And forgive us our trespasses
Agencies monitor employee Internet use to stem unauthorized surfing
In August, when information technology officials at the Interior Department's Office of Surface Mining headquarters began monitoring what sites their 150 employees visited, they wanted to ensure that the office's wide-area network bandwidth was not being sucked up by large, nonwork-related files such as movies and graphics. But the agency found much more — a handful of employees were surfing pornographic and gambling sites on agency time.
"Just a very few people were actually going to adult sites and gambling sites," said Roy Morrison, network systems support team leader at the surface mining office. "They would stay there for hours. This is a big problem, and you need to do something about it. It sucks up resources, and it's a potential embarrassment. We just don't want to go down that road."
As a result, the agency last month completed and distributed an Internet usage policy detailing how employees may use the Internet. And, armed with software from SurfControl, agency officials also have blocked adult and gambling sites for all 650 surface mining employees and are evaluating whether they should continue monitoring or just block the sites, Morrison said. "I would prefer to block and not have the problem as opposed to letting the employees go wherever and then disciplining them," he said.
With Internet access pervasive throughout federal agencies, most IT managers have crafted or begun to develop a personal use policy, and many are using blocking and monitoring software to stem unauthorized cybersurfing on agency time. Many have been encouraged by recent news reports about companies like The Dow Chemical Co., which fired 50 workers and suspended 200 for sending and storing pornographic and violent e-mail messages. They're also encouraged by the CIA investigation of 160 of its employees and contract workers for exchanging "inappropriate" and off-color messages in a covert chat room on the spy agency's classified computer network.
Bandwidth Crunch
Traditional transgressions associated with monitoring Internet usage — employees visiting adult sites or gambling online — are not the only problems. Employees shop, search for jobs, read the news and check stocks online. Internet misuse accounts for 30 percent to 40 percent of worker productivity losses, according to the IT analysis firm IDC.
According to a recent Vault.com Inc. survey of 670 employers and 451 of their employees, 25 percent use the Internet during office hours for personal reasons for at least 10 minutes each day. Another 13 percent said they surf at the office for more than two hours a day. By July 2001, 80 percent of U.S. companies will be monitoring their employees' behavior online, according to IDC.
In addition to productivity losses, agencies are concerned with unnecessary surfing gobbling up needed bandwidth by downloading applications such as music videos and family photos. Agencies also are concerned about potential legal liabilities derived from pornographic material being stored on networks.
Software that blocks or monitors certain e-mail messages and Web sites can be used by agencies to prevent employees from e-mailing confidential documents to outside recipients and to block viruses from entering agency networks, said Keith Thurston, assistant to the deputy associate administrator at the General Services Administration's Office of Governmentwide Policy. Most large U.S. government agencies use filtering and monitoring software, he said.
The Federal Aviation Administration is one of those agencies. The FAA will soon begin monitoring its employees' e-mail one day per week, said Less Dorr, FAA spokesman.
"The whole idea is not just to see who's going to what site and doing what," Dorr said. "The idea is to get engineering data on our bandwidth to understand if we need to do anything else. We don't anticipate blocking any sites. This is primarily to get a handle on not only our current Internet usage but what changes may be needed in the future."
Access Denied
The National Park Service began monitoring the Internet usage of 460 of its employees about eight months ago. Officials found that about 2 percent of the traffic went to adult Internet sites, said Don Thie, manager of information and telecommunications services at the National Park Service. Since then, the agency has been monitoring all em-ployee Internet usage with SurfControl's software and blocking all adult sites.
"It protects our management from even the possibility of a problem," Thie said. "Just one instance that got into the general press could cause you problems."
SurfControl's monitoring features will enable officials to block additional sites in the future, such as those that allow downloading of music clips, if they feel any employee abuse warrants it.
"If we see a class of Internet activity that is significant enough to cause a problem with the circuits, then we'd make the decision to do the blocking," Thie said.
SurfControl has noted many types of Internet abuse from its clients, including one employee who was running his own pornography site from a company server. Employees at other companies have been discovered watching a Victoria's Secret Web cast and a live television show via the World Wide Web, said Kevin Blakeman, president of U.S operations at SurfControl.
"Not only has that person's productivity been affected, but they can affect the productivity of other people from slowing the network," Blakeman said. An employee "may start off doing something that is work related, but five Web sites and three clicks later, they're halfway around the world."
SurfControl's software sits on the network and watches Internet traffic to build a report of which users are going where and how often (see box).
"Maybe marketing people need wide access to get competitive information, but a shipping person might only need access to FedEx and UPS," Blakeman said. "If a user tries to go to an adult site, an e-mail can be sent to human resources saying, "This person has tried to go to this site.' It's not too different in the same way the telephone system is often set up where you have to plug in a code to make a call or you're restricted from making international calls."
At the Small Business Administration, officials chose a filtering product from N2H2 Inc., with artificial intelligence that provides an extensive database of sites that the agency can choose to make inaccessible to its 6,500 employees. Instead of resorting to actively monitoring em-ployees' Web usage and having administrators cull through these reports, SBA relies on the N2H2 software to block employees from accessing inappropriate sites.
"The software is context sensitive," said Howard Bolden, agency computer security manager. "It understands the difference between the word "sex' in a porn site as opposed to medical literature. If they do go to an inappropriate site, a screen pops up saying, "This site is blocked.'"
SBA is among several agencies that allow limited personal use of government computers during nonworking hours. Websense Inc.'s filtering product is designed to incorporate this agency policy, said Andy Meyer, vice president of marketing at Websense. Because many employees are working longer hours, employers are beginning to offer at-work Internet access as a benefit so employees can shop or do research, for example, at lunch or after the workday is completed, Meyer said. The U.S. Army Reserve Information Center, U.S. Naval Submarine Support Facility and the U.S. Defense Commissary Agency are among Websense's federal customers.
Downloading: Cease and Desist
While many agencies are turning to monitoring and filtering products to prevent their employees from visiting inappropriate Web sites, others are more concerned with making sure employees don't download and store illegal material or consume too much storage space.
The Justice Department, the State Department, the U.S. Patent and Trademark Office, the Air Force and the Marines have all deployed software from W. Quinn Associates Inc. that allows administrators to track and prevent users from downloading specific files.
"It's the agency that's responsible for the content of its servers," said Steven Toole, vice president of marketing at W. Quinn. "Servers by nature are shared. If you have an employee who downloads some pornography and then another employee goes into that directory and says, "I wonder what this is?' Boom — you've got a lawsuit."
W. Quinn's software does not block users from surfing to sites, but instead bars them from downloading files with file extensions indicating they are movie files, graphic files, pornographic files or MP3 music files. Merely blocking Internet sites cannot prevent an employee from purchasing a pornographic CD-ROM and storing images on the network or scanning images from a hard-copy magazine onto the network, Toole said. Employees are assigned limited storage space on the server and notified when they reach their quota.
"While the Marine Corps band may want to record their own performances, the rest of the Marine Corps is not in the band and they don't need to store sound files on the server," he said. "Left alone, employees will take up as much space as they can on agency networks. You want to be able to watch your legitimate storage over time so you can plan for future growth."
Accepting a Watchful Eye
Most government agencies advertise their Internet personal use policies to employees and inform them that they are being monitored. Although some employee unions have expressed initial discomfort with the policies, they have since backed down, GSA's Thurston said.
Agencies are supported by the Electronic Communications Privacy Act of 1986, which gives employers the right to access employees' e-mail and voice-mail messages if they are maintained on a system provided by the government or the employer. However, employers may not access messages without the consent of either the author or the intended recipient of the message if an outside service provider owns the system — an important distinction for the government.
"Some of them feel that it's an infringement on their rights," said Interior's Morrison. "I have to remind them this is a government computer and it doesn't belong to them."
Harreld is a freelance writer based in Cary, N.C.
NEXT STORY: Bill opens access to Senate data