"Indeed, a recent {2002} survey by the American Management Association shows that about 78% of companies in the U.S. monitor their employees in some way. Sixty-three percent monitor employee Internet use, 47% store and review employee e-mail messages, 15% view employees by video, 12% review and record phone messages, and 8% review voice-mail messages." ~ Eric J. Sinrod
"To a large degree, the issues that an AUP addresses are not all that different from what happens in the school bathrooms, on the playground, and when walking in line when the teacher is not looking. ... It's really no different for a child to call another a jerk via e-mail than it is to write that same message on a piece of paper and give it to the "jerk." It just seems that when behaviors we see everyday occur on a computer we are not as sure of things." ~ Rob Reilly
"The impact on morale from such close and direct technical monitoring of user activities can have a very negative impact on an organization's productivity. Users tend to be a little nervous in an environment where Big Brother is watching every keystroke and mouse click." ~ Keith Morgan
Companies "are far more aggressive that they ever have been in the past. Virtually every minute of every day they can tell what you are doing. With all the monitoring, it is turning into an electronic sweatshop." ~ George Walls
From a 2003 Washington Post article abstract, "An FBI survey found that employees at 78 percent of companies has misused the Internet, and a study by IDC estimates that 30 to 40 percent of Internet surfing during work hours is not work related."
"Undertime is the time that an employee takes off work to perform non-work-related tasks; the salary or wages earned while performing such tasks." ~ Paul McFedries
"It may be the worst-kept secret in the workplace: people are working more undertime -- stealing time off during the day to compensate for heavier workloads and more stress. Undertime can take many forms, from hours spent away from the office on errands or shopping to chunks of time spent at your desk surfing the Internet." ~ Sue Shellenbarger
"To get Federal aid, a crucial source of funding, libraries must install filters on every terminal with Internet access. They cannot maintain adults-only terminals without filters, or rely on alternative methods, such as monitoring by librarians, to keep children from looking at inappropriate websites." New York Times
"Can a filter apply 'community standards' or assess if a work is 'patently offensive' or has 'literary or artistic value'? How will a filter know if a particular site is harmful to minors"? ~ Julie Hilde
"Almost 40 percent of workers in the United States, the United Kingdom and Germany spend an hour or more every day e-mailing their friends and relatives or swapping jokes and other ephemera via the company e-mail system during working hours." ~ Silcon Valley/ San Jose Business Journal
Harvard Law School has an interesting filtering site that hopes to eventually development an application for Internet users to retrieve information from a blocked website [focus is on authoritative countries that block political and other information].
The Virginia Department of Education, Technology Division, provides a handbook on acceptable use policies.
Acceptable Use Policy for Information Technology Resources at the University of New Hampshire
Statement on Library use of Filtering Software
Necessity of a K-12 Internet Acceptable Use Policy
Writing an Acceptable Use Policy
In libraries and other information agencies, AUP for Acceptable Use Policy is the favored term. In business and government, you are likely to encounter IAUP or Internet Acceptable Use Policy. IAUP is more specific and is the better term. In either case, the policy serves as a legal document and should be reviewed by counsel before implementation. As a legal document, employees or clients need to be informed of the policy and should sign an agreement that they understand and will follow the policy.
There are two dimensions to acceptable use or "access management" which is a more neutral phrase for the same issue. The larger dimension is the use of information technology by employees. The smaller dimension, and the one often visible to librarians, is the use of information technology by clients.
Although "acceptable use" is often associated with school and public
library access to the Internet, the problem is much broader than that.
Acceptable use policies are important in any organization that provides
computer work stations to staff. One study found that employees went
online
an average of 41 times a day and many of these are for personal rather
than
work-related needs. Another study found that about 30 percent of the
e-mail
leaving a corporate site were personal. In response, an increasing
number of
employers (much more than 50 percent) monitor e-mail, voice mail,
computer files, phone calls, and WWW use via spot checks. A recent
survey found that three out of four of the largest firms in the U.S.
monitor employee email, Internet use, and computer files.
For example, is it acceptable to use the work computer to play games? To access personal email messages? To visit a web site to check on the score for a ball game? To visit Amazon.com and order a book for leisure reading? To send a message to a colleague with negative comments about the boss? To add a neat little utility that makes printing go better? Phone calls to family and friends?
Many work environments have created policies and procedures for acceptable use and that includes checking employee web and email use via server transaction logs. The consequences of violating an acceptable use policy can be substantial. Litigation concerns and the use of digital evidence in lawsuits and regulatory investigations has encourage more and more strict policies. About 20 percent of U.S. employers has had email subpoenaed by courts and regulators.
Another major concern is opening corporate computers to viruses, spyware, and other security problems arising from inappropriate use of corporate work stations. For example, one estimate for the annual cost of spyware downloads is $265 per user per year. Instant messaging, peer-to-peer file sharing, and IP telephony pose some risk.
Policies are enforced. Edward Jones & and Company fired 19 employees for sending inappropriate material over its email network. Xerox fired 40 employees after software recorded them visiting shopping or pornographic websites or spending inordinate time online. Recent studies found that about 25 percent of U.S. companies have fired employees for Internet and email misuses. Corporate surveillance of employee email, web use, and telephone use has doubled since 1997 with about 75 percent of larger firms monitoring employee website connections and blocking access to those considered inappropriate. About 55 percent retain and review email messages. Surveillance software is being more widely used. There is also a movement from spot checking to systematic checking, usually based on software searching for specified key words. Another example, Investigator 2.0 from WinWhatWhere monitors each keystroke on the computer and e-mails a report to the supervisor.
Before the Internet, acceptable use policies were often created to limit telephone use or the use of a company car. These issues, plus those associated with use of corporate credit cards continue.
With the advent of the Interned and the web, increasing attention has been placed on acceptable use of information technology. The focus is on improving worker productivity and minimizing computer training, repair, and assistance costs. Issues to be discussed in an employee policy on acceptable use of information technology would include:
The Privacy Commissioner of Canada recommends these basic rules for respecting employee privacy:
Typical problem areas are:
The two major areas are "cyber loafing" and acts that risk legal liability such as sexual harassment. Too, inappropriate use of the Internet can degrade bandwidth and expose the local network to viruses, worms, and the like.
Too often, the policy emphasis is on unacceptable use rather than acceptable use. Better to begin with and focus on the acceptable first. The policy should clearly define the degree to which individuals may expect privacy in their use of company information technology. Employees should be asked to read the policy and sign a statement indicating that they are familiar with it as part of their initial orientation. Policies should be widely available and should be reviewed on a regular basis (every three years seems reasonable).
To state the obvious, policies are of little value if they are not enforced. Enforcement requires effort and patience. Typically, staff prefer not to do it so it requires continued determination on the part of middle level management.
Although somewhat expensive for many publicly funded agencies, monitoring software is widely available. It can capture messages sent and received as well as each website visited. The fact that email is deleted on an employee's computer is of little importance when it is captured and retained elsewhere in the organization. This software is increasingly sophisticated. For example, it may allow employees to visit a sports site between 12.00 and 1.00 only. Managers receive via email reports of policy violations.
An alternative to monitoring software with its privacy and morale issues, is blocking software. Filtering software designed for corporate use is available and blocks websites by category with reasonable success.
Most of the concern here is about access to inappropriate websites by children. The key question is: how to protect children from harm without limiting the rights of adults to access material that is legally accessible for them? One obvious response is to limit children's use to children with parents. Another would be to have filtered work stations in the children's department and unfiltered machines in the adult department (teens remain a problem). Again, appropriate and inappropriate behavior need to be defined and the consequences of inappropriate behavior must be clearly stated.
Four categories are responsible for most of the pressure to do something about public client access to the Internet:
Clearly, there are substantial definitional problems associated with
each
of these categories. Community members will differ in the degree to
which
this material is offensive. Courts appear to support the right of
adults to
access sites that are legal. Courts do not appear to support the right
of
children to access sites that are controversial but legal. The key to
this problem is the
ability to protect children while preserving the rights of adults.
Internet access to pornographic materials can also be a staff issue.
Librarians in the Minneapolis library system were successful in a suit
that argued that the library created a hostile work environment [sexual
harassment as well] by allowing patrons to view porn sites and print
pornographic content.
If we limit access to a collection, it is part of collection management. There is a substantial tradition in many libraries and museums of limiting access to certain collections and services by user category. For example, undergraduate students are often denied access to distant collections via inter-library-loan. Access to special collections may be limited to "serious" researchers. Licensing arrangements may limit use of digital collections to one person at one place at one work station. Users may be able to view documents, but not print them. Companies and government agencies limit access to protect secrets. "Need to know" has a long history. The collection developer/manager may be legally responsible for managing access to collections to insure that contractual and legal obligations are met.
Since access management is intrusive and creates barriers to collection use, it needs to be handled thoughtfully and in as limited a manner as possible. While digital collections allow easy restriction via passwords and the like, our mission, as much as possible, is to facilitate use and make life easier for users. This means that access management policies need to have clearly written and persuasive rationales to justify access restrictions.
If access to a collection cannot be limited, it may be necessary to select only those items appropriate for the larger audience. For example, censors have long suggested that if children have access to the adult collection that collection should only contain material appropriate for children.
Clearly, the Internet creates a problem by providing clients with access to collections that we have not developed.
Many collections have policies that limit use of collections by restricting circulation. Some material may be used only in the library and sometimes under supervision. Material likely to be mutilated or stolen may require submission of firm ID before use. Special collections often limit the use of cameras, photo duplication, ink pens and other devices. Archival collections may limit use until a certain number of years have passed so that passions have cooled and the participants in certain events passed away.
If hard core pornography or obscene material is illegal and not constitutionally protected, it will not be in publicly accessible collections. Not legal remedy is needed since it is already illegal. It is unlikely that any publicly funded information agency would select this material unless there was an exceptional circumstance (for example, serious faculty research on some aspect of the impact of sexually explicit material on human behavior. No policy is needed here since this material is already illegal and will not be held.
Material that is legal, but offensive is another story. However, it is doubtful that any publicly funded information agency would select this material and add it to the collections.
As you might expect, popular definitions of what is "obscene" vary widely. A Joy of Sex book would surely be obscene to some members of the community. If the collection was limited to material that offended no member of the community, it would be a very small one. It is unreasonable and perhaps illegal to limit adult access to material that is both legal and popular. It is reasonable and legal to limit children's access to these material. How to provide access for adults but not for children is a difficult problem.
The major difference with the Internet is that local users are being provided access to distant collections without mediation. The information agency has become a gateway. With present technology, there is little control over where users go and what they do. While the agency may argue that it has no control over the Internet and is thus not responsible, this is not a popular viewpoint. It is also not one that the recent Supreme Court decision allows [at least for those libraries receiving federal funding]
While information agencies may select particular Internet destinations as worthwhile, we cannot always limit users to those destinations. We also know that there are many web sites and some lists and news groups that are offensive, some may be illegal. Disinformation is widely available on the web.
The Children's Internet Protection Act [PL 106-544] requires that schools and public libraries must employ a technology protection measure to protect against access to visual depictions that are (1) obscene, (2) contain child pornography, or (3) are harmful to minors. This includes computers in staff and administrative areas. Filtering must be disabled for any adult who requires it. Filtering may be done at the network or the individual work station. School and public librarians need to be familiar with both the Act and the regulations that implement it. Consult with legal counsel on CIPA compliance. CIPA does not apply if the library does not receive federal funding such as LSTA or E-rate funding. Librarians must inform users of limitations associated with filtering technology, including policies and procedures for unblocking upon request. Policies should also be created for patron complaints about objectionable images.
Although this may appear extreme, a few organizations and agencies simply do not allow Internet access. Without connectivity, most of the problems mentioned in the literature disappear. At some time in the future, when technology will allow the information agency to select Internet destinations and limit access to only those destinations, connectivity may take place.
Similarly, if thin clients are used instead of work stations all computer programs are mounted on a server controlled by IT staff. This eliminates concern about loading games or whatever on agency computers.
Regardless of the solution chosen, most information agencies will need an acceptable use policy to deal with client work station problems such as:
Without being a legal document (but do have your attorney approve it), the AUP must specify what behavior is appropriate and what behavior is not. While not necessarily in the policy itself, you must decide how the policy will be enforced and what the consequences of violating the policy will be. There is little point of adopting a policy if staff refuse to enforce it. It is often useful to have users sign a form indicating that they have read, understood, and will follow the policy.
While it is important to have a clear, equitable acceptable use policy (AUP), policies do not by themselves solve problems. There is a considerable literature available on AUPs with much of it easily found on the Internet. Problems are solved only when information professionals and community members work together.
Since many parents are worried and anxious, some public libraries have developed training workshops. The assumption here is that parents are responsible--not information professionals--for what their children read and view, but that parents need help in teaching their children how to use the Internet appropriately. Besides teaching identification, retrieval, and evaluation skills, such workshops are intended to lower fear.
The posted disclaimer that states that the Internet contains false and offensive information and that parents are responsible for what their children view and read. There is some question about the legal standing of this approach and it probably will not be successful in creating good public relations.
These may be combined with the disclaimers mentioned above. Here, all under legal age users are required to have a parental consent form on file before they are allowed to use unfiltered workstations. This means that information agencies will need to have a relatively quick verification process before allowing a child or teen to use a work station.
Although a violation of user privacy, some information agencies place public work stations, especially those connected to the Internet, in a place where staff can observe use. It is assumed that staff would intervene if inappropriate use was observed.
This can be a substantial legal problem if staff find themselves looking at offensive images while going about their duties. A major public library was sued by staff because of this issue and lost.
Here, work stations are only available in staff areas and users must team with a staff member to use the work station. The staff time and effort implications are substantial. Privacy issues will concern many.
By limiting work station use to adults, many problems associated with Internet access can be eliminated. Adults would be allowed to access the Internet with their own children.
Moral suasion is simply the appeal to do the right thing because it is the right thing. It is the easiest of all solutions, but there is considerable doubt about its effectiveness.
Because of court sanctioned Federal and state legislation mandating filtering on all work stations accessible by children and teens, this is the most popular solution for politicians and others wishing to protect "impressionable youth." So far, filtering by key words and address has been somewhat effective, especially with images.
The Kaiser Foundation, which studies health, media, and entertainment issues for young people reported on a 2002 study of six widely used filtering programs used with about 3,500 websites. At their least restrictive setting, 87 percent of the porn sites were blocked and all but 1.4 percent of the health information sites were available. At their most restrictive setting, 91 percent of the porn sites were blocked as were 21 percent of the health information sites. In either case, the filters did not "protect" against porn. Other studies have found a higher percentage of useful [non porn] sites blocked. This is called "overblocking."
Since much filtering software is designed for home use, it may not
contain
features important to librarians such as user control of the filter,
the
capacity to override a blocked site, and clear information on what is
blocked
and how. In selecting filtering software, librarians need to consider:
An example of machine filtering was the blocking of the website of the Flesh Public Library in Piqua, Ohio named after Leo Flesh so that patrons could not access the Library's website.
Poor quality filtering software may deny adults access to informative, quality sites (the famous "breast" cancer example). As filtering software improves, it may become a more effective solution. At the moment, it may create an additional problem because the information agency appears to provide a "safe" environment when it cannot. This could create additional liability. Consumer Reports has found that even the best filtering program failed to block 14% of objectionable sites while blocking many sites presenting legitimate but controversial information. Then too, there is the question of filtering foreign sites, such as those that might be in Spanish.
A few libraries are using a "smart card" to provide more options. After reading policy statements and signing appropriate forms, parents decide which level of Internet access is appropriate for their children. The child is then issued a "smart card" which must be inserted into the computer for Internet access and which limits access to the level selected by the parent. One level, for example, only allows the user to go to pre-selected "good" sites. The parent is clearly responsible for the access level. However, if the filtering did not work properly and the child was able to access inappropriate sites, the library would be in a difficult situation. The system is also quite expensive.
As more individuals and families have home work stations with Internet access, public access problems may decline in some information agencies. Most individuals would prefer to access the Internet in the comfort and privacy of home. However, there will likely be a core of users who will not have home access and will continue to use libraries and other public access sites.
However, the need for AUP policies for employees will remain and could become even more important as more exciting broad bandwidth applications become available on the Internet.
Select an information agency of your choice. List limits information professionals have traditionally placed on use of collections and services. Which of these seem most appropriate? Why?
Select an organization or information agency of your choice. List problems that might require an client AUP. Discuss the major elements to be included in the AUP? How effective is the AUP likely to be? Why?
Select an organization of your choice. List problems that might require an employee AUP. Discuss the major elements to be included in the AUP? How effective is the AUP likely to be? Why?
Consider the several solutions mentioned above plus others of your choice, and indicate which ones you would chose if you were in a public or school library in a community where there was much political pressure to "act now." Why?
Last major revision: January 2005.
