Your boss is probably spying on you: New data on workplace surveillance
Link information (this data is scraped automatically and may be incorrect):
- Authors: Alexander Hertel-Fernandez, Jacob Hamburger, Luke Herrine, Rabea Eghbariah, Noura Erakat, Alaa Hajyahia, Darryl Li, Aslı Ü. Bâli, Diala Shamas, Maha Abdallah, Shahd Hammouri
- Published: Nov 25 2024
- Word count: 1675 words
To those of you with nothing to hide: One day you might have. Because you don’t make the rules.
Great article. When talking about secrecy vs privacy I’ve always liked the analogy that you lock the door when you go to the bathroom. That’s privacy and has nothing to do with hiding something. Although secrecy also has its place as the article mentions.
Maybe someone wiser than myself can chime in here, because I've never understood the purpose of workplace surveillance software.
Do these companies not set work plans? Do they not check in on project progress? Do they not have teams that run sprints and have agreed upon work schedules?
It just seems like if you are active in the development lifecycle, or at least have semi competent managers that are, there shouldn't be a need for this kind of information. There are much better metrics and indicators like what work got pushed, what bugs were fixed, what etc etc etc... Hours of butt in seat or mouse scrolling don't seem to equate to much.
Imagine you are a manager who doesn’t particularly understand or care about “burnout” or “sustainable workloads”, but at the moment your team is meeting the targets and deadlines that you set. And imagine that someone in the company is worried about disgruntled employees sabotaging or stealing company info (even though your team is fine), and has this surveillance installed, mandatory for every employee in every team regardless of whether or not they actually have any disgruntled employees.
And let’s imagine that one day, out of boredom, you start looking into the data. And you realise that your team only appears to be actively working on the projects for about three hours per day, and still meeting targets. And you know that you pay them for 8 hours per day, whether they’re working on the project for 8 hours per day or whether they’re working on the project for 3 hours and scrolling through the internet for 3 hours and in meetings for 2 hours.
Wouldn’t you start to think about getting more bang for your buck by setting more ambitious projects or tighter deadlines? Why would you accept this wasted time, when you can see the metrics in front of you that are implying an inefficient workforce?
I think going from surveillance systems “for the sake of security” to oppressive workplace demands is the default progression, and only particularly aware and considerate and deliberate managers would avoid the siren song of that data just sitting there, waiting to be abused.
All of this just sounds like bad management.
I'm assuming you're playing devil's advocate, but in case you're not, I think that's kind of a losing game. You can ratchet down on your employees, and if they are getting work done in half the time that you've agreed it will take they are likely good employees, but you're going to demotivate your team. I feel like Silicon Valley is all about efficiency and incentivizing correctly. By doubling their workload you've just halved their hourly and incentivized them to get another job. So now there is a role to fill (multiple months of hiring) and getting someone up to speed on your systems (multiple months of work, derailing other engineers as well), and they might perform worse.
Well yeah, they start out their argument with this
So that clearly is the context this is written in.
Unless management only cares about short-term growth instead of the long-term sustainability of the team. This is unfortunately kinda common due to exit strategies, bonus structures, and promotion chasers
Yeah I certainly agree, I believe this kind of surveillance could be introduced to an organisation by piggybacking on security concerns, but it’s a tool easily misapplied by mediocre management. I would hope that this potential misapplication would be enough to give a well-run organisation pause to even consider implementing it, but I have heard enough stories of poorly managed organisations plodding along (if not raking in the cash) to reckon it’s too easy to sidestep these cautions and implement it anyway.
I was definitely playing devil's advocate, only trying to answer the question of “…because I've never understood the purpose of workplace surveillance software” from the top level comment. Apologies if my attempt at illustrating the story came across as advocacy - that was certainly not my intention!
There are sufficient numbers of incompetent and unethical managers who feel important by collecting and re-arranging vanity metrics (and can't be bothered to learn and use a more effective method) or who are impressed by how much info they can collect from unaware subordinates. I think it scratches a very primal peeping itch, it can be done under the guise of security and efficiency, and it gives people in power the same feeling that a predator might have while watching trapped prey.
You'd be shocked at the kinds of conversations senior and middle management can have when there is a degree of separation between them and the people actually doing the work.
The moment a person gets some heat for "why is this not done yet?" "What went wrong with this project?" And it's under their responsibility, then you'll find that going from "oh it's just a hiccup, we'll be right on track" to "well, it's still a problem, here's some numbers to back me up" to "ok it's still a problem and the numbers still look the same so I'm gonna try something different because I might look incompetent so I'll stick some tracking on employees and report mouse use or something"
A slippery slope for people who earn a lot of money and can't actually make things happen.
I’ve always just assumed that anything I do/type on my work computer is logged and stored for later retrieval should they want it.
I try to avoid doing anything non work related unless it’s something innocuous like checking the news while I wait for a task to complete in the background.
Unfortunately, what you don’t do on your computer can be just as telling.
I think until there are serious legal protections in place, like the article mentions, then that’s the only safe way to operate if you don’t want your employer to know all sorts of things about you.
My last couple of work computers have come straight from the Apple Store, without any company employee ever touching them. I think I have an identifying sticker on the bottom of my current one.
One of the best parts of working at smaller companies (and European companies) is the complete lack of spyware, because at a certain small scale there isn't even a real IT group to do the monitoring!
For anyone who wants a spyware-free job, avoid companies with US government contracts, especially defense. Those often mandate spyware, even for really small companies with no infra for it!
If you work for a company of more than 500 people, you're almost guaranteed to get your hardware and spyware straight from IT, rather than computer vendors. I'm always amazed at the nonsense that my partner's computer goes through
This has always been a wise, though discouraging, view to take. Unfortunately, we live in a very surveillance-happy society. I don't only mean airport security theater, or NSA mass data collection, or allowing corporate tracking for questionable ancillary benefits, or school spyware for digital learning platforms and school-owned devices, but also products like Life360 that allow parents to check on location and myriad other details about their children at any time.
The linked article mentions that the motivation and usage of monitoring tools matters. If the purpose is to promote well-being and there are policies to that effect, it might not cause an immediate detrimental effect. Yet, even when such systems are marketed this way, they are often used to harass and discipline the surveilled. And even if one administration (whether government, school, or parent) may not abuse the tools, another will.
Collectively, we are too comfortable allowing others to watch and catalog everything we do. As @x08 appropriately noted, though you may think you have nothing to hide today, someone may dig it up and use it against you someday. And that day may come sooner than you think.
Don't forget we happily send over our DNA (cheek swab) to companies to get a fun brochure which explains where your origins lie. They now own your DNA and you've given it to them and you had to pay for it.
And by extension, even if you haven't, a close relative might've and you have no idea how or what weird government might creep up in the future and just decide that you don't make the cut.
We've deployed the largest privately owned mass surveillance network in the world because people were annoyed that their packages were being taken off their doorstep.
That police don't need a warrant to view so long as they get permission from one, iirc
Duh?
Like, let's start with a simple scenario, work computer in work environment. It's basically negligent to not be tracking/logging everything you can, ESPECIALLY if you have any sensitive customer data stored.
Just because work has moved remote doesn't mean your threat vectors give a damn.
I'm absolutely not for the mass surveillance that has popped up, but remote is a serious security issue for just about every operation, and one that's not very well handled. Personal servers/setups get compromised, then a work device connects, and now customer data is leaked.
The camera based monitoring for things like drivers is another side of the coin, but also boils down to "it eliminates the he said/she said". It's also used maliciously (only looking at data when an incident happens to fire someone rather than properly auditing the data beforehand to catch the problem), but that comes with all systems like this.
I don't think the type of monitoring the article describes actually prevents this from happening, but more importantly, if this is possible as you describe you're already FAR outside the realm of best practices regarding how to store sensitive customer data.
You would be surprised on both accounts. Again ANY operation allowing some sort of remote work cannot sanitize the home network of the employee so personal risks quickly become company issues.
The faster you detect any concerning behavior the better your chances of having an annoying weekend instead of a company ending lock out.
Yes this info is used by power hungry micro managers to their own detriment but it’s not like they wouldn’t be that way anyways. The only sane security stance is as much data as possible
I'm not disputing that there are risks, but I'm saying that a company that stores customer data the way you describe is already violating a lot of best practices. And the type of employee surveillance described isn't necessarily an effective way to secure customer data anyway -- certainly not on its own, but it's also just not required to have a secure system. My last workplace was fully remote and SOC2 certified but there was virtually none of this type of employee surveillance. The type of employee surveillance being discussed is not designed to prevent employees' devices or networks from getting compromised, and actually following best practices when it comes to storing customer data involves following best practices and implementing systems that are actually designed for that purpose. A company that cares about securing customer data may also employ this type of surveillance to monitor their employees' behavior, but it's absolutely not a necessary or even effective part of keeping customer data secure.
Our company actually gives us access to see everything that is collected from our laptop. It's pretty interesting. All file transfers and executions, all programs that are running and all websites we visit on any browser. Our chats are all logged as well, but those can only be retrieved for legal reasons, not by managers or security.
I just assumed the company knows everything that goes on with our company devices. It's why I have a personal laptop for all non-work things.
This made me think of how many people who have been working on the common good, and the devastation they must feel. I hope someone is archiving all this offsite somewhere, because things like this are likely to be wiped from government servers pretty soon.
Let's imagine that I'm working remotely from my personal laptop. If bosses catch me looking at some NSFW sites... Sorry, but that's an issue of my bosses, not mine.
That’s one or a few steps too late: Personal laptop and remote work (and nothing more) is fine, or company-issued device and spyware is put on it. I’m strictly against installing anything that’s not directly a work-necessitated application onto a personal device… That’s like compromising your life on purpose.
Some employers actually try to put MDM on personal phones these days. Can you imagine? For a work phone, sure, but giving someone that kind of access to any personal device isn't just irresponsible, it's dangerous! From your bank details to your sex life to your family photos, some things should be private. Might as well let the company put a camera in your family bathroom as well to make sure you aren't slacking when you use the toilet.
At least on Android, work stuff is all sandboxed. That said, I refuse to install anything except Slack on my personal device.
When I went full time WFH I bought myself a second hand iPhone SE for not a lot of money, and installed the Intune stuff on there, and leave it mounted in a wall hanger next to my desk as an audible Teams notifier, and for the very low number of times I need to take it out with me if I have to go out in work hours. I do not have any personal accounts or other personal information on this device.
Appreciate not everyone can afford to do this, but really it's for my convenience, it's not mandated by the organisation, it just makes my home working that little bit more friction free. Worth a couple hundred to me to do that.
For me, I find that my anxiety level is surprisingly lower being able to occasionally check work messages from my typical device. It's common for me to step out for lunch or take transit to work, and I don't want to always carry two phones when I'm not at my desk.
Do people actually use their personal computer for work? That seems absolutely insane to me, unless you're founding a startup or small business or something. I thought companies were required to provide equipment needed for the job. Not to mention the headache IT would have...
I'm pretty sure here in Germany it's straight-up not allowed for them to make you use your personal device for work, at least for normal jobs. I remember my last boss saying me having my work Slack on my personal phone was maybe technically breaking the rules (though they never bought me a work phone so I did it anyway). My wife has multiple work laptops (for different purposes) and a work phone.
You would be so surprised. IT security isn't a thing in small organizations.
We have one of the largest enterprises in the world and we have several ways for people to work from personal computers. We even did when everyone just had a desktop during COVID before Zero Trust solutions started rolling out. Most people don't want to use personal devices, which definitely makes it cheaper.
I have done work where if I work from home, I log into a virtual machine. Most of the jobs I have had where I do this, I use my own laptop. This is in the US.