Slashdot Mirror
Reporting on Your Employees' Internet Access?
kooky45 asks: "My team has recently installed content filters for my company which restrict the web sites that employees can visit. It also logs the sites they do visit; not whole URLs, just the site domain names. This has been useful for a couple of disciplinary investigations of employees suspected of wrongdoing. However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof. We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?"
Our employee AUP specifically states that the company equipment belongs to the company, and there should be no expectation of privacy. It also states we perform monitoring of Internet and email activity. All employees are required to agree to the policy before they are granted access. Supervisors occasionally do request reports from our logs when they're trying to determine how productive their employees are. This is one of the reasons we have the logging in place.
Our simple answer:
"We don't take requests from department managers".
At our shop, requests for such information come from the HR director or the General Manager and only those people. And such information is provided to them and them alone. Such rules make our lives easier. HR and/or the GM workout what to do with the department head -- solutions which may involve IT or not.
Such requests are rare now. They are usually handled by the supervisor alone now without need of escalation.
Like all employment, everything is negotiable. For example, employers have the right to be as draconian as they wish. Some don't allow internet access at all, for example. Some do with heavy filtering, and dismissal for the slightest infraction, for ANYONE. Employees on the other hand, are not without rights themselves, chief amonst them, the right to walk away. If an employer seems unreasonable, then work for someone else. If you don't have the skills to do that, put up with it until you do. People who won't better themselves shouldn't bother to complain.
But this is slashdot. A slashdoter who didn't build his own computer is like a Jedi who didn't build his own lightsaber!
...and, as part of our corporate policy, any employee you request browsing history on will get a copy of YOUR browsing history.
I would guess that would limit requests.
- Tony
If your company pays for the internet access and for the machines the employees are using to access the internet, it would be foolish to feel they have any right to privacy. I don't like the idea of higher ups being able to see what I've been doing online, but I understand that since I'm using the company's internet connection and their computer (and their electricity, and the time I'm being paid to work) they can snoop in at any time. God save us all if they discover how much time people spend on /.
Dear diary: Today I stuffed some dolls full of dead rats I put in the blender.
My company reports the estimated time spent online and # of sites to managers that request the information, but does not report the sites themselves. The company owners are the only ones outside of IT that can view the names of sites visited ... and then only a list of blocked sites by user.
Crack - Free with every butt and set of boobs
unless there's something in the staff policy about 'not' visiting sites people might deem offensive/doing non work on computers etc etc there's not alot the managers can do.
Also pop in the managers usage as well - as someone else pointed out.
It sounds to me like the managers don't have enough to do and are wasting their time micromanaging employees.
However, word has got round to some managers that this capability exists. They are starting to ask my team to provide lists of sites that their team members have accessed over the past few weeks, claiming they are suspicious of time wasting on the Internet and need proof.
It takes real time to develop a culture in a workplace. If your culture is such that managers are looking for evidence of "slacking" to try to motivate them or replace them, then you are probably looking at a lost cause. The only thing I can recommend is a well written letter to someone high up in the company about the dangers of an adversarial workplace culture and the resulting brain drain and poor quality.
We're pushing back because of privacy concerns but the pressure is building on us. We have no experience in this area, and I'd like to ask Slashdot how other companies handle this, what the important considerations are, and where it could all go wrong?"
Any manager that needs to look at logs like this for their employees is incompetent and dragging your company down. A good manager provides positive incentives for employees and creates loyalty both to himself and to the company by treating employees like people. The only reason to consider removing an employee is if they are not getting their job done. If this is the case, then they should be able to tell him why. If he does not trust them, he should find someone else regardless of what a log says.
Treating your employees as mercenaries will make them act that way. Why should they give 2 weeks notice if they're leaving? Why shouldn't they steal office supplies if they can get away with it. Why shouldn't they make a copy of your customer database or defect to the competition? If money is all you are offering, then you can always be outbid.
One thing you might want to consider and which might be able to pull you company out of its cultural death spin is moving drastically from secret monitoring to complete openness. Make an announcement to the whole company that internet monitoring is being applied and then open the system up to everyone. Managers will be able to see what sites their employees visit, but employees will be able to see what sites their bosses visit and when and for how long. We have such a system here, and every now and again we'll announce in a meeting the person who wasted the most time on Slashdot that month.
With such a move to openness i does not seem so much like an us versus them arrangement, but rather an even playing field for all. It works for us, but then we also have a very progressive culture of treating employees well and avoiding micro management. People take on responsibilities and the only problem is if they don't live up to them. No one cares if I post on Slashdot in the middle of the day, so long as I get my work done and it is of sufficient quality. It may be too late where you work, however. You might want to seriously consider looking for an employer that is smarter.
Thank God my bosses believe me when I describe Slashdot as a tech reference site and I am in charge of any network monitoring we might do.
:)
As a manager of engineering teams, I do not look to closely at what the staff does; As long as the product works, and it is delivered in a timely manner. The company owns the equipment, so there is a need to respect its ownership. I tell the team leaders that it is not a good thing to be caught accessing the design ideas from a porn site, at work. And I do know that the porn industry is light years ahead of all of us when it comes to copyrights, revenues, downloads, and traffic monitoring. My advice for companies that have managers that need to spy on employees is to ask that manager for immediate status report on all outstanding projects. Then start increasing that managers work load. If a person has time to spy, then that person has time to work; For the good of the company. And if there is no work for that person, then maybe the Finance Department should be brought into the loop at that time.
I'll say it again though.. These requests should only come from HR/Personell whatever you call them.
At a previous job I had the task of the web filter logs, as well as access to all emails and user's files. Sure, I looked at them sometimes, but only if I needed to. And yes, at times lower lever managers - supervisors - would ask for information about their direct reports.
Even though no direct policy like this existed, I told them I will only give that information to HR. One time the CEO asked for something, and I would not even give it to him. I defered him to my boss, who, probably gave it to him, but I made it very clear:
"I've been given trust by the company to access this information. What if someone went to a website that divulged information about a medical condition that they were keeping secret? Granted, they would be wrong for doing it on company time, but I am NOT going to be the one to give up that information"
I think I also gained a little respect by saying that and instituting my policy. Of course, YMMV
Don't Tread on Me
We were told at one company that I worked at that the supervisors had the ability to spy on our desktops to see what we're doing. A new supervisor rushed over to my cube to tell me that looking at Amazon was against company policy and he caught me red handed (it was still on the screen after being there for only a minute). I pointed out that 1) I was on my break with a breakfast burrito in hand, 2) the entire company knows I get stuff delivered from Amazon, and 3) my last supervisor gave me an Amazon gift certificate at the completion of my last project. He went off mad when I told him to bugger off. This is the same management team that couldn't find the computer that had 300+ virus/trojan horses/spyware that kept bringing down the network every three days for the past month.
:P
Besides, I did all my non-work web browsing on my PDA using the wireless link from the company next door. Do you know how hard it was to type a Slashdot comment on a tiny virtual keyboard?
From reading the post, I'm guessing you're one of the folks who actually works for a living, rather than manages other people who actually work for a living. Decisions like this usually aren't handled at the "actually do it" level. This is definitely something I'd kick up through the management chain, as this is something that should be clarified at a company policy level.
Some companies make it very clear that people who work for them are subject to monitoring, etc., and can expect no privacy. Others will have the same general policy, but have other policies in place as to who can see the logs and under what circumstances. That's what you'll have to establish, and it's a decision that should be handled at a management level high enough to make it stick.
My answer, in the absense of an established policy would be "Have your boss talk to my boss, and they can hash it out with HR and Legal."
Never attribute to malice what can as easily be the result of incompetence...
Basically, as someone else said, these sorts of things should be funnelled through your HR dept. Any investigation that could result in disicipline of an employee should go through HR. It isn't up to you guys to determine what requests are legit or not. There needs to be a central channel that all investigitory requests concerning employees has to go through. 99% of the time that's an HR dept. If a union got wiff of what's going on, you might be in the beating end of the union stick.
If an officer ever threatens to taze you, say you have a pacemaker.
Since you don't know if you should do it, I'm assuming no one has specifically given you authority to do it. Therefore, you just do the number one corporate run-around "I'm not authorized to do that." Then if they as who is, tell them you don't know.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
From the description, there appears to be no policy in place governing how IT information can be used by company management. The problem lies in that fact, not the fact that someone is requesting the information.
I suspect that this is also further complicated by the fact that employment is regulated at the detail level on a state by state basis, and therefore the legal aspects of your situation will be influenced by local laws.
However, what I would do if this is the first time this has happened is to run this by the head of the HR department or someone who handles such things within the company. Where I live, if there is no policy, the employee whose information is being disclosed might have some legal rights, or could simply try to sue everyone involved if something negative happens. I suspect this could happen anywhere, as well. If HR has a discrete policy, then you are covered and the rules are clear.
Personally, I'd get someone in authority (boss, HR, legal) to give you in writing their guidelines, and perhaps take the opportunity to help create a policy if it doesn't exist.
I have worked for/with several large corporations, and each one has had very clear guidelines, spelled out in detail in the AUP for computer/internet use which employees must sign as part of the hiring paperwork. My wifes' company, for instance, (a large multinational news firm) allows any line manager to request the internet records of any employee after discussing it with their appointed HR rep (each manager has his/her own HR rep who handles such things and is involved with the managers on a daily basis). I've also worked with other organizations where only the security team, who had independent authority and worked hand-in-hand with management and HR, had direct access to the records.
However, I must mention the most brilliant and most efficient filtering scheme I've ever seen: make everything public. I worked with one of the large credit card corporations a while back, and when they first allowed general internet access, they had a website that simply logged *EVERY* employees browsing history (not urls, just domains). An employee could see his managers, the managers could see the employees. It worked brilliantly, since no one was going to risk being exposed as having gone to even questionable sites, so there were very few abuses. Plus it required no upgrades, no computers, no power, and virtually no effort. I suppose this was a good implementation of Cory Doctorow's recent suggestion about making security public. Too bad they discontinued it because of lawsuit concerns.
I was reading an article a while back about how more and more employees are coming to either expect, or desire as a perk, unfettered internet access.
I wonder if anyone has done a study or survey of how much employees value their internet access, and what kind of pay cut they'd be willing to take for it, or what kind of pay bump they would require to move to a company that didn't offer it.
Right now it might seem like a minor issue -- in many tech fields, there are enough candidates that employers can dictate terms to their employees, and employees are sufficiently discouraged by the thought of finding a new job, that they won't tell them to suck eggs and walk away. However, in a tighter market this might not be the case. I could easily see a situation where a company might decide that it's cheaper to offer unfettered internet access (and swallow the cost of the productivity hit) rather than pay extra in order to recruit and retain people who are willing to work under more limited conditions.
I've thought about what it's worth to me, and I think I would probably accept working in a secure area (where there's no public net access) for about a 5% pay increase; any less than that, and I'd probably say no. If they just started blocking web traffic tomorrow in my current position, I probably wouldn't quit immediately, but it would certainly factor into my list of things that I don't particularly like. At some point when that list got long enough, I'd find another job.
Everything's a trade-off, both from the employer's perspective and the employee's.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Well put.
If your employees/team are being productive, and your project is successful and you're meeting deadlines, I question why a manager really ought to care whether people are reading Slashdot or Google News or playing the occasional Flash game.
If work's getting done, don't micromanage -- let your people do their work; the damage you'll do by creating an adversarial work culture probably greatly outweighs the very small gain in efficiency you'll get by prohibiting web browsing (and for some people, prohibiting them from doing that may result in a negative productivity change). If work isn't getting done, then maybe you need to take a look at either your recruiting, motivation, or compensation practices. You can't "beat them until morale improves," and employees who are all disinterested in work is probably a symptom of a greater problem than the browsing itself.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
at my current company for this reason. I work for a p0rn company and they have a policy against using the internet for non-work related stuff. I got a warning for reading cnn.com.
Cyberbite Networks - Web Hosting, Dedicated Servers & Colocati
...is a lack of results/deliverables in the expected time frame. Either your employees are producing at an acceptable level or they aren't. I don't understand why many managers feel they need to waste time with the cat and mouse games. Perhaps the real question this guy should be asking is "Why do the middle managers at my company have time available to look into this; Perhaps we should have fewer middle managers."
For a few clients I've worked at. The only time they really want to read any logs is when they want to get rid of a specific employee. If you're not on their hit list you didn't have a worry, but it you were then they would find the smallest detail in a log to pick you out and fire you for breaking their internet use policy.
Task Mangler