This story was printed from ZDNet Australia.
Caught in the Net
By Gartner Research, TechRepublic
June 14, 2001
URL: http://www.zdnet.com.au/jobs/news_trends/soa/Caught-in-the-Net/0,130056653,120231830,00.htm
Keeping track of your employees' Web activity is necessary to keep them on task, but monitoring can also cause headaches.

As Internet usage grows, enterprises have strong reasons to monitor employees' online habits. Yet, monitoring can have damaging effects on productivity and morale and can expose enterprises to legal and public relations problems.

The truth of the adage, "Knowledge is power," is clear when the knowledge concerns the Internet usage habits of enterprises. Monitoring those habits gives enterprises knowledge that has the power to help and hurt the enterprise. Respecting users' privacy while monitoring abuse and enforcing policy requires a delicate balancing act. The optimal balance point can be determined by looking at an enterprise's culture, regulations, technical issues, and return on investment.

To understand the importance of these issues, consider the following common scenarios:

The CEO's first call of the day is from The Wall Street Journal, asking for confirmation of rumours of an upcoming—and highly confidential—acquisition. How did the leak happen? The reporter got a copy of a Web usage report, probably leaked by someone in the IS department, showing all the top executives browsing a particular vendor's site.

An angry employee files a complaint with the human resources department. Why? Her manager, prompted by reports of a large number of visits to a cancer-related site, just made an inappropriate—and possibly illegal—comment on her health.

A company's top salesperson quits because a security administrator called about the many hours he spent browsing the Web the day before looking at luxury cars—just after he brought in a million-dollar order.

More than two-dozen employees have been fired for accessing inappropriate sites. Several have filed suit, claiming they were unfairly singled out, and subpoenaed the company's Web logs. The public relations impact has been disastrous, and recruitment has been down since the story broke.

Web usage is down throughout the company. The IS department is happy, because the network bandwidth is under control, but even business use of the Web has declined. Employees are no longer browsing the Web during their lunch breaks. Instead, they have gone back to their old habits—taking 90-minute lunch "hours" and hanging out in the halls. Productivity is down, and animosity between managers and employees is up.

In each of these cases, the fundamental problem is the same: The enterprise has not respected its employees' strong desire for privacy, or it has not taken the necessary steps to protect that privacy. Most people accept that their employers have the right to monitor their private Web surfing to prevent abuse, but they nonetheless expect them to respect their privacy by not invoking that right unless there is solid reason to suspect abuse.

Moreover, the Internet is a powerful productivity tool that is useful for personal and professional purposes. As the demands of many professions blur the lines between work and private life, the Internet plays a part in managing both efficiently. As a result, more and more enterprises permit occasional personal usage.

Unfortunately, the tools that monitor enterprise Internet usage and block access to inappropriate sites—which are commonly supplied by the same vendor—are crude and easily abused. Content filtering products work by assigning categories, such as shopping, gambling, e-commerce, or pornography, to Web sites. The manager deciding which Web sites to censor simply selects a category, and each Web site assigned to that category is blocked. When the usage logs are run through the reporting tools, each Web site visited is assigned a category from the filtering database, which enables the reports to paint a picture of which categories are being visited by users. Through data-mining techniques, finely meshed analysis of user behaviour can be accomplished easily and at relatively low cost.
Although there are potential benefits to be derived from a detailed understanding of employees' work-related Internet habits, confidential, private, and personal information is often also caught in the net.

This is not to minimise the importance of continuing to monitor and report employees' Internet usage. Managers who review the enterprise users' usage reports see strong reasons to put usage policies and enforcement tools in place. Users who are new to the Internet often spend days poking around Web sites like a child in a candy store. Gartner research suggests that as many as five percent of enterprise users clearly abuse their privileges (e.g., by holding down second jobs as day traders or online auctioneers). Streaming audio and video clips and applications like Napster eat up an enormous amount of bandwidth, and employees visiting pornography sites put the enterprise at higher risk of costly and embarrassing sexual harassment suits.

Enterprises need to find the proper policy balance between total anarchy and a virtual police state. Government, enterprises in highly regulated industries, and those with hourly wage workers tend to be more restrictive, while high-tech enterprises and those with salaried workers tend to be less restrictive. Filtering policies of the less-restrictive enterprises are usually designed to block only the most inappropriate categories.

For all enterprises, policy concerning usage reports should include an audited process in which managers' requests for usage information go through the human resources or security department. Usage records should be treated as employee-confidential, and the IT staff should have only limited access to the logs or reports. (Enterprises that place a high premium on protecting individual privacy—such as a school concerned about FOIA requests—should consider not keeping logs at all.)
Although laws about informing users about the technology that is being used to monitor them vary from jurisdiction to jurisdiction, it is usually appropriate to keep employees educated about the usage policy and the tools used to monitor compliance.

Privacy is important to enterprise Internet users, and enterprises can damage productivity by intruding too far on it. Although some level of Web usage reporting has its benefits, information about user behaviour should usually be on a need-to-know basis, any release of the information should be logged, and users should be clearly informed about what logging is being done and how that information is being used. There are some occupations where privacy is not expected, but for most enterprises, it is better to err on the side of trust.
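
The reporting model recommended above (category-level reports for IT, identities released only through an audited human resources or security request) can be sketched as follows. This is an added example, not part of the original article or any vendor's product; the log format, host names, category table and function names are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timezone

# Constructed filtering database: host -> category (all names are made up).
CATEGORY_DB = {
    "cars.example": "shopping",
    "health.example": "health",
    "vendor.example": "business",
    "casino.example": "gambling",
}

# Constructed proxy log lines in an assumed format: "<user> <host> <bytes>".
SAMPLE_LOG = """\
alice health.example 5120
bob cars.example 20480
bob cars.example 10240
carol vendor.example 2048
dave casino.example 4096
alice unknown.example 100
"""

def pseudonym(user, key):
    """Keyed hash: a report cannot be tied to a person without the key."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than guess
        user, host, size = parts
        yield user, CATEGORY_DB.get(host.lower(), "uncategorised"), int(size)

def category_report(log_text):
    """Aggregate view for IT staff: hits per category, no user identities."""
    return Counter(cat for _, cat, _ in parse(log_text))

def flagged_pseudonyms(log_text, key, blocked=("gambling",)):
    """Pseudonymised users who visited a category the policy blocks."""
    return sorted({pseudonym(u, key) for u, c, _ in parse(log_text) if c in blocked})

def release_identity(token, users, key, requester, reason, audit_log):
    """HR/security-only step: resolve a pseudonym and always log the request."""
    audit_log.append({"when": datetime.now(timezone.utc).isoformat(),
                      "requester": requester, "reason": reason, "token": token})
    for user in users:
        if hmac.compare_digest(pseudonym(user, key), token):
            return user
    return None
```

The key would be held by the department that approves releases, so IT staff running the reports see only categories and pseudonyms.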
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.