Workplace computer monitoring

^{First posted in this form on January 18, 2010}

Introduction

The spread of powerful personal computers throughout the workplace has brought on an age of unprecedented productivity where information can be leveraged to make any task simpler, easily reproducible, or less expensive, or where knowledge can be shared more effectively to the benefit of an organization.

The explosion of employee and employer access to the increasing capabilities and capacities embodied in modern computers available anywhere in the enterprise has also brought along serious challenges - coincidentally the potential to harm productivity, but also to threaten employee and employer rights, make difficult maintaining a positive workplace environment, and raise issues with appropriate handling of all kinds of data which may be sensitive to the individual or to the institution.

In this blog, we will examine some of the issues that are raised and the most common tools being brought to bear on resolving problems and needs. We will look at the advantages and disadvantages to each tool, and we will introduce a very different approach.

Issues and concerns

The desire of an employer to know what is going on in his or her workplace in ways that are discrete and involve technology can make any employee nervous - many of us grew up reading Orwell's vision of a future where we were under the constant watchful eyes and control of tele-screens and their unseen masters.

At the same time, the term "going postal" has entered our lexicon, and those of us with children to protect or who might be responsible for the care of someone who is powerless fully understand the need to shield them and ourselves from those in our midst who would hurt us. A person who is the unwilling object of someone's affections would certainly appreciate the knowledge the company is pro-actively targeting sexual harassment with effective tools. And we all understand at some level that what grievously hurts the company we work for will ultimately affect our paycheck or the quality of our work environment.

But between the two extremes and in the absence of an immediate threat, the proper balance between an employer's need to protect his or her assets or obtain the information necessary to make the best possible business decisions and the employee's need for privacy, dignity, trust and the free rein required to do his or her job can be difficult to find.

Here are just a few of the competing interests that play into computer workplace monitoring:

For the employer

1. The need to prevent loss of assets or productivity through theft or abuse of resources;
2. The need to document and defend disciplinary actions;
3. The desire to identify, reward, and promote highly productive personnel;
4. The need to isolate good as well as bad practices, process chokepoints, and unnecessarily repeated traffic or handling issues;
5. The requirement to mitigate damages from lawsuits and other issues emanating from civil and employment rights;
6. The need to ensure compliance with government regulations and other matters of legal authority; and
7. Audit trails for documenting data-to-computer linkages and the appropriate application of tools and policies.

For the employee

1. A sense of being respected and trusted by the employer;
2. A reasonable sense of privacy (that your teenage daughter's panic e-mail to your work account revealing she is pregnant won't come to the attention of your boss or co-workers);
3. The ability to access resources you need to do your work (notably information or applications on the Internet);
4. An understanding of the changes in expectations of performance and freedom that go with breaks and other legitimate downtime;
5. Reasonable social interactions with co-workers;
6. Equitability - the balancing of attention to potentially negative discovery with the attention to (and recognition of) a positive discovery (such as effort above and beyond the call of duty); and
7. Even-handedness - that all employees are being monitored with the same rules in play. Note: It is discriminatory on its face to deploy any of these tools to target a specific group or individual without having first established and documented reasonable cause, yet virtually all of these applications are designed and optimized for focusing on a single computer. The few exceptions tend to offer servers or multiple-computer support as tacked-on options, as a means to centralized data storage, or merely as a search tool for selecting a target from multiple possibilities. None offers enterprise considerations like the ability to compare an individual metric against a real-time average or mean for the organization. Entering into a monitoring situation with a preconceived agenda or subject could potentially expose an organization to substantial risk and lead to unexpected consequences.

[For a detailed discussion of how the viewSender monitoring system specifically benefits an employee, see our blog entitled "Workplace computer monitoring can be an employee's best friend" at http://hubpages.com/hub/Workplace-computer-monitoring-your-best-friend.]

These are by no means all of the different considerations that relate to workplace computer monitoring, but as you can see there is ample room for concern and need for discussion on both sides of the subject. Perhaps more importantly, while discussions of computer software tend to evoke images of abstract technologies, workplace computer monitoring is much more a human factors problem than a technical problem, touching on social, legal, relationship, and emotional elements in the workplace.

You would think, therefore, that this is no place for clumsy or mechanical approaches.

Current tools

Unfortunately, while later in this article we will introduce technology that can accommodate empathy and adaptability, the tools now in vogue for monitoring workplace computers could best be described as fixed single-focus weapons for attacking the problem, with a far stronger relationship to the computers they are monitoring than to the users of those computers (my use of militaristic terminology is intentional - many of these tools presume any anomaly is the harbinger of an evil plot of some kind, and provide only two levels of response - shoot or don't shoot - to issues). Disclaimer: Our testing was by no means scientific. The testing was performed by reasonably intelligent people well-versed in technology with a sincere effort to apply instructions properly and to use the tools as intended. Our goal was to obtain a general sense of what the utility was meant to do and to apply some diligence in our effort to determine if the utility could perform as advertised (and whether the utility's intended purpose fit well within our understanding of workplace computer monitoring).

Monitoring application functional groups

The general term "monitoring application" includes two groups of utilities, those which passively monitor computer usage and those which control access to websites or other applications. The passive monitoring applications observe and record behaviors, while access control applications police user behaviors by using "white" lists (those websites you are allowed to visit or applications you are allowed to use) and "black" lists (those websites you are restricted from visiting or applications you cannot use).

Access control applications require making a policy choice before deployment - when users access a web site or application not already on one of the two lists, the options are:

1. Allow access to all sites unknown to either list, and then forward the unknown website address to an administrator for later review and addition to either the "white" or "black" list; or
2. Block access to all unknown sites, and require supervisory approval and addition to the "white" list before access is granted.

Organizations tend to gravitate to the first option, because it does not disrupt an employee's work flow or require immediate managerial input - they also tend to become very lax over time maintaining the lists because, especially in the case of websites, the list of unknown websites not yet added to either the black or white list can quickly become ungainly.

The distinction between a passive monitoring application and an access control application is an important one, because access control applications require ongoing human administration (that is, labor costs).

Monitoring application types

Each of the monitoring utilities (or components if several have been banded together into a single monitoring application) currently widely available has evolved in the same manner: A programmer first discovers there is some piece of information he or she could easily capture from a remote computer if given an excuse, and secondly begins a search for a problem to which the information could be applied (to supply the excuse). The adage "if a man has only a hammer, all around him begins to look like nails" has been around a long time, and may never have been more appropriate than when applied to the first generation of workplace computer monitoring tools.

You can get a better sense of this phenomenon by reviewing the list of monitoring tools commonly available and considering how well they actually relate to the lists of employee and employer interests provided in the previous section. Here is a brief list of the most common tools you might retrieve as the result of a Google search using the keywords "workplace computer monitoring applications":

1. Screen capture utilities;
2. Application usage tracking/blocking utilities;
3. Keystroke capture utilities;
4. E-mail/Messenger capture utilities (newer versions can also include social networking sites such as Facebook);
5. Website tracking/blocking utilities and firewalls; and
6. Forensic hard-drive analysis.

Your search may also turn up references to a new suite of products called "viewSender", which represent the next generation of workplace computer monitoring applications - we will describe these products in a later section of this article. Other than viewSender, none of the currently popular monitoring applications offers a truly proprietary or innovative solution, and all depend upon one or a combination of the basic components described above.

The first five items are commonly available as Internet downloads or shrink-wrapped off-the-shelf applications (or as is the case with firewalls, bundled with the operating system or other types of security software). The last item may not seem to belong to the group - it is not a software-only solution, renders the computer unusable, and does not provide a real-time response - but it has become a major factor in civil and criminal lawsuits as the most practical means to determine past activity on a computer (in large part because of the deficiencies in the other listed methods).

Recently, vendors of products like the popular Spector Pro have been combining the individual single-focus monitoring utilities into larger applications to increase sales and range of applicability - however, cobbling several underperforming utilities together does not improve the capabilities or limitations of the individual components and can actually reduce the value of the application by increasing its complexity and administrative/labor costs. In the worst case, merging a number of incompetent applications can undermine the performance of the monitored computer. In the sections below we will take an in-depth look at each of the single-purpose utilities in turn.

Before we move on, a note of caution: Many of these monitoring utilities began life as individual spyware applications meant to be snuck onto a computer's hard-drive, with clandestine visits back to the monitored computer to pick up collected data. As they have matured or been included in larger application suites, some kind of a relationship has been slapped together between the utility and a server or website for transmitting or publishing collected data. We've discovered that is many cases these linkages are not very sophisticated or well-considered - we were able to crash several by disconnecting the network cable from a notebook computer or moving out of range of a Wi-Fi antenna. Quite commonly, when configured to deliver data to a server and a network connection was unavailable, these utilities failed to collect any data during the time they were disconnected. In the few samples of each monitoring utility type that we tested, we did not find any that properly reverted to local hard disk data storage when disconnected, continued to monitor and collect data while offline, reconnected automatically without user notification when a network became available, and then automatically transmitted all data collected while offline after re-connection (in addition to newly collected data). However, we did test this feature with the beta viewSender product, and it worked flawlessly - see the section below describing viewSender products.

Screen capture utilities

Screen capture utilities are one of the earliest (in tandem with keystroke capture utilities), most primitive and certainly most ill-considered utilities in the group. These sprang up in profusion shortly after Mac and Windows graphical user interface operating systems began gaining popularity, and represent something of a kneejerk reaction to the question "what has my son/daughter/distrusted lover been doing on the computer?"

While seeing a screen capture utility advertised for download on the Internet or on an end cap at your favorite retailer might seem appealing as you are trying to figure out how all of the pictures of undressed men and women on your computer got there, it doesn't take long to discover the drawbacks to capturing screen images.

But before I get into the good and bad (mostly bad) about screen capture computer monitoring, we need to recognize one overwhelming advantage to screen captures over any other standalone monitoring utility - the screen image can at most display only what the user can actually see (obviously if the user is not at the computer, he or she may not have seen what the computer is displaying, but whether or not the user is present could be determined by capturing keystrokes and mouse activity). The importance of showing only what the user can see is critically important to the value of recorded data in disciplinary and legal proceedings. While screen capturing is insufficient on its own to withstand challenges, it can be a powerful part of a properly balanced and synchronized monitoring effort - for more information see the comments in later sections about e-mail monitoring applications and forensic hard-drive analysis.

Some final considerations before we move on to other monitoring utilities - if storage and transmission issues could be made manageable, captured screen images may serve as a backstop option of last resort and verification resource for other monitoring methods. and for some situations, there is no other recourse to detect problems. I did some consulting work for a company where one of the tech writers made a nice second income writing business plans for startups - during the work hours he was being paid by our employer. This kind of double-dipping is becoming widespread, and is very difficult to detect since the unauthorized work can often be done with the same tools as used for legitimate work and, short of forensic analysis, may leave few clues. In this case, other indicators (poor productivity, for example) would signal the need for monitoring and a screen capture utility might be appropriate (though beware the privacy and de facto discrimination concerns inherent with targeting specific individuals).

Following are lists of the good and bad considerations when deploying screen capture utilities.

Screen capturing positives

1. The screen image accurately reflects what the user sees at the moment the screen is captured; and
2. The data produced (typically JPG or GIF files) is readily visible and understandable, and doesn't require special tools for interpretation.

Screen capturing negatives

1. The sizes of the files are huge - even the smallest of modern desktop screens (1024 pixels wide by 768 pixels tall) contains over three-quarters of a million raw data points, each requiring three bytes to display full color - that's 2.36 megabytes per image. Saved as a JPEG file at moderate compression, the images will on average shrink to one-tenth their original size, or 250K. That may be acceptable for a single image, but if you captured an image every two minutes over the course of an eight-hour day, you'd consume sixty megabytes of disk space for every user in your organization every work day. If you stored just the last thirty work days of images, you'd need to store and back up 1.8 gigabytes per employee;
2. Assuming you didn't want to have to visit every individual machine separately to get its images, you'd want to store them at a central server or database. How well do you think your network would perform if each individual computer - let's say you have 500 employees - sent their JPEG images over the network every two minutes (3.75 gigabytes of extra data transfer every hour)?;
3. If I had insomnia and absolutely had to get some sleep for an important event the next day, I'd mount a slide show of 200 or so of the average shipping clerk's screen images for viewing on my laptop - that would probably get the job done. Even if that did not do the job for me, I assure you it will work for any security personnel you assign to the task!;
4. (Refer to 3.) Someone has to pay for the labor to review all of those screen captures. JPEG images at ten percent of their regular size are not of sufficient quality to process (OCR) for their text content, and there are no widely available reasonably-priced applications capable of automating the analysis and classification of screen images;
5. JPEG images have no verifiable audit trail - nothing in the operating system records when a screen capture is made or ties it in any way to a specific JPEG image. Nothing in the JPEG image tracks the computer on which it was made or whether it was edited since captured (if someone attempted to alter the image). Even the time and date a JPEG image was created are dependent on the file system on which it is stored, and those are easily changed (accidentally or intentionally);
6. Since any classification or processing of JPEG images requires a first pass by human eyes, there is no means for protecting the privacy of the monitored computer's user. Whatever was on that user's screen when the snapshot was taken will be viewed without exception by another person and subject to the vagaries of human behavior (the same problem applies to other issues that consider the content of captured information);
7. There is no means without human analysis to analyze a JPEG image with respect to another (previous) image to determine if changes between the images justify storing and transmitting the new image, so images must be stored and transmitted regardless;
8. None of the screen capture utilities we examined had any provision to accommodate employee breaks or downtime, or to respect in any way the possibility of an employee having authorized use of a company computer for personal business (for example, online education paid for by the company as part of its benefits, or booking a flight with a personal credit card to a company conference for later reimbursement as an expense);
9. JPEG images as captured by these utilities do not meet the requirements of evidentiary chain of custody or reliability; and
10. There aren't any practical search tools that can find, filter, or sort items in a screen image (one of the many reasons SPAM comes to your e-mail inbox containing much of its text in images, rather than as plain text - this makes it impossible for anti-SPAM utilities to process the content, because those utilities depend upon plain text).

Application usage tracking/blocking utilities

Application usage tracking and blocking utilities have largely fallen out of favor, although their functional behaviors have re-surfaced in the form of utilities that are tied to specific websites or Web applications (Facebook, MS or Yahoo! Messenger, and HTTP-based email sites like Hotmail).

Their intent is to track which applications are used in the course of a computer session, and for how long. In the early days of the personal computer when computers were single-tasking and generally committed to a specific purpose (a word processing application for the secretary's desk, AutoCad for an engineering workstation, or a spreadsheet for the accountant), the idea may have made some sense.

However, the information they provide on a modern multitasking computer using shared components with thousands of modules onboard is virtually useless, and with the growth of portal websites (a single conduit to a variety of activities) and cloud applications, the situation can only get worse.

A study of the screenshot of one such application tracking utility's sample data at the beginning of this section illustrates the problem - does an administrator really care about all the applications and the eleven transactions between them that were utilized so that Word could print a document out to a PDF file? In the event he or she does care, would they want to manually wade through reams of similar entries for all of their employees to find that sequence? Is a daily summary of the ratio of applications used on a particular computer really important among all of the concerns a manager might have regarding proper uses of computer assets and supervising communications and relationships between members of the staff? If so, would he or she be concerned enough to devote significant labor resources on a regular basis to interpret all of the reports the utility is churning out?

This kind of a utility has the additional capability to block access to or usage of a software application. However, modern operating systems such as Microsoft's Windows and Apple's Snow Leopard long ago rendered those features moot - the operating systems offer superior integrated security that can prevent installation of an application and/or offer fine-grained access to not only the application, but its files and other resources, all in sync with users and user groups already incorporated into the organization's network and security model. A summary of some of the good and bad aspects to application usage tracking/blocking utilities follows.

Application usage tracking/blocking positives

1. The utility can block installation of or access to software applications known to be harmful;
2. The utility can report how often and for how long applications are used by individual users, possibly for application license deployment or usage monitoring for applications mounted on a network drive.
3. Some utilities can report text input into certain applications (though those we tested could not report text loaded into those applications from other sources, such as a file).

Application usage tracking/blocking negatives

1. The information reported is restricted to a tiny subset of computer activities, tends to be verbose and is generally not useful;
2. The functions provided are better supported by other means: The operating system provides complete and sophisticated security to control installation of and access to applications and their files, and license usage applications do a better, standardized, and more reliable job tracking licensed software utilization;
3. Reports require human examination for interpretation, and though the privacy concerns raised are less than other utilities simply because they capture less personal information, there are no considerations for user privacy built into these tools;
4. Users and management can be interrupted in their normal (productive) work flow by application access denial. These utilities have an additional side effect of encouraging non-standard solutions (work-arounds) to being blocked from the use of an application. Blocking of licensed applications encourages using open-source applications which may create their own issues;
5. There are labor costs involved in the administration of the black and white lists; and
6. Audit trails and evidentiary chain of custody rules are poorly supported - when present, the methods supplied tend to be proprietary and non-standard, requiring a license to the utility itself to interpret and validate transaction data.

Keystroke capture utilities

There are hundreds, perhaps thousands, of keystroke capture utilities - many more if you count those often included with other monitoring utility application types. Most of the standalone applications have gone over to the dark side - their not-too-subtle advertising claims include meant-to-be-oblique references to their ability to capture passwords, credit card information, and e-mail addresses or other personal data.

Keystroke capture data is generally not useful in the monitoring of computer usage for business purposes. For one thing, the recorded data lacks context - you see only one side of an exchange (the side typed at the keyboard by the monitored computer user). Consider what keystroke-capture applications see in this Messenger conversation:

· Teenager: "Not much..."

· Teenager: "No"

· Teenager: "Sure, when?"

· Teenager: "OK, I'll meet you at the park"

However, the actual conversation went like this:

· Friend: "What's happening?

· Teenager: "Not much..."

· Friend: "Got any weed?"

· Teenager: "No"

· Friend: "I'm going to go over to the park and see if I can score some, wanna come?"

· Teenager: "Sure, when?"

· Friend: "Now"

· Teenager: "OK, I'll meet you at the park"

With the exception of file size, keystroke capture data has all the deficiencies of the screen capture utilities, with one additional problem - the data can be misleading and difficult to interpret correctly. A brief summary follows of some of the good and bad features of keystroke capture utilities.

Keystroke capturing positives

1. Most keystroke capture utilities do a reasonably accurate job of reporting what was typed into the keyboard; and
2. Some keystroke capture utilities offer options to clean up the reported keystroke data and make it easier to read.

Keystroke capturing negatives

1. The data does not include the other side of a conversation, or the surrounding text in the form into which it was entered, and often includes formatting and positioning characters that make interpretation of the reported data difficult;
2. Besides captured screenshots, I cannot imagine anything more boring to security personnel (or more prone to mistakes) than reading through hundreds of thousands of corporate keystrokes hour after hour throughout the business day;
3. (Refer to 2.) The manpower to review all of those captured keystrokes can be very expensive. Formatting and missing-context issues make keystroke data an unlikely target for OCR processing;
4. Keystroke capture files have no verifiable audit trail - nothing in the operating system records when a keystroke is captured or links it to a piece of keystroke data. None of the keystroke capture utilities we reviewed providing any kind of reliable verifiable means for detecting after-capture editing of the file, or could positively ensure a keystroke file was produced by only the monitored computer. The time and date a keystroke capture file was created are dependent on the file system on which it is stored, and those are easily changed (accidentally or intentionally);
5. One of the capabilities hinted at by the keystroke capture utilities is actually a shortcoming in workplace computer monitoring - the unharnessed discreet collection of private data. Since any classification or processing of keystroke capture files requires a first pass by human eyes, there is no means for protecting the privacy of the monitored computer's user. Whatever that user typed will be viewed without exception by another person and potentially exposed to the temptations to do something inappropriate with the data;
6. None of the keystroke capture utilities we examined had any provision to accommodate employee breaks or downtime, or to respect in any way the possibility of an employee having authorized use of a company computer for personal business (for example, online education paid for by the company as part of its benefits, or booking a flight with a personal credit card to a company conference for later reimbursement as an expense); and
7. Keystroke files as captured by these utilities do not meet the requirements of evidentiary chain of command or reliability.

E-mail/Messenger/Social networking site capture utilities

There are a number of monitoring utilities devoted to specific activities (e-mail and messenger applications) performed using a website browser or dedicated to a specific website (Facebook, Twitter). I have included in this group monitoring utilities focused on applications that are not properly browsers (Outlook, for example, which can run on an Ethernet backbone and utilize a dedicated server without Internet access).

I've lumped them together in part because they share the common trait that they are highly-specialized. This is the fastest-growing and changing subset of monitoring utilities, and these utilities tend to spring up in batches to address the latest threat du jour (yesterday it may have been E-bay, which remains an issue, and today the challenge is perceived to be Facebook).

It is more difficult to apply generalities to this group of monitoring utilities in part because they change rapidly but also because their features are tied so closely with the specific activity or website they monitor (some may also control access to the associated website). For that reason, I will dispense with an enumerated list of advantages and disadvantages and discuss the good and bad as they apply to groups of these applications.

Considering these utilities as a whole, Individual monitoring applications will vary a great deal in quality, and there are no overarching standards of privacy consideration, audit trail support, evidentiary integrity or even data formatting to which they adhere. Simply by dint of their specialized nature these monitoring utilities suffer from a lack of a common interface (which implies a training issue), requiring an additional application license for each narrow portion of the general monitoring problem the organization is trying to resolve.

In addition to quality unevenness and the fact they seem not to play well with others, they also share a number of common failings:

1. For those utilities we tested, we were surprised to discover how many of them misbehaved when the applications or websites they were monitoring were updated (in at least one case, via the automatic Windows Update service) or changed. It occurs to us this presents a synchronization issue for the administrator when an employee who doesn't know their activities are being discreetly monitored innocently updates an application (or a website they visit independently updates);
2. With respect to 1., we were also surprised that when there is a problem, these applications universally posted asserts and exception messages to the monitored computer's screen, thereby announcing to the user they were being monitored. I would think this would degrade the trust between employee and employer and defeat the purpose of discreet monitoring. Many of these utilities are written with Microsoft's C# language against the .Net framework, which allows a programmer to assemble an application quickly, though not necessarily well - the language also tends to hide the need to understand the environment in which you are working, which seems to be a problem with many of these utilities;
3. Most were focused on monitoring an individual computer, and server/enterprise support seemed weak (with the notable exception of some of the e-mail monitoring tools, especially those directed at Outlook - these seemed more robust and mature);
4. All seem heavily dependent upon human interpretation of recorded results, and most required a significant degree of administrator oversight;
5. These utilities demonstrate a notable lack of consideration for user privacy - all captured content is subject to first-line human review, and there is no consideration for the legitimate authorized private use of the computer (for breaks, etc.) - no "off-the-clock" mechanism (this is critically important to telecommuters who may subject their personal computers to work rules during work hours but are fully entitled to the unmonitored use of their private computers when not working). We were particularly disappointed that the e-mail monitoring applications exhibited this insensitivity, given it is a issue given much play and discussion in the academic community; and
6. Like the utilities in other groups, there is a strong tendency to gather tons of irrelevant information that is difficult to navigate with the options they provide (though many of the applications these particular tools monitor do produce text, and it would be possible to write or acquire external applications to do pattern-matching and regular expressions).

A note about message traffic monitoring in general - tools like these which do not offer the ability to extract text from images (OCR) are rapidly becoming less effective at meaningful monitoring. SPAM'ers, hackers, phishers, disgruntled employees and other malevolent message senders are increasingly sending a part or all of the body of their messages as JPEG or GIF images, which are indiscernible to utilities which can only read text.

Special e-mail considerations

When it comes to e-mail monitoring applications specifically as well as the e-mail applications themselves (and to a lesser degree, other messaging vehicles and the monitoring of applications windows in general), there are ticking time bombs inherent in the way e-mail messages are handled that can cause significant problems for an organization if not carefully considered and managed. The three especially dangerous concerns that require caution and care are:

1. Below-the-fold content;
2. Hyperlinks; and
3. Attachments;

None of these three issues are properly handled by any of the currently-available monitoring utilities we reviewed. You cannot hold the user of a computer accountable for the viewing, forwarding, saving, or even printing of any portion of the body of an e-mail or its contents unless you can demonstrate that the user actually viewed the content in question. It cannot be assumed even that the user of a computer viewed the subject line of an e-mail, given that e-mail subject lines are often truncated in e-mail application message lists and that portions of those lists can be scrolled out of the viewable area. Both of the latter statements are particularly important when computer monitoring is being done in support of disciplinary, enforcement, or litigation matters.

E-mail applications themselves have traditionally been deficient in handling the identification of e-mail messages that have been viewed - they flag any e-mail as "viewed" the moment that it has been opened in an encapsulating display window. The size of that display window is largely out of the computer user's control, and normally will contain just a portion of an e-mail body, with the balance of the body accessible by using scrollbars to bring the content into view. The e-mail content that is not initially visible when the e-mail display window is first shown is known as below-the-fold content, a term from the newspaper publishing world. E-mail applications do not track whether the scrollbars were ever utilized nor do they record in any other manner what portions of the e-mail were visible, or when.

The only means to reasonably assume that any portion of the e-mail, particularly the below-the-fold portion, was viewed by the user of the computer requires a screen capture showing that part of the e-mail displayed on the screen (see the comments in the section above pertaining to screen capture utilities), a capture of the logged-on user information in close proximity to the screen capture, and a record of keyboard and mouse activity within a reasonable time frame both before and after the screen capture.

Whether hyperlinks were ever traversed to their logical end presents similar issues - validation requires a screen capture showing the browser containing the linked page, a record of the user logged on at the time, and collected keystroke and/or mouse activity before and after the capture.

And again, the same considerations apply to attachments and whether they were opened, saved, or accessed. The challenges to validating the viewing of a given e-mail include the fact that e-mail viewing, link traversing, and attachment downloading or activation can happen at different times. You could make a believable argument that the appearance of an e-mail in an e-mail application's list of received e-mails and the email application monitoring utility's capture of that event are the most trivial elements of the monitoring transaction.

For a discussion of means to synchronize the collection of data to properly support e-mail analysis, see the section below on viewSender data collection and analysis methods.

For more information regarding meaningful analysis of e-mail information, see the section below on forensic examinations of hard drives.

Considerations regarding monitoring of non-messaging applications

While over time they may improve, all of these utilities currently lack the sophisticated parsing and analytical tools that can detect new and evolving challenges in the workplace. As examples of those challenges, let's briefly look at two popular websites, eBay and Facebook (there are many other sites that present similar issues). Neither of these sites are likely to be major importers of pornography, discriminatory or offensive language, or criminal behaviors into a workplace.

At the same time, both have the potential to fly under the radar and offer temptations that will significantly impact productivity and the bottom line. Of the two, the eBay situation is the more familiar. It is not unusual to discover employees posting and maintaining their eBay auctions on company time. At the same time, eBay references, links, and auction pages commonly turn up in search results, portal site price and product listings, e-mails and in and of themselves shouldn't be treated as red flags (unless you have a propensity for false positives). Many job responsibilities in an organization could legitimately include the need to peruse eBay auctions or auctioned items, or perhaps even to post an item for auction. The trick is to identify the elements of an auction site maintenance or status page that wouldn't ordinarily be viewed in casual use or which encompass a number of auctions for a single seller.

We didn't find any current tools with configuration options that supported making these subtle distinctions for filtering eBay pages (however, as noted in the section below on viewSender monitoring, the beta viewSender products do offer regular expression parsing of monitoring results both at the agent and at the server, and we were able to reliably distinguish pages related to power sellers and multiple auction listings for individual sellers). The problem is likely to become worse as this kind of activity has now spread to sites such as craigslist.com, where the line between legitimate work (publishing of employment ads for the organization) and personal interest (posting one's own resume) becomes fuzzier and harder to identify and the range of activities broader. Tools for post-processing monitored data with sophisticated logic patterns (compound Boolean logic or regular expressions) would seem to be mandatory for monitoring these kinds of applications and behaviors.

The same problems apply to utilities that monitor Facebook and other social networking sites, but the problems are magnified. Facebook has become a powerful and attractive tool for many organizations to advertise themselves and often, individual members of their staff. Interacting with Facebook pages on many levels has become a desirable part of an organization's daily business. However, where in the previous example eBay offenders may be identified through their roles as bulk sellers rather than casual bidders, the difference between legitimate business activity on Facebook and the employee who is merely addicted to posting family photos and writing on her friends' walls may only be detectable as a function of that employee's name or other identifying information.

These challenges are not likely to go away soon; they are more likely to get much worse. Consider that the latest rage presents all the issues described in the descriptions of eBay and Facebook monitoring, but is not associated with a specific website, application, format, or readily-identifiable pattern. You are looking at an example as you are reading this - blogs. There are dozens of blogging sites that offer free tools and publishing (including this one) to posters and it takes but a few moments to create a unique user name and password - the only other requirement is to spend the time building and importing content (and if that time comes from the portion of the day owed to the job, it can be very expensive to the employer).

As with eBay monitoring (but even more so), reliable detection of potential issues without inordinate false positives requires a very well-considered, preferably automated, post-collection process that can be tailored to intelligently react to several pieces of information and their relationships to one another (for a discussion of the viewSender solution to this and other problems, see the section below describing viewSender products).

Website tracking/blocking utilities and firewalls

As someone well familiar with the genre, I marvel at the power of marketers to render the topic of Internet/website monitoring and access control synonymous with workplace computer monitoring. I am reminded also of the power of coincidence, as the evolution of rapid application development (RAD) tools has birthed hundreds of seemingly attractive, readily available (via download), and user friendly Web monitoring tools. The stoking of the drive to ensure workplace security and the explosion of available products has created a perfect storm of supply and demand.

At the same time (and knowing the shortcomings of these kinds of utilities), I am disappointed that more technical pundits haven't discussed the king's absence of visible clothing. I have come to the conclusion that the popularity of these products comes from a combination of factors: the awe and mystique that remains linked with anything having to do with the Internet (we love the massive amounts of free information available and the access we get to all kinds of things, but we really aren't quite sure how it all works), the lack of reasonable and more effective alternatives, and a "washing of hands" attitude that goes with having thrown money, effort, and technology at a problem (along with an unwillingness to inspect the results of our investment too closely unless and until something goes dreadfully wrong). I file the latter in the same folder with the dollar I give to the bum on the street corner when I am stuck in my car at an intersection and can't comfortably avoid eye contact - a dollar isn't that much these days and I get a brief warm fuzzy feeling that I did the right thing, even as I know deep in the recesses of my mind I really didn't solve the bigger problem.

Regardless the reasons, when questioned managers and administrators will invariably mention the high costs of employees "surfing the 'Net", even as the precise dollar amounts or study methodology used to calculate their loss seem strangely lacking (love 'em or hate 'em, ya gotta give salespeople their due!)

The Internet/website tracking/monitoring utilities are all built from at least a subset of the same premises (not all are listed here):

1. That the content of website destination addresses can be quantified as "good" or "bad";
2. That the nature and content of a website at a given destination address will remain constant;
3. That time spent in a browser can be assigned a threshold value where exceeding that value is a bad thing (some utilities also track time spent by individual website);
4. That Internet activities will occur in a browser launched by the computer user;
5. That time spent on a computer with applications other than a browser is presumed authorized and safe;
6. That all potential harm to a computer comes via the Internet;
7. That no other means exists to access a "bad" website other than the one known to the utility;
8. That the user has access to just the computer being monitored;
9. (Older or primitive utilities) That the fact a browser is open means it is in use;
10. That blocking browser access to a website on the monitored computer will prevent the user from accessing that site (that is, no alternatives are available);
11. That the monitored computer user will have a positive (or at minimum, neutral) reaction to being blocked from a website (along with the realization that goes with it that their Internet usage is being monitored);
12. That the reams of tracking information collected will have value to the administrator.

Let's address each of these in turn:

1. Facebook. Hotmail. Google. Yahoo! These websites (and tens of thousands more) are portals to all kinds of information, software, or time-consuming activities which could ultimately be considered 'bad' or 'good' only after careful (read: human) consideration of the circumstances surrounding a specific instance. At the same time, each of these sites also has the potential to provide access to information and services that could be useful, even critical, to an employee's job function or to the organization as a whole;
2. The worth of this belief has gone the way of many things pre-Google. Search rankings are enhanced by frequent updates to site content, and for the most part changes are rewarded by increased viewer attention and participation. This fact has the additional implication that upon later inspection, whatever you may see at a given website address may not be what the monitored user originally saw;
3. With modern multi-tasking computers, an application (including a browser) can be launched at startup as a restoration of the user's computer profile, the browser can automatically go to a website designated as the browser home page, and the browser can sit on the screen in the background running all day long without the user ever having accessed the Internet themselves. Similarly, a user can work between two applications (for example, Microsoft Word and a browser) intermittently all day long without ever closing one of the applications or changing web pages - in fact, it could be argued that some variation of this scenario is likely the dominant way computers are used in the office;
4. Virtually all modern applications and the operating systems themselves access the Internet, with or without the browser: Microsoft Windows regularly engages the Internet sometimes with and sometimes without user interaction to download and install updates, Word and other applications download fonts, images, and templates in the background as you type, and my programming tools present their help information as a window that gets its data for the Internet but doesn't present itself as a browser;
5. The financial costs of threats to an organizations assets are an order of magnitude greater for information transferred over an Ethernet backbone than they are from Internet threats (Ethernet is the primary physical secured data transport used to transfer file data between your organization's server's and computers - it is generally much faster than your Internet connection and runs without using a browser. You probably access the Ethernet backbone without thinking or knowing about it through alias drives mapped via Windows Explorer). The number one financial threat (by far) to an organization? Employees the company doesn't know are soon departing using their secure access, the Ethernet network and a USB drive to download customer, trade secret, product, and/or marketing data and/or proprietary or licensed applications from networked servers. Lost productivity due to Web-surfing doesn't even make the same list;
6. See item 5., and add to that a.) Lost productivity from use of video and audio player applications on the computer; b.) Creation, editing, and printing (especially color) of documents for personal use (term papers and other schoolwork, resumes, personal letters, and various documents for friends and family members) using company software and equipment; c.) Copying, editing, and burning of CDs and DVDs using company computers; d.) Processing, editing, and production of movies and shorts from personal movie cameras; e.) Creation of advertising and other materials for a personal home office or business; f.) and more, much more...;
7. While it is generally true that at the time of connection the destination endpoint has a specific IP address, that address need not be fixed from one point in time to the next (more importantly, the relationships between URL name mappings and the actual destination IP address can be changed virtually at will via websites DynDNS.com). A URL name path can map to a different I/P address and an IP address can map to a virtually infinite number of URL name paths through domain parking/forwarding and private dynamic DNS servers. Porn, scam and other bad actor sites have sophisticated schemes for avoiding detection by Internet monitoring tools;
8. The fatal error that website monitoring utilities make is that they define the problem as limited to stopping website access on a computer. The problem to be solved is instead stopping the user from wasting productive time while at work. Wasted productive time can be defined as the time spent trying to defeat website blocking, or time spent accessing the website instead via his/her cell phone, or spent hooking up his personal computer to use the wire without installing the blocking application;
9. As noted previously, with multi-tasking computers the fact that a browser application has been opened is meaningless unless the user is actively typing or mousing into the browser, and no other application has primary focus;
10. See item 8.;
11. Most employees recognize on some level that an organization monitors Internet usage; they may even have signed an acknowledgment specifically detailing monitoring procedures at point-of-hire. However, an intellectual understanding of the concept and the sudden reality of "Wait, they're watching ME?!?" are two different things, and the organization is at that point in time totally dependent upon the individual's personality type as to how they are likely to react to the new information; and
12. The high volumes of irrelevant website traffic information these utilities collect tends to obfuscate any meaningful data collected - they generate so much background noise that they tend to hide relevant data.

I want to direct your attention again to item 2. of the second listing. One of the problems with website monitoring tools is that unless they captured the entire image of the page at the time the user visited the site, and updated the images as the user scrolled through the page (none of these utilities do that) there is absolutely no evidentiary or probative value to data collected by the monitoring tool. Without comprehensive image capturing, there is simply no way to recoup what the user saw when he or she saw it, and any presumptions about what may have appeared at that website then as compared to now are purely speculative.

Some recent website monitoring utility versions have begun tracking text in the web pages visited, and that presents a host of privacy, accuracy, image text extraction, and below-the-fold issues very similar to what was described in the section above that pertains to e-mail monitoring utilities.

The landscape of the Internet and it's relationships have changed radically - as noted above, most modern "desktop" applications access Internet components behind the scenes. "Software-as-a-service" applications download, install and uninstall components from the Internet with each use, according to need and their license agreements. Cloud applications run entirely on the Internet - Google provides a suite of applications with which you can support most of your office software needs and never leave the Internet. We are approaching an era where the employee most guilty of "surfing the 'Net" is also your most productive and valuable employee. While the need to monitor internet access still exists because of the sites out there that are potentially harmful to your organization, your employees, or your office work environment, the brute-force blocking of websites not yet approved by the network administrator can actually do serious harm to your bottom line and your ability to compete. The option of allowing no or very limited Internet access (except for those organizations specifically engaged in work that classified, or law enforcement, or work involving trade secrets, high finance, or highly sensitive information) has pretty much gone the way of the dodo bird. The line between legitimate Internet use and questionable or harmful use has been blurred, and website monitoring tools (which, as noted above, have never been very refined or sophisticated) have not adapted to the nuances which help signal a website's value or threat to your organization and its intended Internet usage.

Finally, website monitoring applications tend to be high-maintenance when used as intended, required significant labor resources to review data. The more common case, however, is for website monitoring utilizes become ineffective over time as their maintenance lags behind because organization labor priorities have changed.

Forensic hard-drive analysis

"Forensic hard drive analysis" is not, of course, the name or description of a workplace monitoring utility. It is instead a term describing a dark and expensive place where you can land if your workplace monitoring tools fail you or are inappropriate for the problem you were originally trying to solve.

Where workplace computer monitoring tries to detect and possibly pre-empt behaviors or events in real time (and in stream with your normal business activities) before they lead to bigger problems, forensic hard drive analysis is the option of last resort after a very significant problem has already surfaced. Typically, this means someone has filed a lawsuit or is going to file a lawsuit either against your organization or on its behalf, or that your organization has been directed by a law enforcement agency or a judicial authority to surrender data from a computer or computers for an investigation.

In other words, something bad has happened - bad enough that someone in a position of power has decided to disrupt your business (and certainly, at least one of your computers) to determine what information is on that computer or how it has been used.

Normally, the physical hard drive(s) are removed from the computer and sent to laboratory specializing in forensic hard drive analysis. There are also software options, though these generally are not acceptable to the legal community - there are usually chain of evidence rules in play regarding the physical possession of the hard drive as well as the retrieval and storage of the information on it.

There are several levels of data extraction services, each priced according to degree of difficulty. They can range from a simple certified binary copy of the hard drive contents as is, all the way through to extensive evaluations of data deletion attempts and recovery of that deleted data, reverse engineering of the encryption used to conceal data, and order-of-placement analyses that report exactly the sequence in which the original hard disk contents were written. The most common services involve collection of user-authored data items, including e-mails, documents, images, generic text, spreadsheet data, database contents, cookies and other Internet-oriented data, and file read/write activity.

Forensic hard-drive analyses are regarded as the gold standard for determining what has happened on a computer, in large part because the process mimics evidence-gathering procedures used in law enforcement - a physical entity (the hard drive) dissected in laboratory conditions with each step of the process entered into a handwritten log. However, as other areas of both computer and forensic sciences have evolved, the dependence on forensic hard-drive analysis has remained only because other alternatives have very significant problems, as noted in the preceding sections. However, forensic hard-drive analysis has its own glaring deficiencies - if your organization winds up on the wrong side of a disagreement centered on forensic hard-drive analysis, you'll want to absolutely ensure your legal representation is very familiar with all of the issues in play.

All the problems described in the section on e-mail monitoring utilities are magnified - the below-the-fold problem (was data found on the hard drive ever viewed or under the control of a user, and if so, which user when?), the link traversal issue, and the opening or viewing of attachments (except in this case, the same questions apply to all files on the hard drive).

There is an additional problem unique to forensic hard drive analysis - in the course of normal computer activity, files that are edited or changed are replaced over the top of the old version making the old version irretrievable. That means the only version of a file you can see during a forensic hard drive analysis is the last one version written. this is an obvious problem if the discovery and legal process that led to the forensic analysis took a significant period of time from the original event of interests and the computer remained in use during the interim. But there is a more general problem in the sense that you have even less context to work with (no history at all) for judging the hard drive contents than you do with any of the monitoring utilities - even the most primitive monitoring utilities provide a sequential record of past data to put the information in context. For now, forensic hard drive analysis is that compromise that dissatisfies everyone equally and is the accepted final arbiter for recording past events on a computer. As soon as a more accurate and comprehensive monitoring tool is available (and there seems to be one coming - see the sections on viewSender products below) hopefully forensic hard drive analysis for legal purposes will go the way of barbershop blood-letting.

A very different approach to computer monitoring

The viewSender product family is based on a new architecture and framework designed from the beginning with all of the foregoing in mind. Rather than re-creating a primitive technology first and then looking around for a problem to apply it to, viewSender started with an in-depth analysis of the problems with existing products. From there, viewSender staff interviewed network administrators, management staff, human resources experts, unemployment claims representatives, attorneys, Equal Employment Opportunity Commission civil rights complaint investigators, and employees of several large and small companies.

For the first design pass, technical considerations were ignored on the assumption that there was sufficient programming talent available to resolve any problems that presented themselves. The requirements of the various parties were considered along with the problems presented by earlier monitoring utilities.

Some of the design goals that emerged, in no particular order:

1. The architecture would be modeled after a time-honored, well tested, socially accepted managerial practice that balances the needs of the organization against the concerns for employee privacy and dignity: the supervisory look-in. Throughout the history of organized workplaces, human supervisors have been walking the factory floors and cubicle farms in regular patterns (and on occasion, randomly) checking in on workers as they perform their tasks. When and if during the routine look-in a supervisor sees or hears something that is a cause for concern, he or she exercises their discretion to examine a situation more closely. Rather than attempt to record everything on a computer screen or to track all of the traffic to and from a given computer, the Agent will periodically (typically every two to fifteen minutes) look at the monitored computer's visible screen (no more than a human being would see passing by the cubicle and looking over the user's shoulder) and analyze what it finds there, recording the information if, after comparison to rules provided by the organization, the information is deemed relevant;
2. The design had to be completely automated, for two reasons - first, to reduce or eliminate if possible any on-going labor and administrative costs, and secondly, to ensure no human contact with the collected data when first gathered to respect privacy issues;
3. An automated progression must be a part of the monitoring process, so that when conditions indicate a need for closer inspection, all accelerations or enhancements to the monitoring process are applied equally across all monitored computers experiencing similar conditions, without regard to the specific computer or user of that computer. When the system detects a certain number of alerts (matches to conditions the administrator has earmarked as being of interest) for a given monitored computer, it should automatically increase the frequency of monitoring or add optional data to be collected as configured by the administrator. If the system continues to receive alerts for that computer at the new level, it should step up to a third level. And, when no alerts are received at a new monitoring level, the system should back the level down to the previous level, and if no alerts are received at that level, back down again to the default level.
4. Every step of the process must produce an audit trail to track and eliminate where possible any subjective changes to the normal automated processes;
5. The component performing the work (called the Agent) must be able to perform all required tasks both independently of and in cooperation with the Server component, and seamlessly transfer any data collected between connections when a connection is re-established - the independent and/or cooperative capabilities of the Agent must be configurable to support distributed network models (where the Agent does the bulk of the monitored data analysis) and centralized network models (where the monitored data is transferred to a Server for analysis);
6. The analysis work to be done immediately after collection of data must be able to be performed either at the Agent or at the Server, to allow supporting either a centralized or distributed module as appropriate to and as chosen by the organization;
7. Analysis of collected data must be performed as close to the original collection time and point as possible to determine suitability of the data for later use, to avoid unnecessary transportation and storage of irrelevant data;
8. The data ultimately filtered and reported to management must be relevant, as minimalist as possible while still conveying the highest quality information in an understandable and user friendly format, and as free of noise, unnecessary repetition, and false positives as practical;
9. The Agent must accept and react to employee break start and stop signals from an optional external utility;
10. The Agent must be automatically self-updating, retrieving potentially new configuration instructions or updated components from the Server each time it has contact with the Server (i. e., when dropping off captured data or analysis results);
11. The Agent will be a pure monitoring approach, and must run completely silently at the monitored computer, gracefully handle any errors within itself, and in no case impede or hinder the work being done by the monitored computer user - this means that viewSender products will not, by design and by intent, block access to websites;
12. The system must be easily and securely configurable form a central location, but must support highly individualized Agent configurations as appropriate and required;
13. The primary data unit stored must accurately reflect no more and no less than what the monitored user actually sees (more information may be reported, but must be optional and clearly marked as potentially not visible within the computer screen area);
14. Once collected, the primary captured data unit must at all times be stored as encrypted and read-only, will be wholly-integrated with any optional data collected (such as keystrokes), and will contain an accurate time and data stamp normalized to GMT, the logged-on user information, computer and domain name, and an encoded hardware identification key (to log changes to the underlying computer);
15. The analysis of the captured data, whether performed at the Agent or at the Server, must be configurable and adaptable on a capture by capture basis to the needs of the Administrator, and the analysis must accept between captures and without limitation very sophisticated instructions to support pattern matching, filtering, conditional logic and Boolean operations;
16. All storage and transfer operation will be on the basis of assured delivery - storage and transmission attempts will be retried until the existence of the data at the ultimate destination is verified;
17. Transported and stored data must not tax network performance or impose unreasonable data capacity or storage issues for servers - in other words, file sizes must be small and the rate of collection and transfer reasonable, such that the existing network infrastructure and an existing or new off-the-shelf server could be used to support the system;
18. The system should offer intelligent and sophisticated searching and reporting tools for both current and historical captured data;
19. The option should be provided at the Server to make certain data in the system available to external third party or custom tools on a controlled and secured basis - this would include the automated submission of images and reports to third-party high-speed/bulk optical-character recognition (OCR) systems and/or document management systems; and
20. If possible, to provide all of the functionalities described (excluding optional features) while keeping the client organization's annualized costs per employee (including Agent and Server) below the cost to purchase a single-seat license for just one of the lesser monitoring utilities described in the sections above.

From the design that emerged and over the course of four years to the date of this writing, the technical challenges were identified and the necessary solutions invented (four utility patent applications have been filed so far). In order to support all of the requirements listed above, some unique and proprietary features have been incorporated into the design - some of these include:

1. The requirement to capture only what the viewer actually sees presented significant challenges, primarily the need to radically reduce transmission and storage sizes without reducing image quality. A means of capturing only pixels in the screen image that had been changed within a tolerance range and an accompanying means to then substantially compress that data was invented and refined, and a patent application was submitted. To further reduce the number of images actually processed, the idea of "ignore zones" was introduced where during configuration an administrator could choose areas on the borders to ignore when looking for changed pixels, and could also set a minimum number of pixels that must have changed in order for further processing to occur. This technology reduced a typical 2.5 megabyte 1024 by 768 pixel raw color image to an average stored size of between 25 kilobytes and 35 kilobytes (one to one and a half percent of the original raw data size). The resulting file when expanded and reassembled after storage is of sufficient quality to use as a source file for viewSender's patent-pending optical character recognition enhancement techniques (described below), and can produce OCR'ed text exceeding 99% accuracy against the original image;
2. The need to produce data that is searchable, can be sorted and filtered, and is a viable candidate for sophisticated analysis techniques created a series of challenges. OCR tools used to extract text from high-quality scanned images performed very poorly when the image source was instead captured from the screen (scanned images suitable for text extraction are 3.5 to 4.5 times the resolution, or quality, that a computer monitor produces). The conventional wisdom would have been to upgrade the quality of the OCR component to handle the lower-quality image, but even run-of-the-mill OCR tools such as OmniPage, Abbyy FineReader, ReadIRIS, or TextBridge charge around $100 per seat for their licenses - this violated the need and desire to keep costs for viewSender customers to the bare minimum, and there was no means to subsidize those costs for the numbers of Agents viewSender hopes to deploy. The decision was made to bring the mountain to Mohammed - instead of upgrading the OCR engine, viewSender bet the farm that their extensive programming resources could create ways to make the coarse text more presentable to even the least expensive of OCR tools. After significant travails and work, the viewSender team was successful in their quest and rang up three more patent applications. In fact, they were so successful that they are now able to embed OCR technology directly into the Agent without passing on additional costs to the user, satisfying another design goal (the need to perform any required processing at either the Agent or at the Server as desired).
3. To satisfy the desire to determine as immediately after capture as possible whether data in an image was suitable for downstream processing (to avoid unnecessarily transporting or storing irrelevant data or support files), viewSender created two different mechanisms to allow an Administrator to pass configuration information to an Agent so that the Agent could analyze captured image contents before transport. These techniques can be intermixed or used independently. The first method allows the passing of one or many 'bad' word or phrase lists to the Agent, which the Agent can then compare to the extracted screen image text looking for matches. The second technique allows the passing of one or more regular expressions strings in order to the Agent. "Regular expressions" is a term referring to a very powerful parsing method which allows the application of Boolean and conditional logic to text based on a text string containing the operations to be performed. A quick example of how this might be useful: Suppose you wanted to know about someone accessing the eBay site for the purposes of managing ongoing auctions as a power seller (but don't want to inhibit a user from bidding on an item for sale in an eBay auction). You might create a regular expression which looks for the combination of the word "eBay" and the presence of some combination of the words "submit", "edit", "buyer", or "accept bid" on the page (the latter would be captured as the text or labels for buttons appearing on the page in the screen image) that would not appear on a bidder's web page. This specific combination of words is only for illustration (you'd have to go to the appropriate current eBay web pages and select text that makes sense) but you can certainly create regular expressions (or combinations of regular expressions) that would successfully detect virtually any situation;
4. The viewSender team is currently working on the Server component, and is experimenting with a number of add-on features that would do some very cool things with either after-Agent-analysis text or from the raw text first extracted from the captured image. Some of the future optional capabilities will include: From unique message contents, track e-mails as they are forwarded and replied to during their life on the network and identify key players, influential contributors and bottlenecks. Identify emerging anger management issues and growing sexual harassment problems as changing patterns in individual behaviors. Keep an ear to the ground as sophisticated techniques identify general mood swings throughout an organization in response to internal and external stimuli.

As the viewSender team approaches product release, it has become apparent that their products have the power and potential to revolutionize workplace monitoring in ways that are both more effective and more fair, and I would encourage you to take a look at some of their demo and trial products as they become available.

About viewSender products

The viewSender pcOversight products are engineered for small business, corporations, institutions, and government entities. These products are optimized for Ethernet backbone as well as Internet deployment, and can scale to accommodate the largest and smallest of organizations.

For more about viewSender's commercial products (including their pcTelecommute product, which turns the idea of workplace monitoring on its ear and renders telecommuting a viable option for virtually any employment situation), see our website at http://www.viewSender.com.

As the viewSender product offerings near completion, the viewSender team is actively seeking financing, distribution partnerships, and sales/marketing opportunities. If you would like to speak to someone about any of these topics, please send an e-mail to me at ScottDeaver@hotmail.com.

^{Copyright 2010 F. Scott Deaver and Two's Complement LLC - all rights reserved.}

[Scott Deaver is a software engineer and systems architect with over twenty-two years of corporate enterprise computing and consulting experience. He has authored numerous computer applications and networks requiring fail-safe operation, high performance, and/or tight security. These include the Air-to-Ground Voice System (AGVS) for NASA's space shuttle and international space station programs on behalf of Lockheed Martin as well as SOLA's satellite uplink rain-fade attenuation software. He has produced state-of-the-art software and has several utility patents pending specific to workplace computer monitoring, including two for Caller ID for E-mail and four for Two's Complement's viewSender project.]