Sources and Methods
This report is based only on secondary data, which means that no new information was gathered through surveys, interviews, or observations (Locker, Kaczmarek, Braun, 2004, 415). The information comes from different kinds of secondary sources such as web sites, articles, whitepapers, reports, and books. Besides Google™, the databases and catalogues provided by the Simon Fraser University library were used, in particular databases related to the subject of business administration such as ABI/INFORM, Business Source Premier, or Canadian Newsstand.
For the section “NEED FOR A POLICY”, the article "Dealing with Internet Misuse in the Workplace" was especially important. The Center for Online Addiction is internationally recognized, and its articles are published in well-known publications. The whitepaper “The Powerful Technologies Behind Best-of-Breed Internet Filtering”, provided by St. Bernard Software™, was used to explain the basics of potential technical solutions for an internet policy in the section “TECHNICAL SPECIFICATIONS”. St. Bernard Software™ is a provider of IT security solutions and operates worldwide.
REASONS FOR NEEDING A POLICY
Lost productivity
Intensive private use of the Internet at the workplace also causes productivity loss. The Center for Online and Internet Addiction cites the following statistics:
- Online industry analysts predict that Internet misuse will cost companies an estimated 1 billion dollars in lost productivity (Newsweek).
- In a recent survey of 224 firms that utilized monitoring software, 60 percent of the managers said they had disciplined employees for online misuse, and 30 percent had fired people for such behavior, which included downloading pornography and shopping and gambling online (Websense Security Software).
- 47% of employees send up to 5 personal emails per day, and 32% send up to 10 personal emails daily, and 28% receive up to 20 personal emails per day (Vault.com).
- Almost one in five people go to cybersex sites while at work (MSNBC poll, June '98).
- Recently a major US computer manufacturer installed monitoring software and discovered that a number of employees had visited more than 1,000 sexually oriented sites in less than a month. Twenty people were fired for misusing company resources (USA Today).
- 68% of companies characterized messaging misdemeanors as widespread, with losses estimated at USD$3.7 Million per company a year (Datamation).
("Dealing with Internet Misuse in the Workplace", n.d., para.3)
Despite these concerns, full-scale computer audits are completed by less than 25% of US companies. This means that more than 75% of US companies work much less effectively and forgo additional profit because their employees use the Internet at the workplace for private purposes instead of their direct duties.
Legal liability
When employees download various files via the Internet (e.g. software, data, music, pictures, video etc.), whether intentionally or unintentionally, they may infringe the intellectual property rights of third parties, exposing the organization to possible legal action.
Damage to Computer System
Misuse of the Internet can damage IT systems or electronic files and change or corrupt information on the computer. It is no secret that some Web sites, such as gambling or pornography sites, leave cookies, plug-ins, or other uninvited information or programs on the user's computer.
Other viruses are spread via unsolicited e-mails with attachments. They work through a message that asks the recipient to open an attachment or visit a Web site. When the recipient does so, a virus is downloaded to his or her computer. The virus can then be executed or copied to the operating system of one computer and go on to infect the entire network of the company.
Increasing network traffic
Personal use of the Internet may involve employees downloading resource-intensive Web pages or large files (e.g. software, data, music, pictures, video etc.), which take up network bandwidth unnecessarily. This can have a damaging effect on business-related network traffic, especially on smaller networks. No company is obliged to pay for content that is not useful for its direct corporate activity.
TECHNICAL SPECIFICATIONS
The internet policies of an organization have to be supported by technical appliances. These monitor and filter the traffic between the company's workstations and the internet. A variety of technical solutions exist for the problems mentioned earlier. To find the right one, the requirements of the company have to be kept in mind, for example the size of the organization, the kind of company, or the amount of traffic. A future product should ensure that internal users such as employees or executives cannot evade the filtering system. At the same time, the time needed to send or receive e-mails or to access internet sites must not increase, as the internet is essential for many businesses, especially for a software company. The solutions may also differ in the time needed to implement them. Internal solutions are probably faster to realize than external ones.
The possible solutions can be separated into four different filtering systems. They analyze the traffic between the internal and external world. The information sent and received has to be in line with the rules set by the internet policies. Each filtering system is presented briefly below, with illustrations for visualization.
Workstation-based systems
These filtering systems must be installed on every workstation within the company, which might lead to high costs and is therefore quite often not practicable for companies. Furthermore, the users (especially technically skilled employees) may configure the system themselves. This solution is better suited to households.
Sniffers and Passive systems
This solution is not installed on every personal computer. Instead, one filter monitors the traffic sent between the individual workstations and the internet. Significant delays might occur, depending on the traffic and the number of workstations. To avoid these problems, advanced (and costly) hardware may be necessary. The internet filter plays a passive role while monitoring the traffic, which has the advantage that the system remains stable if the filter stops running.
Figure 1 : Sniffing System
Source: St. Bernard Software™. Retrieved November 6, 2005, from
http://www.stbernard.com/forms/whitepaper/wp_ip.asp?c=%83%A1y%89%5D%ABbW%5E%8Er%89%7F%C8v%8E%8F%82%87%8AP%B2mp
Proxy filters
Proxy filters play a more active role in the filtering process. The proxy filter sits in the middle between the internal computers and the World Wide Web and mediates between the internet and the individual workstations. It decides whether the traffic in question should be processed or not. As everyone has to use the proxy filter, network traffic gets slower. As this filter system is an integrated part of the network, a failure in it leads to problems for the whole network, a significant disadvantage compared to the passive solution mentioned above.
Figure 2 : Proxy Filtering
Source: St. Bernard Software™. Retrieved November 6, 2005, from
http://www.stbernard.com/forms/whitepaper/wp_ip.asp?c=%83%A1y%89%5D%ABbW%5E%8Er%89%7F%C8v%8E%8F%82%87%8AP%B2mp
In-line filters
This filter simply has to be placed between the network router and the firewall, that is, between the company's network and the internet. Therefore, nothing has to be installed on the workstations and the network does not have to be changed. As everything leaving or entering the network has to pass this in-line application, the filter examines all traffic and can decide whether to process it or not. The decision can be sent to the user to inform them about the current traffic state.
Figure 3 : In-line Filters
Source: St. Bernard Software™. Retrieved November 6, 2005, from
http://www.stbernard.com/forms/whitepaper/wp_ip.asp?c=%83%A1y%89%5D%ABbW%5E%8Er%89%7F%C8v%8E%8F%82%87%8AP%B2mp
LEGAL CHALLENGES
Privacy
It is clear that most employees do not want to completely sacrifice their privacy at work. Typically employees’ access to the network and computer systems is password controlled. Privacy is achieved by using non-obvious passwords and changing them frequently. Employees’ personal passwords give them access to their files, e-mail account and to web browsing. This may give the impression that no one can access their files or monitor their activities on the network. Some staff may not be aware that system administrators are usually able to access everything on the network. ("Guidelines on Workplace E-mail, Web Browsing and Privacy", 2000, para.5)
That is why privacy issues should be clearly explained in the Internet use policy. Employees should know in which cases their privacy is guaranteed and what private information may be accessed by system administrators.
Unions’ point of view
Delbar, Mormont and Schots note that the issue of privacy and the use of new technologies at the workplace are thus becoming increasingly important for employers and unions (though to varying extents). For example, at international level, Union Network International (UNI) - the global union federation for white-collar and private sector workers' unions - and its affiliates have been campaigning for some years on the issue of the protection of workers' 'on-line rights' at work (EU0210205F). At national level, unions and employers/employers' organizations in many countries are increasingly issuing or proposing guidance, policies and codes of practice on workplace ICT use (see below under 'Social partner views and initiatives' for more information on these various initiatives). An indication of the significance that these issues are gaining at the workplace is provided by a survey conducted in the UK in 2002 by the solicitors of Legal and Personnel Today magazine. It claimed that UK employers spent more time disciplining staff over Internet and e-mail abuse than any other workplace issue. The three most commonly disciplined 'cyber crimes' were excessive personal use of the Internet or e-mail, sending pornographic messages and looking at pornographic websites. In a number of cases this has led to dismissal - most commonly in relation to the exchange of pornographic e-mails.
International and European institutions’ point of view
International and European institutions are also paying increasing attention to the relationship between ICT and privacy at work, with a number of recommendations and codes drawn up by bodies such as the Council of Europe and the International Labor Organization (ILO) - for example, in 1996, the ILO issued a code of practice on the protection of workers' personal data, covering general principles of protection of such data and specific provisions regarding their collection, security, storage, use and communication. There have also been relevant recent cases in the European Court of Human Rights. Turning to the EU, in 1995 it adopted a Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data, which is relevant to the privacy issue in that electronic monitoring in the workplace can be treated as a form of collecting or processing personal data. More specifically, the European Commission has recently consulted the social partners on the protection of workers' personal data and now appears to be planning a draft Directive on the issue. At national level, a few countries have started to adopt or propose workplace-specific data protection/privacy legislation, while all countries have general data protection legislation in place (Delbar, Mormont and Schots, 2004-2005, para. 5-6).
RESISTANCE
Corporate Culture: it's still a corporate culture issue as much as a legal issue. You shouldn't impose this type of rule if it doesn't fit your corporate culture. You know your culture and no lawyer can advise you on it. This is the civil war part. You can make people feel like distrusted idiots if you suddenly impose rules that don't fit the way you've always done business.
At the other end are your executives. Presumably, you trust them and that's why they have the job they have. Telling them that they are prohibited from taking a quick look at cnn.com during the work day or occasionally checking how the stock market is doing that day might make them feel like you aren't giving them the professional respect they have earned.
Whether it's an acceptable use policy (AUP) or any other corporate issue, we don't think you want your lawyer's worst-case scenario to guide your every move. Legal is but one part of the business picture, albeit an important part. However, business and life are filled with risks and you can't get anywhere always choosing the least risky path.
We think that as you establish your policies, you should place more emphasis on monitoring than on prohibition. We suggest that you frequently remind all employees, including your highest-ranking executives, that you monitor all Internet and computer use. You should take the position that nobody has an expectation of privacy when using the company's systems.
Where you find the balance between monitoring and prohibition depends on your corporate culture. Look at your organization's personality as you make your decisions.
Cost:
Implementing a corporate internet policy will result in additional costs for Green Screen Software. Direct and indirect costs have to be distinguished. First of all, a network coordinator has to be hired to put the policy in place. Implementing such a policy would also involve investment in software, hardware, and future maintenance. One indirect cost that should be noted is the initial loss of productivity, as employees may take time to adjust to the new policy.
Benefit:
RECOMMENDATIONS
- To manage and monitor traffic across the company server, an external network coordinator (NWC), who can treat everyone impartially, should be hired. People log in with their usernames. The NWC has access to a database of sites visited by each user and can randomly check accounts to see the sites visited via the company server. When formulating the policy, the executives and the employees can decide where to draw the line between what to allow and what not to.
- Employees should be involved in the process of launching the internet policies so that they don't feel left out. Employees should believe that they had a role to play in making these policies, which will lead to higher acceptance of the policies. Resistance will decrease and quality will increase, as they know everything about it.
- Consult with lawyers regarding legal issues and also consult with union leaders.
- More detailed reports on the different issues mentioned in this report have to follow (for instance on workers' unions). The purpose of this report is to give fundamental knowledge before the implementation of the policies. More specific reports on legal issues, technical issues, etc. are to follow.
- Set up a pilot period of 6 months, after which the policy should be evaluated.
- Executive management should set a good example and follow the rules immediately. The same rules apply to everyone, with prohibition and monitoring at the same level.
REFERENCES
"APC Internet Rights Charter". Association for Progressive Communications (APC). 1999 - 2005. November 10, 2005 <http://rights.apc.org/charter.shtml>
Bassett, Morgan J. "An Overview of E-Mail and Internet Monitoring in the Workplace". Ford Marrin Esposito Witmeyer & Gleser, L.L.P. 2002. November 10, 2005 <http://www.fmew.com/archive/monitoring/>
"Dealing with Internet Misuse in the Workplace". Center for Online and Internet Addiction. n.d. November 10, 2005 <http://www.netaddiction.com/workplace.htm>
Delbar, Catherine, Mormont, Marinette and Schots, Marie. "New technology and respect for privacy at the workplace". Institut des Sciences du Travail. 2004-2005. November 10, 2005 <http://www.eiro.eurofound.eu.int/2003/07/study/tn0307101s.html>
"Guidelines on Workplace E-mail, Web Browsing and Privacy". The Office of the Privacy Commissioner. March 30, 2000. November 10, 2005 <http://www.privacy.gov.au/internet/email/>
Hines, John L. Jr. and Cramer, Michael D. "Protecting Your Organization’s Reputation Against Cybersmear". Legal Report published by Society for Human Resource Management. 1800 Duke Street, Alexandria, VA 22314. May-June 2003. 1-2
APPENDIX A
Appendix A : Canadian enterprises that use the Internet
Source: Statistics Canada. Retrieved November 8, 2005 from http://www40.statcan.ca/l01/cst01/econ146b.htm?sdi=internet
APPENDIX B
Appendix B : Canadian enterprises that use electronic mail
Source: Statistics Canada. Retrieved November 8, 2005 from http://www40.statcan.ca/l01/cst01/econ146a.htm