Notes from the Technology Trenches - Internet Access and Privacy Issues in Law Libraries

Cindy Curling is the Electronic Resources Librarian at Fried Frank Harris Shriver & Jacobson in Washington, D.C., a web committee member for the Law Librarian’s Society of Washington, D.C., and organizer of its Legal Research Training Focus Group.


Greetings again from the Trenches. This month’s column addresses Internet access, filtering and monitoring in law libraries, but first I’d like to thank everyone who responded to the article on technology related news monitoring resources. I heard about several interesting new sources and also about changes to a few of the services on the list. All the new information has been incorporated into last month’s column.

Also, before we get to the main event, I’d like to share some thoughts on recent technology news. “Notes from the Technology Trenches” is a particularly apt title this month since we have been plagued with the spread of a variety of malicious computer programs. We’ve seen two versions of the Code Red worm, the second of which leaves infected PCs open to the control of the attacker. Also, the Sircam virus has invaded our privacy, sending random files from our hard drives out to the world at large without regard to confidentiality. Even the previously safe Adobe file format has proven susceptible to viral infection.

What’s a PC user to do? You’ve probably heard it before, but it’s worth saying again:

  • Keep your antivirus software up to date, and use it.

  • Don’t open attached files that you didn’t expect to get.  

  • Install and maintain firewall software at home, especially if you have a high speed Internet connection. (Free firewall software is available at http://www.zonealarm.com.)  

  • Back up your files and keep them in a location separate from your computer.  

Elsewhere On the Technology News Front

Some of the responsibility for the recent death of a young Johns Hopkins research subject was attributed to the lead physician’s reliance on primarily electronic resources (from Library Journal - registration required) for background research. Though he made a “good faith effort” to research the effects of the drug used in the study, he missed information which might have prevented the tragedy. Granted, not all research is so likely to involve life and death decisions, but the lesson that print materials are still useful, still essential in some cases, is worth sharing.

That researcher isn’t alone; Internet searching is now on legal record as being difficult. An intellectual property decision - this is a zip file - from the Eastern District Court of Pennsylvania noted that the likelihood of trademark confusion among domain names on the Web was limited because, in the words of the court, “Internet users are inured to the false starts and excursions awaiting them in this evolving medium.” It seems we expect to be tripped up, so we’re becoming appropriately wary.

Judges are ringing in on some other technology issues as well, including workplace privacy. News sources reported this month that in May a group of federal circuit court judges ordered that workplace monitoring software be disconnected in their court, stating that such monitoring is likely not only an invasion of privacy, but also illegal.

Whether you agree with their claim or not, workplace keystroke and Internet monitoring, Internet filtering and Internet access restrictions are a fact of life. In the July column I asked for your feelings on the above issues and followed up with a request to law-lib. Many thanks to those who took the time to respond to my questions. The perspectives represented a range of opinion on what policy ought to be. Most surprising to me, librarians seem to know surprisingly little about whether and how filtering is handled in their work environments, but among those who did know how filtering was handled, there were a variety of approaches. It seems that we may still be in the early days of this debate, and that no one information access policy fits every environment.

My very informal survey was anything but scientific, and the number of responses too few to draw any definite conclusions, but they do provide a sampling of the current environment. All respondents asked that their contributions be kept anonymous. Most were librarians in law firms, but we did have responses from court and government libraries as well.

The questions are set out below with a summary of the responses, including selected quotes.


Does your firm/court/agency/school filter access to the Internet?

Some do, many do not, and many librarians are not sure exactly what is done. Most who reported that access was filtered in their environments were from either very large firms, or provided public access, in which case it was usually only the public access terminals that were filtered. Most law firm responses were along the following lines:

“Our firm does not filter or restrict access to the Internet, though we have a policy which discourages “abuse” of access. If you abuse your access, action can be taken against you and you can be fired. Abuse, however, isn’t defined.”

One exception to the filtering rule for public access was from a government librarian in New England:

“In our public library (the vast majority of users of which are attorneys), we do not filter access to the Internet in any way.”

Many librarians did report that while they were not actively filtered from sites on the Web, they knew or suspected that Web transactions were logged and randomly reviewed.

If access is not filtered, do you think it will happen or is it not something you see in the near future? Why or why not?

Many firm librarians don’t see this as a possibility, citing the need to be able to get to some sites for work that might not be considered appropriate, especially librarians at firms with large litigation practices. The story is different, though, for libraries with public access. This response from a government librarian from Washington State was typical:

“We do not currently filter access, but plan on implementing filtering in the fall when we start to allow public access. Since we get public funds we will HAVE to filter - or give up the funds.”

However, not all libraries with public access approached filtering the same way. The same New England library that doesn’t currently filter access has no plans to do so in the future either, unless required by law.

If access is filtered, how is it filtered?

Most report that if their access is filtered, it’s done at the network level using automated software that filters addresses by category. Some software at the desktop may also filter by keyword. If a Web page you’d like to view contains objectionable terms, or if you try to visit an inappropriate address, you are denied access, and sometimes redirected to a page which states why, e.g., “This page inaccessible due to adult content,” or, “Warning: This page contains hate related content.”

Here’s an interesting twist from a law firm:

“Our usage is not filtered. However, as of January of this year, we have had a filtering tool in place, simply to be able to monitor usage, should an issue arise. Our IT manager is very touchy about this issue. He does not want to enforce monitoring. He feels that everyone is capable of monitoring their own behavior while at work.”

Are all users barred from some sites?

When there is filtering, usually yes. However, a firm librarian in DC reports that her office has had to find a compromise between absolute exclusion from inappropriate sites and wide access:

“If there is a site that has been deemed "inappropriate" but access is needed for work reasons, users can be granted access once the reason for use (e.g., copyright infringement, trial exhibits, etc.) is known.”

Do you use a filtering program to limit access to inappropriate materials?

When there is filtering, usually it is done using a software program that excludes pages listed in an index of inappropriate sites. An interesting point of view on what is inappropriate came from the New England library with public access which does not filter:

“There is no "inappropriate" use; we have no idea what our patrons are doing.”

Because the assumption is that anyone using access is doing so for legitimate work purposes, whether or not a site is appropriate is a non-issue.

Are some users (secretaries or students) barred from using the Internet altogether?

This is another common method of limiting access:

“Included in the policy is a clause that limits the use of the Internet to certain groups within the firm. They do not provide access for most secretaries or office services staff (e.g., operators, receptionist, messengers, etc.). All attorneys, legal assistants, IT personnel, HR, librarian have unlimited Internet access. Secretaries or OS staff can only obtain access upon IT committee approval. This is becoming more common as electronic court filing is becoming more frequent.”   

I have worked in the past at a firm which limited access to legal and library staff, but which granted permission or access to any secretary whose attorney requested it. In practical terms, that meant that most secretaries had access. In our case, though, it was not so likely to happen because there was a need for the secretary to do some task specifically related to her own work. Instead, it was as likely to be because the attorneys did not have the time or, in the case of the older attorneys, the skills to use the Internet themselves.

More often, some employees do not have access to the Internet simply because they do not have a PC. From a Chicago librarian:

“Internet access is only limited with respect to certain staff who don't have their own PCs (mailroom folks are the only ones I can think of) -but they can come into the library and access the Internet through any of our public PCs.”

Whether a firm provides access through a library “public” terminal depends on several factors – budget for the extra equipment, space, policy, etc. My own firm has only recently made available several “public” terminals, but the justification was the need for extra training space. That employees without their own PCs can now use them for Internet access was incidental.

Is access filtered in any other way?

Placement and visibility can also discourage inappropriate use. One federal government librarian works in an environment that has occasional drop-in users. Staff there began to see pornography printed out from the two public terminals, despite the fact that the printers were located behind the reference desk. In an effort to deter further inappropriate surfing, the monitor and keyboards in the public areas were raised so that they would be visible from the reference desk. Users then had to stand at the terminals for access, and it was clear that whatever sites they visited would be seen over their shoulders. Recently, though, the staff was informed that the new placement makes the terminals inaccessible to the handicapped, so they’ll have to come back down. In this instance, access to the Internet for the public may be removed altogether.

Does your employer actively monitor Internet use, or does monitoring occur in response to complaints of inappropriate use?

Almost everyone who responded said that use was monitored both continuously in some way and in response to complaints. Most, however, did not know exactly how this was done. In my own firm, monitoring is passive. As users access the Internet, a log of sites and times is accumulated and saved as part of our regular system backups. A member of our Information Systems staff in our main office randomly scans the logs as time permits, which isn’t often. However, the logs are there to check back on if anyone complains that an employee has been accessing inappropriate materials – in our case, the understanding is that would mean surfing pornographic or hate sites, or spending an inordinate amount of work time using the Internet for personal reasons. Our policy does not define that explicitly, but the expectation is there because it’s the common sense assumption that those are the kinds of sites any person should be careful about visiting.

Other methods of monitoring are more active. Logging programs can be set up to notify the person who monitors access that an infraction has occurred. Logs can also be sorted by site accessed as opposed to chronologically by user.

If a user is suspected of abusing his access, it has become more common for companies to use keystroke or desktop monitoring to gather evidence of infractions.

Keystroke monitoring allows the company to see every file a user accesses and every character he types. However, it’s impractical to store that amount of information on every user, so most companies only use this method when they suspect there is a problem with a particular user.

Desktop monitoring software lets your employer “look over your shoulder” at your monitor and see exactly what you see. To store the information as evidence, it might be accumulated as data on a network drive or, as an alternative, some video cards allow monitor views to be fed directly to a VCR. The volume of data stored either way makes this impractical as a broad monitoring tool, but useful for gathering evidence when abuse is suspected.

What are the consequences for abuse or inappropriate use of Internet access?

Most times, violation of an Internet policy or abuse of access subjects an employee to appropriate disciplinary action, up to and including termination of employment. For most offices, that seems to mean that employees expect to get a warning, but know they may be fired outright.

If there is a policy, is it formal or informal?

Policies run the gamut from non-existent to unwritten but understood to formal.

Who had input/decided on the policy? Library, I.S. Department? Partner Committee? Agency or school administration?

A typical response:

“There is a policy - librarians were not involved in setting it.... I assume it was done by HR & IS with some input from top Admin folks.

I found it curious that most librarians had little or no influence on setting Internet access policy. An exception, again, was the New England government library with public access:

“I believe there is a statement in our policies somewhere about our disinterest in filtering.  The policy was set with the professional staff and with our State Librarian, who strongly supports free access.”

How do you feel about workplace privacy? Are you careful to keep personal use of the Internet and your computer to a minimum at work? Do you think it's fair to use work resources for personal reasons if you do so on your own time and there's no apparent additional expense to your employer?

Here there was a greater range of responses, though every person reported that they used their work access to the Internet for personal reasons at least some of the time:

“I don't think people abuse the privilege enough to take it away - and there's always the argument that being able to order something from Amazon during work hours actually results in less time spent away from the office.”

“With respect to personal use of the Internet, I access personal websites occasionally on my lunch break, or after hours. Doing so does not incur any additional expenses to my employer, so I don't really see a problem with it.”

“I keep personal use of the Internet and my computer to a minimum at work. I feel that there are a few cases in which an employee can use work resources for personal reasons (e.g., term papers and other degree-related activities). However, that work should be done outside of work hours (e.g., lunch or in the evening).”

“As far as work place privacy goes, I don't believe employees should expect complete privacy.  We have no objection to private use of the Internet by employees as long as it is kept to a minimum.  There is a little "slippage" in this area; some employees use the Internet for private stuff more than a minimum amount of time (we have taken no action yet...it's not that bad).”

As a librarian, how do you feel about the idea of limiting access?

Most were strongly opposed, even in a non-public environment, though there were exceptions:

“I think each person needs to be handled on an individual basis. When I first started here, I thought that it would make sense for everyone to have Internet access. However, the longer I work here, the more I appreciate the policy the way it is established. There are many people who would take advantage of it. However, I can also see the flip side - I think that firm-wide Internet access could help boost firm efficiency. I have developed a library Intranet site that would provide the secretaries, or other personnel who are not extremely web savvy, the ability to answer ready reference questions easily.”

“I honestly don't believe in filtering, at least not at a company. A public library is a different being…The recent situation in MN [where librarians in a public library are suing their employer on the ground that the unfiltered access provided there constitutes a hostile work environment] leads me to believe that some sort of effort needs to be made, like the mandatory or automatic log-off of the computers. This limits anyone else from the exposure.”

“I think access to the Internet should be limited in schools, public libraries and work environments. Children should not have an opportunity to access inappropriate materials (or see inappropriate material when others access it), regardless of our freedom of expression guaranties. In a work environment, the potential to offend others is high, and it is best to avoid conflicts whenever possible. Unfortunately, we cannot always rely on others to use their best judgment. If someone wishes to access inappropriate materials, they should make arrangements to do so from home.”

Do you have any anecdotes concerning how limits on information access may be preventing you or your patrons/clients from accessing the materials you need to do your work?

Two items here:

“One firm I worked for had a large trademark practice, and one of our clients was Playboy. We sometimes had to look at Web sites of Playboy’s competitors to see whether on not their trademark was being used without their consent. While I didn’t particularly enjoy looking at some of those sites, it was part of my job, and it would have been impractical for my firm to limit access. Our Internet policy was never so strict to prevent us from viewing whatever site we needed to see.”

“The only objection we ever received regarding what patrons were viewing came from a staff member. If she looked back over the patron's shoulder as she walked by, under the privacy hoods we have, and into the screen recessed into the desk, she was able to glimpse something she found objectionable. We changed the position of the workstation as a result. To paraphrase a Texas librarian, we never get complaints about something someone has viewed, but rather complaints about what patrons fear others may be viewing.”

____________________________________________

I found the comments and opinions above to be interesting, and more importantly, thought provoking. I was especially surprised at how few librarians had any influence in the development of their firm/school/agency’s Internet access policy. If you don’t have a policy yet, you may still be able to contribute your opinion to the debate. If you are unfamiliar with the issues, or would like more information, this list of resources should get you started.

Once more, thank you for your input on Internet access issues. If you have comments to share about these or other technology-related issues germane to your work, please let me know.

Links to related information sources:

The Boss Is Watching: Workplace Monitoring on the Rise, NewsFactor Network, June 29, 2001.

That Computer is Not Your Toy, New York Law Journal, June 14, 2001.

E-Legal: Electronic Monitoring of Employees by Employers, Law.com, April 10, 2001

Employer Liability Under the Electronic Communications Privacy Act (subscription required), The National Law Journal, July 13, 2001.

How to Avoid Liability for Monitoring Employee Use of E-Mail and the Internet (subscription required), Start-Up and Emerging Companies, February 2, 2001

Keystroke Spies: Conflicting Rights (subscription required), The National Law Journal, June 16, 2000.

Privacy - Workplace Monitoring & Employer/Employee Privacy Conflicts Archive, Electronic Frontier Foundation, last updated April 18, 2001.

Workplace Surveillance Project, Privacy Foundation, March 26, 2001.