Watching while you work

The Labor Department employee looked busy. She clicked her computer mouse day after day, staring intently at her computer screen.

But after more than a year of turning in little work, her supervisors began monitoring her activities. What they found was shocking.

The employee was busy, all right. She had been visiting Web sites that had nothing to do with her official duties — in fact, she visited more than 7,600 sites during an 18-month period, according to Labor documents that outline the case. At her peak, she visited 599 sites in one day, not to mention receiving and storing 13,000 e-mail messages and attachments on her overloaded computer, the documents state.

Is her case unusual? Not really, federal managers said. They are trying to cope with the ongoing problem of computer abuse, which is costing the government money through lost work time and wasted bandwidth.

Although pornographic Web sites are usually cited as a big part of the problem, managers said federal employees have found many other ways to misuse their government-owned computers.

One manager discovered a worker sneaking into the office at night and on weekends to log on to online dating services. Another uncovered an employee who ran a sewing machine and computer repair service using his office PC. One worker at the Social Security Administration ran a personal finance consulting business from his office computer until he was caught and fired.

Federal workers spend a lot of time shopping online, downloading pirated music or streaming videos of live sports events, for example, and such activities eat up bandwidth.

"On a daily basis, there are new cases," said Leslie Violette, chief of the Employee/

Labor Relations and Benefits Branch at the U.S. Agriculture Department. "It's not just pornography either. People are downloading files for personal business, downloading music and snooping into government files."

In a Sept. 8 memo, Karen Evans, administrator for e-government and information technology at the Office of Management and Budget, set a Dec. 1 deadline for agency officials to create or update policies prohibiting federal employees from misusing government computers. Nevertheless, it may be an impossible directive to enforce.

"Obviously, we don't want federal workers using government equipment, specifically the Internet, for personal use on business hours," said one federal official who asked not to be identified. "You have to keep alert. But you can't just stand there and watch people all day."

If a manager suspects that an employee is misusing a computer or network resources, the manager should contact the agency's technical support department and ask someone to monitor the employee's activities, the official said. Software can be used for monitoring, and other ways exist to gather evidence of computer and network misuse, the official said.

"If you take an aggressive approach to it and don't just assume that everyone is Pollyanna, it's a good thing to be aware that this does occur, and there are support mechanisms to manage it," the official added.

But the problem is complicated because workers have rights, too, said Latonia Parham, employee and labor relations specialist at the Department of Health and Human Services.

Gathering evidence against employees without a warrant could violate their privacy rights. And after officials collect the evidence, they must form charges that will withstand a possible lawsuit.

"There is no expectation of privacy when you are using a government-owned computer," Parham said at a recent human resources conference in Baltimore sponsored by the Office of Personnel Management. "But unless you suspect it's a criminal act, you don't necessarily have the authority to gather the evidence."

A search without a warrant is permissible if it does not violate an individual's reasonable expectation of privacy, Parham said. But that leaves government managers who may not know the law in a quandary. When can managers look?

If employees are not doing their work because they are shopping online, a manager is justified in looking into the situation, she said. But if no reason exists to inspect a worker's computer, such an inspection is an unreasonable search and seizure prohibited by the Fourth Amendment.

But Paula Bruening, staff counsel at the Center for Democracy and Technology, said an employee should not have an expectation of privacy at work.

"Employers can look at what's on an employee's computer, whether it's e-mail, browsing habits or keystroke patterns," she said. "There is no law that prevents

an employer from doing this. There's no law that requires an employer to inform an employee of this."

One way to deal with the sticky problem of privacy is to make sure an agency's computers carry a banner informing users that there is no expectation of privacy. A worker must click "OK" on the banner before continuing to use the machine.

But agency policies can vary, Parham said. Do such policies apply only to federal employees, or do they apply to government contractors, too? What about using a computer after hours, like the online dating fan did?

Some agency managers are trying other tactics to stop unauthorized Web surfing. At the Portsmouth, N.H., Naval Shipyard, for example, officials are docking the pay of employees who do too much personal work on their computers. Others are policing their workers even more.

"We have a policy, and we have placed Web filters blocking [inappropriate] sites and access to these sites," said Scott Charbo, chief information officer at the USDA. "We have taken a corporate approach to management of our network assets. It has been successful and accepted well."

Homeland Security Department officials have a written policy on computer use, too, and they require employees to sign it. Among other things, it says, "Accessing Internet resources is for official use only, including research. However, limited personal use is authorized as long as this use does not interfere with official duties or cause degradation of network services."

Accessing "inappropriate sites is prohibited," according to DHS' policy. And that includes sites that are "obscene, hateful, harmful, malicious, hostile, threatening, abusive, vulgar, defamatory, profane, or racially, sexually or ethnically objectionable."

It may not be clear what constitutes hateful or obscene sites. And the threshold for personal use at agencies is rather subjective.

With no clear-cut, governmentwide policy, it is hard for managers to know exactly what to do. Army officials have issued their own rules, but some Army lawyers think the policy is too vague.

"Everyone has a problem," said Laurie Kwiedorowicz, an administrative law labor attorney at the Edgewood Arsenal in Maryland. "Computer abuse is a huge problem in the federal government, period. There are firewalls, and people find ways to get around them."

Some agency officials, however, are trying to prevent access to certain Web sites.

"We block gambling, porn, games, hate, etc., sites via content-filtering software installed at all external connections to the Internet," said Ed Meagher, deputy CIO at the Department of Veterans Affairs. "I suspect very little of that makes its way through our gateways. We deal with sites that get filtered inappropriately on a case-by-case basis."

OPM officials have their own rules. Employees can use office computers for personal use for a limited time when they are not working, such as during lunchtime. But a wide range of sites, including pornography and gambling, are prohibited at all times.

"Certain things are prohibited under any circumstances," said Clarence Crawford, OPM's chief financial officer. "When you boot up your system each day, there is a page that reminds people of this policy."

Crawford said computer misuse has not been a big problem at the agency, and little productivity has been lost because of it. Once a year, employees and contractors are reminded about not misusing their computers as part of a required refresher course on computer security, he said.

Although federal employees can be prosecuted for downloading child pornography, the legality of other activities remains vague. The bottom line, however, is that if an employee isn't working during work hours, a manager has a reason to step in, Violette said.

"A lot of these cases usually start off as performance or conduct cases," she said. "Usually, you are talking about lost productivity or conduct issues."

Employees also are getting smarter about finding ways around the rules. "Every time you put something out, someone will find a way to break them," she said.

For example, a filter can block a sex site or provocative e-mail written in English, but filters may not be programmed to obstruct something written in German or Japanese. And although filtering software may block offensive material, it does not stop an employee from excessively surfing the Web.

Jim Flyzik, a former federal CIO who is now a private consultant, said he thinks the problem has been exaggerated. He said some federal workers spend time infringing on the rules, but so do workers at private companies.

"I find it hard to believe that the government is any different from the private sector or any large organization," he said. "The amount of so-called misuse would be relatively the same across the board."

The Web-surfing Labor employee was stopped in her tracks. She lost her job after the government charged her with misusing her government computer. Although she never disputed a 20-page report listing her misconduct, she claimed she had been under stress because of a family illness. And without fighting the complaint, she retired.

No one has studied how much computer misuse costs the government in terms of of employee productivity, diversions for managers who must deal with discipline problems or shifts in computer resources being used for unauthorized purposes.

Violette said those costs are substantial. "I think a lot of it really sort of turns on how much time is being lost with people surfing on the Internet, wasting time there and managers' time," she said. "Then you have IT people spending their time sitting there building the case. You can be looking at a case that can take several months."

John Reece, former CIO at the Internal Revenue Service, said the problem is too great to curb without exhausting an agency's budget. "It is just too massive a job and too expensive to police the total network effectively," he said. "This is one situation where the cost of a tight enforcement solution may be greater than putting employees on their honor to use the tools in accord with official enterprise policy and their own good judgment about what is fair and proper."

***

Gathering evidence

According to Leslie Violette, chief of the Employee/Labor Relations and Benefits Branch at the Agriculture Department, and Latonia Parham, employee and labor relations specialist at the Department of Health and Human Services, managers who suspect that an employee is misusing computers should ask themselves the following questions:

How many computers are assigned to the worker?

How many e-mail addresses does the person have?

What are the employee's official duties?

Does the person handle sensitive information?

What is the employee's knowledge of computers?

Does the worker have access to the computer after working hours?

Tips for managers

Computer misuse at government offices is an ongoing problem, and experts say managers should take specific actions to keep federal employees from using their desktop computers for personal business. Managers should:

* Have a specific policy and make sure employees know what it is.

* Be clear about what is inappropriate activity. Yes, you can check the weather. No, you cannot visit a gambling site.

* Clearly define working hours and lunch breaks.

* If you allow limited personal use, explain exactly what that means and how much time is allowed.

* Make sure your computers have a pop-up banner that requires employees to accept usage policies before they are able to log on to the network.

* Explain to employees what misuse entails. For example, managers can perform warrantless searches as long as they do not violate expectations of privacy, which are limited when using a government computer.

* Make sure employees know what the penalties are for computer misuse, including administrative discipline and job loss.

— Judi Hasson

2014 Rising Star Awards

Help us find the next generation of leaders in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above