Unfortunately, the tools that monitor enterprise Internet usage and block access to inappropriate sitesâ€"which are commonly supplied by the same vendorâ€"are crude and easily abused. Content filtering products work by assigning categories, such as shopping, gambling, e-commerce, or pornography, to Web sites. The manager deciding which Web sites to censor simply selects a category, and each Web site assigned to that category is blocked. When the usage logs are run through the reporting tools, each Web site visited is assigned a category from the filtering database, which enables the reports to paint a picture of which categories are being visited by users. Through data-mining techniques, finely meshed analysis of user behaviour can be accomplished easily and at relatively low cost. Although there are potential benefits to be derived from a detailed understanding of employee's work-related Internet habits, confidential, private, and personal information is often also caught in the net.
This is not to minimise the importance of continuing to monitor and report employees' Internet usage. Managers who review the enterprise users' usage reports see strong reasons to put usage policies and enforcement tools in place. Users who are new to the Internet often spend days poking around Web sites like a child in a candy store.
Gartner research suggests that as many as five percent of enterprise users clearly abuse their privileges (e.g., by holding down second jobs as day traders or online auctioneers). Streaming audio and video clips and applications like Napster eat up an enormous amount of bandwidth, and employees visiting pornography sites put the enterprise at higher risk of costly and embarrassing sexual harassment suits.
Enterprises need to find the proper policy balance between total anarchy and a virtual police state. Government, enterprises in highly regulated industries, and those with hourly wage workers tend to be more restrictive, while high-tech enterprises and those with salaried workers tend to be less restrictive. Filtering policies of the less-restrictive enterprises are usually designed to block only the most inappropriate categories.
For all enterprises, policy concerning usage reports should include an audited process in which managers' requests for usage information go through the human resources or security department. Usage records should be treated as employee-confidential, and the IT staff should have only limited access to the logs or reports. (Enterprises that place a high premium on protecting individual privacyâ€"such as a school concerned about FOIA requestsâ€"should consider not keeping logs at all.)
Although laws about informing users about the technology that is being used to monitor them vary from jurisdiction to jurisdiction, it is usually appropriate to keep employees educated about the usage policy and the tools used to monitor compliance.
Privacy is important to enterprise Internet users, and enterprises can damage productivity by intruding too far on it. Although some level of Web usage reporting has its benefits, information about user behaviour should usually be on a need-to-know basis, any release of the information should be logged, and users should be clearly informed about what logging is being done and how that information is being used. There are some occupations where privacy is not expected, but for most enterprises, it is better to err on the side of trust.
