Big Boss

Turns out it's pretty easy to crash the lunch spread at the American Society for Industrial Security's annual convention. You just walk in, sit down, start munching on salad. I didn't set out to trespass--I only wanted to chat up some corporate dicks, ex G-men, and card-carrying government spooks when their guard was down, beef-tip gravy on their chins. The thing was, when I got busted (halfway through a stale roll), it wasn't by the so-called security specialists with the Efrem Zimbalist Jr. haircuts--it was by one of those superannuated babes with a cotton-candy coif who police the floor of the Las Vegas Convention Center.

And what better locale, by the way, for a convocation of gumshoes, rent-a-cops, drug-sniffing dogs, and keystroke monitors than surveillance-friendly Vegas, the desert home of swivel-mount ceiling cameras and heat-packing casino muscle? If you didn't immediately get the idea that the American Society for Industrial Security is a heavyweight organization to be reckoned with, the Stonehenge-size block letters dominating the lobby of the convention center might have clued you in. Looking about as foreboding as Stanley Kubrick's 2001 obelisk, they spell authority in four giant letters: "A.S.I.S." As in "kick asses."

Based in Arlington, Virginia, just a brief Beltway jaunt from the Pentagon and CIA central, ASIS is the world's largest and oldest association for security professionals.

It boasts more than 24,000 members worldwide who are dedicated to defending management and company assets from the teeming threats from within and without the modern corporation. ASIS members work for Fortune

500 companies and multinational conglomerates like Coca-Cola, Kodak, Bechtel, Ford, and Disney, and, of course, America's élite law-enforcement agencies and spook hives--from the FBI and Secret Service to the CIA and NSA. According to the latest ASIS figures, more than half of the group's members spend between US$100,000 and $5 million per year on security, much of it to set up access-control systems and TV surveillance. When the FBI needs advice on foreign moles in the workplace, it turns to ASIS "to expand our understanding of industrial espionage," as FBI Director Louis Freeh recently put it. Here in Vegas, over the course of three days, nearly

13,000 crime stoppers, tech shoppers, and amateur gawkers will fan out on the convention floor to swap war stories and hawk amazing gadgets--each more diminutive and diabolically inventive than the gizmos in the previous booth.

Oddly, it's the professionals who cover for me when my gate-crashing fails. My table neighbor, a security-fence salesman from New Jersey (razor wire, barbed wire, electrified wire--your complete line of perimeter defense products), has recovered a wayward ID badge from the floor, and it's stuffed with official meal tickets. Mr. Perimeter Defense peels a coupon off the wad and saves me the embarrassment of ejection from the ASIS gathering. "Even though our business is security," he cracks, "sometimes you gotta break the rules."

Pretty easygoing guys, these latter-day Praetorian guards. Now imagine what would have happened if I had bombed into the cherry-paneled boardroom of one of their Fortune 500 clients, or if I had been an employee hell-bent on sharing a non-reciprocal luncheon engagement with the security-conscious CEO. At best--at best--I might have been wrestled to the ground and "pacified" with pepper mace, taser guns, or hand-held lasers that can "flash blind" perpetrators ("perps") for up to two minutes. After all, business is business. (One of the door prizes in the exhibit hall? A Browning shotgun. Leave your business card in the fishbowl.)

I had come to the ASIS conference not to breach lunch-time security, but to feast on the latest technology guaranteed to repel vengeful employees--the nest-feathering, profit-skimming, paper-clip-pilfering, gold-bricking, shoplifting, ax-grinding, monkey-wrenching malcontents. That's not to say that ASIS is concerned exclusively with bad seeds in the workplace. Judging from seminars with titles like "Radical Fundamentalism: Terrorism of the Future?" and "Sue Yourself: Before Someone Else Does," security professionals are nothing if not diversified in their occupational apprehensions.

But hands down, the favorite statistic traded in the cavernous exhibit hall is this one: "Eighty to ninety percent of your business theft is internal." Among the numerous vendors who might sound this klaxon is Mike Bolte, an engineering whiz at Diamond Electronics Inc., which networks cash registers to a computer server that "looks for unusual keypunching activity" and--when it finds likely monkey business--activates surveillance videocams at many of your Wal-Mart, J.C. Penney, and Eddie Bauer outlets.

As those venerable shamuses at the Pinkerton private-eye agency warn, "$15 to 25 billion a year is lost to employee theft." And those numbers climb to $170 billion a year as soon as you stop ignoring "losses from time theft that include bogus sick days, late arrivals, early departures, and excessive socializing on the job." Richard Heffernan, a member and past chairman of the ASIS committee on safeguarding proprietary information, submits, "Fifty-eight percent of the problem of misappropriation of information involves insiders."

The second most popular factoid bandied about by the merchants of corporate defense is no less worrisome: computer-data trashing and other economic sabotage is on the rise because of employee resentment in the era of corporate "downsizing."

As one lecturer puts it, "The so-called American dream--I don't think we have that anymore in most companies." What we have instead are disgruntled ex-employees and soon-to-be-ex-employees who will "steal, vandalize, spread rumors, tamper with products, screw with your computers, and urinate in the coffee pot," he warns.

Kvetch about Big Brother in the workplace to these guys and they'll call your attention to the thin blue line protecting innocent employees like you from the thin yellow line, better known as the ol' Sanka chamber pot. "That has happened twice," our lecturer dutifully adds, "as far as I'm aware." At least twice, judging from the mileage coffee-pot crime is getting as a conversational icebreaker. That's hot factoid Number Three, in fact, and to be sure, it was a hidden surveillance camera that exposed one such culprit in the heinous act. This, in case you missed it, was broadcast to the world on Hard Copy, or so several conventioneers feel compelled to tell me.

What kind of person would stoop to such abomination? "There are 2 million schizophrenic people in this country," our vigilant lecturer states, resuming his theme after digressing briefly into the realms of caffeine and purity of essence. "Not every one of them is extreme, but you've got to be prepared."

Roboboss

Like most everything else, industrial security is feeling the tidal pull of the information age. Whereas wary employers formerly hired platoons of human watchdogs, today a whole panoply of surveillance technology can handle the business of workplace monitoring at a fraction of the cost. Thanks to high-speed modems, cell phones, and ISDN lines, the boss can now tune into surveillance video from the office on his home PC or in his car. Digital "smart-card" keys "remember" which gateways employees have swiped their cards through. Is Homer Simpson malingering with the doughnuts in the break room again? Doh! Yes, according to this handy computerized audit trail of his peregrinations throughout the building.

"You can track how long employees are in any given area," explains Sandra Wagner, a salesperson for Advantor Corp., manufacturer of one such system. You can monitor them even at their computer workstations if you have them log in with their card key. If you really want to get fancy, in a Tom Clancy kind of way, there are proximity readers that can vet your ID cards up to 8 feet away, and a whole line of "biometric" devices that can scan your retina or iris, the length of your fingers, and even your weight, to make sure an impostor doesn't suddenly take up residence in your cubicle.

Many modern factories now require workers to log in at their heavy equipment "to see how long they use it," offers Wagner's colleague, Kevin Brooks. But doesn't that fuel the kind of employee resentment that can lead to stealing, rumor spreading, screwing with computers, java tampering, the whole nine yards? I ask. "You gotta do a little PR to the employees," Brooks explains. "Tell them it's for their protection. Say you don't want outsiders hitting the vending machines in the employee lounge." Brooks is no slouch when it comes to PR. "A lot of managers don't want to install video monitors," he explains. "I tell them, 'Why don't you tell your employees it's for their protection?'"

Says Richard J. Heffernan, who runs a security consulting firm in Branford, Connecticut: "Competitive advantage--that's how you sell security to the Roseanne crowd. You tell them that if they want to have a job down the road," they'd better be prepared to accept workplace security measures, including monitoring.

But why don't you just hire trustworthy people in the first place, the kind who don't require management by high-tech stakeouts? Well, it turns out that the security professionals have got that angle covered, too. There are dozens of consultants eager to hit the infobahn and run down crucial data on a prospective employee's past record--workers' comp claims, health insurance status, criminal rap sheets, proclivity to pocket

Post-it notes, general bad attitudes, you name it. Applicants can submit computerized evaluations via phone.

Though most "reputable" security firms shun legally sticky psychological surveys like the classic Minnesota Multiphasic Personal Inventory (which asks privacy-invading true/false questions such as whether applicants are strongly attracted to members of their own sex), they nonetheless promise to weed out the kleptos, schizos, nutsos, "time thieves," and general chip-embedded-on-shoulder types. A series of rapid-fire questions about a candidate's work history gives the prospective prevaricator little time to trump up answers.

Talk about your high-octane paranoia. There's enough of it on the show floor to keep the adrenal glands of G. Gordon Liddy, H. Ross Perot, and Oliver Stone throbbing for weeks. You'd think that the proletarian rabble was about to face the guillotine first thing Monday morning--well, make that Monday afternoon, after late arrivals and excessive socializing on the job.

To be fair, though, not everyone here is obsessed with Joe Lunchbox as the crime wave of the future. There are plenty of legitimate security wares that any large employer would be smart to look into--for example, revolving door "mantraps" equipped with metal detectors, essentially a Roach Motel for gun-toting loners. (A squad of South American corporate-security jocks was especially intrigued by this technology.) Then there are the shredders and disintegrators "approved for top-secret destruction," which have a certain harmless utility. There are also sensible bulletproof plexiglass shields-cum-teleprompters just like the ones Bill Clinton uses, semiautomatic pistols small enough to holster inside a Slurpee cup, and the latest in motion-sensing alarms.

For those extra-sensitive security concerns, George Wackenhut is on hand. Wackenhut is the founder of --not a fast-food franchise, as the name might imply, but the global-security concern that has been described as the CIA's favorite dirty tricks subcontractor. In 1992, a Department of Energy investigation into the illegal use of eavesdropping equipment at plants operated by Westinghouse and other nuclear energy contractors rooted up 147 electronic surveillance devices. One of the devices could listen in on 200 company phones simultaneously. The company responsible for planting many of the bugs? Wackenhut, of course, a firm with a reputation for leaning on employee whistle-blowers.

Grand theft tempo

But we're back to employee monitoring again. All secured roads seem to lead there, even when the concern isn't grand larceny but those management bugaboos: "long breaks, lack of productivity ... time theft." Which is why I'm surprised to find neither hide nor hair of electronic-mail letter openers, keystroke-monitoring programs, or other spying paraphernalia that are becoming so commonplace in the discipline gingerly referred to as "personnel tracking." Apparently, these tech tools are not exotic enough for licensed gumshoes.

But that's just the point! The fact that these technologies have become so routine means that any manager who purchases network-operating software is probably getting built-in snoop features. In an office hardwired with a server-based local area network managed by software such as Microsoft LAN Manager, a technically inclined boss or network administrator can turn any employee workstation into a covert surveillance post. So there's no need to call in the big guns from Wackenhut.

A recent ad for Norton-Lambert's Close-Up/LAN software package tempted managers to "look in on Sue's computer screen.... Sue doesn't even know you're there!" Often, however, software makers don't even need to advertise these "remote monitoring" capabilities, which allow network administrators to peek at an employee's screen in real time, scan data files and e-mail at will, tabulate keystroke speed and accuracy, overwrite passwords, and even seize control of a remote workstation, if they find it necessary. Products like Dynamics Corp.'s Peak & Spy; Microcom Inc.'s LANlord; Novell Inc.'s NetWare; and Neon Software's NetMinder not only improve communications and productivity, they turn employees' cubicles into covert listening stations. Other software applications count the number of per minute, the employee's error rate, the time it takes a worker to complete each task, and the time a person spends away from the computer.

Not surprisingly, the Orwellian potential of such technology has privacy advocates and working stiffs a bit paranoid. But are concerns about employee monitoring irrational? Remote monitoring certainly happens more frequently and routinely than we tend to think. In 1993, Macworld magazine conducted a study of CEOs and computer-systems directors and turned up some rather unsettling statistics. Twenty-two percent of the polled business leaders admitted to searching employee voicemail, computer files, and electronic mail. The larger the company, the more the snooping. Extrapolating to the workplace at large, Macworld estimated that as many as 20 million Americans "may be subject to electronic monitoring through their computers (not including telephones) on the job."

Potholes on the surveillance highway

As is often the case, the patchwork of regulations and laws addressing such new socio-technological wrinkles aren't exactly models of clarity. Although the US Constitution addresses privacy in the First, Third, Fourth, Fifth, and Fourteenth amendments, there's no amendment specifically guaranteeing it. While the courts have ruled that employers cannot monitor their workers' personal calls, the Electronic Communications Privacy Act of 1986 grants bosses a "business-use exception," which allows supervisory and quality-control monitoring. Practically speaking, that leaves a loophole big enough to fly a Stealth bomber through.

In 1993, the Computer Systems Laboratory of the National Institute of Standards and Technology issued a bulletin titled "Guidance on the Legality of Keystroke Monitoring." The report stated that the US Justice Department "advises that if system administrators are conducting keystroke monitoring or anticipate the need for such monitoring--even for the purposes of detecting intruders--they should ensure that all system users, authorized and unauthorized, are notified that such monitoring may be undertaken."

Still, ambiguity reigns, for the courts have yet to set a clear precedent on the legality of keystroke monitoring.

"It gets even trickier when you look at e-mail privacy," says Marc Rotenberg of the Electronic Privacy Information Center in Washington, DC. I dialed Rotenberg up several days after the Las Vegas convention. "Employees often think that they should have privacy in their personal electronic-mail communications," he explains. "But in practice, there really is no legal safeguard within the organization."

Several years ago, e-mail privacy advocates lost an important test case when a California judge ruled against Alana Shoars, a former e-mail administrator at Epson America Inc. Shoars alleged that her supervisor had printed out and read messages that employees had been assured were private. After she discovered the managerial snooping, Shoars was fired for insubordination, she said. The judge dismissed the case on the grounds that state privacy statutes make no mention of e-mail or the workplace.

The ruling has left civil libertarians glum about the future of e-mail privacy at work. Says Lewis Maltby, who runs the ACLU's workplace rights project, "We had the perfect set of circumstances: we had a wonderful plaintiff, we were in California of all places, and we had a great attorney. We lost. I don't think you're going to see any more e-mail litigation. If we can't win that case in California, we can't win it anywhere."

Telephone communications and e-mail have some protections under the Electronic Communications Privacy Act, but only insofar as they are carried out through a telco common carrier or commercial system such as CompuServe or MCI Mail. Internal electronic mail in the workplace is considered company property.

Stress under surveillance

Assorted studies have found links between employee monitoring and stress--both physical and psychological. A 1990 survey of telecommunications workers conducted by the University of Wisconsin and the Communications Workers of America found that 43 percent of monitored employees said they suffered a loss of feeling in their fingers or wrists, while only 27 percent of unmonitored workers had those symptoms. More than 83 percent of monitored employees complained about high tension as opposed to 67 percent of unmonitored workers. An earlier report by the Office of Technology Assessment also concluded that monitoring "contributes to stress and stress-related illness."

These studies are hardly news on Capitol Hill, where privacy advocates and employee unions have been pushing for fair-monitoring legislation since the mid-1980s. The latest attempt (1993's Privacy for Consumers and Workers Act) expired in Washington gridlock, a victim of the legislative coma brought on by the prospect of health-care reform (but also dinged by the manufacturing lobby). Privacy advocates say the bill will be back this session. It would require employers to tell new hires that they may be monitored via phone, computer, or e-mail. It would also force managers to notify workers when they are being surveyed--possibly by a beep tone or red light--and to explain how the data will be used.

"Employees have the right to dignity," submits Lawrence Fineran of the National Association of Manufacturers, the front-line foe of the bill. "But," he says, "the employer certainly has a right to any kind of data generated by an employee on an employer's time and on an employer's equipment."

"There need to be limits on how that kind of technology is used," counters Erica Foldy, former executive director of the Massachusetts Coalition on New Office Technology.

"We shouldn't re-create the company town," says Gary Marx, a sociologist at the University of Colorado who has written extensively on technologies "that can extract personal information" and threaten privacy. Marx argues that intrusive monitoring not only invites managerial abuse--providing cover for illegal attempts to thwart unionizing efforts, for example--it also elevates inequity in the workplace.

"This stuff often increases the gap between managers and workers," he says. "If managers really believe in monitoring, let's apply it in a more universal way and require managers to be monitored electronically." The economic "damage that can be done by a few corrupt or unprofessional executives is really far greater than somebody taking a little too long on a coffee break," he adds.

According to Marx, extractive technologies have upset another fundamental balance in the workplace. "Traditionally, on an assembly line, there would be a supervisor who would walk by," he explains, "and you knew who that person was. You also knew when he or she was there. That may have generated some anxiety, but in fact, you could gear your behavior accordingly. But now with the mediated and potentially unseen nature of this, it creates a sense of fear and stress, because employees really never know when they are being watched."

In other words, Big Bro could be tuning in any time.

Panopticon redux?

The prospect of total and constant surveillance may sound a bit like science fictional overkill, but the prototype of tomorrow's monitoring has the potential to do just that. You can find it--or more accurately, it can find you--at Xerox PARC in Palo Alto, California. Security is tight at "the PARC," where, after all, the latest edgy tech is conceived and test driven. Yet the security here is rather primitive, and the visitor's badge I'm wearing is, well, positively antique. It's handwritten on paper--and this in the proving ground of the paperless office. As I'm pondering this anachronism, I'm greeted in the lobby by Roy Want, a pleasant chap of 33 years whose boyish features and arched eyebrows suggest a certain capacity for mischief.

It's more than slightly ironic that Want hails from England, the former empire that gave the world Jeremy Bentham, philosopher of utilitarianism and author of Panopticon, or The Inspection House. Published in 1791, Bentham's treatise described a polygonal prison workhouse that placed the penal/industrial overseers in a central tower with glass-walled cells radiating outward. Mirrors placed around the central tower allowed the guards to peer into each cell while remaining invisible to the prisoners--a concept Bentham referred to as "universal transparency." Knowing that they were under surveillance--but not knowing for sure whether they were being watched at any given moment--prisoners would theoretically be on their best behavior at all times.

More than 200 years later, Want, a computer engineer, has essentially reinvented the Panopticon. More accurately, his brainchild, known as the would have made Bentham proud. Want's active badge, worn by some 50 researchers and staffers in Xerox PARC's Computer Science Lab, is about a quarter of an inch thick and 2 inches by 2 inches square. Clipped to a shirt pocket or belt and powered by a lithium battery, the black box emits an infrared signal--just like a TV remote--every 15 seconds. Throughout the computer lab at the PARC, infrared detectors are velcro-mounted to the ceiling and networked into a Sun workstation. Because each employee's badge emits a unique signal, Any other staffer can access that information on his or her personal computer.

Want explains to me that he developed the hardware while working at the Olivetti Cambridge research laboratory in England. His initial idea was to build smart telephones that forwarded calls automatically to the phone extension nearest a staffer at any given moment. But since defecting to Xerox PARC and working with a team to develop the system's "Birddog" software, he's discovered sundry new uses for the technology, he says. While privacy tribunes see active badges as an ominous new development in the brave new workplace, Want and his colleagues see them as "a double-edged sword," with the potential for both benign and malignant uses. "If you can build the system correctly with the appropriate privacy, encryption, and access safeguards, then I think you've built an acceptable system." At the PARC, management and staff have an agreement that the technology will not be used as an authoritarian carrot and stick. The badges are intended as tools to help staffers locate their "friends," as one researcher puts it.

Want is eager to stress the technology's limitations and the ease with which anyone can thwart its abuse. "At any point in time, you can take your badge off and leave it on your desk and go shopping if you want. You can also put it in your desk drawer."

Potential misuse of the technology is more than an academic concern now, for Olivetti is going commercial with the badges, marketing the gizmos to insurance companies, hospitals, and other large institutions with an interest in the whereabouts of key personnel or patients. About 70 researchers at two of Digital Equipment Corporation's research labs have also given Want's badges a trial run. Dave Redell, a researcher who has been outspoken about the badges, has mixed thoughts. "There's a strong feeling around a place like this that we're all colleagues," he says, "as opposed to having a rigid management hierarchy. Use of the badge is completely voluntary. In other kinds of workplaces, though, the potential for oppression is far greater. Even in a situation where you have an official policy saying that this is completely voluntary, it would be much easier for there to be a lot of pressure to wear these things at all times." Others, including the ACLU's Maltby, see active badges in more monochrome tones. "Like rats in a maze," Maltby mutters when I call him for a comment. "They want a pager that you can't refuse to answer."

Ubiquitous computing über alles?

PARC researchers are understandably excited about some of the more benign applications. As a companion piece to the badges, Want has developed a personal digital assistant he calls the PARCTab. About half the size of an Apple Newton, Want's palm-held PDA sends and receives wireless data signals to another network of infrared detectors salted throughout the building. It's part of Xerox PARC's "ubiquitous computing" project, an attempt to banish paper from the workplace. Want can program his personal assistant to trade e-mail and other files with his workstation, and he can access the Internet through his PDA anywhere in the building (except in the bathroom).

Want sees the tabs getting thinner and lighter. Each of us would have dozens scattered around the office, in the car, and at home. Detector "cells will start appearing in public places or the home," he says. "The device will tell you where you are, wherever you are."

Of course, it might also tell them where you are. Surely, that's a concept that's hardly foreign to wired world citizens. Cell phones made it possible for LA's finest to triangulate on O.J. Simpson during his slo-mo odyssey along the Disneyland freeway. And any time you use a credit card or make a long-distance phone call, you're essentially leaving a trail of virtual bread crumbs for the telcos, Visa, and law enforcers.

"There are always these trade-offs between what's useful and what could be done to us," says Want from the belly of the kinder, gentler Panopticon. "The benefits to be had are so great; we just have to be sure that the people who are in control respect our privacy."

I keep thinking of what the block-shouldered gumshoe from one of the major security firms told me in Vegas. Are there certain technologies and techniques that you guys aren't showing me? I asked. "Some things," he said, shaking his head at the naïveté of my query, "we aren't gonna broadcast here in public."