Cleaning Up Your E-Mail

ederal agencies, like their private-sector counterparts, are monitoring employee use of e-mail. If you doubt it, just ask any of the 500 Navy employees who were disciplined this year for exchanging dirty jokes and other objectionable messages with co-workers.

About a year ago, a Naval Supply Systems Command employee complained anonymously about offensive "adult humor material" on a co-worker's computer screen. When command officials investigated, they found employees were sending each other such messages, in violation of federal regulations and Navy policy. Those who simply received the messages weren't punished, but a few employees were suspended for a week or so, and hundreds more were warned or reprimanded.

At the time, NAVSUP was using an e-mail screening product called Mail Sweeper to scan messages for computer viruses, security breaches and very large files sent as attachments that could clog its networks. Since late 1999, however, the command and its activities have been doing a second pass with Mail Sweeper to detect pornographic video clips and other sexual material, racist and profane language, threats and other objectionable content.

On the Smut Trail

Mail Sweeper and its competitors can be programmed to find almost any words and concepts in messages passing through a server. It isn't simply a matter of scanning for certain words. After all, words such as "breast" or "thigh" can be used quite innocently, says Wally Boos, president of Content Technologies Inc., the Washington state company that makes Mail Sweeper and other filtering products. The best such products have built-in intelligence that lets them evaluate the context in which words are used.

Boos and spokesmen for other companies also tout their products' ability to look for content that concerns the managers who buy the software. These products can police employee dissemination of sensitive or confidential information via e-mail. Besides simply looking for sensitive words, some federal agencies embed special characters in secret documents, enabling them to be flagged as they pass through servers. Another product in this category, the Messaging Management System from Tumbleweed Communications Corp., is used at the Food and Drug Administration. Besides providing content filters, Tumbleweed MMS ensures that drugmakers' proprietary and confidential information stays secure, says Shannon Hakesley, a marketing manager at the Los Angeles company. It automatically directs sensitive messages to FDA's secure server where they can be encrypted before they reach the Internet.

Once an objectionable or unauthorized message is found, these products can be programmed to respond in various ways. Almost always, they notify the mail system administrator. Some also can send the author of the message a pop-up warning or reminder about use policies. Some customers program the software to produce periodic reports on incidents.

What happens then? Even at intelligence agencies, employees often are allowed one or two slips of the keyboard, as long as it's a matter of offensive material rather than intentional threats or disclosure of sensitive information. Then someone-most likely the system administrator or a human resources representative-will counsel them to avoid further violations. Disciplinary action-reprimand or suspension, perhaps even firing-is likely to follow if the violations continue.

Keith Thurston, an IT policy specialist at the General Services Administration's Office of Governmentwide Policy, says he's aware of at least one case in which a federal employee was fired for using e-mail as a tool for sexual harassment and to threaten a subordinate. Such cases "tend to be handled quietly," Thurston says. Employees occasionally have challenged the disciplinary actions taken against them for misuse of e-mail, but the Merit Systems Protection Board and the courts have generally upheld agency sanctions.

As a preventive measure, to avoid catching employees unaware and to solidify their legal stances, many public- and private-sector employers warn their workers that e-mail is subject to monitoring. Warnings often come when employees are hired and during periodic IT, ethics or security training. Many agencies display them on computer login screens and Web pages. But in the federal government such warnings are not mandatory, experts say, before an agency begins to monitor e-mail and to use the results of its monitoring.

Recommended Policy

At a few agencies, any personal use of e-mail is a violation of policy. But agencies increasingly are taking the position that occasional personal use is acceptable, just as with federal office telephones. Thurston, who coordinates an interagency group of federal e-mail managers, says many agencies have adopted guidance issued last year by the Chief Information Officers Council. The policy, "Recommended Executive Branch Model Policy/Guidance on 'Limited Personal Use' of Government Office Equipment Including Information Technology," is on the Web at http://cio.gov/files/peruse.pdf Agencies can adopt the policy as it stands, or with modifications, or not at all.

At its core, the recommended policy says "federal employees are permitted limited use of government office equipment for personal needs if the use does not interfere with official business and involves minimal additional expense to the government. This limited personal use of government office equipment should take place during the employee's nonwork time. This privilege to use government office equipment for non-government purposes may be revoked or limited at any time."

Similar policies-though often unwritten or de facto-are the norm in corporate America, and Thurston says he has fielded queries from private-sector managers interested in borrowing language from the recommended federal policy. There are some major private-sector exceptions. For one, banks and other financial institutions tend to restrict employees' personal use of e-mail out of concern for the confidentiality of customer accounts and other sensitive data. This tendency has a counterpart in the federal government, where the Internal Revenue Service forbids its employees to make personal use of agency e-mail systems. Other agencies that forbid personal use include the FBI and intelligence agencies.

"Misuse of networks is probably the second biggest issue" in communications security these days, says Jerry Harold, president of Network Security Technologies Inc., a Herndon, Va., company that does security work for the federal government.

And agencies that don't do e-mail monitoring may have a tough time making sure their abuse policies are being followed. A recent American Management Association survey of more than 2,000 organizations found that 38 percent of major U.S. employers are reviewing employee e-mail messages, up from 15 percent in 1997. Only 42 public-sector organizations responded to the survey, but their responses indicated that the incidence of monitoring is higher in government than in the private sector.

One agency that screens e-mail for offensive and other improper content, including gambling terms, is the Corporation for National Service. James Arroyo, the information systems security officer, enforces the agency's e-mail policy. He uses a product called Message Inspector from Elron Software Inc., in Burlington, Mass., to produce an overnight report of incidents. At least two dozen objectionable e-mails turn up on a typical report. "If it happens a couple of times," Arroyo says, "I call the employee in." He gives the employee a copy of the report and the agency's policy, and "99 percent of the time, when I talk with the employee, it stops immediately," he says. Arroyo notifies the employee's supervisor only if the improper mail use persists, and that seldom happens. He's not aware of any major discipline meted out to Corporation employees for their mail use.

An Eye on the Web

Arroyo uses another Elron product, Internet Manager, to monitor employee use of the World Wide Web. Internet Manager gives him a log of employee use, minute by minute. He looks for active use of sexually oriented sites, spikes in usage that suggest there's some item of great interest on a nongovernment site and other indicators of improper use. When he calls employees in to discuss their Web use, "they're amazed that this could happen," he says. "They're very apologetic, and it stops. These are adults."

On a couple of occasions, Arroyo says, managers have sidled into his office, red-faced with embarrassment. They've come to confess that in the course of some Web use not closely related to work, they've stumbled into a pornographic site. They know he's tracking their Web activity, and they tell him, "I'm not that type of individual." Arroyo says he understands, and there are no consequences for these employees.

Another kind of software keeps track of what files employees are downloading from the Internet. With agencies' data storage systems straining at the seams, this kind of product can be a real cost-cutter, according to Steven Toole, director of marketing for W. Quinn Associates Inc. in Reston, Va. Quinn's product Storage CeNTral, which Toole says several agencies are using, allows managers of Windows NT networks to block files of certain sizes and types from being saved on the server.

The software comes with a list of file types that tend to be nonbusiness-related, especially big movie clips and MP3 music files that have no role in the work of most offices. The network manager can modify and update the list as needed. Such software can block the receipt of business-related graphics, including PowerPoint presentations, but the products can be programmed to deny access to very large files only. When Storage CeNTral is installed, Toole says, it can free up as much as 30 percent of the server's disk capacity by deleting downloaded files that aren't needed.

Looking for another reason to block receipt and storage of multimedia files? Suggestive or pornographic files are doubly offensive if they involve sound and action. Such files were among those that turned up at NAVSUP. Employees have successfully sued employers for allowing the workers to be exposed to sexual material over a period of time. And music publishers are beginning to file suit against proprietors of servers that hold files of copyrighted music. That's a potential risk for government agencies if they tolerate storage of such files.

But GSA's Thurston says the system capacity issue should be a real consideration for agency managers when they're deciding how to control e-mail abuses. Thurston says agency e-mail gateways are getting clogged with tremendous volumes of mail and files attached to mail. At one agency, external e-mail traffic increased from 28,000 a day in March 1999 to 50,200 a day in March 2000-an annual growth rate of 79 percent. Greater rates of increase have been recorded at other agencies, Thurston says. When it comes to e-mail abuse, "only half of it is the issue of misuse of time and other resources," he says. It's equally important to make way on federal networks for the important business-related mail.