Internet misuse in the workplace: a lawyer's primer.

• Author: Garrity, James

Computers are swiftly transforming the work environment, creating new opportunities and problems so quickly that keeping up is often difficult. The typical 1998 desktop business computer has more raw computing power than many mainframe computers had in 1990.[1] In many organizations, computers are used at every level--by owners, managers, and both professional and clerical staff. Computers also have finally legitimized the home office as a true equivalent of the traditional office environment. Though these advances in technology have brought many benefits to the workplace, they have also enabled employees with malicious intent and broad system access to cause grievous harm to their companies, coworkers, and clients. In fact, past studies of workplace computer crimes cited in the FBI's Law Enforcement Bulletin identified full-time employees, followed by part-time and contract employees, as the most significant threat to an organization's computer systems.[2] Why is this so? One reason is that employees have a level of access to internal networks and data that a hacker can only dream of. Another is that employees sometimes have personal interests, motives, and grievances that conflict with those of his or her employer. The Internet can satisfy those interests, and employees have not overlooked it.

Lawyers are well positioned to help clients understand Internet-related risks, to develop Internet usage policies, to conduct investigations, and to initiate civil and criminal actions when clients discover employee misconduct. This article is a primer for lawyers on those risks. It explains basic Internet features, and how employees may misuse these features. It also outlines the major laws governing Internet and computer misconduct, and discusses ways of preserving evidence. But appreciating the risks is personally important for lawyers as well. Any computer from which law firm employees can get to both client data and the Internet poses a risk. The possibility that client or law firm data can be compromised means that lawyers must for their own purposes understand how firm employees may misuse the Internet.

Scope of the Problem

The commission of crimes or civil wrongs via the Internet[3] can be subtler and more damaging than the same acts committed in traditional fashion. On the Internet, hate mail needs no paper, no envelopes, and no stamps; pornography needs no film screen, projector, or printer. Manufacturers now ship most mass-market computers Internet-ready, with sophisticated communications software that can send and receive documents, videos, photographs, audio and computer programs. Microsoft's latest operating system, Windows 98, completely integrates Internet access into the operating system itself, making it more difficult than ever to block employee access. Malicious employees can make files and records disappear with the push of a button, and distribute confidential records worldwide in a matter of minutes. Alternatively, an employee can transfer records to a personal e-mail address so the stolen data can be distributed or analyzed at a more leisurely pace. Employees also can configure their company's computer to allow remote, unauthorized users to search system directories and files, retrieving whatever data the intruder chooses.[4] Or the employee can leave data where it is, but download military-grade encryption software[5] and scramble it, making it useless. The potential for harm is especially great in organizations, including law firms, that trade in information and thus are essentially electronic "data warehouses." These entities are ripe targets for malicious employees.

Employee misuse of computers and the Internet occurs in organizations of every size, and in both the public[6] and private[7] sectors. While some employers have elaborate policies and procedures in place for preventing Internet misuse, those policies often are too vague, outdated, or not actively enforced. Managers also may overestimate employee loyalty, or their own skills in detecting computer-based misconduct. For example, many believe users can only transfer computerized files as attachments to a delivery vehicle such as e-mail. In fact, one can easily transfer files via the Internet without e-mail. Depending on the method used, there may be no physical sign on the organization's system that the transfer occurred.[8] Moreover, segregating the helpful from the harmful is no easy task. Once connected to the Internet, an organization will find it difficult to impose content-based restrictions (unlike Westlaw or Lexis and similar services, which allow selective access to content).[9]

Internet Services and Associated Risks

Given the complexity of the Internet, it can be daunting to address the opportunities that it enables. This section reviews some of its basic features, with the goal of simplifying the areas most likely to be accessed by employees using the Internet.

The World Wide Web. The web is what most people think of when they hear the term "Internet." Using the web, organizations and individuals alike make information and commodities available to anyone in the world. Employee visits to illicit sites on the World Wide Web are commonplace. Thousands of free websites contain inappropriate material that ranges from pornography to stolen software to advice on illegal activities. Such sites are usually found by using free "search engines" to track down material on a specific topic. Using any of several popular search-capable sites on the web, a user can enter desired words or phrases and retrieve a list of relevant sites. The user then can go directly to any of the listed sites, returning to the list as desired to go directly to any other site on the retrieved list. This process is sometimes referred to as "surfing" the web.

E-mail. E-mail is the most familiar method for sending and receiving information through the Internet. All major online services include e-mail functions as a standard feature. Employees can transmit e-mail to others whether or not they use the same online service and despite their location within or outside the United States. Most e-mail services allow you to"attach" computer files. E-mail attachments can include any kind of computer file, including text, photos, sound, video, or an entire computer program. This means that virtually any form of intellectual property can be compromised with e-mail.

The identity of the sender of an e-mail transmission may not be easy to figure out. A user can forge a return address on e-mail messages to conceal its origin. Several hacker sites on the Internet explain the procedure. An employee can send harassing e-mail that says the author is anyone he or she chooses, such as "YourTormentor@Forever.com." Sometimes a person skilled in Internet crime can discern the sender's identity. Computers usually relay e-mail transmissions on the Internet across several networks before they reach their destination. The transmission of an e-mail message leaves an evidence trail that may permit eventual identification. Sending truly anonymous e-mail--completely stripped of any identifying information--is possible technically, but it requires more effort than most people are willing to expend.[10]

Newsgroups. Internet newsgroups are essentially computer-era bulletin boards. Here anyone can post text, photographs, software, and full-motion videos for unrestricted, worldwide copying. Most newsgroups are part of a free, global system called the User's Network (Usenet). There are over 30,000 newsgroups on Usenet,[11] covering every imaginable topic, from the trivial[12] to the criminally deviant.[13] Newsgroups are easy to use, similar in many ways to e-mail. The main difference between the two is that e-mail messages are private messages to specific individuals, while newsgroup messages are available to the public. Newsgroup postings often contain forged e-mail return addresses. Any office computer that can reach the Internet can access Usenet.

Unlawful pornography is more likely to be found on Usenet than on the web because of Usenet's greater relative anonymity. A sample Usenet newsgroup database search[14] conducted for this article, and using the terms "pedophile," "preteen," and "girls," retrieved more than 50 sites whose newsgroup title alone suggests the availability of unlawful content. Since Usenet messages are broadcast to millions of people around the world, it is the perfect medium for employees who are trying to reach a large audience.

Chat. Live conversations between users on the Internet exist in many formats (text, audio, video, and virtual reality), on all conceivable topics, and take place 24 hours a day. IRC (Internet Relay Chat) is currently the largest chat network and can be used by anyone with Internet access. Online services such as America Online and Yahoo also offer chat rooms, but the topics of conversation found within these mainstream services tend to be far milder than those in the freewheeling Internet environment.

The IRC network is accessible using free or low cost, easy-to-use software.[15] Two of the most popular IRC software programs are mIRC and PIRCH. On IRC at any given time, there are thousands of chat rooms in operation worldwide. Many IRC chat rooms exist solely to facilitate unlawful activities, primarily through the exchange of computer files. Employees can send any type of computerized company or firm record this way. Employees can load IRC software and even allow other IRC users to access the organization's computer files directly. There generally is no record of file transfers on the IRC network or on the victimized computer. In other words, a company or firm whose data is being compromised in this way may never know it occurred.

ICQ ("I seek you") is a relatively new live chat network with a difference. Instead of gathering in chat rooms, ICQ users must seek each other out and jointly agree to have a conversation. While this...