When COVID became a global pandemic, many companies that had previously
frowned upon teleworking asked their employees to work from home whenever
possible.
That raised a concern: how would managers verify that their underlings were
spending their work hours on the tasks assigned to them? There are many ways to track employees' time, but the one that has become the most popular is employee monitoring software.
A survey of 1,250 employers by Digital.com found that 6 out of 10 employers require monitoring software for their remote workers.
Why Are Employees Being Tracked?
Employers want to manage their workforce and understand how employees are
spending their time.
They see employees taking a break from their work tasks to use social media
or deal with their family as a potential drain on productivity, or time
theft. According to Digital.com, more than half of the monitored employees
spend more than 3 hours every day on non-work activities on company time.
If a business offers consulting services, it has a vested interest in
logging its workers' time with a customer so it can properly bill said
customer.
Also, the FLSA requires employers to keep accurate records for each
hourly employee and retain them for 3 years.
What is Being Tracked?
Even though this kind of software has been called an extension of
traditional time-tracking systems, what it records is more expansive than
simple time-tracking:
- Random screenshots
- Location (using GPS)
- Website tracking
- Log emails
- Any sounds in the immediate area using the device's microphone
- Camera
- Anything that has been typed (keylogging) and any mouse movements
(mouse logging)
Privacy Concerns
"Most employees are OK with (installing employee tracking software).
As long as you tell the employee you're implementing it, it's entirely
legal," according to Enzo Logozzo, director of sales and marketing for
365 IT Solutions, Toronto.
That is not necessarily the case.
- Per GDPR, consent here is not freely given, as there is the risk that
a refusal to consent to having the software installed may result in the
employee being fired.
Canadian news media recently reported on a school janitor in Alberta, Canada, who refused last fall to download a mobile app that would help her employer confirm workers were on the job where and when scheduled.
She was fired weeks later.
- While the Canadian privacy law, PIPEDA, states that collection
and disclosure of personal data by a company from its employees without
their consent is allowed in certain situations, the onus is on the company
to justify that the data was collected for a specific business purpose.
- Traditionally, American privacy laws such as CCPA are much more
lenient towards the business. However, employee tracking software can place
companies at odds with other federal regulations.
We must expect that some of those working from home will on occasion
contact their children's teacher or doctor during working hours.
Recording these conversations conflicts with HIPAA and FERPA.
- Using a computer's built-in microphone may be subject to state wiretap
and eavesdropping laws.
Other Issues
In addition to legal issues, aggressive employee monitoring negatively
affects business:
- Employees lose trust in the company.
14% of companies have not informed
employees they deployed this software.
- Once workers find out employee tracking is in use while they work at home, their stress level increases.
According to a study run by the insurance company Colonial Life,
26% of the employees said stress was making them less productive and 15% reported feeling less engaged with their job. That is no surprise,
as 88% of employers terminated workers after implementing monitoring software.
- Devices running employee surveillance
software are a juicy target for malicious individuals.
As these individuals want to collect passwords and other personal information,
attacking a computer with employee tracking software saves them
time and effort.
Living with Employee Surveillance Software
Protecting your privacy as an employee
- Ensure the company issues you its own computer, to minimize the chances of having personal and work data on the same system.
- Minimize use of the work computer for personal applications. Ideally you should avoid it altogether, but if that is not possible, this is the next best thing. It may help to remember that the work computer may be taken back at any time for any reason; it is theirs, after all.
- Ask if they will issue you a work phone. If they will not, and they also demand that you install their app
on your personal phone, there are apps to help with that. In fact, that is one of the topics we covered in our DEFCON workshop and something we recommend when dealing with IoT devices.
Otherwise, get yourself a dumb phone and show that it is the phone you have.
- Put the work computer/device on a separate network from your home one. This
may require technical help; VLANs are a great start but the sky is the limit.
- Create a private location for your workspace. Ideally one where the door
is in front of you (behind the computer). Getting a greenscreen is also recommended.
- Assume the work computer's microphone and camera are always on, so once your
work hours are done, place it in a box with sound-absorbing foam.
- Some companies may offer you an exercise tracker device such as
Fitbit. Politely refuse it, as it records your biometric data, which violates GDPR if you are subject to it.
Protecting your company's needs while respecting the privacy of your employees
- Have a clear policy outlining the justification for surveillance.
- Ensure employees understand why they are being tracked.
- Obtain consent from your employees if you are installing employee
surveillance programs on their computers and phones.
Note that if consent is a requirement for working, it is not freely given.
- Ensure tracking stops after working hours.
- Hire a professional such as Privacy Test Driver to ensure you comply with relevant privacy laws
and provide an environment that fosters productivity while
protecting both your company and its employees.