UK: Scanning the Staff

With a computer on most desk tops the British workforce can now communicate and organise itself more efficiently than ever before. But networked computers also provide new ways for employees to breach the terms of their contracts of employment or break the law.

Businesses must develop and enforce an effective email/internet monitoring and security policy, and simple timewasting is the least of their problems. There have been cases of employees storing illegal porn on office computer systems, instances of sexual or racial harassment via e-mail and countless defamatory statements on websites or in e-mails, all of which could put the business itself on the wrong side of the law.

One of the biggest corporate crackdowns to date came this July when a British computer company sacked two employees and suspended 150 others for sending e-mails described as offensive, unauthorised and inappropriate.

Aside from the vicarious liability of an employer for the acts of its employees, computer crime is a hot topic. Earlier this year the US House of Representatives passed the "Cyber Security Enhancement Act" to give the authorities more power to detect and investigate crimes committed via computer.

The only way to prevent computer misuse is to return to pen and paper. It is equally impractical (but far more intrusive) to listen in on every phone call that takes place or read every e-mail that is sent or received.

An employer's need to monitor abuse of computer resources must be balanced against the employee's legal rights. These rights are in part set out in the Regulation of Investigatory Powers Act 2000, the Human Rights Act 1998, the Data Protection Act 1998 and the various pieces of subordinate legislation (including the Lawful Business Practice Regulations 2000).

Contracts of employment should contain notifications from the employer and consents by the employee relating to the monitoring of e-mails and telephone calls. Even then, there is no carte blanche. Monitoring measures must be justifiable.

David Smith, assistant to the Information Commissioner, has stated that where an organisation is looking to monitor emails or internet access, the interception must be lawful and based on a risk assessment approach. Any monitoring must be proportionate to the risk posed by not monitoring, intrusion should be minimised and there should be an open, clear policy concerning the use of monitoring. This will not only meet legal obligations but also help create an atmosphere of trust and co-operation between employer and employee.

The Information Commissioner's draft Data Protection Code (available from http://www.dataprotection.gov.uk/) gives guidance for employers on e-mail monitoring in particular. As with any crime, the draft Code points out that prevention is better than detection. It is for example relatively easy to use filtering software to block access to particular websites or files. So whilst Big Brother should not be watching your staff, you could stop them watching Big Brother by barring access to that part of the Channel 4 website.

The draft Code also suggests an automated monitoring and detection process on an anonymous basis for incoming e-mails. This should reduce the potential for victimisation of individuals, as a computer would treat all employees equally. Just as importantly, it would be seen to be treating all employees equally. Automation ought also to be cheaper in the long term than having a real person do the checking. This is reflected in the increasing popularity of filtering software. But automated monitoring does not give employers an excuse simply to go on a fishing expedition for incriminating evidence using the IT systems.

E-mail filtering software scans email before passing on to its intended destination, with a delay of just one or two seconds. The software can sort incoming e-mail by the type of attachment they contain, such as spreadsheets, text files or images. This is a useful tool for file management as well as for monitoring.

Images themselves can be analysed for their colour and composition. The current generation of filters can screen for pornography or other undesirable attachments not only by looking for flesh colour tones but also by analysing the shape and position of the characters in the picture. Soon image filters will be able to scan video file attachments using the same principles.

This filtering software technology is still fairly new and so quite expensive at around £15,000 per year for 1,000 networked desktop computers (plus the staff cost of rolling it out). This would be in addition to the cost of virus scanning, also around £15,000 per annum.

No matter how sophisticated, filtering/scanning software is a blunt instrument unless used thoughtfully. Any organisation must balance its obligations to prevent, detect and deal with abuse with the rights of its employees. It is important to have a clear idea of what you want to achieve with it. For instance, scanning systems can also protect a computer system from hacking.

E-mails do not have to be simple text files. The HTML format allows the sender to produce a stylised e-mail that looks more like a web page than a text file- but also increases the amount of memory required to store it.

The increasing popularity of the HTML format is likely to lead to far greater storage demands on business servers and IT resources. A recent survey conducted by Messagelabs found that one in seven workplace e-mails were unwanted spam (which is expected eventually to rise to the current ratio in the US, one in three). When this spam is in HTML format it not only clogs up the server but can pose a virus-like threat to the integrity of the network.

Malicious computer code (script) can be embedded into the text of an HTML e-mail, which will activate when, for example, the recipient follows a hyperlink in the e-mail. Words used in this "cross-site scripting" include "eval", "mocha" and "expression". In an attempt to protect users of its free e-mail service, Yahoo! simply scanned all incoming mail for a list of these and other key words and replaced them with others. Any HTML format e-mail was automatically edited to replace "mocha" with "espresso", "expression" with "statement" and "eval" with "review". This made Yahoo!'s interference with e-mails quite obvious to any recipient of an essay on, for example, "Medireview History". Yahoo! abandoned the filter in August 2002.

Businesses will need to be careful to strike a balance between the turning of a blind eye and unjustifiable nosiness. Whatever route they decide to take, businesses would do well to remember that "intelligent" software (like the e-mail scanning packages coming onto the market) is merely a means to an end. It is no more intelligent than it is soft.