Sophos News

Employee surveillance – how far is too far?

Not happy with your job? Been LinkedIn-ing it up on work time, on the company’s network and your work-issued PC? Have you sent out your résumé and titled the message something straightforward? Like, say, “résumé?” Or maybe you’re smarter than that, and you move risky conversations and you-are-toast-if-they-find-out keywords to an encrypted app, like WhatsApp?

Oh, dear.

Somebody should have filled you in: you see, workplace surveillance has grown up. It’s put on its big-boy pants. It’s evolved past eyeballing email and eavesdropping on phone calls: that’s so old school.

According to a report from The Guardian, the technology has gotten to the point of a “digital panopticon” that includes tracking where employees browse online and what they say in text messages, capturing screenshots, recording keystrokes, nosing around in social media posts, surveilling “private” (ha!) messaging apps like WhatsApp, and even inserting itself into face-to-face interactions between co-workers.

Employee surveillance isn’t exactly new. As Bloomberg reported last year, companies including JPMorgan Chase and Bank of America have explored systems that monitor workers’ very emotions, all in the name of boosting performance and compliance.

In February, Bloomberg BusinessWeek reported on goings-on at the Daily Telegraph, where employees discovered mysterious “OccupEye” black boxes beneath their desks, set up to track exactly when each desk was occupied.

Another company, Humanyze, has microphone-equipped smart badges that track employee movements, creating a heat map of office activity to help companies plan more effective office redesigns. The badges don’t track conversation content, but they do track how often employees talk to each other, as well as each employee’s proportion of talking to listening.

Combined with big data technologies, Humanyze promises a whole raft of additional applications, such as better predictions of when valued employees are planning to quit, so companies can intervene to keep them.

Which gets us back to the use of that trigger word, “résumé.”

As the Guardian reports, it’s common, if old-school, for employers to use keyword detection, keeping an eye out for lists of predefined terms including swear words and slang that give off an ominous odor. Yes, it’s common for employers to set up keyword detection, in spite of the approach throwing off a good deal of false positives and being pretty easy for employees to skirt… well, except when they don’t.

That’s what happened when an All State Insurance franchise conducted a live demonstration of a package of employee monitoring tools from Awareness Technologies under the brand Interguard. The technology worked quite well in the demo. Almost immediately after starting to scan the network, it hit on an email with the words “client list” and “résumé”, the Guardian reports:

The demonstrator opened the email in front of a room full of peers to discover his best employee was plotting to move to another company.

Well, ouch. Old-school, but still, ouch.

Some of the newer, more cutting-edge employee spy apps:

Is all this intrusive as hell? Oh yes, though by and large, it’s legal in the US. California and Maine have slightly stricter laws protecting employee privacy, but for the most part, employers can track you without worrying too much that they’ll get into legal hot water – barring spying on employees via webcam. However, there is one product, WorkSmart, that snaps photos of workers every 10 minutes, combines the images with screenshots of their workstations, mixes it all up with recorded app use and keystrokes, and bakes up a “focus score” and an “intensity score” to gauge whether freelancers are worth their salt.

Where the legality (possibly) stops is when the boss starts monitoring – or even asking about – employees when they’re off the clock, according to the legal site Nolo.com. The issue came up a few years ago when a former sales executive for the money transfer service Intermex sued her employer for firing her after she disabled a 24×7 monitoring app.

Nolo says that for public employers, both monitoring and merely inquiring about employees’ off-the-job lives are largely off-limits.

As far as private sector companies go, some state constitutions, including California’s, prohibit employers from taking any job-related action against a worker based on whatever (legal) activity they do when they’re not working.

That’s not the same as forbidding monitoring of off-duty workers, though.

Of course, companies that handle money have a vested interest in keeping an eye on potential rip-off artists in their work force. As the Guardian notes, that’s why most surveillance tech providers focus their attention on the financial sector: that’s where companies are required, by law, to prevent insider trading by tracking staff communications.

One of the news outlet’s sources said his employer, a large consulting firm, was pondering whether it could look at employees’ Facebook pages to see if they could sniff out fraud. Say, if a trader changes their relationship status from married to divorced: would that put somebody under financial strain, leading them to fraud or theft?

It’s quite a leap, to assume that somebody whose marriage broke up is going to be turned into a thief and should be monitored, he said.

At any rate, don’t assume you’re free and clear if you don’t work at a stock brokerage or the like. These surveillance products are increasingly being sold to monitor employee productivity, data leaks, sexual harassment or other inappropriate behavior, the Guardian reports.

Many of us will balk at this surveillance state, particularly if we think of ourselves as knowledge workers. We don’t clock on and clock off at exactly the same time. There’s no production line that’s going to blow up if we aren’t standing on it at exactly the right time of day.

As knowledge workers, we’re always on the clock. We work on weekends. We read emails on our vacations and in the wee hours of the morning. Didn’t Silicon Valley already work this out? Don’t Google and the like tell employees to take time off whenever they need it? To go ahead and work from Starbucks if you want? Isn’t work about the outcome, as opposed to simply being busy?

“Do this to programmers and watch them leave,” Naked Security’s Mark Stockley says.

We can think that way if we’re knowledge workers, and if we’re lucky, our bosses will feel the same way.

Does that make it OK to stick cameras, heat and motion sensors, klaxons set to go off when they hit on keywords, and the like on the people we consider to be non-knowledge workers?

I’m thinking that factory workers, security guards, retail workers and the like would bristle at the notion just like anyone else.

No person is a collection of body parts, running in automatic mode, with their brain shut off and their knowledge put on a shelf.

But in a tough job market, and given a non-sympathetic legal landscape, what choice do workers really have?