Just a quick note, I actually implemented exactly what you are detailing (although I agree it’s still pretty uncommon). The company I work for wanted to know who went where at what time on the company’s internal site, so I just used a common infrastructure management tool and some firewall rules to dump username, ip,…

They need to be sued. They would lose and it would probably be a good step in getting them to change. I don’t like the sue crazy nature of the US but this is a company that really needs to be knocked down a peg.