The Starting Line: Plugging security over privacy

Palmer is the CEO of ICaughtYou, a private Bonita Springs, Fla.-based company that allows corporations to monitor their employees' Internet usage. His company has been one of the unsuspecting beneficiaries of the terrorist attacks.

Even before Sept. 11, the downturn in the economy led to a heightened interest in worker productivity and Internet security.

Now, a new emphasis on national security has put corporate security in the spotlight and has led to a quadrupling of hits on the ICaughtYou Web site.

The company was born two years ago, when a tech guru for a government agency suspected his wife was cheating on him. He recruited fellow programmers from America Online and Coca-Cola to help him figure out a way to monitor her instant message sessions. The technology fulfilled its mission and became the core product of ICaughtYou.

Speaking to CNET News.com at Giga Information Group's Infosecurity 2001 conference in New York, a jovial, talkative Palmer explained why his company has seen a huge increase in customers over the past two months--and why he believes Big Brother can be your friend.

Q: How is your brand of employee monitoring different from what's been done in the past by other companies?
If you look at SurfControl and Websense, what you see is anti-employee: "We don't trust you, and we know you're doing something wrong, and we're going to stop you." That's an incredibly negative approach that I think is very demeaning to the employee. I think most employees today really don't want to do anything wrong, but the expectation has never been set with them about what is inappropriate. Companies are just beginning to roll out Internet usage policies.

The approach we take is, "Let's provide management with information about how employees use the Internet so they can better manage employees."

We provide online, real-time reporting, by organization, location, department and individual user logged on to the network. And we present that information over the Internet to a manager in real-time graphs and charts, so they can see what Web sites have they been to, how long have they been there, what chat sessions are they doing with instant messaging, and what is the content of those chat sessions.

We provide a list of key words to filter chat sessions, but we also provide a really easy interface where a company can decide their own key words.

We're also working on an e-mail component of our product, which will be out in the first quarter of 2002.

There's so much data that's collected. How do you enable people to sort through that?
We use a very simple set of fields, and you can look at them over any slice of time: one hour, one day, one month, a year. We also offer a productivity calculator, so you can say the sales department on average makes $100 an hour--so if they were on these Web sites for X amount of time, it relates to this many dollars in the bottom line of lost productivity. We present all that info in dollar figures.

That helps employees to understand, no, you really shouldn't be spending 75 minutes a day on eBay.

You know, there was a recent Gallup Poll run that showed that the average employee spends 75 minutes a day on nonwork-related Internet activity. Seventy-five minutes a day is six hours a week, and that's almost an entire day a week. Most managers would say that's probably not appropriate. But they've never told an employee that.

You've seen a huge pickup in interest since Sept. 11. What do you attribute that to?
Fear more than anything else. Strictly from a corporate perspective, there's fear of liability, and there's fear that there could be links to terrorist activity within their corporate walls.

There's also been so much talk about the federal government using this product called Carnivore, so all of a sudden, there was a lot of talk about Internet monitoring. And companies asked themselves, "Well, what are we doing?" The answer was, "We're not doing anything," and so the interest quadrupled.

After the passing of the USA Patriot Act, now the federal government presumably has the ability to go to a company and say, "This person is a suspect of terrorist activity. We want to see all of his Internet usage activity, and we want to see all of his e-mail." Companies are wondering how they're going to provide that data. Well, we can give them that slice of data.

In the week after Sept. 11, our Web site activity quadrupled, and (it) has increased every week since then. The number of incoming phone calls doubled the week after. And the number of companies that are actually (undergoing trials of) our product is exponentially growing. In early September, we were probably adding five to 10 new trials a week. Now we're adding 15 to 20 per day.

How many of those people have become paying customers?
Over 70 percent. We're seeing people that are using Websense and SurfControl switching to our product.

Why do you think that is?
Both of those products require a database--to sit on their hardware, in their data center--which means that their IT department has to manage it, watch it, and take care of it. It requires additional hardware. For example, a very well-known company with about 2,000 Internet-enabled employees had to add a processor to its NT server once every three months just to handle the Websense database. The database was just getting larger and larger. I was talking with the CIO of this company, and he was saying that this is ridiculous; this is the perfect application to have run by an ASP. It's not mission critical, so let's get it out of our data center.

Also, everyone else in the market is trying to block and filter; they're trying to prevent employees from doing things. But there are 5 million new Web pages posted to the Internet every day. How in the world are you going to build a database that catches all 5 million of those new URLs every day? We think that's kind of a head-in-the-sand approach. So we're seeing a lot of their customers.

Editor's note: Representatives for Websense and SurfControl said Palmer's representation of their products is inaccurate. Websense said its database of Web sites is automatically updated and "downloaded to customers daily, with no effort on behalf of the IT department." It also said the company's database does not require a separate processor, as it is highly compressed.

SurfControl said its database is "automatically and effortlessly updated daily," and that it's not necessary for customers to add processors on a monthly, quarterly, or even yearly basis. In addition, the company said its product has features that can handle new sites that have not yet made it in the database.

How many customers do you have now?
Right now, we look at it more in number of people we're monitoring. Including active trials now, we're approaching 25,000 desktops--without active trials, about 7,500 desktops.

Do most of your customers disclose to their employees that they're being monitored, and what are the legal issues surrounding that?
Everybody is moving to full disclosure. We encourage it.

Every company has a right to monitor an employee while they're at work, whether it be phone or e-mail.

Do your clients usually monitor everyone at the company?
We've had executives that say, "I don't want myself to be monitored." CEOs are never going to be monitored.

When you call into a company, some people really don't want to talk to you, because they know they are going to be monitored. You have to make sure you get to the right person to talk to. Because a lot of people will say, "Oh, no way, I'm not letting you in this door."

Are there any statistics to indicate how many companies monitor their employees?
Only 30 percent of the Internet-enabled employees in America are monitored in any way today. And most of them are monitored through spot-checking.

Are there certain types of companies that are more likely to use this, such as financial firms?
Finance is a good audience. We're also seeing that health care and the pharmaceutical markets are interesting, because there's lots of confidential data.

Are most of your clients worried about employees leaking inside information or about productivity?
I think there's liability problems, productivity problems, and also a cost problem. The cost for bandwidth is growing and growing in corporate America. IT guys are going to CEOs on a regular basis and saying, "I've got to increase bandwidth." Let's look at why. Is the sales department spending all this time doing streaming video while at work? You can look at it from that cost perspective as well.

The debate between privacy advocates and those who want heightened security has been heating up since Sept. 11. Do you find you're getting more criticism, or are people more willing to be monitored in a corporate environment now?
I've had a lot of business publications call me over the past two months wanting to know whether what we do is a violation of privacy--in monitoring Internet usage. My stance is, "What have you got to hide?"

But I think people are a lot more willing to give up some of what they would perceive to be freedom for protection. According to a recent Harris poll, 63 percent of people approve of being monitored.

Frankly, we're at war in our own country. And we have terrorists that are living right here in the United States right now. The only people that have invaded America's privacy are the people who did this, that rammed the planes into the World Trade Center. And we need to think less about the ACLU and violation of privacy and our human rights and think more about how we can help our country continue to be free and enjoy what we've always had here.

Monitoring the use of the Internet I don't think is an invasion of privacy at all. The government has indicated that they want companies to work with them on helping to uncover potential terrorist suspects. The government is going to ask companies to come forward with this data. And I think companies are going to search for ways to help.

But how do you decide how closely to monitor an employee? How often an employee checks their e-mail isn't a security issue.
No, it isn't, but if an employee was going to the Web site that pointed them towards how to buy anthrax or how to build a bomb, that would be very applicable. It's up to a company management team to decide what is vital information and what isn't.

Employees can also get upset about other workers' behavior. We had conversations when we were starting the company and we were hiring people to come work for us. And we asked them how they felt about it, and a lot of them said, "I'd be pretty darn unhappy if I found out that the person sitting in the cube next to me was shopping online eight hours a day while I was doing my job." But do you know when you find out about it? When they quit. They say, you never did anything about this guy in the cube next to me. I'm leaving. And by then, you've lost a valuable asset.

How should companies decide where to draw the line with reprisals? Is it fair to punish an employee for shopping online when they work 12-hour days, or for chatting on instant messenger when they could just as well be talking with co-workers?
Well, that's why we look at content on chat. Because you're right, instant messaging is very much a productive business tool. Where it's unproductive is, we had a customer that had five people in their company, that for a solid week, were having eight-hour-a-day chat conversations with external friends.

It's all about the information. I think there are some positive ways to use this. An executive that I talked to said, "Jack, I have a couple of employees that work 12 hours a day, every day, Monday through Friday, and normally, they'll work four or five hours on the weekend from home. I am not going to punish them by monitoring their use of the Internet. If they want to refinance their house while at work, I have no problem with that.

I said, "Fantastic!" Why not look at Internet usage in a positive way and reward employees for using a tool in a way that helps move the business forward. It doesn't always have to be "I caught you!" It can be, "Ah, I caught you."