It's not a joke: big brother really is watching you.

A recent report from Toronto's Ryerson University called "Under the Radar," asked employers about the surveillance of their employees. The results were shocking.

The report found that employers were watching closed-circuit television cameras, listening into recorded conversations, monitoring e-mails and keeping track of their employees' whereabouts within the building through scanning magnetic passes. Another larger study in the United States and Britain recently found that 40 per cent of employers read their employees e-mails regularly.

Even more shocking was the blasé attitude that employers took when asked about the privacy rights their employees expected at work. It seems that without telling them, employers just assume that employees already believe they are being monitored at work. From the surveys cited above, it's perfectly reasonable to be paranoid.

Although many companies are uncomfortable talking about spying on their employees, the OBJ spoke with Larry Trenwith, vice-president of sales and marketing for the Ottawa-based surveillance software firm Nemx Software Corp. and found that in some cases, companies are legally obliged to monitor e-mails.

OBJ: What kind of surveillance software does your company offer?

TRENWITH: Surveillance has a lot of negative connotations. It's something that police do to bad guys. What we do is a little different. It's surveillance in a sense that we are monitoring e-mail. What Nemx and our product line does, is it monitors and controls the flow of e-mail. It's not a key-stroke logger, it's not looking at what's going on in the internal network. What we do is inspect every e-mail that goes out, comes in, or circulates within the organization. The software product does it automatically. So, it's a form of surveillance. Within the company that does this, surveillance isn't the term we use because it implies that we are watching bad people do bad things. Certainly you have the ability to do that, but the bigger role with surveillance e-mail is to do something positive. The first products that did "e-mail surveillance," were anti-spam and anti-virus products and what they did was watch and monitor the contents and try to block the spam and viruses.

That's expanded now to monitor outbound e-mail traffic and e-mail between employees. We monitor what's in those e-mails and what's in those attached documents that often accompany an e-mail message.

OBJ: Why do companies use this software?

TRENWITH: What are driving companies to implement these kinds of solutions are regulatory rules and obligations to protect the privacy of clients and employees. Within the e-mail world, what we deal with is really e-mail content inspection. Its primary role is to protect the organization and the employees.

When things like Sarbanes Oxley, HIPAA (Health Insurance Portability and Accountability Act) and PIPEDA (Personal Information Protection and Electronic Documents Act) in Canada, came into effect, it became the driving factor – to develop the best practices from a business point of view. If you're a business, you don't want your development plans or your customer lists or other sensitive or confidential information leaking out of the organization. You don't want a disgruntled employee sending it to a competitor

... employees following security policy is the second highest security challenge that companies are going to face in the next 12 months. Less than 50 per cent of employees always follow corporate e-mail rules. Half of all employees have admitted to having sent or received inappropriate content. If you put that into the organization's context, court rulings have established unless the organization can show they have appropriate measures in place and they take appropriate precaution, they can be liable for the kind of content that goes across their system. If you have a case where an employee is sending racially slurring comments to another employee and they're doing that through corporate e-mail, as the employer, when you give them the right to use the corporate e-mail, you are giving them the right to do that and can be found liable in some cases. It has been shown that for whatever reason, people will say things in an e-mail message that they wouldn't say if they were talking to the person face to face or even on the phone.

More often than not, most violations are innocent or inadvertent. It could be something as simple as, now there are two John Smiths and the one you're used to dealing with used to be the first one to come up on the e-mail list and now there's two. And holy jeeze, that happens to be a guy who we deal with but he's not an employee and I just inadvertently sent something outside the company that I shouldn't have.

If you catch it you can say "hey, that has sensitive information and it's going outside the company, let's quarantine that or divert that for someone to take a good look at it and see if it going where it should be going."

OBJ: Do you have any clients who use it beyond legal security reasons and monitor for productivity?

TRENWITH: To a certain extent, you have the ability to do that. For example, George is sending an e-mail to Sally that shouldn't be sent. And I am sure that there are some entities in the marketplace that are using it for that purpose, what we would call covert surveillance on their employees so they know what their employees are doing.

I would say anecdotally, in all the thousands of customers we have, a handful have told us – and that doesn't mean that more than a handful is doing it – but a handful have told us that they're doing the kind of things you are mentioning. We hear, "Well, I'm a small business and I want to make sure that I know what my employees are doing and I want to monitor the situation." Not necessarily for compliance reasons.

OBJ: What have the results been after employers install your products? Do people use e-mail less?

TRENWITH: You have to realize there (will be) 103 billion corporate e-mail messages per day next year, that's what Radicati (an American market research firm) predicts. We have never had anyone tell us that corporate e-mail usage goes down. Everything points to the fact that e-mail use is going up and that it is the main form of business communication now. And you're seeing the same thing with corporate instant messaging systems.

OBJ: Do you warn your clients of the legal issues with using this software?

TRENWITH: We don't say, nor are we obliged to say, that there is an issue there. It's the organization's responsibility and again, in both Canada and the U.S., in court cases I am aware of, they have set precedence that this kind of software, at least the kind that we have, is absolutely within the realm of the employer's right. They have established that e-mail and e-mail systems are corporate resources and what's done on them and through them in the business place is the property of the business.

OBJ: Should employers ethically tell their employees that they are being monitored?

TRENWITH: In most cases, with our customers at least, the employees know and with large organizations, it's expected. They know about the compliance regulations and they make no secret that they have to do these things. It is their legal obligation to do these kinds of things. In any sort of company, you have to be a little naïve if you don't know that these tools are being used by the organizations.

Coming up in February: On the move

Feb 5: Location location location: Urban vs. suburban

Feb 12: Read the fine print: Leases and landlords

Feb 19: Keeping employees happy and preparing for the move

Feb 26: Anticipating growth: Is going big a gamble?

WHAT THE EXPERTS SAY

For our clients, the biggest section of our clients is business people who have internal theft problems. Internal theft is much bigger than customer theft. But you have to watch out for the privacy laws. If you put up a note that a camera is on them, then everybody knows. A lot of people can get around the regular cameras, but they don't know about the hidden cameras.

For example, if money is missing from the change room or if somebody is stealing money out of wallets because people change into uniforms and have to leave their clothes and personal belongings in certain rooms, there are other options (other than video surveillance).

We have the thief-detection powder, for example. Whoever steals the money gets some stain on their hands. At first, just some purple spots appear and it gets worse with moisture. When the person tries to wash it off, then the hands really become purple. It doesn't wash off and lasts for a few days. So then, you know who's had their fingers where they didn't belong.

And of course certain larger companies have union contracts where there is no surveillance allowed. They have to check their contracts. When clients come in, we have to tell them that of course we are not lawyers, so we tell them to consult a lawyer to find out if they can do this in their company or not.

Ursula Lebana, owner of surveillance equipment supplier Spytech

It's a balancing act between the employee's privacy rights and protection, against the employer's legitimate business interest. It's important for employers to demonstrate that the surveillance is carried out for a valid business purpose and would not breach the employee's expectation of privacy.

There are different kinds of surveillance. There is e-mail surveillance, as well as surreptitious and obvious video surveillance. With respect to e-mail surveillance, there are a number of reasons for employers to monitor e-mail. These can include safeguarding confidential information, preventing downloads of pirated software or to prevent harassment in the workplace. So the law does recognize the rights of employers to monitor e-mails, but there are indeed limits.

The general test that various tribunals and courts follow is that there must be a substantial evidence of suspicion, there must be a strong possibility that the surveillance will be effective, there must be no reasonable alternative to the surreptitious surveillance. It must actually address the problem and the surveillance must be the last possible step available.

It would be suggested that a workplace policy be created on surveillance and disseminated to employees to make sure they are aware as to how the employer will acquire information. The issue of privacy is an ever-mounting issue of importance in this country. Employers have to go through great pains to make sure that employees' privacy is not breeched and that they don't conduct themselves contrary to the (privacy) acts.

Ronald Snyder, Gowling Lafleur Henderson LLP