Today it's Napster, tomorrow it's anybody's guess. Make sure employees know that come what may, company computers are governed by company rules. Lee Pender reportsAt a glance* Understand the impact of personal computer use at work * Discover how technology abuse by employees affects technological infrastructure * Learn to develop corporate policies for technology use that will satisfy legal requirementsWhen a few of his employees in the IS department at Ursus Telecom Corp started trading an episode of the bawdy comedy South Park using Napster, the popular file-sharing application that has both rocked the entertainment industry and thrilled millions of users, the company's vice president of worldwide Internet services took action.
Having read stories of high-profile lawsuits filed against Napster, a VP at Ursus Telecom, Jay Chavez decided to avert legal trouble before it came his way: he banned Napster from PCs in the company's offices.
"I figured I'd better nip it in the bud," Chavez said. "I work for a public company. I answer to the board of directors. It's a matter of the public trust."
Fortunately for Chavez, the few employees who were using file-sharing technology didn't react harshly to the Napster ban. In fact, Chavez said his feelings were hurt more than anyone else's - because nobody had sent him the infamous South Park episode. But for many IT managers, the issue of how to shape and enforce policies dealing with employees' personal use of company technology is no laughing matter. It's a problem that will become increasingly complicated as new technologies arrive, especially on the Internet.
Internet abuse in the workplace is nothing new. As soon as the Web hit the corporate desktop, it raised issues such as declining employee productivity because of Web surfing and the prospect of workers viewing pornography and other objectionable materials online. But the battle to rein in the Web has reached a new ground.
Evolving technology is forcing - and will continue to force - IT managers to re-evaluate the definition of Internet abuse and their role in developing and enforcing policies designed to prevent it.
The latest innovation to give companies fits is file-sharing applications, which can tie up bandwidth, introduce legal hassles and hinder productivity. But they are only the problem du jour. Tomorrow, it could be something else entirely. IT managers can maintain control no matter what the next day brings by taking several positive and specific steps to ensure that their companies' employee-use policies allow for reasonable personal use of technology without giving employees too much or too little leeway.
To do so, it is vital to merge risk management with empathy for employees - especially in the case of IT workers who are already in high demand. "If I were heavy-handed, they could walk out the door and have another job the next day," Chavez says. People who spend 15 hours a day in the office will need to take care of some personal business while they're there, whether it's transferring money between accounts or making airline reservations. Allowing that use without condoning abuse is critical. The current hurdle File-sharing applications are the latest challenge to corporate policies because they intensify the problems of old-fashioned Internet abuse. Although each uses a different architecture, these applications allow users to trade files with each other. Napster, for instance, turns an individual's computer into a mini-server. Users can search for and download files located in the hard drives of other users on the network. At the same time, users expose their files for search and download by other users.
Almost all the material that passes through file-sharing applications is copyrighted. Most of the applications help users search for MP3 music files, but some, such as Gnutella, are sophisticated enough to handle the transfer of bigger files such as television shows. The battle over copyright laws and file-sharing applications has led to several lawsuits against Napster, which resulted in a US federal court issuing an injunction against the service in July 2000.
With courts shaping and reshaping copyright laws, companies cannot be sure they are totally immune to lawsuits. "You are in virgin territory when you're dealing with things like Napster," says Richard Hafets, co-chair of the labour and employment practice group at law firm Piper Marbury Rudnick & Wolfe. Hafets says companies are not very likely to face a legal threat based on employee use of file-sharing applications. For a plaintiff such as a record label, or the recording industry as a whole, to win a case, it would have to prove one of two key points: that an employee who is illegally downloading music is doing so in the employer's interest, or that the employer knew of illegal activity and turned a blind eye to it.
The first situation is both difficult to prove and unlikely to happen. Most use of file-sharing applications revolves around collecting songs and other material for personal use; business use of file-sharing applications is still somewhat undefined. Hafets' second scenario is the one that could get companies into trouble. He says it is not enough for companies to simply have a personal-use policy and not enforce it. If an IT manager or other company official knows of illegal use of file-sharing applications, he should take action. Intentional ignorance of such activity will not be an acceptable excuse in the legal battlefield.
"You get much closer to holding the company liable if the company is specifically aware that copyright infringement is taking place and simply does nothing about it," Hafets says. "If you're in an office and you see people on the Internet visiting sites [such as homepages that have file-sharing downloads] that don't appear to be business related, you can't just put your hands over your eyes and your ears and say, 'Hear no evil; see no evil.' [A plaintiff] could say you have an affirmative duty to deny access to these sites."
For some companies, even flirting with the copyright issues surrounding file-sharing applications is too risky. Chavez found banning the technology outright easier and safer than working with lawyers and human resources professionals to develop a safe policy for employee usage of that particular technology.
For others, however, allowing IS employees to toy with the latest innovation is worth any potential legal risk. Ron Pollard, CIO of Specialized Bicycle, said he likes the technology behind file sharing and encourages his employees to explore it.
"Napster is really great technology," he says. "[IT workers] should be out there looking at how technology works."
Lawsuits are only one example of the problems that can be caused by personal abuse of office technology. Another more technical demon can raise its head: overworked bandwidth. File-sharing apps in particular are notorious bandwidth hogs - one MP3 can measure 5MBs alone. When users download multiple songs at once and simultaneously have multiple songs uploaded from their libraries, bandwidth can become scarce. And it's not just file-sharing applications that can cause problems. IT executives have also battled applications such as interactive games and downloadable tax-preparation programs.
Bandwidth shortages can give an IT manager a false sense of how much bandwidth his organisation needs, which ultimately can affect the bottom line.
Justin Kirsch, senior vice president and CIO at loan-servicing company Security National Servicing Corp, says his company upgraded its telecommunication connections with the thought that it needed more bandwidth to handle B2B transactions. "We've made decisions to buy more Internet bandwidth thinking that our business was using that bandwidth," he says. "In reality, [we had] employees downloading music all day long." Security National now uses software that blocks sites and applications that are bandwidth hogs and carefully enforces personal-use policies that restrict bandwidth-intensive applications.
Another red flag signalling heavy use of high-bandwidth applications that could be more immediately damaging is a slow Web site. An overload of internal traffic can, depending on the configuration of a company's network, cause an external Web site to crawl. Eventually, bandwidth problems become tech-support issues. The more users are bothered by slow connections, the more they will call on already overtaxed IT staffers to help solve problems. An outbreak of slow PCs, a result of hard drives crammed with downloaded files, and slow network access should alert IT managers that it might be time to investigate the use of file-sharing applications.
Although it has not happened yet, a real nightmare might be on the way: virus-bearing MP3 files traded from user to user. Viruses have wreaked havoc recently via e-mail, but an infected file uploaded and downloaded all over the world - and inside a company's walls - could bring a company's infrastructure to its knees. "Anytime you have data flying around and you may not necessarily know from whence it came, you introduce risk," says Steve Vonder Haar, senior Internet consultant at The Yankee Group.
Steps to avoid trouble: Potential legal problems and technology issues are not the only challenges lurking within file-sharing downloads and other new and forthcoming applications. Old-fashioned Internet-abuse concerns such as employee productivity are also potential hazards. But IT managers can follow a few simple rules in developing and enforcing fair personal-use policies:
* Be aware of technology trends
File-sharing applications are the current troublemakers; there will be more to come. IT managers constantly need to be on the lookout for the next wave. Reading about the next big thing in personal technology and chatting with employees about what is popular are easy ways to keep up with trends.
* Mention new technologies by name when updating policies Hafets says continual monitoring of technologies combined with a corresponding evolution of policy is a good idea. IT managers should both search for the next big thing and be ready to address it specifically in revised corporate policies. That approach not only sets specific limits for employees, it also helps avoid legal problems when dealing with new applications, whether a company is banning them or simply restricting them to proper, legal use. "As long as your policies are broad enough to cover all forms of communication, you'll probably be OK," he says.
This simple concept that no one has quite mastered is the key to keeping employees happy while maintaining an appropriate level of control over their ability to use applications for personal purposes. Chavez says he made his employees active participants in every step of the process that eventually led to the Napster ban.
At Ford Motor in the US, which has 110,000 users on its network, Rajan Nagarajan, director for enterprise process and IT integration, also stresses the importance of consistent and open communication. Ford conducts training sessions for all employees that cover the company's personal-use policy and frequently disseminates information about the company's mission and how it relates to each employee. "We fundamentally believe that if you expose everybody to the same information, they'll all come to the same understanding," he says.
Kirsch says, however, that IT managers should not hesitate to remind problem employees that they are working on company time - and technology. "I take this general principle: if we bought it, we own it; we control it," he says.
* Back up your policies with action
Simple communication and trust will not always be enough to handle every situation. Kirsch suggests using peer pressure. Send out a reminder notice of policies or procedures to the whole company or department if inappropriate use of technology is rumoured or noticed. "That sends a strong signal," he said.
If an employee ignores the warning, confer with HR and legal departments about the appropriate action.
* Play an active role in developing and enforcing policiesIf misuse of technology is causing problems in an organisation, the CIO must be on the front lines, monitoring usage and reminding employees of policies. Act as a member of the executive board, not just as head of the IS department.
The issue of employees' personal use of company technology did not begin with the Internet, and it won't end with the influx of file-sharing applications. But actively participating in the evolution of personal-use policies will continue to be a must, since the next kids ready to stir up trouble on the corporate block are lurking around the corner.