This could be the shortest blog post: They can see everything. If they want to.
Let me fill in some details for you.
A 2012 survey by Salary.com asked 3,200 respondents what non-work-related websites they visit during work hours. The top culprit is…
Facebook. No surprise, right?
The same survey says that 64% of employees visit non-work-related websites every day during work hours, with 39% reporting that they waste 1 hour or less of work time per week on non-work-related activities. The upside for employers is that workers are also more likely to be completing work-related tasks outside of work hours (answering emails, firing up the laptop for an impromptu meeting, etc.).
Nevertheless, employers have taken action. The 2007 Electronic Monitoring & Surveillance Survey shows that 45% of employers track content, keystrokes, and time spent at the keyboard, and 10% monitor social networking sites.
Currently only two states (Connecticut and Delaware) require employers to notify workers when monitoring takes place, though 83% of employers elsewhere already do so.
So, what are surveillance products capable of, you ask?
Courts have ruled that, provided there is a business reason, employers are free to read emails. Some email systems copy all messages that pass through them, creating backup copies. The addition of keyloggers extends this practice to include draft emails that were never actually sent. If you think that deleting an email is the end of surveillance, you are likely incorrect. Earlier this year, Sony learned the hard way that emails never completely disappear, and are particularly not guaranteed to remain private when sent from a business account. The company’s widely publicized hack by journalistic organization WikiLeaks revealed dozens of internal correspondences, and Sony is still recovering months later.
Packet sniffers are just one monitoring tool in the surveillance arsenal. Packet sniffers ‘sniff out’ packets of information as they are transferred over a given network. This information includes not only which websites a user visits, but where the visitor goes once on a site, contents and recipients of emails sent from business and personal accounts, downloads, and audio, video, and internet telephony.
Tools such as Cisco Identity Services Engine address the issue of employees inadvertently leaking sensitive information by giving them an ‘identity’ across all of their devices, enabling the system to identify them whether they are using work machines or personal devices such as phones to access sensitive information. This security management platform enables employers to set restrictions on what information may be accessed from which device, guarding against the security gaps that personal devices open up to potential hackers and other threats.
It is possible and relatively simple to install desktop monitoring software to monitor the desktop of another computer as it is being used live. This software can be installed physically or remotely, and can record every keystroke. The same software can be used maliciously: hackers can trick users into installing it by sending it as an email attachment. Once the user opens this attachment, it records activity and sends these recordings back to the installer; these recordings can include sensitive information such as passwords.