The NBC TV show “The Office” has risen to popularity by archly satirizing the general minutia of and tribulations associated with working in an office. Of course, by depicting a modern office, the show ends up frequently addressing the way information technology interacts with our daily professional lives.
An episode from the show’s second season, titled “E-Mail Surveillance,” is a prime example. It begins with the office’s regional manager, Michael Scott, played to great effect by actor Steve Carell, telling the camera, “There are certain things a boss does not share with his employees … and I am not going to tell them that I’ll be reading their e-mails.”
But after setting up the capability to access his employees’ e-mail accounts, as soon as he steps out of his office, an employee confronts him: “Hey, what’s the deal Michael? Why are you spying on our computers?” Michael attempts to humorously deflect the question, failing, and the employee shoots back: “Actually we just got a memo from IT saying you’re doing e-mail surveillance.”
Of course the whole office immediately freaks out and starts deleting everything in sight. An accountant confesses to the camera, “I gotta erase a lot of stuff. A LOT of stuff.”
This seems to be how it goes when a company decides to engage in e-mail surveillance. The employees are not supposed to know this is happening, but everybody does, and thereafter treats their e-mail accounts as nothing less than a public forum.
Whether or not you agree with the practice, the fact is that it’s fully within an employer’s rights to conduct e-mail surveillance. After all, the employer is administering the accounts, probably paid for the computers being used to access the e-mail and business being conducted on those accounts is the employer’s business. Courts have largely sided with employers in instances in which e-mail surveillance was legally challenged.
But another variant of office e-surveillance has proven to be not nearly so defensible: keystroke logging. Using this method, a software tool or hardware device is installed on an employee’s computer or administered remotely and thereafter monitors every single thing that employee types, in any program.
As far back as 1992, the U.S. Department of Justice issued a legal opinion stating that employers using keystroke monitoring should post a banner informing employees that it’s in place and installed on any machine using the technology. If a company uses such tools to monitor employees without informing them it is occurring, it is likely setting itself up for substantial liability.
The creepy thing about keylogging is that it’s essentially monitoring an employee’s thoughts. If you sit an employee in front of a computer eight hours a day, 40 hours a week, and then record everything he or she types on that keyboard, you’ve arrived somewhere between a scientific experiment and an Orwellian nightmare. Say an employee opens up a company e-mail account, or even a private one, and proceeds to write something that may be inflammatory, but then better judgment prevails and he or she deletes the e-mail, never hitting “send.” Doesn’t matter: Everything he or she just considered saying is now part of his or her permanent record.
Keylogging programs and hardware have no way to distinguish between the potential for multiple users of the same computer. If something problematic was typed on a computer in any given program, there is no reliable way to authenticate that it was a particular person who typed it.
Keystroke logging also opens up an entire other can of worms in terms of security risks. Once keystroke monitoring is in place on a machine, it can be used for malicious or criminal purposes such as identity theft. Given the prevalence of e-commerce, in the course of a workday an employee may enter many identifying details (name, address, credit card number, Social Security number) into a machine that a company does not want to store electronically. And once keystroke monitoring is in place on a machine, there’s no longer any point to an employee maintaining memorized, personal passwords to e-mail accounts or other systems. They’re all now being electronically recorded and stored. The organization is then leaving itself wide open to unauthorized access of its systems, networks and accounts.
Monitoring or at least arranging for oversight of e-mails sent through company accounts seems reasonable. But monitoring everything an employee types is not only legally suspect, it’s also enormously impractical. One large question is: Who’s going to read all this typing, and when?
– Daniel Margolis, firstname.lastname@example.org