ROBERT SIEGEL, Host:
From NPR News, this is ALL THINGS CONSIDERED. I'm Robert Siegel.
For millions of Americans, a job entails sitting in front of a computer. It's there for work. It belongs to the boss.
But in this wired world, there is an increasingly vexing question facing employers and employees alike: what is the appropriate Internet access for people at the office? And how much personal use are we or should we be permitted?
We asked some people around the country these questions. Here are Scott Kylar(ph) and Doug Sparling(ph) who work at the publishing house Andrews McMeel in Kansas City, and in Seattle, Cindy Barris(ph) of the logistics firm Expeditors International(ph), and Mike Smitken(ph) of Washington Mutual Bank.
SCOTT KYLAR: Our specific section because we're so involved in the Internet, it's pretty free. I mean we don't really have any set policy. We're kind of a, you know, do what you need to do and if it becomes a problem, then they'll crack down on us.
DOUG SPARLING: I don't know. Is there an official policy? Obviously, I don't think that you're supposed to be doing some of the things that you're not supposed to be doing. Like don't download illegal movies or go to the XXX sites or - things like that, which is more common sense than anything if you want to keep a job.
CINDY BARRIS: No, we're not allowed. They've restricted all of that. You can't have personal email, any Yahoo! email or Hotmail or any of those types of accounts are restricted.
MIKE SMITKEN: My name is Mike Smitken. I work at Washington Mutual Bank.
Yeah, I mean, I check my own personal email, look at sports scores, news, things like that. I mean, I can't just go anywhere at work and do whatever I want like view movies or stream music or whatnot. I can't do that.
There are certain - I don't know how the filters work, but there are optional - a lot of sites that are blocked and if you try to go there, it will say, you know, This site's blocked by Washington Mutual so you cannot go here from inside the network.
SIEGEL: Those filters that Mike Smitken was talking about made big news this summer in Kentucky. The governor, Republican Ernie Fletcher, blocked a variety of Web sites on state-owned computers. The publisher of an online political newsletter has filed suit amid accusations that the governor didn't like state employees reading that particular site on the job.
In fact, the governor blocked entire categories of Internet content, blogs, and auction sites, URLs that specialize in entertainment, movie reviews, and humor, and religion, and politics.
But at least one state office in Kentucky is at odds with the governor. Jonathan Miller is a Democrat and he is the state treasurer. He announced a different policy.
JONATHAN MILLER: My office, every several months, conducts an online auction of unclaimed property that we receive, and have used eBay effectively, both to sell the items and to raise money for the commonwealth and our general fund. And to me, that was an example of the problem of wholesale bans or blocking wholesale categories of Web sites. Because as the Internet grows and continues to grow, it offers so many different and unanticipated ways of promoting efficiency and responsiveness for state government.
SIEGEL: Well, is your solution then narrow, piecemeal, and specific? That is, as you discover a particular Web site that would be of use to state employees doing state business you should permit access to it or is it broad and general? Say, open up the Internet to state employees?
MILLER: Right. No, ours is broad and general, in that we want to open up the Internet to state employees with only a minimal blocking for sites such as pornography and gambling that on no occasion could ever be valid for state use.
And yet we have a policy, a very firm policy in our office, that state equipment, including the Internet, is to be used on state time only for state business.
You don't think that you want employees surfing sports sites. However, we've done projects in conjunction with some of the minor league baseball teams, in terms of promoting our unclaimed property program or our prepaid tuition program. So again, having a wholesale block on sports sites would limit our ability to communicate and do research in those areas.
And so that's why I prefer less limits on that and more interaction between employees and their supervisors to insist on compliance with our office policy.
SIEGEL: But you've managed to come up with the only utilitarian justification of visiting a baseball site that I could imagine, that there's a state charitable relationship to a minor league baseball team.
An employee comes in to work. Couldn't stay up late enough to watch the West Coast game that the Reds were playing and wants to log into majorleaguebaseball.com to see the result. It's going to take about two minutes for him to look at it, if that. Okay? Or a violation of his work rules?
MILLER: I don't see that as a problem on a break, equivalent to a smoking break and does a lot less harm to his lungs and to the environment. I am confident that our employees understand that they're not allowed to abuse that and to be looking up baseball scores or communicating about baseball during their state hours.
SIEGEL: That's Kentucky state treasurer Jonathan Miller.
So in Kentucky, there is now both a pretty wide-open approach to state employee Internet use on the treasurer's staff, and a very restrictive approach, the one announced by the governor.
We wondered, what's typical in workplaces across the country? What's the work place policy for monitoring, filtering, blocking, or just banning Internet use?
So we asked Nancy Flynn of the ePolicy Institute who surveys workplaces every year and asks precisely those questions.
NANCY FLYNN: Seventy-six percent of employers do have an email policy in place, but where employers really drop the ball is when it comes to emerging technologies. For example, only 34 percent of organizations have an instant messaging policy in place.
And then when you look at blogging, only 7 percent of companies have a policy in place that governs an employee's blog use.
SIEGEL: Now I assume that when we speak of a policy, one question is: can you do that at all while you're at work? Can you work on your blog from your workspace on the company's computer?
FLYNN: Well, it really depends on your organization. Seven percent have a policy that governs what employees may and may not post on their own home-based personal blogs.
And by the way, Robert, just to kind of expand your vocabulary here, the official blogosphere term for being fired is deuced. So if you're deuced, you have been fired for blogging.
SIEGEL: Let's go back to behavior that strikes me at least as a bit more passive and part of what's at issue in the situation in the commonwealth of Kentucky, employees in the state of Kentucky.
Does the typical American worker who sits in front of a computer screen and I assume that's an awful lot of us, generally have the right to go surfing the Web and look at whatever site one chooses to at work?
FLYNN: What employers have, under the Federal Electronic Communications Privacy Act, is the right to monitor all employee computer activity. So employers have the legal right to monitor the Web sites employees are visiting, to read their e-mail messages, to read their IM chat and blog posts.
And certainly at ePolicy Institute, we recommend employers take advantage of that right.
SIEGEL: That's a provision of a privacy act?
FLYNN: Mm hmm, that's the Federal Electronic Communications Privacy Act.
What employers are doing, is they are in fact increasingly taking advantage of that. We've got 65 percent of companies that use technology to block employees from accessing those sites that the employer has deemed as inappropriate or offensive.
SIEGEL: But what about the Google record which just shows somebody has been researching the 1958 Cincinnati Reds extensively, every day at his terminal for months. What do you make of - what's the danger with that?
FLYNN: Well, for employers, you simply don't want your employees wiling the day away online. And our 2005 survey revealed that 86 percent of employees engage at personal e-mail at work, so a lot of time could be wasted. And then any time employees are communicating with outside parties, whether they're friends of family or whomever, you know, the likelihood that confidential company information - trade secrets, financial information that shouldn't be disclosed yet - that all of that could slip out either intentionally or accidentally. And that's another big cause for concern among employers.
SIEGEL: Nancy Flynn of the ePolicy Institute says the businesses that are most regulated by government are also most typically the most restrictive about Internet access on the job; financial services, healthcare companies. In fact, here's what we heard from Lance Thompson who works for the brokerage, Smith Barney, in Kansas City. And from Jim Kadey(ph) of Kaiser Permanente Healthcare in Oakland. Do they do personal business on the office computer?
LANCE THOMPSON: Nah. I don't do a lot of that type of stuff. It's sort of frowned upon, you know, by Smith Barney. You want to keep any eye on what you're doing, you know, and that type of stuff. So it's all internal e-mail. You know, from company, to this office, to this office, you know. But my regular e-mail, like at home, no.
JIM KADEY: They don't specifically tell you they're reading your e-mail, but, you know, our policy is that it's work, you know, use and you're governed by that, you know, their policy for that.
SIEGEL: That's Jim Kadey and before him, Lance Thompson. Next, we turn to Paul Henry of the Secure Computing Corporation. His company designed and maintains the software - it's called Web Washer - that Kentucky uses to block all those Web sites. Paul Henry says his concern is network security, keeping out viruses and other unwanted digital intruders. His software blocks whole categories of Web sites.
PAUL HENRY: We feel that we do a pretty good job of it. I mean we have 74 different categories today. We have people literally all over the world that are regularly surfing sites and adding them to the specific categories. Plus we get a lot of feedback from our clientele.
Typically if an URL pops up and we haven't caught it yet and applied it to our database, we'll get e-mail from one of our customers, one of our users, requesting that we take a look at the Web site and we add it into the database.
SIEGEL: What are some kinds of categories that are among those 74? What's a typical category?
HENRY: Well, you know, you would normally have the - well, the typical ones, of course - pornography, vulgarity, shopping sites, news sites. It's just an incredible wide array of categories.
SIEGEL: Sports gambling sites?
HENRY: Oh, sports, gambling, yes. I mean you name the subject and there's probably a category that somehow, somewhere fits it.
SIEGEL: I can imagine an employer saying, when you're at the office, the computer belongs to us - that is your employer - and we will specify a few sites that relate to your work, and those you can visit on the Web. Everything else is off limits. Do you ever get an order like that? Let's specify the only things you can do.
HENRY: You know, we really don't but I wish we did as a security professional. That's referred to as a positive security model. You're only allowing known good behavior to occur across the Internet. The model that's currently used by a majority of people on the Internet is referred to a negative security model.
In a negative security model, you're attempting to block everything that can be possibly be bad that comes down across the Internet. It literally puts you at an arms race with the black cat community out there when you're trying to do that.
SIEGEL: That's Paul Henry of Secure Computing. We also heard from Kentucky State Treasurer Jonathan Miller. And the ePolicy Institute's Nancy Flynn on how much access workers should have to the Internet at work.
You can read more about this, and see the Kentucky state policy that piqued our interest in the subject, at our Web site, NPR.org.
(SOUNDBITE OF MUSIC)
SIEGEL: You're listening to ALL THINGS CONSIDERED from NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.