Sure, We Can Fire Everyone... If You Want
December 12, 2014 8:33 PM

I run a technology organization within a corporate environment and am struggling with the strict network security rules currently in place on our corporate network. After a lot of debate, I've been given an audience with the executives to try and sell them on why blocking everyday sites like Google, Evernote, Facebook, Reddit, etc is evil and leads to people hating us as a corporation. I need your help! Most specifically, I want to hear from those of you that work for technology organizations (Apple, Google, Facebook, Netflix, Yahoo, etc)... what restrictions are in place for you? What is your experience?

I've tried to explain to these guys that promoting a culture of personal responsibility is always favorable when it comes to establishing a great place to work. Their concerns, of course, are about how everyday employees put the company at risk by doing stupid things (uploading sensitive documents to Google Drive, downloading/installing stolen software, etc). My argument is that stupid employees will be stupid employees no matter what. Our energy is best spent devoting our time to training and communication. Get the employee on your side and you're creating an army of people that CARE about the company as opposed to employees that spend their time trying to end-around the system.

Some specifics:

1) Logging chat communications. My company wants us to use corporate chat software that logs and archives every conversation. My team is against this and just finds ways around it by using other tools, installing rogue networks in the office, etc.
2) Personal websites. I want people to be able to go to their bank website. I want people to be able to check in with their teenagers via Facebook. I acknowledge that sometimes people have to do personal things at work. Isn't this my problem as a supervisor?

Questions:

1) What arguments can I use that I'm not thinking of that will be compelling?
2) What's your experience in your corporate IT environment? I'd like to get a poll, actually, so I can say that Well Known Company A and Publicly Traded Company B and Highly Successful Company C operate without these constraints and no one has died.
3) Maybe I'm wrong. Tell me if I am.
posted by shew to Computers & Internet (25 answers total) 12 users marked this as a favorite
 
I'm going to zoom out a bit. Investigate the Fortune 100 Best Companies to Work For and yearly Baldrige Award winners. You'll find a million examples of why your executives' authoritarian approach to productivity will kill engagement, productivity and satisfaction.

The Three Signs of a Miserable Job is a quick read. You can probably buy it and read it tomorrow. Do so. Lencioni is HIGHLY respected in this arena.

I've done a lot of research and work at my company (a retail non-profit) to increase employee engagement and reduce turnover. What your company is proposing will be disastrous. Not instantly, but it will be a thousand tiny cuts that demolish morale.
posted by OnTheLastCastle at 9:02 PM on December 12, 2014 [7 favorites]


Instead of using the work network for 10 seconds to communicate with someone outside of work, you'll find people will go outside with their smart phones and take 10 minutes to do a bunch of catching up while they're out there.

That being said, IM at my day job (megacorp but not a tech one, though my job decidedly is) is recorded. Regulatory reasons. If you'd like to talk off-the-record, computers aren't the way to do it.
posted by Brian Puccio at 9:23 PM on December 12, 2014 [1 favorite]


ROWE
posted by rhizome at 9:24 PM on December 12, 2014


Previously:
http://ask.metafilter.com/261451/Bring-Your-Own-Device-to-Play-Work
posted by chesty_a_arthur at 9:26 PM on December 12, 2014


It is my experience that if you block social sites on work computers, folks will just visit those same sites on their phones, in the bathroom if necessary.
posted by Sara C. at 9:35 PM on December 12, 2014 [8 favorites]


It might not help, but I suspect you can find Dilbert cartoons to illustrate just about any point you need to make on this topic.

If your company engages in software development, then access to things like StackExchange and Google (and many others) is a necessity. If a developer needs to code, say, a predictive type-ahead field, they don't do it from scratch. They go out and find how other people do it. This leads to higher-quality code, probably delivered faster: no wasting time discovering (or fighting) 'tricks', etc.

There's also the notion that if an employee can do their banking or order some flowers for a funeral or do a little Christmas shopping from their desk at lunch, it allows the employee to use their time more efficiently, plus it keeps the employee in the office versus popping out to run a bank errand which might take an hour with lunchtime traffic.

Hell with it - really what it comes down to is this: you can't write code to make people be honest. If someone wants to steal data, they will figure it out. Your entire company will suffer under the weight of oppressive security regulations that will in the end prove ineffective because (for instance) someone brought in a flash drive. The company would be better off if their employees are well-paid, un-oppressed, and think well of their corporate culture. And that starts with getting rid of ineffective, annoying rules and policies about network use.

If you need to have a rule, I can get behind this one: never trust company data to a third party service. I.e., don't use gmail or dropbox etc for corporate data. You'll need an exceptions policy for things like, say, phone service.
posted by doctor tough love at 9:57 PM on December 12, 2014 [4 favorites]


I work in a technology organization that is part of a larger company whose main line of business is credit reporting (Memail me for the name of the company if you're interested). Because of the credit stuff, this company is incredibly security-conscious and it used to be the case that many popular websites such as Facebook were blocked on the corporate network.

A couple of years ago this ban was lifted and I believe the reason given was they felt the ban was too restrictive and affecting employee morale. Giving employees access to banking websites, Google, Facebook, etc. is what most forward-thinking companies do these days. People will just use their phones to access this stuff if you block it on the network, so companies may as well score a few brownie points with staff by not having a draconian policy about Internet use at work. Some sites are still blocked at my company, but most of the main ones are not.

I actually don't know of many companies that block major websites these days - it was a lot more common say, 10 years ago.

Also with the increasingly long hours that many companies expect employees to work these days - including answering work emails on their phones outside office hours - the least they can do is let people do a few personal things at work once in a while. I think many sane corporations are increasingly realising this.
posted by RubyScarlet at 9:57 PM on December 12, 2014


FWIW, I work in government and I can access most sites but I CANNOT install anything without the "admin password" aka IT. It's not all or nothing.

Our computers are also heavily tracked. An employee uploading sensitive documents to GoogleDocs needs *fired*. Said employee probably would have needed fired anyway... Now you have an easy(ish) way to know that.

My personal belief is that you are paying adults to do a job. If they're doing their job well, who cares? And if they're not...well, IT can verify what it is they *are* doing. Loader trail is HR's best friend, no? (Yep, otherwise they'll just hang out on their smartphones or whatever which is murkier and harder to prove.)

Increasing personal responsibility kind of shines a light on the cracks and helps HR weed out the less efficient.
posted by jrobin276 at 10:33 PM on December 12, 2014 [1 favorite]


I worked for one of the companies you listed above for a number of years, and never encountered a single site or service that was blocked. The machine images have some restrictions (e.g. you can't disable Filevault), but nothing at all draconian (and I had admin on my own machine). These companies generally trust their employees to do the right thing.
posted by primethyme at 12:04 AM on December 13, 2014 [1 favorite]


I may or may not work for the same organisation as RubyScarlet (if I don't, mine is a very similar org) and I can offer a +1 to everything RS said.

We've had a few new people start in my team recently and it's been interesting telling them what they can and can't do. One woman wanted to send an e-mail to her team at her previous job to ask if someone had seen the mug she'd forgotten on her last day and wasn't sure if that was OK. I said of course it was - it's a mug. Who cares. The policies at her previous place must've been pretty draconian for her to worry about that, and that just makes me sad.
posted by minsies at 12:35 AM on December 13, 2014 [2 favorites]


I work at a 300 person tech company in the UK. I could watch porn at my desk if I wanted, as long as it wasn't bothering anyone else and I got my work done (I mean, I don't, but I could). There are no restrictions on what people can browse.

It's understood that a lot of jobs - from "gotta sit here and do something while my code compiles" devs to "there is literally no one on the phone" receptionists - have occasional unavoidable downtime, and that in these instances it's much better to let people look at something that interests them online than to force them to do boring busy work or stare at the backs of their hands.

The company also has a culture of "we count the work you do, not the hours you put in" - management have made it clear that they're much more interested in output than time spent, meaning there's little incentive to stay late for show, and this also means that no one's going to think badly of you if they see you checking Twitter or whatever at your desk as long as you're pulling your weight overall. It also helps that a bunch of senior managers have an online/social media presence, and that they do this stuff during the workday as well as after hours.

I work in a support role, but there's no distinction based on job title around what's acceptable in terms of browsing - a setup where the special devs who are special and make the code that makes the money thus they can do what they like but admin staff can't would be much more toxic.

What I like about this approach is that it's based on the idea that I, as an employee, am an adult - it's taken for granted that I have the ability to manage my own time, to context switch during the day, to take mental breaks when I need them and still get my job done, etc.

Anything short of that basic assumption is kind of infantilising, and restricting people's browsing at management level suggests that there's a perception up there that the drones can't be trusted to have access to the internet and still do their jobs. Working on the basis that everyone is an adult and capable of making responsible choices strikes me as the approach least likely to induce massive resentment in the workforce. And if management don't trust their employees to behave as adults, that says a whole bunch of other things about how they perceive the humanity of the people working below them.
posted by terretu at 2:43 AM on December 13, 2014


Pick your battles. Logging of work email and chat accounts is pretty standard. You aren't going to win that one. Nor, I would argue, should you. These are your professional accounts and you should be professional on them. It made sense to mix work and personal when email and chat accounts were rare to have. But now... get GMail/Skype/FB Messenger/Hangouts/etc on your phone if you want to do some personal email/chatting while at work.

But draconian web firewall rules are something you should bring attention to. Don't frame it as a "personal stuff at work" thing, but as something you need to do your job effectively. Gather testimonials from your employees on how they use Google, Stackoverflow, et al. to be more productive. Just this week I was using YouTube to do training on a piece of IBM software because that's where IBM posted the official videos! People who use my services don't always send email to our support address; sometimes we engage them on reddit and twitter (and they like talking directly to a tech instead of Tier 1 support).

Get articles that talk about alternate ways to address the concerns. For example, clear policies that people who put work documents on unapproved cloud storage will be fired (good idea to get enterprise Box/Dropbox/whatever accounts for everyone). Invest in endpoint management, if they haven't already, to do software audits to make sure licenses are in compliance. Use the endpoint management to enforce virus scanner policies and check quarantine reports (certain problem users may have to have their internet privileges revoked).
posted by sbutler at 3:06 AM on December 13, 2014 [1 favorite]


Look at how your business development team approaches web controls: do they typically work from home or use personal devices to avoid restrictions? If so, how much is it costing your company to accommodate these employees so they work at top form? I am unable to access a lot of websites, and I know how frustrating it can be to try to market when website restrictions are in place. Still, I have done $750,000 worth of business this quarter because I have settled that most restrictions won't change without a management change, also, and changed the way I work to deal with the situation meaning my work is more knowledge management when I am in the office and sales when I am out. That would be a great way to explain it: your staff may use more self-generated but not necessarily new information at the office for better or for worse; if they had access to new sources of information, even just for a part of the day designated for research it would probably improve product outcomes.
posted by parmanparman at 5:53 AM on December 13, 2014


IM recording isn't the same as website filtering in my opinion. I see IM as a work tool even if I do sometimes chat about cats with my coworkers. It's mostly for work communication, and yadda yadda "careful communication." If you work at a big company you've probably had to take training specifically on that topic. The gist: If there's something you don't want to say in email you shouldn't say it in IM either - say it in person.

Also, your team might be putting the company at risk by using other IM tools that aren't recorded. Are you sure that nothing you work on would ever be subject to litigation? The companies I've worked at get very touchy about what's discoverable in the case of a lawsuit.

One benefit of IM logging, if you can see the logs, is that it can save your bacon when there's a disagreement about what was said, or if someone really asked you to do something or not, etc. I hate that CYA aspect of the workplace, but it keeps it from being about what people can remember or did they save that transcript.

Regarding website blocking, I've always found it irritating that even in workplaces that really limit what you can do online, ESPN and other sports sites are ALWAYS unblocked. That's just my personal pet peeve - I can't check my personal email or pay my car insurance bill, but you can research your NCAA brackets all day?
posted by cabingirl at 7:07 AM on December 13, 2014 [2 favorites]


"I run a technology organization within a corporate environment ... My company wants us to use corporate chat software that logs and archives every conversation. My team is against this and just finds ways around it by using other tools, installing rogue networks in the office"

Honestly, if you're running a technology organization and looking the other way on rogue networks, you should be fired. It's not your place to determine what's acceptable or not (are you a lawyer with knowledge on whether your company needs SOX compliance and if so how you're approaching it? What about HIPAA and PCI compliance?).

"Our energy is best spent devoting our time to training and communication."

Training helps but users will continue to do dangerous and silly things.

One reasonable suggestion is to have a guest network that users can attach their personal devices to for personal stuff online at work. Work stuff stays on the work computer and network, personal stuff stays on the personal device and network.
posted by Candleman at 10:03 AM on December 13, 2014 [1 favorite]


Working as a programmer, I use the internet almost exclusively for documentation. This is both direct - via Google - and indirect. The development environment (Visual Studio) accesses Microsoft servers for its help function. I also use StackOverflow when I'm stumped about a problem, and I've used the internet to find some useful open source utilities.

On the personal side, people are going to do what they have to do. It's quicker for them to call up their bank on the internet than on the phone, let alone going there in person. A comparison might be the company cafeteria which is there because eating in is quicker than going out.
posted by SemiSalt at 11:13 AM on December 13, 2014


At places I have been (including at least one on your list):

Logging chat: everything is logged. It's worth noting, however, the use case of those logs: if a large corporate lawsuit is filed against us (which does happen), the logs may end up in discovery for evidence of whatever. But, say, my manager does not have access to read the logs or anything like that, so random personal conversations aren't anything anyone cares about.

Personal websites: I've yet to encounter something blocked.

As someone on the dev side of a company, if you seriously blocked google at work, well, I suspect most of the good people would have left pretty quickly - or found a workaround.

Two specific issues you mention:
- uploading stuff to google drive et al: policies in several places were basically 'don't, and you will be in legal trouble if you do'. If someone is really determined, your blocking won't stop them - and this with training is enough to handle the people who do so innocently. Also, portable devices e.g. laptops all have full disk encryption or remote wipe capability.

- installing illegal software: devs/IT usually have local admin on their machines, admin usually didn't - it wasn't a noticeable problem? Once someone does do something stupid, that's when you put more restrictions on that specific person.

And if you want a big list of major tech companies, Google/Microsoft/Amazon/Facebook all operate similarly to this (I don't know to say for sure for the others, but I'd be surprised if they didn't.)
posted by Ashlyth at 12:48 PM on December 13, 2014


The other day at work, a colleague sent out a screenshot of his browser displaying a "site blocked" message. The immediate response, from one of the execs, was, "Whoops, IT guy was here today, he must have turned on some filter. We'll get that taken care of." The site? BeerAdvocate.com.

Echoing all of the above: IM storage rules don't bother me, but companies with decent work cultures don't restrict internet usage. Having worked at small, medium, and giant tech companies, including one where HIPAA compliance was a huge deal, the only occasion I've encountered blocked sites has been because security filters wrongly tagged them as security risks, and a quick email to IT gets them whitelisted.
posted by orangejenny at 2:03 PM on December 13, 2014


They are a tech company that blocks Google? A straightforward argument is that no developer who can possibly get a better job would want to work there long. It's hard enough to hire engineers right now. Do you really want to add the handicap of being the place so stuffy and corporate you can't Google something? Programmers use Google to look up documentation quite frequently, so it's a direct drain on productivity.

Personally, I'd be on my phone and Googling my way to another job pretty darn quickly.

As for services like Google Docs, I can see why they might be blocked if really necessary. The flip side of that is that the company needs to be responsible for providing a replacement tool that addresses the reason why employees want to use the blocked service in the first place. Blocking useful tools without providing quality replacements is directly saying "You've figured out a way to make your job easier and better. We're taking that away from you now."
posted by zachlipton at 2:18 PM on December 13, 2014


I think most answers here are very reasonable: advocate for a compromise that satisfies productivity and personal desires.

However, I think that you'd be well-advised to consider the possible negative outcomes for you in any policy battle. If it's to the point of 'policy', a lot of folks are already invested in it being carried out exactly the way they visualized it. These people do not want to reopen the discussion of a 'solved' issue.

If it's casual enforcement of general guidelines - never mind. If it's *policy*, tread lightly.
posted by j_curiouser at 5:25 PM on December 13, 2014


I work at a tech company covered by your 'etc' and if I started a new job and found they blocked *any* of the sites you mention, let alone all of them, I would be looking for a new new job before lunch on my first day. We are blocked from accessing sites that our IT department have identified as serving malware - I've never tried to look at porn, so maybe that's also blocked? Nothing else is blocked to my knowledge.

If your execs expect any employee to ever check email/work outside regular work hours, then they should recognize that accessing Facebook/banks from work is the flip side of that blurring of work/personal life time boundaries.
posted by the agents of KAOS at 10:29 PM on December 13, 2014


IBM, Google, and Apple do not censor or filter Internet access. All of them have some variety of employee Internet Access Policy, but none of them are enforced technically. (At least, not in a heavy-handed or obvious way, company-wide. It's safe to say that all big companies have certain business units that are compartmentalized for various reasons.)

My take is that they don't do it because it insults the intelligence of your own employees at a tech company to think that you can implement a filter that your employees can't bypass. Therefore, people who want to violate the policy are going to just do it anyway. So, rather than waste everyone's time with an idiotic game, they just tell everyone the policy and fire people who break it. (I.e., don't look at porn at work, dumbass.)

It's kind of a red flag that you are dealing with what might be politely called a "low trust organization" (i.e. dysfunctional corporate micro-hell) when you start seeing those "Access Denied" banners all over the place. The more technically-focused the company supposedly is, if it still does that, the worse, since it implies a simultaneous reliance on the technical skills of your employees and a contempt for them. That is not a good combination. Even people who may not care about the Internet blocking per se may not want to work at a place like that. It just screams Dilbert/PHB culture.

If you're a company that recruits competitively (or likes to think that it can/should recruit competitively) with Big Tech, then everyone should know that they are really shooting themselves in the collective feet.

I have never seen any straightforward research correlating internet access barriers to engagement survey results, but I suspect very strongly that if you did the math you'd find that the companies that have the least restrictive policies are the most high-trust and engaged environments. (The companies that tend to top the 'employee engagement' lists are the ones that are known for unfettered Internet access, e.g. Google, Facebook, etc.) It would probably be incorrect to suggest that internet barriers cause low engagement (I would be careful not to suggest that); rather they're a symptom of low trust, but as far as recruiting is concerned it certainly tips people off to stuff that you probably don't want to advertise.

Unfortunately, the fact that your company has such a restrictive policy does not make me think that you will have much luck in changing it. But making the argument might be a good experience for you, so it's probably worth doing for that alone.
posted by Kadin2048 at 10:44 PM on December 13, 2014 [1 favorite]


There are two different issues in your post:

- Blocking for productivity purposes (Reddit, social media, blogs) where there's a very strong argument for just trusting your staff to do their work, and only intervening when web use interferes with their job. Particularly with sites like stackexchange, tech blogs etc it's obvious that there's a boost to productivity/efficiency/personal development by allowing (and promoting) access. I completely agree that an employer who completely blocks access to these sites is missing a trick, and may not be the most enlightened place to work.

- Blocking for security purposes (online file storage, personal webmail, proxies, software downloads, removing local admin access) which directly addresses risks to the business and which may well be required by law, software license management, mandated security standards (PCI DSS), or by client contracts.

They're two very different arguments with your exec board - one is to increase efficiency, the second potentially increases risk - and the productivity argument will be much easier to win. We block sites in the second category, but we also provide a staff wi-fi network with no filtering at all so that people can use their personal phones or tablets at their desk if they have an urgent need to check their gmail.

If you really want to pick a fight on the second category of controls, ask to see the details of what risks those controls are mitigating. Most of them should be common sense - we reduce the impact of a virus by locking down user privileges (and provide a separate admin profile for staff who need it, which is only ever used for admin tasks). We reduce the risk of breaching software license regulations by restricting the ability to install applications to the IT team. We control risks relating to data storage, backup, IP, data sharing, retention of personal data and e-discovery by preventing files being moved to non-corporate storage devices/sites.

Our highest risk suppliers are the companies who process personal or sensitive corporate data on our behalf, and we'd start looking at alternative suppliers if they didn't have these controls in place. For what it's worth, intentionally subverting security controls or installing rogue networks could be seen as gross misconduct under typical security policies.
posted by dvrmmr at 12:34 AM on December 14, 2014 [1 favorite]


PS - when we talk to new colleagues in our induction briefings about what we do as a security team, one of the commitments we make is that if any security controls, policies or decisions don't make sense, we will explain them. You should hold your security team or decision makers to that standard. The vast majority of what we do as a security team is common sense.
posted by dvrmmr at 12:39 AM on December 14, 2014


To echo the logging all chat part, I worked at a very large TV company (content, not broadcast stations) that specifically disabled the recording chat ability in Lync. Not only were they not logging chats, they did not want anyone doing it period. This was due to discovery issues with lawsuits. I think this is because they often faced lawsuits of IP, either software for their online service or content for any shows they put together.

Blocking storage sites like dropbox, google drive, etc. may not be the worst idea. I do know that not many people actually realize you can upload stuff to dropbox without installing it, so the standard restrictions on installing software may suffice.
posted by Hactar at 2:08 PM on December 14, 2014

