Missing the point

What we really should be talking about when it comes to personal Internet use at work.

As a provider of award-winning Internet access control systems, every day we face questions about the many aypects of controlling access to the Internet, including the issue of employees’ personal Internet use at work, a question that comes up time and again.

These questions aren’t usually all that easy to answer – the whole issue is a sensitive one. And the focus can be somewhat different, depending on who is asking the question.

What questions do bosses and employees ask?

If you Google “personal Internet use at work” you’ll get around 380,000 hits, “Internet browsing at work”, around 730,000. Employers don’t often ask whether they can ban employees from accessing their personal emails or social media accounts while at work. Nowadays most companies tend to allow employees to use this personal communication method to keep in touch with their families, but also with authorities and institutions.

However, there is huge uncertainty about the extent to which this is acceptable. Is the resulting lost work time too high a price for companies to pay? “Reading an email is OK, as is quickly phoning your daughter or getting a drink from the vending machine, but going out shopping during working hours isn’t – so why should it be OK for an employee to book a holiday while at work?” Employees, on the other hand, are concerned about protecting their privacy: “Should my boss be allowed check my browser history?” And both are right to ask if this could be a reason for dismissal.

The key questions can be summarised as follows:

• Should personal Internet use at work be allowed, and if so, to what extent?
• Are bosses allowed to ban it on company devices? What about personal devices brought into work?
• Is it allowed to monitor employee Internet use?

We will only briefly discuss the answers here, because, as we’ve already mentioned, they aren’t clear-cut, and neither case law nor existing legislation sees things the same way in every country. For example, personal Internet use at work is described in Austria as permitted unless expresssly forbidden but in Germany as forbidden unless expressly permitted.

A purely discretionary issue that causes additional uncertainty is the justifiable level of Internet usage. When a legislator invokes the “principle of proportionality”, this is a flexible concept that in case law only produces a predictable outcome in extreme cases, while the examination of whether an employee’s surfing behaviour falls within acceptable limits also involves potential pitfalls that must be avoided if personal rights are not to be violated. Things are clearer when it comes to devices. Bosses may be able to forbid personal Internet use on company devices, but this isn’t entirely feasible when it comes to employees’ personal devices.

But how is all this missing the point?

There’s no doubt that these are important issues. Yet one important question, which poses a significant risk for both employers and employees, is hardly ever asked. Ignoring it can prove very, very costy. And it’s this:

Who is actually liable for damage to sensitive data or the company network?

Imaging that a cryptotrojan has encrypted company data. Recovery time involves enormous costs, a great deal of trouble and lots of outages. The IT departement thinks that the virus probably arrived in an email attachment via an employee’s private web client. The company then makes a five-figure claim on its employee liability insurance, but this is rejected. This insurance “regulates the compensation of damages caused by an employee in the performance of their work to the employer or to a third party” (source: wko.at). Strictly speaking, the accessing of personal emails does not fall under this category. Private liability insurance, if held, will require conclusive proof that the insured party was actually responsible for causing the damage. Can you then prove who was on the Internet and when, and what they were doing? Possibly not, because companies don’t really want to spy on their employees – not to mention that they’re not actually allowed to.

If the employer doesn’t want to bear the costs of the damages themselves, the only remaining option is to take the matter to a civil court. Not very pleasant for either side – the employment relationship will rarely survive such a step, and, depending on the extent of the damages and the interpretation of case law, the process may even result in a situation that threatens the livelihood of the individual or the survival of the company.

So what should you do to prevent such a situation arising in the first place? By reading this article, you’ve already taken the first step. For work-related Internet use, companies already offer a range of network technology options aimed at improving security. Think about personal use and treat these users as the guests in your system that, by definition, they are:

•  Clearly define what is permitted

This includes times and maximum total duration, and possible also blocks on particular sites and activities. This can be defined in the employment contract or in a separate agreement and ideally also mapped by the network infrastructure.

•  Create separate guest access

An Internet access control system is ideal for assigning users specific time slots or quotas, data volumes, bandwidths etc. and for completely restricting access to individual areas or webpages. With IACBOX, it’s even possible to identify user devices and to encrypt the entire WLAN from access point to end device.

•  Authenticate your users

You don’t have to keep your own lists if you use IACBOX – thanks to external authentication, users can be created using the existing data.

•  Use verbose logging

If every user has their own ID, data volumes and use times can be monitored and collated. Activity can be monitored without having to sift through personal information or even search a user’s device.