It's a fact of life in the 21st-century workplace: the boss may well be watching, especially if you use a computer. A 2005 survey by the American Management Association and the ePolicy Institute, an internationally-recognised US company specialising in e-policy development and electronic communication, found that about three out of four companies regularly track which websites their employees visit. More than half use surveillance software to scour office e-mail (looking for hot-button keywords like sex in the subject line or body of messages). More than a third extend their snooping to monitor how much time workers spend at the computer, record their keystrokes or log their downloads. And one in four companies reports firing someone for improper e-mail use.

Ismael Rodriguez is a network analyst for a small New York company that sells photocopiers. A few years ago, after a salesman took the firm's customer database when he left for a new job, Rodriguez installed a program called Spector Pro on most of the company's computers. The software, made by SpectorSoft, can track and block the websites a user tries to visit and log his or her every keystroke.

Rodriguez says that although he won't examine anyone's computer use unless his boss asks him to, most of his company's staffers know much of their desktop activity is now open to potential scrutiny.

South African companies also make use of tracking software, which although not looking directly into the employee's e-mails can pick up potential security issues. "Any mail server should be able to generate usage reports," says Dean Healy, product manager at the Johannesburg branch of SecureData, an IT security company. "You get security software that can scan e-mails – one feature of them is not only anti-malware [malicious software like worms and viruses that can infiltrate or damage a computer] but also content filtering." This is an automated process that looks at the mail for potential threats or content that is against the company's Acceptable Usage Policy, but doesn't tread on privacy issues because it is automated and not being viewed by the employers themselves.

So what shouldn't you be doing?
As the use of monitoring software grows, more of the activity that many of us consider innocent is getting caught in the net. Who hasn't opened his e-mail to find a message from a friend passing along something – a goofy YouTube clip, an off-colour joke, a link to her brother's new blog – that she's sure everyone will find hilarious? If it does get a laugh, it's probably passed along to a few more people. No big deal, right?

Frederick van Vuuren*, a manager at Toyota Manufacturing in Durban thought so – until he was fired in 2001 from his position for the distribution of racist and/or inflammatory material, violation of the company's internal policy and behaviour unbecoming of a manager. He took his case to the Commission for Conciliation, Mediation and Arbitration (CCMA) and lodged an appeal.

According to Lusanda Myoli, communications coordinator of the CCMA Head Office in Johannesburg, Van Vuuren had received an e-mail containing graphic material, which he'd passed on to certain colleagues. The message consisted of a racist cartoon. "The factory employed 3 500 black workers and 1 000 whites, and race and race-related issues were very important on the factory floor. Black employees were aware of the cartoon and were upset by it," says Myoli.

Like most companies today, Toyota's Internet and e-mail usage code specifically outlawed the internal distribution of any offensive racial, sexual, religious or political images, documents or messages. Van Vuuren had no defence and the CCMA found that the employer had fair cause for the dismissal.

There are plenty of valid reasons for companies to monitor their workers' computer use. Productivity is one. A 2003 survey of 14 countries by Hitachi Data Systems found that South Africa had the highest proportion of companies (74 percent) where more than one in five e-mails was not work- related. Improper computer use can also spell legal trouble. Downloading pirated music or movies onto a work computer can prompt a copyright-infringement suit.

Viewing pornography or sending sexually suggestive e-mails can lead to sexual harassment claims. No business wants to end up like Chevron, that had to pay $2,2 million to female employees after male workers circulated offensive e-mails. (The message contained in one: "25 Reasons why beer is better than women.") Says Helaine Leggat, Head of Business Services at Michalsons Attorneys, a law firm specialising in IT law, "In terms of the Electronic Communications and Transactions Act 25 of 2002, mail can be submitted as evidence in court and other forums such as disciplinary hearings. In most cases, however evidence is submitted in print form rather than its original electronic form."

Can simple acts get out of hand?
Security is another concern. Porn, gambling and gaming sites, for example, can harbour viruses and other malicious programmes that load onto a computer secretly and allow outsiders to damage a network or make off with sensitive information. Companies also have competitive reasons to keep tabs on workers.

Dan Geer, US vice president and chief scientist at Verdasys, a data-security company, recalls installing the company's Digital Guardian system on the network of a company that makes video games, and catching a worker trying to steal the designs for a new game before its release. This worker, Geer says, had logged in to a credit union site, ostensibly to handle personal banking. What he was actually doing was opening the door to an accomplice who had himself hacked into the credit union's network and was waiting there to swipe the game files.

Steve Roop, a vice president at Vontu, another US data-security firm, says such a sinister scenario is rare. Most workers who leak sensitive information do it by accident: "It's good people doing dumb things." Roop says one client, a cellphone maker, had an employee who got so excited about a new phone's design that he sent a prerelease graphic to a fan site, hoping to create advance buzz. "It allowed competitors to knock off that design and jeopardise the earnings flow for their own company."

Companies are using two types of spying software: network-based programs that monitor all traffic passing through a system, and programs that sit directly on an employee's desktop. Vericept Protect is an example of the first type. The software searches all correspondence for any indication that employees are accidentally or maliciously communicating sensitive data, and blocks it. Vericept also claims it can examine the tone of an e-mail to detect job dissatisfaction. Someone who sends a message saying "I hate my job" or "You're not going to believe what my idiot boss did today" could be poised to upload company files in anticipation of leaving the job. Vericept makes products to monitor other Web activities as well. Paul Pilotte, a senior product manager at the company, says it helped one client fend off a harassment suit filed by a senior employee who claimed someone had left printouts from an adult website in her office. The company planned to give her a large severance package until it used a Vericept tool to examine her Web use. That search, Pilotte says, found that the employee had printed the pages herself. On another occasion, Vericept helped catch a worker who had installed a keylogger on a manager's computer to extract the boss's passwords.

One product that monitors an individual desktop is NetVizor. It can record everything a person types, from bank passwords to the names of illnesses searched on WebMD. It also logs and monitors e-mails sent and received (including those in personal Yahoo!, Hotmail and Gmail accounts), instant message chats, and the names of documents opened or printed. It can even capture a snapshot of a computer screen, providing an employer with a replica of what the employee is seeing on his or her monitor. (Another product called Mobile Spy takes some of the same stealth surveillance to company-issued cellphones by allowing the boss to view a log of phone numbers called and see every text message sent.) The automated processes mean that no employee actually sits there reading e-mails, says Healy, but monitoring does take place according to the company policies as set up in the software – which in themselves should be legal. "Employers need to be careful about ensuring that they do not infringe on privacy," he says.

Bloggers, too, are learning they have little protection for what they say about employers on personal websites. Freedom of speech doesn't ensure job security. And some are finding that online activity can damage a career.

Journalist Llewellyn Kriel, of Johannesburg, made South African history recently when he was fired from the Sowetan newspaper for a blog entry on his personal blog. The entry in question bemoaned the state of the quality of journalism and used a company memo with a glaring spelling error as an example of this continued problem. Avusa (then known as Johnnic Communications), the owners of the Sowetan, charged Kriel with gross misconduct for bringing the name of the company into disrepute and divulging confidential information. He appeared before a disciplinary hearing and was dismissed on November 29, last year.

Kriel says that while there were policies about Internet and e-mail usage, they did not mention blogging or even cover that aspect of Internet usage. "The terms and conditions that apply to using the Internet at work related to the use of company e-mail and so forth within the company's terminals," he says.

"I wrote my blog from my home computer, in my own time. It was not my intention to bring the Sowetan into disrepute at all." Kriel wrote the blog based on actual experiences that people like himself have had. Having been a journalist for 32 years, he's taught journalism at university level and has coached and mentored young journalists. "I'm very aware of the problems young journalists face. I wanted to bring this to a public forum for debate." Kriel stresses that the issue is one he had raised numerous times before, since joining the Sowetan 18 months previously.

He also refutes the second claim, that he divulged confidential information. "The information that I did divulge is public knowledge and it had been before I spoke about the moratorium on jobs at the Sowetan," he says.

This has not deterred Kriel from blogging. "I am going to blog more than ever, and I'm going to encourage as many people as I can to blog," he says. He is appealing the decision. "I feel strongly enough about this issue to take it to the constitutional court, if that avenue becomes necessary and possible. Should my appeal fail, I will take advice as to my next step."

Kriel's appeal before Sowetan CEO Bongani Keswa, was held on December 14, and at the time of going to print, he was awaiting Keswa's decision.

Most large companies monitor overall e-mail and Internet traffic generally and only target a worker if a problem pops up, but companies don't always communicate their computer-use policies adequately. "There are very explicit things that need to be done," says Leggat, "to monitor lawfully in terms of the Regulations of Interception of Communications and Provision for Communication-related Information Act 70 of 2002 (RICA)." In addition, labour law requires employers to have valid and reasonable rules in place that employees are aware of and that are consistently applied. These policies should include e-mail and Internet policies.

Very few organisations understand the implications of RICA. The Act strictly forbids the interception of communications and makes it a criminal offence to do so, except in three circumstances: a) where participants consent to the communication being recorded; b) the person whose communication is being intercepted has given permission in writing for interception to take place at any time; c) interception for business purposes i.e. very specific circumstances need to prevail for this kind of monitoring to be lawful.

7 Rules to Live By
Some simple tips for what to do – and not do – when using your work computer: