EFF: Inside the Invasive, Secretive “Bossware” Tracking Workers

COVID-19 has pushed millions of people to work from home, and a flock of companies offering software for tracking workers has swooped in to pitch their products to employers across the country.

The services often sound relatively innocuous. Some vendors bill their tools as “automatic time tracking” or “workplace analytics” software. Others market to companies concerned about data breaches or intellectual property theft. We’ll call these tools, collectively, “bossware.” While aimed at helping employers, bossware puts workers’ privacy and security at risk by logging every click and keystroke, covertly gathering information for lawsuits, and using other spying features that go far beyond what is necessary and proportionate to manage a workforce.

This is not OK. When a home becomes an office, it remains a home. Workers should not be subject to nonconsensual surveillance or feel pressured to be scrutinized in their own homes to keep their jobs.

What can they do?

Bossware typically lives on a computer or smartphone and has privileges to access data about everything that happens on that device. Most bossware collects, more or less, everything that the user does. We looked at marketing materials, demos, and customer reviews to get a sense of how these tools work. There are too many individual types of monitoring to list here, but we’ll try to break down the ways these products can surveil into general categories.

The broadest and most common type of surveillance is “activity monitoring.” This typically includes a log of which applications and websites workers use. It may include who they email or message—including subject lines and other metadata—and any posts they make on social media. Most bossware also records levels of input from the keyboard and mouse—for example, many tools give a minute-by-minute breakdown of how much a user types and clicks, using that as a proxy for productivity. Productivity monitoring software will attempt to assemble all of this data into simple charts or graphs that give managers a high-level view of what workers are doing.

Every product we looked at has the ability to take frequent screenshots of each worker’s device, and some provide direct, live video feeds of their screens. This raw image data is often arrayed in a timeline, so bosses can go back through a worker’s day and see what they were doing at any given point. Several products also act as a keylogger, recording every keystroke a worker makes, including unsent emails and private passwords. A couple even let administrators jump in and take over remote control of a user’s desktop. These products usually don’t distinguish between work-related activity and personal account credentials, bank data, or medical information.

Some bossware goes even further, reaching into the physical world around a worker’s device. Companies that offer software for mobile devices nearly always include location tracking using GPS data. At least two services—StaffCop Enterprise and CleverControl—let employers secretly activate webcams and microphones on worker devices.

There are, broadly, two ways bossware can be deployed: as an app that’s visible to (and maybe even controllable by) the worker, or as a secret background process that workers can’t see. Most companies we looked at give employers the option to install their software either way. 

Visible monitoring

Sometimes, workers can see the software that is surveilling them. They may have the option to turn the surveillance on or off, often framed as “clocking in” and “clocking out.” Of course, the fact that a worker has turned off monitoring will be visible to their employer. For example, with Time Doctor, workers may be given the option to delete particular screenshots from their work session. However, deleting a screenshot will also delete the associated work time, so workers only get credit for the time during which they are monitored. 

Workers may be given access to some, or all, of the information that’s collected about them. Crossover, the company behind WorkSmart, compares its product to a fitness tracker for computer work. Its interface allows workers to see the system’s conclusions about their own activity presented in an array of graphs and charts.

Different bossware companies offer different levels of transparency to workers. Some give workers access to all, or most, of the information that their managers have. Others, like Teramind, indicate that they are turned on and collecting data, but don’t reveal everything they’re collecting. In either case, it can often be unclear to the user what data, exactly, is being collected, without specific requests to their employer or careful scrutiny of the software itself.

Invisible monitoring

The majority of companies that build visible monitoring software also make products that try to hide themselves from the people they’re monitoring. Teramind, Time Doctor, StaffCop, and others make bossware that’s designed to be as difficult to detect and remove as possible. At a technical level, these products are indistinguishable from stalkerware. In fact, some companies require employers to specifically configure antivirus software before installing their products, so that the worker’s antivirus won’t detect and block the monitoring software’s activity.

A screenshot from TimeDoctor’s sign-up flow, which allows employers to choose between visible and invisible monitoring.

This kind of software is marketed for a specific purpose: monitoring workers. However, most of these products are really just general purpose monitoring tools. StaffCop offers a version of their product specifically designed for monitoring children’s use of the Internet at home, and ActivTrak states that their software can also be used by parents or school officials to monitor kids’ activity. Customer reviews for some of the software indicate that many customers do indeed use these tools outside of the office.

Most companies that offer invisible monitoring recommend that it only be used for devices that the employer owns. However, many also offer features like remote and “silent” installation that can load monitoring software on worker computers, without their knowledge, while their devices are outside the office. This works because many employers have administrative privileges on computers they distribute. But for some workers, the company laptop they use is their only computer, so company monitoring is ever-present. There is great potential for misuse of this software by employers, school officials, and intimate partners. And the victims may never know that they are subject to such monitoring.

The table below shows the monitoring and control features available from a small sample of bossware vendors. This isn’t a comprehensive list, and may not be representative of the industry as a whole; we looked at companies that were referred to in industry guides and search results that had informative publicly-facing marketing materials. 

Table: Common surveillance features of bossware products

| Vendor | Activity monitoring (apps, websites) | Screenshots or screen recordings | Keylogging | Webcam/microphone activation | Can be made "invisible" |
| --- | --- | --- | --- | --- | --- |
| ActivTrak | confirmed | confirmed | | | confirmed |
| CleverControl | confirmed | confirmed | confirmed | confirmed (1, 2) | confirmed |
| DeskTime | confirmed | confirmed | | | confirmed |
| Hubstaff | confirmed | confirmed | | | |
| Interguard | confirmed | confirmed | confirmed | | confirmed |
| StaffCop | confirmed | confirmed | confirmed | confirmed (1, 2) | confirmed |
| Teramind | confirmed | confirmed | confirmed | | confirmed |
| TimeDoctor | confirmed | confirmed | | | confirmed |
| Work Examiner | confirmed | confirmed | confirmed | | confirmed |
| WorkPuls | confirmed | confirmed | | | confirmed |

Features of several worker-monitoring products, based on the companies’ marketing material. 9 of the 10 companies we looked at offered “silent” or “invisible” monitoring software, which can collect data without worker knowledge.

How common is bossware?

The worker surveillance business is not new, and it was already quite large before the outbreak of a global pandemic. While it’s difficult to assess how common bossware is, it’s undoubtedly become much more common as workers are forced to work from home due to COVID-19. Awareness Technologies, which owns InterGuard, claimed to have grown its customer base by over 300% in just the first few weeks after the outbreak. Many of the vendors we looked at exploit COVID-19 in their marketing pitches to companies.

Some of the biggest companies in the world use bossware. Hubstaff customers include Instacart, Groupon, and Ring. Time Doctor claims 83,000 users; its customers include Allstate, Ericsson, Verizon, and Re/Max. ActivTrak is used by more than 6,500 organizations, including Arizona State University, Emory University, and the cities of Denver and Malibu. Companies like StaffCop and Teramind do not disclose information about their customers, but claim to serve clients in industries like health care, banking, fashion, manufacturing, and call centers. Customer reviews of monitoring software give more examples of how these tools are used. 

We don’t know how many of these organizations choose to use invisible monitoring, since the employers themselves don’t tend to advertise it. In addition, there isn’t a reliable way for workers themselves to know, since so much invisible software is explicitly designed to evade detection. Some workers have contracts that authorize certain kinds of monitoring or prevent others. But for many workers, it may be impossible to tell whether they’re being watched. Workers who are concerned about the possibility of monitoring may be safest to assume that any employer-provided device is tracking them.

What is the data used for?

Bossware vendors market their products for a wide variety of uses. Some of the most common are time tracking, productivity tracking, compliance with data protection laws, and IP theft prevention. Some use cases may be valid: for example, companies that deal with sensitive data often have legal obligations to make sure data isn’t leaked or stolen from company computers. For off-site workers, this may necessitate a certain level of on-device monitoring. But an employer should not undertake any monitoring for such security purposes unless they can show it is necessary, proportionate, and specific to the problems it’s trying to solve.

Unfortunately, many use cases involve employers wielding excessive power over workers. Perhaps the largest class of products we looked at are designed for “productivity monitoring” or enhanced time tracking—that is, recording everything that workers do to make sure they’re working hard enough. Some companies frame their tools as potential boons for both managers and workers. Collecting information about every second of a worker’s day isn’t just good for bosses, they claim—it supposedly helps the worker, too. Other vendors, like Work Examiner and StaffCop, market themselves directly to managers who don’t trust their staff. These companies often recommend tying layoffs or bonuses to performance metrics derived from their products.

Marketing material from Work Examiner’s home page, https://ift.tt/2zvZ2oX

Some firms also market their products as punitive tools, or as ways to gather evidence for potential worker lawsuits. InterGuard advertises that its software “can be silently and remotely installed, so you can conduct covert investigations [of your workers] and bullet-proof evidence gathering without alarming the suspected wrongdoer.” This evidence, it continues, can be used to fight “wrongful termination suits.” In other words, InterGuard can provide employers with an astronomical amount of private, secretly-gathered information to try to quash workers’ legal recourse against unfair treatment.

None of these use cases, even the less-disturbing ones discussed above, warrant the amount of information that bossware usually collects. And nothing justifies hiding the fact that the surveillance is happening at all.

Most products take periodic screenshots, and few of them allow workers to choose which ones to share. This means that sensitive medical, banking, or other personal information is captured alongside screenshots of work emails and social media. Products that include keyloggers are even more invasive, and often end up capturing passwords to workers’ personal accounts.

Work Examiner’s description of its Keylogging feature, specifically highlighting its ability to capture private passwords.

Unfortunately, excessive information collection often isn’t an accident, it’s a feature. Work Examiner specifically advertises its product’s ability to capture private passwords. Another company, Teramind, reports on every piece of information typed into an email client—even if that information is subsequently deleted. Several products also parse out strings of text from private messages on social media so that employers can know the most intimate details of workers’ personal conversations. 

Let’s be clear: this software is specifically designed to help employers read workers’ private messages without their knowledge or consent. By any measure, this is unnecessary and unethical.

What can you do?

Under current U.S. law, employers have too much leeway to install surveillance software on devices they own. In addition, little prevents them from coercing workers to install software on their own devices (as long as the surveillance can be disabled outside of work hours). Different states have different rules about what employers can and can’t do. But workers often have limited legal recourse against intrusive monitoring software. 

That can and must change. As state and national legislatures continue to adopt consumer data privacy laws, they must also establish protections for workers with respect to their employers. To start:

  • Surveillance of workers—even on employer-owned devices—should be necessary and proportionate. 
  • Tools should minimize the information they collect, and avoid vacuuming up personal data like private messages and passwords. 
  • Workers should have the right to know what exactly their managers are collecting. 
  • And workers need a private right of action, so they can sue employers that violate these statutory privacy protections.

In the meantime, workers who know they are subject to surveillance—and feel comfortable doing so—should engage in conversations with their employers. Companies that have adopted bossware must consider what their goals are, and should try to accomplish them in less-intrusive ways. Bossware often incentivizes the wrong kinds of productivity—for example, forcing people to jiggle their mouse and type every few minutes instead of reading or pausing to think. Constant monitoring can stifle creativity, diminish trust, and contribute to burnout. If employers are concerned about data security, they should consider tools that are specifically tailored to real threats, and which minimize the personal data caught up in the process.

Many workers won’t feel comfortable speaking up, or may suspect that their employers are monitoring them in secret. If they are unaware of the scope of monitoring, they should consider that work devices may collect everything—from web history to private messages to passwords. If possible, they should avoid using work devices for anything personal. And if workers are asked to install monitoring software on their personal devices, they may be able to ask their employers for a separate, work-specific device from which private information can be more easily siloed away.

Finally, workers may not feel comfortable speaking up about being surveilled out of concern for staying employed in a time with record unemployment. A choice between invasive and excessive monitoring and joblessness is not really a choice at all.

COVID-19 has put new stresses on us all, and it is likely to fundamentally change the ways we work as well. However, we must not let it usher in a new era of even-more-pervasive monitoring. We live more of our lives through our devices than ever before. That makes it more important than ever that we have a right to keep our digital lives private—from governments, tech companies, and our employers.

