Staff Writer, CNET News.com
Big Brother is watching you at work, and making a pretty penny doing it.
As more and more companies install monitoring software to track employee activities—threatening to turn cubicles into no-privacy zones—businesses that offer workplace surveillance tools are enjoying a boomlet.
Security cameras and phone monitoring have long given bosses a view into workers' daily habits. But now employers are going further than ever, thanks to technology that can capture e-mail and instant messaging conversations, or record a worker's every keystroke.
Websense, a maker of Internet monitoring tools, has seen its stock price nearly double in the last year, though it saw some gains erased late last week. The company is scheduled to report third-quarter 2004 results on Tuesday. Other top players in the market include SurfControl and Secure Computing.
"I think all these companies are seeing great demand," said Katherine Egbert, an analyst with Jefferies & Co. "Lately, regulatory compliance issues, and deadlines for meeting those regulations, have been driving sales."
More IT news stories
Mac users face rare virus
For cell phones, it's TV to the rescue
Ballmer security pitch leaves skeptics unswayed
Most users unaware of PC infections
The regulatory factors include financial reporting rules under the Sarbanes-Oxley Act and health care privacy mandates set forth in the Health Insurance Portability and Accountability Act, also known as HIPAA.
Liability concerns regarding employee e-mails and IMs are also on the rise, as lawyers increasingly turn to computer records as evidence in sexual harassment suits and other legal actions involving the workplace. Even tech luminaries, such as Microsoft Chairman Bill Gates, have used corporate networks to send e-mail that proved embarrassing in court.
"Productivity is a concern; loss of confidential information is still a concern; security breaches are a concern. But...the No. 1 concern is liability. Employers are afraid of being sued," said Nancy Flynn, executive director of the ePolicy Institute, which, together with the American Management Association (AMA), recently published a survey on e-mail and IM surveillance in the workplace.
"In almost every workplace lawsuit being filed today, e-mail is being subpoenaed as evidence," Flynn said. "IM will soon be subpoenaed on a regular basis as well."
Aiming at IM
According to the ePolicy-AMA survey, 60 percent of U.S. companies now use software to monitor incoming and outgoing external e-mail, while 27 percent of employers use software to track internal e-mail between employees. By contrast, employers have been relatively slow to monitor instant messaging, with just 10 percent of companies surveyed indicating they have taken steps to listen in on desktop chat.
"Employers think IM is an emerging technology and they don't have to monitor it yet," Flynn said. "But if they have employees in their 20s, chances are (those employees) probably have been using IM since high school and view it as old technology. And if a company doesn't provide enterprise IM, (workers will) probably go out on the Internet and download a free version."
IM giants America Online and Yahoo launched plans two years ago to offer corporate versions of their IM products, promising better security, along with regulatory compliance features not found in their free versions. Both have since scaled back those plans, but other companies have stepped in to fill the void, including industry titans such as Sun Microsystems and IBM, which are embedding their own IM products into their existing applications, and smaller companies such as IMLogic, FaceTime Communications and Akonix.
"Industry estimates say that by the end of 2005, IM in the workplace will surpass e-mail in the workplace," Flynn said. "IM is coming on fast, and given that, employers need to take the necessary steps now with their policies and monitoring software."
Monitoring software downloads is a top issue as well, industry observers and legal experts say.
In 2002, an Arizona company paid $1 million to settle a lawsuit with the recording industry that charged copyright violations involving MP3s stored on the company's computer systems. Since then, many corporations have adopted policies banning file-swapping software in the office and installed network traffic management software to track down potential violators.
Despite hot prospects, the industry has not seen a flood of new players. Instead, it has seen a rise in consolidation, particularly this year, Jeffries analyst Egbert said. Among recent deals, Blue Coat purchased Cerberian, CyberGuard acquired Webwasher, and Internet Security Systems bought Cobion.
Websense, for one, has seen its revenue and earnings soar. Sales went from $19.5 million in the second quarter of 2003 to $26.6 million in 2004. Net income for the same period jumped from 19 cents a share to 25 cents. Analysts expect the company will generate 25 percent annual growth over the next three years.
Customers such as PepsiCo and Ford Motor use Websense software to track and report employee Internet usage, block access to some Web pages, and set temporary access windows that limit the times some sites are available.
Expectations for the company have cooled recently. JPMorgan, which served as an underwriter for Websense's IPO, downgraded the stock from "Overweight" to "Neutral" on Friday. Websense shares fell 12 percent for the day, closing at $39.70.
"We believe upside potential in September is not as great as in June, and that December will be even tougher," Sterling Autry, JPMorgan analyst, said in a research note. "With the growth rate in seats up for renewal slowing, it places even more emphasis on gaining new customers...but the number of new seats bought by each new customer declines."
And justice for all
Despite its fast growth, the industry faces some gray areas, particularly regarding the legal nuances surrounding privacy of communications.
Courts have generally found that employers have the right to monitor equipment that they own on their premises, including telephones and computer systems. Nevertheless, laws surrounding the monitoring of employees' electronic communications are not as cut-and-dried as they appear, legal experts say.
"The federal Wiretap Act says it's unlawful to intercept electronic communications like e-mail and IM. The law, on the face of it, looks like it's illegal. But the courts have ruled that viewing stored e-mail is not considered a violation of the wiretap laws," said attorney Philip Gordon, chairman of the privacy practice group for law firm Littler Mendelson.
In one U.S. Court of Appeals case, the court further detailed how it is only considered a violation of the Wiretap Act if an e-mail is intercepted while it is traveling through the network pipe and is between two points. If, as in this particular case, an e-mail is simultaneously copied before it reaches its destination, that e-mail is considered "stored" during the copying process.
Meanwhile, the Stored Communications Act prohibits unauthorized access to stored communication, such as e-mail or IM, residing in servers. But the law allows Internet service providers or employers to access information that is on their network servers, because they are considered the system administrator.
However, if an employee has a personal e-mail account, through AOL or Yahoo, for example, and uses his or her company computer to access it, the employer cannot use the employee's computer and password to gain access.
"This happens more frequently than anyone is aware of," Gordon said.
Privacy and legal experts advise companies to set aside time and formulate policies regarding e-mail, instant messaging and downloads. They note that it's better to take preventative measures to halt the problem before it happens, rather than deal with matters after the fact, such as seeing confidential information released.
"Employers should tell employees what they're doing," said John Soma, a law professor and executive director of the Privacy Foundation. "They need to provide meaningful information as to why they have a monitoring policy and ask the employee for actual consent."