies, and see whether you report to department managers or to HR only. Also, look at whether employees have an expectation to privacy or not, as that is important. Personally, I would say that allowing department managers to track down their subordinates is only going to end up in a witch hunt that's going to get everyone pissed off. The managers are going to want more productivity, while the employees are going to be unhappy that there's such a "big brother", this will in turn lower the morale in the company, and with people leaving with such a bad impression, prospective workers will think twice about signing a contract. Talk it over with people higher up in the company, the HR division, and figure out what kind of atmosphere you want in the company. It's a good thing to have the logs for some cases, but you might want to try and not use them unless required to.
Just my $0.02 of opinion on this, based on the very few corporate environments I've been in so far.
---- I am certain of only one thing : I know nothing else.
I was reading an article a while back about how more and more employees are coming to either expect, or desire as a perk, unfettered internet access.
I wonder if anyone has done a study or survey of how much employees value their internet access, and what kind of pay cut they'd be willing to take for it, or what kind of pay bump they would require to move to a company that didn't offer it.
Right now it might seem like a minor issue -- in many tech fields, there are enough candidates that employers can dictate terms to their employees, and employees are sufficiently discouraged by the thought of finding a new job, that they won't tell them to suck eggs and walk away. However, in a tighter market this might not be the case. I could easily see a situation where a company might decide that it's cheaper to offer unfettered internet access (and swallow the cost of the productivity hit) rather than pay extra in order to recruit and retain people who are willing to work under more limited conditions.
I've thought about what it's worth to me, and I think I would probably accept working in a secure area (where there's no public net access) for about a 5% pay increase; any less than that, and I'd probably say no. If they just started blocking web traffic tomorrow in my current position, I probably wouldn't quit immediately, but it would certainly factor into my list of things that I don't particularly like. At some point when that list got long enough, I'd find another job.
Everything's a trade-off, both from the employer's perspective and the employee's.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I'm waiting for a batch process in the background; what's your excuse going to be?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
A few important pointers regarding the monitoring of employee usage of the network in a corporate environment.
1) First of all, do you have a security policy? Does the security policy has a section describing what is considered "normal work usage" of the infrastructure (this can vary from organization to organization) and the potential repercution of non-compliance to the security policy? Are the employees aware of this policy (have they signed it off?) If you don't have that, then doing any kind of network monitoring can be problematic, especially if you want to act on the result (it's way easier to manage on a HR standpoint if it's explicitely explained in the security policy).
2) A business has 100% control and power over the use of its communication infrastructure. Employees should have no expectation of privacy regarding their net browsing. Nevertheless, this is again something that should be explicitelly described in the company information security policy; makes things much much easier in the end.
3) Monitoring the web usage of employees should always be done throught a corporate approved incident management process (where visiting an "inapropriate" web sites is considered an incident). This also means that the same rules should apply to everyone, all the time (unless of course there is an exception - again, this should be specified in the security policy). A manager (or anyone else) shouldn't be able to request ponctual verification of the web usage of selected employees and (for example) fire them because they visited slashdot during working hours - the employee could sue for wrongful dismissal. The monitoring must be performed all the time, for everyone, and within a centralized process; you can't use it to "justify" firing someone and then turn a blind eyes to all the others employees who also don't comply to the policy.
4) IMHO, it is rarelly efficient for businesses to strictly enforce where their employees can and cannot go on the web during work hours (aside from obvious things, such as porn). What these kinds of controls can give you in term of "productivity" does not justify the cost in term of resources but also in term of employee satisfaction and confidence toward management. You'll end up spending too much energy on something that most of the time isn't really a problem.
Sure, give the lists to the managers... and then give the list of places the MANAGER goes to to the employees. And finally, go to the CEO and explain that your company employees are attempting to canabalize itself, and that he/she'd better do something quick or you are all doomed.
When I worked for the Navy, our users were expected to adhere to the Navy and DOD requirements. Locally, commanding officers could set policy regarding how much "freedom" people had to casually browse (i.e., "lunchtime" browsing desires versus mission needs and effects on badwidth). We had a happy medium and everyone complied without complaint. Based on that, here's what I would do:
1. Set a distinct, written policy regarding what's allowable and what isn't. If users can casually browse during idle moments, state this. If heavy multimedia-laden sites hurt your bandwidth, state that they're off limits. If the bosses don't want staffers wasting time working on their fantasy football rosters, make that crystal clear. Be specific about categories of sites that are off-limits.
1(a). Make sure that employees understand that there is no expectation of privacy on a corporate network, and they should avoid sites that might embarrass them. They need to understand that the company owns the network and the bandwidth, and using it is at the generosity of the company...they have no "right" to use the network for personal stuff. This covers your ass in case the company is sued and some legal demand is made for access logs and the like.
2. Demand that all requests for specific browsing history be routed through and be approved by management, at the highest possible level. This will give you the defense you need to say "no" to casual requests. Make sure those at the highest level understand the complexity of logging, sifting through and analyzing this data, and that an appearance of a domain in the logs doesn't necessarily indicate a violation of policy. Ask them to confer with you before making a decision on any request.
3. Based on the policies set in (1), provide only information regarding violations of policy on specific individuals or groups of people. If policy doesn't state that hitting ESPN is a violation, don't report it. If someone on staff is browsing medical information sites regarding erectile dysfunction medications, that should be their business and no one else's.
We had a fairly open link to the 'Net while I was at that DOD job, and this kind of policy worked very well for us. We blocked only the worst domains and those sites that gave us bandwidth headaches. We asked staffers to use common sense about 'Net use, since we frequently pulled in lots of text data and large weather images. When someone accidentially hit an adult site (mistyping an URL, for example), I would usually get an immediate call or e-mail from the user, detailing what happened. Perhaps there was a bit of fear involved, but whatever it was, it worked.
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
which restrict the web sites that employees can visit [...] they are suspicious of time wasting on the Internet and need proof.
Before worrying about privacy issues (you can make those go away with the simple wave of an AUP), you should perhaps wonder if the people in question work hourly or on salary.
You have a set of sites you allow. If you then scold people for going there, you need a reason to do so. "Wasting time" simply doesn't apply to salaried employees - As the flip-side to all that unpaid overtime, their "time" belongs to them, not the company. If they can get the job done in five minutes per week and surf the web for the other 39h55m, your company can't do a hell of a lot about it (short of making them hourly).
Well put.
If your employees/team are being productive, and your project is successful and you're meeting deadlines, I question why a manager really ought to care whether people are reading Slashdot or Google News or playing the occasional Flash game.
If work's getting done, don't micromanage -- let your people do their work; the damage you'll do by creating an adversarial work culture probably greatly outweighs the very small gain in efficiency you'll get by prohibiting web browsing (and for some people, prohibiting them from doing that may result in a negative productivity change). If work isn't getting done, then maybe you need to take a look at either your recruiting, motivation, or compensation practices. You can't "beat them until morale improves," and employees who are all disinterested in work is probably a symptom of a greater problem than the browsing itself.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
at my current company for this reason. I work for a p0rn company and they have a policy against using the internet for non-work related stuff. I got a warning for reading cnn.com.
Cyberbite Networks - Web Hosting, Dedicated Servers & Colocati
It doesn't really matter what the IT Department thinks about this issue, or whether people in general think it is a good idea or not. It doesn't matter that some slashdot readers get all emotional over this and criticize all managers as idiots no matter who they are or where they work. The only thing that matters is whether a company has a legal right to do so. There are some states where employees have certain legal rights and expectations, but I guarantee you slashdot readers are not the ones who will make this determination. If it's a matter of whether or not a company has a fixed "policy" for this sort of thing, okay--that's just an internal 'legal' matter, right? Courts have consistently ruled that if an employer makes up a policy and writes it down, they then must follow that policy. A lot of successful employee lawsuits are precisely because the employee can prove the company did not follow their own written policy. The reason policy manuals grow so thick and unwieldy is because when a situation comes up that isn't written down somewhere inevitably some 'sea lawyer' employee will say, "Well, it isn't written down that I can't so you can't tell me I can't." I have personally had that happen. My boss and I took it upon ourselves to take a trip to a client one week, and the next week an offical policy came down that said no one could go on a trip without official authorization from headquarters. So as a result policy manuals start to cover how many times an employee can take a potty break and how many breaths per minute are allowed. Nothing can be relegated to common sense because there isn't any--and it's not just managers. Anyone who has been a manager in today's modern corporations knows employees' concept of entitlement is such that they make up 'rights' that don't exist and can make any manager's life miserable to the point that it ain't worth it. Maybe not at Google, but the workforce is not made up of the world's brightest engineers. the average IQ is still 100 and half the employees are below that.
Now, the company provides a computer and internet access for an employee to do his or her job. It is not required to provide Internet access so an employee can surf around anywhere he or she wants, sit on slashdot, and manage their home life from work. It doesn't matter wherther an employee is on a "break" or not--it's still a company-owned computer in a company-provided location and the employee is still on paid time. The employee is still using company resources for private use, no matter how small. In government there is a well-established legal principle called a "gift of public funds." It's not allowed, period, and the reason is to prevent you the taxpayer, from getting ripped off.
It has been well established that companies DO have the right to monitor employee e-mail. A case in Washingtson State was when an employee used state-owned computer and email for union activities. She was fired. It was upheld. There was a similar case a few years back with Epson. The employee was fired. It was upheld. It has also been well established that employers have the right to monitor internet usage and they have the right to filter internet usage. In some cases, it is required by the government.
To reiterate: It does not matter whether you agree with this or whether you think this is a good idea. There are all kinds of reasons to disagree with this and all kinds of reasons that this isn't a good idea. I'M NOT SAYING IT IS A GOOD IDEA.
Now, the IT Department is not in charge of running the company. By and large, the IT Department does not make the widgits. IT's job is to support the people who make the widgits, the people who decide which widgits to make and how many of them to make, and the people who provide the opportunity for employees to be hired and paid to make the widgits. IT has no "right" to resist or push back, and if it does just out of principle, it is WAY out of line. If an IT Department did that after being told not to, they should be fired.
However, if these requests ar
How about a moderation of -1 pedantic.
I'm a network admin at the moment, and get an ISA report sent to my inbox every day reporting employee computer usage. I usually glance over it and see if there has been any significant use of bandwidth to a non-business website. If I notice unusual use of bandwidth to a site that isn't for business, I'll tell the employee I know what they have been doing, and that the company president may too (since he gets the reports also). Maybe your team could do similar. Cram all those ISA reports down the manager's throats and see if they actually go through them every day;I'm betting after a while they wouldn't. At least in my case, they are semi-cryptic to the non computer-guy, and require a little bit more research to go as far as identifying the individual. I understand the need for monitoring, but unless they are found to be downloading illegal files or doing a significant amount of non-work browsing, I just assume it's probably just a lunch break or a small 5 minute break to relax the mind for a bit.
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
How can the logs show any consept of "time spent". They can only show hits, or am I missing something. I leave webpages open all day, but only read them briefly. How can these logs distingish these two facts?
...is a lack of results/deliverables in the expected time frame. Either your employees are producing at an acceptable level or they aren't. I don't understand why many managers feel they need to waste time with the cat and mouse games. Perhaps the real question this guy should be asking is "Why do the middle managers at my company have time available to look into this; Perhaps we should have fewer middle managers."
The fact is almost every company has a rule about browsing the internet and the content allowed. Most companies make you sign a letter about the policies, some each year, and it tends to contain the internet policy. The main reason is legal liability. If you are browsing pornographic or any objectionable material and someone spots it, they can file sexual harassment claims. It becomes a major legal battle for the company if it is not resolved immediately in-house. They prefer to prevent this from happening in the first place by putting in the protections.
Your manager wanting a record of the groups history is a very legitimate request. The manager may have known about that capability at other companies, but didn't think it existed there. He/She may be completely ignorant and didn't know about it at all. The fact is the people that get upset usually have something to hide. I have browsed Ebay, slash, game sites, etc in the past. Some companies block a lot of this access altogether to prevent you from wasting company time. Some only block questionable content to protect themselves. Honestly, this is personal time being spent during work hours. You have a job to do and you are being paid for it. Unless your job specifically relates to browsing the web all day or even a bit as a job requirement, you shouldn't be doing it. Down time, break time, and lunch, if the company allows, is the time for browsing. The truth is you are being paid to work, not play.
Either way, there is nothing you can do. They own the equipment, network, and processes. Let's just hope you have a clean record.
You're on company equipment, on company time; there should not be any expectation of privacy. At a previous employer, I boiled down the proxy logs daily to a list of sites and forwarded it to our security group. If they saw something suspicious, I was asked BY THEM to pull the detail records of IP and employee ID. In one case, it led to someone being walked out the door for surfing kiddy-pr0n sites at his desk.
Someone checking their e-mail over lunch is one thing, but someone spending half the day checking their portfolio/surfing pr0n/playing games is another. But the request *should* be coming from some group with personnel or security responsibility to avoid you being in the middle of some PHB's vendetta against some poor cube-rat.
Where I work, "incidental" personal use is tolerated. All requested URLs are logged. Our asset protection group looks at this information and pulls out those suspected of spending too much time online. They would then investigate and if it looked like the person was spending most of their day browsing non-business sites, they'd bring that information to the attention of their supervisor. We also utilize blocking software, and if employees tend to hit too many of these blocks, it's my understanding that that also triggers an informal investigation. Our blocking rules are obtained from a 3rd-party, though, and are pretty useless, so I don't know how much this is looked at anymore.
Lower-level or mid-level managers can't just request usage logs. Because we do permit incidental personal use, there are privacy implications and for that reason, only our asset protection group conducts the investigations. (I suppose it might be possible for a supervisor to request an investigation, but I've never heard of anyone doing that.)
Independently of that, though, our PC support is centralized, and if you need some work done on your PC, and they stumble across questionable content in your web cache (or anywhere else), you can bet that you'll be hearing about it. (But again, you'll either hear it from them, as a courtesy warning, or they'll take it to the asset protection group for a proper investigation, not your supervisor.)
We've done stuff like this, in many ways (including exactly this), and every time it happens it follows a very simple pattern, namely: managers get bored with reading logs very quickly. So, if you're not a huge company you probably don't have a budget to waste* on something like this, and people really have better things to do with their time. So if you're not huge, go along with it, be the model employee for a while and by the time you forget about it, odds are management has too.
But the capabilities are good to have, for when valid suspicions are raised. If people are wasting time, it's better to fire everyone who's incompentent. The incompetent people simply waste time, and the others will waste time when they're doing more (worthwhile) work than their peers.
(* a larger company can do this without actually wasting money, I suspect.)
If they only log the site and not the full URL, how do they know the supposed "visit" of a given web site wasn't from an involuntary pop-up?
---------
There is inferior bacteria on the interior of your posterior.
My company has the usual "no expectation of privacy" balderdash in place, and we log on the main access point for the company. There are a couple of things that make this information less useful: 1) Sometimes high-demand files will be mirrored by helpful nerds at suspcious domains. Just because the domain name is hot-sexy-girls.com doesn't mean that the employee isn't reading technical documents. Only use this excuse if they have you dead-to-rights -- it's weak but true. 2) If I see a whole afternoon of surfing "anonymous.com" it doesn't tell me jack. Go anonymous! 3) Servers on the DMZ have unmonitored outbound connections, and anyone with a few brain cells can X-forward from a browser running on one of those boxes. Curiously, I've never gotten around to locking this little hole down. Maybe I'm lazy. 4) For a couple of doughnuts, server logs can get corrupted or deleted. After all, computers are fallible, and this data isn't on a high-availability mount point. "Sorry boss, looks like proccess XYZ ran amok last night, and the browser logs are mangled. Have a doughnut!". 5) In extreme cases, a quick grep over the log will clean off a few of the worst violaters. May I suggest a "grep -v slashdot.org" for example?
Off into the AC void :(
I didn't see anyone mention that you should minimize the amount of logging. At my last job we could log and flag a lot of stuff. But one of the discussion points as I was implimenting some systems, was that if we log something and know about it, then that might increase liability or compel us to take action.
We were mainly concerned to try and keep users from running P2P apps and avoid receiving letters from RIAA/MPAA/etc, and to be aware of external hostile network threats, hack/probe attempts, etc. If we could start observing people's browsing habits and logging more closely, which we could have, then we might have to take action based on that additional info we collected.
I think the best policy is to maintain the minimum amount of logging as possible. 2nd, I like the other suggestions of making the information accessible and open to everyone and we can observe the boss as well as the boss observing the employee. As well as controlling who can make requests for that specific info on the other scenario, like one senior manager and HR person. You don't want to spend 1/2 your day compiling reports and statistics and dealing with these requests.
Personally I don't work so well feeling like I'm being constantly watched, and my efficiency and productivity can go into the toilet if they mount cameras behind my back, and things like that. People can say blah blah blah company's stuff and company's time... but living in a paranoid micromanaged state is highly stressful and I'd rather see companies evaluating their employees on the quality of their work, and if they're getting it done on time.
I've worked in a micro-managed call center before as a tech support employee where they could take screen captures and play back movies of your desktop and what you were doing, armed security guards, cameras, etc lots of monitoring and managers with wireless headsets that would be standing over you the moment your calltime went over a threshhold, 40-80 deep in queue for weeks at a time... It's no fun and makes people want to leave for something else ASAP. I've seen employees have heart attacks and be wheeled off in ambulances, and people just completely freak up, start throwing things, screaming across the floor "Fsck this! I can't take it anymore!". I don't think our jobs have to be so miserable...
You need to have a written policy which also informs employees that you are doing this and to make sure every knows about it. If you don't do this you your company can be sued for discrimination when it fires one employee but not another for certain uses of the internet.
For a few clients I've worked at. The only time they really want to read any logs is when they want to get rid of a specific employee. If you're not on their hit list you didn't have a worry, but it you were then they would find the smallest detail in a log to pick you out and fire you for breaking their internet use policy.
Task Mangler
The guy is right. IT serves the company, not the other way around.
He says what everyone here should know and gets marked as a Troll.
How childish.
I think there is enough technical advice/insight on /. (if you've got a good BS filter) that it could be considered at least a grey area for a lot of folks in technical jobs. Many of the "Ask Slashdot" discussions provide the insight of experienced people.
Consider this discussion. If you were newly in a position like this, getting a feel for how other people have handled the situation would be useful.
Back on topic, I have always tried to resist efforts of mid-managers to rifle through the logs. It's time-consuming, often fruitless, and usually unfairly targeted. I'm a tech, not a cop, and I don't want to participate in witch-hunts.
If the site is blocked, no harm, no foul, the person only -attempted- to access the site. If they access an inappropriate site that is not blocked, I quietly start blocking that site. You should be regularly profiling your traffic anyway, anything that has a real impact on performance will show up. Stay ahead of the game and everyone benefits.
A house divided against itself cannot stand.
I worked for an IT department that suspended 3 guys for a week because they has set up a local lan and during lunch would play a multi-player game. They only played during their lunch hour and their previous manager used to play with them. When new management takes over you have to be really careful. Many times they are just looking for someone to make an example of. Our internet access was completely restricted and all department heads were given a print out each month. They also put Gps on the work vans so everywhere the van went and stopped was tracked. I was never so happy as the day I quit! :)
Give them a form that requires their signature and the signature of the person involved. Make it quite clear that signing is voluntary. Make it also clear that both the employee and the manager will have their web sites posted.
excitingthingstodo.blogspot.com
My own concern is not as much the Internet as Instant Messaging.
... well it gets frustrating when you see projects slowly getting late.
I have witness that most employees under 25 (and many under 40) are addicted to IM. When an employee asks for my help and we sit in front of their computer, we get interrupted every 5 to 8 minutes with an IM popup from a friend or family member.
The employee dismisses it quickly when I am standing there, but after a few times, I realized that when I am not standing next to them, they take the time to answer. A quick 30 seconds or 2 minutes is not much (the shorter the answer the quicker you get an answer back), but repeated every 5-10 minutes for 8 hours of work
An employee that would spend that much time on the phone with friends and family would get a warning at any job, why is it "OK" when you cannot hear the voice, and it "looks like" you are working (typing).
But the epiphany came when our ISP went down. Productivity for these 3 days went up 10 to 15 percent.
I can definitely see a need for something like this, but the blur is the ethics of investigating what employees do on their time. I'm a student and when I took a job last year I had 2 coworkers (also students) who came to work, but I could never figure out what they were doing with their time. They made no progress, or any progress they made was illusory and/or easily accomplished at the last minute. I figured it out: They would come in and sit on myspace for FIVE HOURS and surf web sites with media like youtube or whatever. They NEVER worked. I found out the myspace page of the person and found that they would make interesting posts about thier coworkers (myself included) that well... weren't very nice. Most telling of all was the day that one of the students left: They wrote on myspace that they actually worked today! And then they listed like 5 things they actually did, while admitting they hadn't done anything in the previous MONTHS.
After reading that, I realized two things: 1) Management has a problem. They don't have adequate metrics in place to control reporting and track work accomplishments vs time. 2) If management had a tool to check up on browsing habits, and the employees knew about it, the employees might have accomplished more in their time.
I'm all for it.