The Wall Street Journal Home Page



Snooping E-Mail by Software
Is Now a Workplace Norm

March 9, 2005

It still isn't known how the e-mail that cost Harry Stonecipher his job as chief executive at Boeing Co. was intercepted or by whom. Boeing directors ousted the CEO earlier this week after they learned about an e-mail he had sent to a female employee with whom he was having an affair.

But what every employee ought to realize by now is how completely nonprivate their office e-mail is. In a recent survey of 840 U.S. companies by the American Management Association, 60% said they now use some type of software to monitor their employees' incoming and outgoing e-mail, up from 47% in 2001. Other workplace privacy experts place the current percentage even higher.

And in most states, companies don't have to tell employees their e-mail is being monitored. Only Connecticut and Delaware have laws requiring companies to notify employees, says Jeremy Gruber, legal director at the National Workrights Institute, a Princeton, N.J., workplace privacy advocacy organization.

Elsewhere, companies are free to monitor at will all e-mail sent and received using company equipment or company e-mail accounts, says Mr. Gruber, adding that he doesn't know of a single case where an employee has successfully challenged workplace e-mail monitoring. As an employee, "you have no rights whatsoever," he says.

There is slightly less attention paid to internal e-mail. Only 27% of employers use technology to monitor internal e-mail conversations between employees, up from 19% in 2003, according to the American Management Association.

The discrepancy reflects companies' overriding concern that sensitive information will seep out to the world through e-mail, even though the most potentially embarrassing or legally damaging e-mails tend to be those sent from one employee to another, says Nancy Flynn, director of the ePolicy Institute, a consulting firm that conducted the survey with the American Management Association. "Internal communications are where employees are most likely to play it fast-and-loose with language," Ms. Flynn says. "That's the e-mail most likely to get employees into trouble."

E-mail-scanning software has become increasingly sophisticated in recent years. In the past, the software would typically check e-mail messages against a list of keywords, such as profanity. Now, such programs can be customized for each company, and often look out for the name of a company CEO, competitors or product code names, in addition to inappropriate language, including profanity and sexual terms. The systems can also track if an employee is copying or deleting files -- or not doing much at all.

Companies can also customize monitoring systems to flag industry-specific words or phrases that might pose ethical problems: Financial-services firms might search for words like "promise," "guarantee," or "high yield," while a health-care company would watch for terms like "patient info" or "client file," says Richard Eaton, chief of TrueActive Software Inc., of Kennewick, Wash. The company's software can track every keystroke, file-download and Internet page that appears on an employee's computer screen. Its customer base of 80,000 employers has more than doubled from roughly 30,000 four years ago.



Many words that raise red flags in company emails aren't printable. Some that are:

 Sure thing
 Easy money
 Patient record
 Client file

Source: TrueActive Software





Increasingly sophisticated monitoring systems now frequently use long lists of terms and evaluate the context in which words appear. "The days of simple key-word searching have really long gone," says Stephen Purdham, chief executive officer of SurfControl. The Scotts Valley, Calif., company has about 14 ready-made lists of hundreds of words tailored to specific industries that it provides customers. In many cases, companies are on the lookout for slang terms specific to certain countries, he says.

One prominent software supplier is MessageGate -- which was started up by Boeing and was spun off as a stand-alone company since 2003. Boeing still uses MessageGate, says Bill Bunker, vice president of marketing at MessageGate, based in Seattle. He declined to say whether MessageGate software was involved in the discovery of Mr. Stonecipher's e-mails. Other MessageGate customers include Lockheed Martin and Tribune Co., Mr. Bunker says.

In addition to software, companies increasingly are hiring staffers to read individual outgoing e-mail messages, says Jonathan Penn, an analyst at Forrester Research. Of the companies that already use software to scan e-mails, 31% also have hired employees to physically monitor e-mails, according to a study the firm conducted last year. The practice was especially common at companies with more than 20,000 employees, Mr. Penn says.

Webcor Builders, a San Mateo, Calif., construction company, put in scanning tools by KVS Inc., MessageLabs and FrontBridge Technologies Inc. several years ago. The programs can search by keywords, as well as by word patterns and competitors' names, says Gregg Davis, Webcor's chief information officer. He says Webcor began using the tools to help it comply with project audits and to keep a record of e-mails for legal matters. Occasionally, though, the tools are used for other reasons similar to what occurred at Boeing, says Mr. Davis.

"Sometimes we have internal investigations, and we're asked to look into allegations," he says. So the software helps the information-technology department dig up e-mails for those purposes.

Some employees have complained that such tools are invasive, Mr. Davis says. But when employees join the company, they sign a detailed document that notes that work e-mail is used for work purposes only. "Sometimes people forget that," he says.

Recently, Webcor ramped up the amount of monitoring it does. In addition to e-mail, it now also monitors employees' instant messages, as well as blog sites, says Mr. Davis. "A lot of this is related to keeping a competitive advantage. We want to make sure proprietary information doesn't get into the wrong hands," he says. But Mr. Davis concedes that the area is "a moving target. There's a fine line between your privacy and a company's ability to do business."

With companies so clearly concerned about what employees are saying in e-mail, the market for scanning software is taking off. Forrester Research says the industry is growing at a rate of about 30% a year, hitting $250 million to $300 million today. Part of the growth is driven by companies' desire to weed out inappropriate content, says Mr. Penn. But increasingly, companies also are using software to make sure e-mails are compliant with corporate governance and regulatory demands, such as Sarbanes-Oxley.

Mr. Stonecipher isn't the first CEO to make an embarrassing e-mail gaffe. Consider Neal Patterson, the chief executive of medical software maker Cerner Corp. of Kansas City, Mo. In 2001, Mr. Patterson fired off a message to senior managers at the company, berating them for their work habits, Ms. Flynn notes. "The parking lot is sparsely used at 8 a.m.; likewise at 5 p.m.," Mr. Patterson wrote in the e-mail. "As managers -- you either do not know what your EMPLOYEES are doing; or YOU do not CARE. ... You have a problem and you will fix it or I will replace you. ... What you are doing, as managers, with this company makes me SICK."

The e-mail promptly leaked out onto the Web. Two weeks after Mr. Patterson sent the message, Cerner stock lost more than a quarter of its value after investors became concerned about the company's prospects and employee morale. Mr. Patterson has remained at the helm, however, and is still CEO of the company today. Through a Cerner spokeswoman, Mr. Patterson says he sent the e-mail to people he knew and didn't realize it would get passed around. The spokeswoman says Mr. Patterson still jokes that his e-mail is used in college courses around the world as an example of how not to manage.