38 votes

Your boss is probably spying on you: New data on workplace surveillance

33 comments

  1. [2]
    X08
    To those of you with nothing to hide: One day you might have. Because you don’t make the rules.
    40 votes
    1. elcuello
      Great article. When talking about secrecy vs privacy I’ve always liked the analogy that you lock the door when you go to the bathroom. That’s privacy and has nothing to do with hiding something. Although secrecy also has its place as the article mentions.

      13 votes
  2. [8]
    rosco
    Maybe someone wiser than myself can chime in here, because I've never understood the purpose of workplace surveillance software.

    Do these companies not set work plans? Do they not check in on project progress? Do they not have teams that run sprints and have agreed upon work schedules?

    It just seems like if you are active in the development lifecycle, or at least have semi competent managers that are, there shouldn't be a need for this kind of information. There are much better metrics and indicators like what work got pushed, what bugs were fixed, what etc etc etc... Hours of butt in seat or mouse scrolling don't seem to equate to much.

    27 votes
    1. [5]
      ThrowdoBaggins
      Do these companies not set work plans? Do they not check in on project progress? Do they not have teams that run sprints and have agreed upon work schedules?

      Imagine you are a manager who doesn’t particularly understand or care about “burnout” or “sustainable workloads”, but at the moment your team is meeting the targets and deadlines that you set. And imagine that someone in the company is worried about disgruntled employees sabotaging or stealing company info (even though your team is fine), and has this surveillance installed, mandatory for every employee in every team regardless of whether or not they actually have any disgruntled employees.

      And let’s imagine that one day, out of boredom, you start looking into the data. And you realise that your team only appears to be actively working on the projects for about three hours per day, and still meeting targets. And you know that you pay them for 8 hours per day, whether they’re working on the project for 8 hours per day or whether they’re working on the project for 3 hours and scrolling through the internet for 3 hours and in meetings for 2 hours.

      Wouldn’t you start to think about getting more bang for your buck by setting more ambitious projects or tighter deadlines? Why would you accept this wasted time, when you can see the metrics in front of you that are implying an inefficient workforce?

      I think going from surveillance systems “for the sake of security” to oppressive workplace demands is the default progression, and only particularly aware and considerate and deliberate managers would avoid the siren song of that data just sitting there, waiting to be abused.

      19 votes
      1. [4]
        rosco
        All of this just sounds like bad management.

        Wouldn’t you start to think about getting more bang for your buck by setting more ambitious projects or tighter deadlines? Why would you accept this wasted time, when you can see the metrics in front of you that are implying an inefficient workforce?

        I'm assuming you're playing devil's advocate, but in case you're not, I think that's kind of a losing game. You can ratchet down on your employees, and if they are getting work done in half the time that you've agreed it will take they are likely good employees, but you're going to demotivate your team. I feel like Silicon Valley is all about efficiency and incentivizing correctly. By doubling their workload you've just halved their hourly and incentivized them to get another job. So now there is a role to fill (multiple months of hiring) and getting someone up to speed on your systems (multiple months of work, derailing other engineers as well), and they might perform worse.

        7 votes
        1. creesch
          All of this just sounds like bad management.

          Well yeah, they start out their argument with this

          Imagine you are a manager who doesn’t particularly understand or care about “burnout” or “sustainable workloads”,

          So that clearly is the context this is written in.

          20 votes
        2. bl4kers
          I'm assuming you're playing devil's advocate, but in case you're not, I think that's kind of a losing game.

          Unless management only cares about short-term growth instead of the long-term sustainability of the team. This is unfortunately kinda common due to exit strategies, bonus structures, and promotion chasers.

          4 votes
        3. ThrowdoBaggins
          All of this just sounds like bad management.

          Yeah I certainly agree, I believe this kind of surveillance could be introduced to an organisation by piggybacking on security concerns, but it’s a tool easily misapplied by mediocre management. I would hope that this potential misapplication would be enough to give a well-run organisation pause to even considering implementing it, but I have heard enough stories of poorly managed organisations plodding along (if not raking in the cash) to reckon it’s too easy to sidestep these cautions and implement it anyway.

          I'm assuming you're playing devil's advocate, but in case you're not, I think that's kind of a losing game.

          I was definitely playing devil's advocate, only trying to answer the question of “…because I've never understood the purpose of workplace surveillance software” from the top level comment. Apologies if my attempt at illustrating the story came across as advocacy - that was certainly not my intention!

          1 vote
    2. scojjac
      or at least have semi competent managers

      There are sufficient numbers of incompetent and unethical managers who feel important by collecting and re-arranging vanity metrics (and can't be bothered to learn and use a more effective method) or who are impressed by how much info they can collect from unaware subordinates. I think it scratches a very primal peeping itch, it can be done under the guise of security and efficiency, and it gives people in power the same feeling that a predator might have while watching trapped prey.

      10 votes
    3. kaffo
      You'd be shocked at the kinds of conversations senior and middle management can have when there is a degree of separation between them and the people actually doing the work.
      The moment a person gets some heat for "why is this not done yet?" "What went wrong with this project?" And it's under their responsibility, then you'll find that going from "oh it's just a hiccup, we'll be right on track" to "well it's still a problem, here's some numbers to back me up" to "ok it's still a problem and the numbers still look the same so I'm gonna try something different because I might look incompetent so I'll stick some tracking on employees and report mouse use or something".
      A slippery slope for people who earn a lot of money and can't actually make things happen.

      5 votes
  3. [2]
    JXM
    I’ve always just assumed that anything I do/type on my work computer is logged and stored for later retrieval should they want it.

    I try to avoid doing anything non work related unless it’s something innocuous like checking the news while I wait for a task to complete in the background.

    Unfortunately, what you don’t do on your computer can be just as telling.

    I think until there are serious legal protections in place, like the article mentions, then that’s the only safe way to operate if you don’t want your employer to know all sorts of things about you.

    18 votes
    1. DynamoSunshirt
      My last couple of work computers have come straight from the Apple Store, without any company employee ever touching them. I think I have an identifying sticker on the bottom of my current one.

      One of the best parts of working at smaller companies (and European companies) is the complete lack of spyware, because at a certain small scale there isn't even a real IT group to do the monitoring!

      For anyone who wants a spyware-free job, avoid companies with US government contracts, especially defense. Those often mandate spyware, even for really small companies with no infra for it!

      If you work for a company of more than 500 people, you're almost guaranteed to get your hardware and spyware straight from IT, rather than computer vendors. I'm always amazed at the nonsense that my partner's computer goes through.

      8 votes
  4. [4]
    scojjac
    This has always been a wise, though discouraging, view to take. Unfortunately, we live in a very surveillance-happy society. I don't only mean airport security theater, or NSA mass data collection, or allowing corporate tracking for questionable ancillary benefits, or school spyware for digital learning platforms and school-owned devices, but also products like Life360 that allow parents to check on location and myriad other details about their children at any time.

    The linked article mentions that the motivation and usage of monitoring tools matters. If the purpose is to promote well-being and there are policies to that effect, it might not cause an immediate detrimental effect. Yet, even when such systems are marketed this way, they are often used to harass and discipline the surveilled. And even if one administration (whether government, school, or parent) may not abuse the tools, another will.

    Collectively, we are too comfortable allowing others to watch and catalog everything we do. As @x08 appropriately noted, though you may think you have nothing to hide today, someone may dig it up and use it against you someday. And that day may come sooner than you think.

    15 votes
    1. X08
      Don't forget we happily send over our DNA (cheek swab) to companies to get a fun brochure which explains where your origins lie. They now own your DNA and you've given it to them and you had to pay for it.

      And by extension, even if you haven't, a close relative might've and you have no idea how or what weird government might creep up in the future and just decide that you don't make the cut.

      14 votes
    2. [2]
      vord
      We've deployed the largest privately owned mass surveillance network in the world because people were annoyed that their packages were being taken off their doorstep.

      11 votes
      1. foryth
        That police don't need a warrant to view so long as they get permission from one, iirc

        4 votes
  5. [4]
    Eji1700
    Duh?

    Like, let's start with a simple scenario, work computer in work environment. It's basically negligent to not be tracking/logging everything you can, ESPECIALLY if you have any sensitive customer data stored.

    Just because work has moved remote doesn't mean your threat vectors give a damn.

    I'm absolutely not for the mass surveillance that has popped up, but remote is a serious security issue for just about every operation, and one that's not very well handled. Personal servers/setups get compromised, then a work device connects, and now customer data is leaked.

    The camera based monitoring for things like drivers is another side of the coin, but also boils down to "it eliminates the he said/she said". It's also used maliciously (only looking at data when an incident happens to fire someone rather than properly auditing the data beforehand to catch the problem), but that comes with all systems like this.

    11 votes
    1. [3]
      sparksbet
      Personal servers/setups get compromised, then a work device connects, and now customer data is leaked.

      I don't think the type of monitoring the article describes actually prevents this from happening, but more importantly, if this is possible as you describe you're already FAR outside the realm of best practices regarding how to store sensitive customer data.

      6 votes
      1. [2]
        Eji1700
        You would be surprised on both accounts. Again ANY operation allowing some sort of remote work cannot sanitize the home network of the employee so personal risks quickly become company issues.

        The faster you detect any concerning behavior the better your chances of having an annoying weekend instead of a company ending lock out.

        Yes this info is used by power hungry micro managers to their own detriment but it’s not like they wouldn’t be that way anyways. The only sane security stance is as much data as possible.

        1. sparksbet
          I'm not disputing that there are risks, but I'm saying that a company that stores customer data the way you describe is already violating a lot of best practices. And the type of employee surveillance described isn't necessarily an effective way to secure customer data anyway -- certainly not on its own, but it's also just not required to have a secure system. My last workplace was fully remote and SOC2 certified but there was virtually none of this type of employee surveillance. The type of employee surveillance being discussed is not designed to prevent employees' devices or networks from getting compromised, and actually following best practices when it comes to storing customer data involves following best practices and implementing systems that are actually designed for that purpose. A company that cares about securing customer data may also employ this type of surveillance to monitor their employees' behavior, but it's absolutely not a necessary or even effective part of keeping customer data secure.

          2 votes
  6. devilized
    Our company actually gives us access to see everything that is collected from our laptop. It's pretty interesting. All file transfers and executions, all programs that are running and all websites we visit on any browser. Our chats are all logged as well, but those can only be retrieved for legal reasons, not by managers or security.

    I just assumed the company knows everything that goes on with our company devices. It's why I have a personal laptop for all non-work things.

    8 votes
  7. ahatlikethat
    Within the executive branch, the U.S. Department of Labor’s Occupational Safety and Health Administration should step up enforcement activities. The Department of Labor should also immediately begin work drafting a health or safety standard that would set clear rules for employers on how to deploy automated management and surveillance tools in ways that do not threaten workers’ wellbeing. Pursuing such a measure would provide the Trump-Vance Administration an early opportunity to make good on their promises that the Republican party is now a pro-worker party. Even assuming they will not—as we have good reason to believe—beginning work now in the Biden-Harris Administration could lay the foundation for a future Administration that is more favorable to workers to hit the ground running on the proposal and carry it to completion.

    This made me think of how many people who have been working on the common good, and the devastation they must feel. I hope someone is archiving all this offsite somewhere, because things like this are likely to be wiped from government servers pretty soon.

    7 votes
  8. [11]
    Deely
    Let's imagine that I'm working remotely from my personal laptop. If bosses catch me looking at some NSFW sites... Sorry, but that's issue of my bosses, not mine.

    4 votes
    1. [10]
      tauon
      That’s one or a few steps too late: Personal laptop and remote work (and nothing more) is fine, or company-issued device and spyware is put on it. I’m strictly against installing anything that’s not directly a work-necessitated application onto a personal device… That’s like compromising your life on purpose.

      14 votes
      1. [4]
        DynamoSunshirt
        Some employers actually try to put MDM on personal phones these days. Can you imagine? For a work phone, sure, but giving someone that kind of access to any personal device isn't just irresponsible, it's dangerous! From your bank details to your sex life to your family photos, some things should be private. Might as well let the company put a camera in your family bathroom as well to make sure you aren't slacking when you use the toilet.

        7 votes
        1. [3]
          Minori
          At least on Android, work stuff is all sandboxed. That said, I refuse to install anything except Slack on my personal device.

          4 votes
          1. [2]
            trim
            When I went full time WFH I bought myself a second hand iPhone SE for not a lot of money, and installed the Intune stuff on there, and leave it mounted in a wall hanger next to my desk as an audible Teams notifier, and for the very low number of times I need to take it out with me if I have to go out in work hours. I do not have any personal accounts or other personal information on this device.

            Appreciate not everyone can afford to do this, but really it's for my convenience, it's not mandated by the organisation, it just makes my home working that little bit more friction free. Worth a couple hundred to me to do that.

            3 votes
            1. Minori
              For me, I find that my anxiety level is surprisingly lower being able to occasionally check work messages from my typical device. It's common for me to step out for lunch or take transit to work, and I don't want to always carry two phones when I'm not at my desk.

      2. [5]
        pesus
        Do people actually use their personal computer for work? That seems absolutely insane to me, unless you're founding a startup or small business or something. I thought companies were required to provide equipment needed for the job. Not to mention the headache IT would have...

        3 votes
        1. sparksbet
          I'm pretty sure here in Germany it's straight-up not allowed for them to make you use your personal device for work, at least for normal jobs. I remember my last boss saying me having my work Slack on my personal phone was maybe technically breaking the rules (though they never bought me a work phone so I did it anyway). My wife has multiple work laptops (for different purposes) and a work phone.

          6 votes
        2. MimicSquid
          You would be so surprised. IT security isn't a thing in small organizations.

          4 votes
        3. updawg
          We have one of the largest enterprises in the world and we have several ways for people to work from personal computers. We even did when everyone just had a desktop during COVID before Zero Trust solutions started rolling out. Most people don't want to use personal devices, which definitely makes it cheaper.

          2 votes
        4. boxer_dogs_dance
          I have done work where if I work from home, I log into a virtual machine. Most of the jobs I have had where I do this, I use my own laptop. This is in the US.

          1 vote