Employees working from home worry their employers will install monitoring software that watches them while they work. Is this the start of what George Orwell prophesied? I previously talked about the extreme surveillance of tech workers that’s recently been happening in the June 21st issue of WServerNews, our popular newsletter that goes out bi-weekly to more than 180,000 IT professionals around the world. (You can join our Borg collective by clicking here.) As readers responded to my editorial, an email from one reader, in particular, sparked my interest, and I asked him to elaborate on it for an article here on TechGenix. So, without further ado, here are some balanced and well-thought-out comments by IT pro Jeffrey Harris on the idea that workplace surveillance is nothing new at all but simply same-old, same-old when it comes to being an employee of some corporate overlords. Jeffrey is an IT professional and CISSP who has more than 30 years of experience supporting private industry and government. He currently works from home for a major healthcare company leading their identity data services team, and he shares his office with his three cats, who like to check out what he does during the day.
Employee monitoring and more
When Mitch asked, “How many of our readers who work in corporate environments experience (or implement if you’re a manager) some measure of workplace surveillance?” in his newsletter, my initial thought was that just about every company does some employee monitoring. As I will discuss, most monitoring is ostensibly done for security or safety reasons, but some companies do it for other reasons.
In most cases, in my view, companies are not interested in monitoring what employees, contractors, and others in their facilities do as part of their jobs. They are interested in what those people do outside the scope of their jobs or duties. In today’s hypersensitive climate, what employees and contractors do can lead to reputational damage, financial damages (potentially running into billions of dollars), and regulatory penalties, including loss of business with governments.
This article primarily focuses on the United States but is likely largely applicable to Canadian companies, less so for companies and organizations in other areas, such as the European Union.
In this article, I discuss three types of monitoring:
- Physical employee monitoring: Identifying when people come and go from company facilities, and performing surveillance over people when in company facilities.
- Access/event employee monitoring: Logging what people do on company networks or with company equipment, such as telephones, and what they access.
- Other employee monitoring: Behavioral analytics and beyond.
Let us start with physical monitoring. Physical monitoring is probably as old as, well, companies! Even in medieval times, a blacksmith or a merchant would verify that his apprentices and employees showed up for work and would watch them to ensure they were working diligently on the tasks he assigned them. Before the computer age, and even in a number of companies today, employees punch in and punch out using some kind of time clock. In prior decades, an employee would literally punch a card into a machine that recorded a date/time stamp to show when the employee started and ended for the day, and at the end of the week the card would be used to compute the employee’s pay. Now, instead of a punch card, employees are issued badges that are waved at a time clock to do the same thing. If you know someone who works at a Walmart or other retail store, ask them to show you their badge for clocking in and out.
Badges are used for more than clocking in and out. Most companies issue access badges for physical ingress/egress of facilities and for entry to restricted locations within them (wiring closets, datacenters, and even onsite gyms for users who pay to use the gym). Access cards and the systems behind them personally identify when employees, contractors, and visitors enter and leave company (or government; many of these same controls apply to government) facilities. They also record when staff members attempt to open doors they are not authorized to open. Generally, they cannot track where a person is in a facility at any given time; they only know which reader the person last badged at, and only if badging was actually required to pass through (someone who tailgates through a held-open door leaves no record).
Access badges serve several purposes:
- They allow authorized staff to enter or exit facilities through controlled entry and exit points without checking in with a guard, and without a guard needing to be present at those points.
- They can be quickly deactivated, if necessary, from central systems.
- Knowledge of who is in a facility can be used for safety purposes if there is a local event such as a fire or active shooter, and the facility staff needs to ensure everyone in the facility is accounted for, even visitors from outside the local area who are not normally in the facility.
Let us talk about some other uses of physical monitoring. Delivery companies and fulfillment companies (for example, Amazon, Walmart, UPS) can track how quickly packages are delivered or processed for delivery and the time employees or contractors spend delivering packages. Walmart and other retailers also track how quickly cashiers checkout customers. In some cases, mainly delivery services, this monitoring is simply done to try and cut costs, for example, to reduce miles driven or fuel used delivering packages between any two points – the famous traveling salesman problem. In others, they can be used to identify malingerers and poorly performing employees – either for additional training to try and improve performance or for termination.
Finally, we come to the ubiquitous camera. Most businesses have cameras in various locations, particularly datacenters, to record what people are doing in facilities. Again, these could be used for safety or law enforcement purposes unrelated to employee behavior, or simply to dissuade criminal behavior. They could also be used to minimize employee malingering.
Now, let us discuss access and event monitoring. This is data collected on staff’s use of computers or telephones for work purposes. Every company collects some record of user computer and phone activity, in many cases to satisfy auditing or compliance requirements imposed by industry or the government. For example, some companies have to show that after termination, an employee’s access was removed and there were no successful logins after the date of termination. Other companies need a record of every change made to the financial management system that holds the company’s master financial records, to show that all changes were authorized.
Some of the different types of events collected include:
- Local logins/logoffs to the network (for users in a company/organizational facility).
- VPN connections or disconnections (for users connecting externally into a company/organization’s network).
- User activity (logon/logoff of various internal applications, changes to data in directories or databases), user connections to other computers or file shares, and read or write activities. These are generally collected to satisfy various auditing requirements similar to the financial management system discussed above or for troubleshooting purposes (“Why is X’s title reverting to the old title in Outlook after it was changed in HR?”).
- What I will call “edge controls.” Most companies monitor and restrict Internet access to some degree based on its relationship to authorized work. Gambling sites, adult content sites, social media sites, personal email sites (Yahoo, Google, Hotmail), even competitor sites may be blocked to protect the company from employee or external lawsuits. (“Company X sued after repeated attempts to access proprietary data on Company Y’s network.”) Even when access to a site is allowed, the connection is normally still logged (for example, to trace any malicious activity involving the site, whether staff trying to do something malevolent or the site itself trying to attack the user’s system). In addition to allow/block lists for websites, outbound connections on unusual ports (for example, the ports Tor relays commonly listen on rather than 80 and 443) are generally blocked, and attempts to use them are logged so that a pattern of behavior can be identified, whether malicious activity, user attempts to circumvent controls, or just accidental connections. Port blocking is a blunt control, since Tor and similar tools can also be run over port 443, which is why the connection logs matter as much as the block itself.
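The termination example above is a concrete audit check, so here it is as an added example (my own illustration for this page, not code from the article or from any product). It parses a small constructed authentication/VPN log, and for each user in a constructed HR termination feed reports whether a successful account-disable event was recorded by the last day and whether any logon or VPN connection succeeded after it. The five-field log format, the user names, the dates and the `idm disable` event are all assumptions made up for the example; a real deployment would read Windows security events, VPN concentrator logs and the identity system’s audit trail instead.

```python
"""Added example (not from the article): check an auth/VPN log for post-termination access.

The log format, users and dates are constructed for illustration.
Each line: <ISO-8601 UTC timestamp> <source> <user> <action> <result>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2021-06-01T08:02:11Z local alice logon success
2021-06-01T17:05:40Z local alice logoff success
2021-06-02T07:58:03Z vpn bob connect success
2021-06-03T09:14:22Z local alice logon success
2021-06-03T16:30:00Z idm alice disable success
2021-06-04T22:41:09Z vpn alice connect failure
2021-06-05T03:12:55Z vpn alice connect success
2021-06-05T08:00:12Z vpn bob connect success
"""

# Constructed HR feed: user -> last day of employment (a date, not a timestamp).
TERMINATIONS = {"alice": "2021-06-03"}

LOGIN_ACTIONS = {"logon", "connect"}  # a local logon and a VPN connect both count as access


@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    action: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed five-field log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, action, result = line.split()
        # Python < 3.11 does not accept a trailing 'Z' in fromisoformat, so normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, source, user, action, result))
    return events


def termination_report(events: list[Event], terminations: dict[str, str]) -> dict[str, dict]:
    """Answer the two audit questions for each terminated user:
    was access removed (a successful 'disable' event before the day after the last day),
    and did any logon/connect succeed on or after that day?
    Failed attempts after termination are counted separately: they are not a control
    failure, but they deserve a look (a stale VPN client, or someone else trying the
    old credentials)."""
    report = {}
    for user, last_day in terminations.items():
        # Access may legitimately be used through the end of the last day; the cutoff is midnight UTC after it.
        cutoff = datetime.fromisoformat(last_day).replace(tzinfo=timezone.utc) + timedelta(days=1)
        disabled_at = None
        late_success, late_failure = [], 0
        for e in events:
            if e.user != user:
                continue
            if e.action == "disable" and e.result == "success" and e.ts < cutoff:
                disabled_at = e.ts if disabled_at is None else min(disabled_at, e.ts)
            elif e.action in LOGIN_ACTIONS and e.ts >= cutoff:
                if e.result == "success":
                    late_success.append(e)
                else:
                    late_failure += 1
        report[user] = {
            "access_removed": disabled_at is not None,
            "disabled_at": disabled_at,
            "post_termination_logins": late_success,
            "post_termination_failed_attempts": late_failure,
        }
    return report


if __name__ == "__main__":
    for user, r in termination_report(parse_log(SAMPLE_LOG), TERMINATIONS).items():
        print(user, "access_removed=%s" % r["access_removed"],
              "late_logins=%d" % len(r["post_termination_logins"]),
              "late_failures=%d" % r["post_termination_failed_attempts"])
```

In the constructed data, alice’s account is disabled on her last day, yet a VPN connection for her still succeeds two days later: exactly the finding an auditor is looking for, and the kind of thing that happens when the VPN uses a separate credential store that the identity system did not reach.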
While the list above is primarily for security or prevention of damage to the company, this last type of monitoring is more performance-focused. Companies performing customer service activities collect metrics on customer service representatives and the calls made to them: call times, hold times to speak with an agent, number of callbacks, and customer satisfaction (how many times have customer service representatives asked for a “5” on a customer satisfaction survey, even though they are not supposed to?). These are often collected to improve quality of service, but can also be used to drive customer service agents to desired behaviors (such as servicing as many customers as possible per hour or obtaining a high number of 5s). In rare cases, recordings of customer service calls can be used for legal and law enforcement purposes when a caller threatens or harasses a customer service agent.
Other employee monitoring
Now for the more extensive (extreme?) monitoring. Companies do not really want to know what employees are doing within the scope of their employment. They want to know what employees (and contractors) are doing outside the scope of their employment, particularly if they have privileged access to company resources, which means they can bypass or disable security controls that most users cannot. They also want to know as soon as possible what employees and contractors are doing so they can prevent or limit damage from malicious activity (whether an actual insider attack or malicious software somehow introduced from the outside).
There are two general ways to do this. Active monitoring involves installing what would normally be considered spyware on systems to record user activity, keystrokes, mouse movements, and screenshots. However, active monitoring does not by itself provide any insight into whether there is inappropriate behavior unless someone or something is reviewing the feeds of data from these tools and deciding what the data means, and it will not capture activity performed by malicious software running in the background. The recordings are also highly sensitive in their own right (keystroke and screen capture will pick up passwords and customer data), so the monitoring store itself needs strict access control and retention limits. Passive monitoring involves “behavioral analytics” tools that collect logs from various systems and use Big Data techniques to establish a baseline for each user’s behavior. For example, a particular user may work from 8 a.m. to 5 p.m., connect to two file shares a day, and not spend any time on the Internet. If the user’s behavior changes, it could be due to a change in job responsibilities, malware impersonating the user, or the user doing something suspicious (for example, browsing the Internet for a new job, or sending or trying to send proprietary data out of the company). These systems can generally send alerts to appropriate staff for review of the behavior and determination of next steps. Because legitimate changes (a new project, a reorganization) shift the baseline too, the thresholds need tuning, or the reviewers drown in false positives.
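The 8-to-5, two-file-share, no-Internet user above is a baseline, so here is an added example (my own illustration, not code from the article or from any analytics product) of the passive-monitoring idea in its simplest form: build a per-user baseline from a few days of constructed activity summaries, then score a new day against it. The per-day record shape, the one-hour slack on working hours, the three-standard-deviation rule and the 30-minute floor on Internet use are all assumed tuning choices for the example; a real tool would derive them from far more data and many more signals.

```python
"""Added example (not from the article): a minimal user-behaviour baseline for passive monitoring.

History records are constructed for illustration. One record per user per day:
(user, first logon hour, last logoff hour, file shares touched, minutes of Internet use)
"""
from collections import defaultdict
from statistics import mean, pstdev

HISTORY = [
    ("alice", 8, 17, {r"\\hr\forms", r"\\hr\payroll"}, 0),
    ("alice", 8, 17, {r"\\hr\forms", r"\\hr\payroll"}, 0),
    ("alice", 9, 18, {r"\\hr\forms"}, 0),
    ("alice", 8, 17, {r"\\hr\forms", r"\\hr\payroll"}, 5),
    ("alice", 8, 17, {r"\\hr\payroll"}, 0),
]


def build_baseline(history, hour_slack=1):
    """Per user: a tolerated logon/logoff window (widened by hour_slack, an assumed
    tuning value), every share seen so far, and mean/stdev of daily Internet minutes."""
    by_user = defaultdict(list)
    for rec in history:
        by_user[rec[0]].append(rec)
    baseline = {}
    for user, recs in by_user.items():
        minutes = [r[4] for r in recs]
        baseline[user] = {
            "earliest": min(r[1] for r in recs) - hour_slack,
            "latest": max(r[2] for r in recs) + hour_slack,
            "shares": set().union(*(r[3] for r in recs)),
            "net_mean": mean(minutes),
            "net_sd": pstdev(minutes),
        }
    return baseline


def score_day(baseline, rec, sd_mult=3, floor=30):
    """Return the list of deviations for one new day's record; an empty list means
    the day looks like the baseline. sd_mult and floor are assumed tuning values:
    the floor stops a user whose baseline is ~0 minutes from alerting on 1 minute."""
    user, first, last, shares, minutes = rec
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]  # a brand-new account is itself worth a look
    reasons = []
    if first < b["earliest"] or last > b["latest"]:
        reasons.append("active outside usual hours (%02d-%02d)" % (b["earliest"], b["latest"]))
    new_shares = shares - b["shares"]
    if new_shares:
        reasons.append("new file shares: " + ", ".join(sorted(new_shares)))
    threshold = max(b["net_mean"] + sd_mult * b["net_sd"], floor)
    if minutes > threshold:
        reasons.append("Internet use %d min exceeds threshold %.0f min" % (minutes, threshold))
    return reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for day in [("alice", 8, 17, {r"\\hr\forms"}, 3),
                ("alice", 2, 5, {r"\\hr\forms", r"\\fin\exports"}, 45)]:
        print(day[0], score_day(base, day) or "normal")
```

Note what the score does not tell you: a 2 a.m. session touching a new finance share could be malware using alice’s credentials, alice preparing to leave with data, or alice covering for a colleague on a month-end close. The tool’s job is to surface the deviation; deciding what it means is still a person’s job, as the paragraph above says.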
Another form of passive monitoring is the use of privileged session management tools (available from various companies) that automatically connect authorized users to the systems for which they hold privileged access, without sharing the privileged password with the user, for example by opening Remote Desktop Protocol sessions to Windows servers or secure shell sessions to Linux servers. These tools can then record all user activity during the session, and because the password is held only by the vault and rotated, every use of that privileged account is tied to a named person and a recording. Again, identifying malicious or unauthorized behavior would require additional tools or manual review, but these tools can supplement the active or passive monitoring described above.
There are probably other mechanisms I did not discuss (physical searches of staff entering or exiting facilities, for example), but these are the most common ones I am aware of.
In the United States (and possibly Canada), all of this is perfectly legal to do for employees and contractors who support the company, as a condition of employment, as long as there are suitable notifications that connections are monitored. Legally, in the United States, this is known as “no expectation of privacy.” Employers are not legally required to tell employees and contractors which types of monitoring are done beyond notifying them that connections are monitored. In most cases, employees and contractors are aware of the more overt methods of monitoring (access badges, cameras, logging), but not necessarily the more subtle methods such as behavior analytics or active collection of computer user activity.
If someone asks whether corporations (and governments) implement workplace surveillance, that is not the right question. The right question is to what degree. Businesses have always implemented some degree of workplace surveillance, and modern technology allows businesses to implement surveillance to a degree never before possible — and it will continue to expand as the technology expands — because no company wants to be the victim of an attack or employee behavior it could have prevented or mitigated.
Caveat: This discussion concerning the legality of workplace surveillance is my general understanding of the law. For specific legal advice on the rights of employees or contractors, contact an attorney specializing in labor law licensed to practice in your local jurisdiction. Some technologies that can be used for surveillance (for example, facial recognition, which I did not discuss above) may be prohibited or restricted in certain jurisdictions.
Featured image: Shutterstock