Keep an Eye Out

Town employees in Bath, W. Va., needn’t worry about whether Big Brother is watching them. The government computers lack filtering and blocking technologies, and monitoring is done the old-fashioned way.

“Supervisors monitor their own employees,” says Margie Allgyer, clerk and comptroller for the town. “We haven’t run into any problems — that we know of.”

The low-tech method appears to work in Bath, which has only 10 employees. But in larger organizations, government and private enterprise alike, IT is widely employed to monitor computer usage. A host of technologies — including Web monitoring, filtering software, anti–data leakage and keystroke-logging — reveal what workers are doing on their PCs.

One-third of public and private-sector organizations today have fired employees for violating usage policies, up from 26 percent in 2005, according to the 2007 Electronic Monitoring and Surveillance Survey released in February by the American Management Association and The ePolicy Institute.

“Almost every government agency has some kind of logging, monitoring and blocking software to keep people from going to pornography sites,” says Mark Rasch, managing director of FTI Consulting’s technology practice in Washington, D.C., adding that very small organizations are the exception. “Usage policies need to be flexible enough so you can decide who are bad guys and who are really bad guys.”

Uncovering Unacceptable Usage

While most government agencies have deployed monitoring or filtering tools, they vary considerably in how aggressively they use them and in which capabilities they emphasize, Rasch says. The high-profile firing of nine District of Columbia government employees in January illustrates an organization with a flexible policy and an initial emphasis on monitoring rather than filtering.

By using Websense monitoring technology on 10,000 of its computers, the D.C. government discovered that each of the nine employees had clicked on links or images on porn sites more than 19,000 times last year. The city issued reprimands to 32 other employees who had logged more than 2,000 hits throughout the year. Following the investigation, D.C. deployed blocking tools from Websense.

In addition to reducing the time employees spend viewing inappropriate content, state and local government organizations monitor computer usage to reduce legal liability, increase productivity and conserve bandwidth. But from the IT department’s perspective, network usage monitoring is first and foremost about security.

“I don’t want to be authoritarian, I just want to administer the network,” says Tony Lucich, manager of the Network Services Division in Orange County, Calif. Like many government IT managers, Lucich leaves it to department heads to establish what content is acceptable for their own employees.

Currently, Lucich is deploying Secure Computing’s Webwasher security appliance throughout all county agencies. Powered by TrustedSource, the vendor’s global system for maintaining Web-site reputation information, Webwasher maintains and updates lists of unacceptable URLs as well as antimalware and antispam data. The system generates a uniform set of reports for all agencies, showing trends and peaks in network activity, including cache, streaming media, Web and e-mail usage.

One strength of TrustedSource, Lucich says, is that it communicates with the other devices on the network, including Webwasher and the IronMail server, which protects e-mail systems, as well as many other vendors’ products and services.

“The porn industry has no ethics, and they have all the money in the world and all the time in the world,” Lucich says. “Those guys are good at creating new doors every night. You cannot take on those guys with a point solution. With TrustedSource, you have the whole world working on your side.”

In Glenwood Springs, Colo., Information Systems Director Bruce Munroe began deploying Internet filtering and reporting tools from 8e6 Technologies about two and a half years ago as he saw security threats from the Internet grow. With the 8e6 tools, Munroe filters sites that contain spyware and malware as well as pornography and adult-humor sites. Next, he will probably start blocking video sites such as YouTube, because they hog bandwidth, and then possibly messaging sites, he says.

Munroe does not routinely review reports but instead makes them available to department heads upon request. When recently asked to produce a report on an employee for the previous six weeks, the system generated a 90-page document, including every Web site visited, time stamp and an estimate of daily Internet usage.

To date, the city isn’t using any highly sophisticated tools to prevent data leakage or loss, Munroe said, adding that he is looking into technologies for protecting outbound e-mail.

“We have considerable security placed from the outside in,” he said. “From the inside out, I think there’s a fair amount of trust involved.”

Anti–data leakage and data-loss prevention tools from Secure Computing, McAfee and other vendors can protect information from being e-mailed out or saved onto a USB stick, but more primitive monitoring methods are not uncommon, according to FTI Consulting’s Rasch.

Staff Surveillance

More invasive data-monitoring tools, such as keystroke-logging, are widely shied away from in government agencies unless used for investigations, industry experts say. Keystroke-logging, which monitors offline activity as well as online activity, raises privacy concerns that more common monitoring tools do not.

In Ohio’s state government, keystroke loggers might be used by the inspector general’s office or public-safety organizations as part of an investigation, says Sol Bermann, chief privacy officer in Ohio’s Office of Information Technology. However, they would not be used routinely.

Most, if not all, state agencies in Ohio have some form of monitoring in place, but generally filtering is done in response to a problem that has occurred, Bermann says. He adds that filters are imprecise, can be costly and are sometimes viewed by employees as a draconian measure.

“You need to look at things from a business process and a risk management/risk assessment mentality,” Bermann recommends. “Absent a significant showing of risk, do you want to spend the [money] on filtering without proving the need for it?”

It is important for agencies to decide what kind of employee dynamic and working environment they want to cultivate before deploying extensive filtering technologies, he adds.

When considering monitoring technologies for the future, government agencies of all sizes need to be mindful of questions regarding privacy rights and free-speech rights, Rasch says. “Governments have a higher burden before they can monitor their employees,” he says.