More bosses are using software to monitor remote workers. Not everyone is happy about it
Organizations are finding it tough to keep a tight grip on employees while working from home. As more turn to technology as a solution, what does this mean for privacy in the new remote-working landscape?
Finding effective ways of managing remote workers will be a priority of many businesses in the months to come, as new styles of working spurred by COVID-19 settle into long-term trends.
While many organizations have been able to keep teams running successfully using a hodgepodge of email, messaging apps and video-conferencing software, managers that want more visibility of their remote workers have started looking towards more comprehensive means of keeping a detailed track of what employees are up to. That means a renewed interest in remote management and monitoring software.
Remote monitoring software is often sold as a tool for helping employers track productivity and as a means to help managers identify areas where workplace processes can be improved – something high on the agenda for businesses looking to make flexible working a permanent fixture.
These technologies provide a variety of capabilities that can give employers a remarkable insight into how employees use their time while at work, including the websites they visit, the apps they use, and in some cases include the ability to record their keystrokes and desktop sessions.
According to research from Skillcast and YouGov in December 2020, as many as one in five businesses are now using technology capable of tracking workers' online activity, or have plans to do so in the future. In a separate study by the UK's Trades Union Congress (TUC) in November, one in seven employees reported that their workplace had increased monitoring and surveillance since the start of the pandemic.
While businesses may have legitimate reasons for wanting to introduce activity-tracking software, particularly in those industries that handle high-value data on a day-to-day basis, some have raised concerns over what the slow creep of this technology into the remote-working environment means for employee privacy, particularly as the boundaries that separate work and private life become even more blurred.
"I think there are huge questions around how technology is changing our relationship to work and with employers, but also the speed at which it's being introduced," says Andrew Pakes, direction of communications and research at professional trade union Prospect.
"During COVID-19, we've seen this growing interest in the use of digital technology to support remote working, and in many ways, that's been a real benefit to support and connect people. But alongside the positive use of technology, we've seen this worrying trend of intrusive surveillance, and a rush to use these new forms of software."
Prospect has been vocal in its pursuit for clearer guidance around the use of remote monitoring software, and what more widespread introduction of the technology into businesses means.
Research carried out by YouGov on behalf of Prospect last year suggested that two-thirds of employees were uncomfortable with the notion of employers recording information like screenshots and keystrokes while they were working from home.
Since then, the union has called on the UK Information Commissioner's Office (ICO) to provide further clarity on what worker's rights are when it comes to the data employers collect on them, as well as ensure that workers can have a say in the conversation around workplace technology.
Pakes calls the practice of monitoring employees "a discreet discussion that too often happens in procurement and board rooms", but far away from employees themselves.
"The law is clear that workers have a right to be informed if their data is being collected for surveillance purposes, and we have a right to be consulted. Our worry is that, too often, that consultation involvement isn't happening," says Pakes.
"We're saying two things. One, the ICO needs to provide greater and clearer guidance so that workers can see what their rights are. Secondly, we really need to start picking up and looking at where the gaps exist in existing legislation."
What does GDPR say?
The ICO's Code of Employment Practices warns that businesses risk breaching the General Data Protection Regulation (GDPR) if they begin monitoring employees without proper authority.
It also states that workers should be left with a clear understanding of when information about them is likely to be obtained, why it is being obtained, how it will be used and to whom – if anyone – it will be disclosed.
"If monitoring is to be justified on the basis that it is necessary to enforce the organization's rules and standards, [these] must be known and understood by workers," the guidance reads. And yet, in TUC's November survey, fewer than 1 in 3 (31%) employees said they were consulted when new forms of technology were introduced to the workplace.
There are six lawful bases for processing personal data under GDPR: clear consent from the individual in question; legal obligation; vital interest to the individual; public interest; contractual obligation as well as legitimate interest of the data controller.
Sarah Pearce, privacy and cybersecurity partner at global law firm Paul Hastings, says this is where things can get murky for remote monitoring tools, particularly those that collect anything that could be deemed as sensitive or personal data under GDPR.
"When it pushes into the border of special category and sensitive data, then there is more of an issue, because there are certain additional conditions in Article 9 of GDPR that need to be satisfied," she tells ZDNet.
Pearce also finds that companies are increasingly seeking to justify remote monitoring tools under the grounds of 'legitimate interest', which can be difficult for employers, as can using the consent mechanism. "There is a big issue with using consent in the employment context. Generally speaking, you cannot use the consent mechanism in an employment context, because it's seen as being an unfair balance of power," she adds.
Employees not ready
Certainly not all staff are comfortable with such monitoring. Microsoft faced criticism from privacy advocates who took issue with its Productivity Score feature for Microsoft 365. The tool analysed how users within an organization used Microsoft 365 products and then assigned them an overall "productivity score" based on how often they engaged with things like meetings, email and messaging apps.
The outcry mainly stemmed from the fact that Productivity Score showed analytics for individual employees that could potentially be used by managers to judge their performance. Microsoft subsequently pared back the tool by removing the ability for admins to view data on named employees.
Microsoft 365 corporate vice president, Jared Spataro, later clarified that Productivity Score was not designed as a tool for surveillance, but rather to help businesses identify how users were working within its software suite and help them run remote-working environments more successfully.
Regardless of employee attitudes to these kinds of tools, the fact that Microsoft is making moves in this space is enough to set alarm bells ringing for Pakes, who sees it as a sign that the technology is moving into the mainstream.
"If Microsoft is introducing tools that can be used for work-based surveillance, then lots of other software products will be offering similar forms of monitoring that employers can use," he says.
"It was sold as a really exciting product for employers, that you could check what your workers are doing. That sets alarm bells off to me. What is says is that workers don't have a seat at the table when these issues are being discussed, either by big software companies or inside businesses, and that we need to get a better understanding of what the power of these tools are."
A booming business
Both employers and employees agree that remote working, or at the very least a combination of both at-home and office-based working, is going to form the foundations of the post-COVID work economy. It stands to reason, then, that more organizations will be looking for tools that can make this sustainable in the long-term, by leveraging the kind of insights that can be enabled by analytics and reporting capabilities – particularly if it offers to fix problems that the rushed approach to remote working has created.
"What businesses want to know right now is really two things. One: what are the employees working on when they are working from home? And two: trying to bring back that level of security that they had in an office environment," says Eli Sutton, VP of operations at Teramind.
Teramind's software offers a combination of user productivity monitoring, data loss and threat detection tools for employers who need deeper insight into workplace activity. The company has customers throughout the healthcare, legal, automotive, energy, government and financial industries.
Sutton says the software ensures that workers are using company time properly. Teramind can track which websites employees visit and for how long; live-stream and record workers' desktop sessions, monitor employee keystrokes and read the contents of their email, along with any attachments.
The purpose of the software is two-fold: keeping track of productivity and performance, as well as protecting businesses from any harm they could be exposed to as a result of data leaks, fraud or, in the case of banking and finance, insider trading.
"Typically our customers in the financial sector use the solution on the security side of things: making sure that users who have access to their data don't either accidentally or maliciously leak information that could cause financial harm or harm to their credibility," says Sutton.
"On the productivity side, it's essentially monitoring of websites and applications. From there, you can drill down and see exactly how much time they spend on either these websites or applications, if there are websites or applications that don't necessarily fit within their company tasks, and how much time was spent on those."
Sutton explains that features can be enabled or disabled based on what customers want from the software. He also suggests that, for the most part, organizations aren't using Teramind's to micromanage employees or call them out for spending too much time on YouTube (although this is something the software can flag).
"The only time it really comes to discussion is if somebody's really abusing company policy. For the most part, it's more about making sure the user has all the resources necessary, especially during the work-from-home environment," he says.
"We've found that, for many of our customers, they've discovered that particular users were taking longer to complete certain tasks. Through the solution, they found that it was because they were lacking the essential tools while working at home to complete these tasks."
Whatever your take on the technology is, there is clearly an appetite for it. According to Sutton, Teramind has seen business increase three-fold since the start of the pandemic.
"Even today, with talks of vaccinations and talk of people going back to work, we're still seeing an increase," he says.
The right to disconnect
The fact that a large chunk of the professional workforce is now working from home adds another degree of complexity to the debate around remote monitoring software.
In December, the European Parliament voted in support of granting digital workers in Europe a fundamental 'right to disconnect' from work-related tasks outside of working hours, without facing consequences from their employers.
In January, MEPs called for this to be enshrined into EU law, saying it was crucial for preventing burnout among workers in a culture that pressured them to be always on – an issue that has undoubtedly been exacerbated by the pivot to working from home.
Pakes argues that the rise of remote monitoring tools, particularly as they move into the home, would make it even harder for workers to disengage from work "This creeping boundary of what is our home life and our right to a private life, I think, is going to be one of the great challenges of this decade," he says.
"This is a fundamental change, and that's why we've got to ensure that we're using the rights that we've got, but we also have an embracing conversation about, what does it look like for the future?"
Kiri Addison, head of data science for threat intelligence and overwatch at Mimecast, suggests that more invasive forms of remote monitoring and surveillance software risks eroding trust between employer and employee.
"Personally, I think to go to those extremes is probably more damaging for the relationship between the employer and the company," she tells ZDNet.
"There are cases where, particular employees see it then as a game, they're trying to get around the monitoring software, and you're introducing security risks. It's not a good dynamic, the relationship between the company and the employee, if they see the company as an enemy or someone they have to 'beat'.
Gartner analyst Whit Andrews shares a similar view, adding that workers may view monitoring attempts as a breach of the "social contract" between employer and employee.
"It's unsurprising then that we're beginning to see that workers are not particularly pleased with increased capacity to monitor them," he tells ZDNet.
"They're seriously concerned about this, and their reaction is understandably oriented towards evading the system... When you start talking about monitoring workers in their homes, I think that social contract becomes a little bit harder to defend."
ICO guidance makes clear that, in all but the most straightforward of cases, employers should perform a Data Protection Impact Assessment (DPIA) to decide if and how to carry out monitoring, and whether monitoring is justified to begin with.
A DPIA can help organizations identify and minimize any risks associated with projects that include processing personal data, particularly those that could pose a high risk to individuals, and are something that Pearce always recommends to clients that are thinking about going down the monitoring avenue.
"A DPIA really is an assessment, evaluation, and in-depth analysis of what you are anticipating doing: what are your reasons, what are your anticipations, and then equally, what is the impact on the individuals? That has to be very in-depth," she says.
"The ICO has a template standard form. It's not a requirement that you follow it in that way, but it does set out some suggestions of what you might want to include in a DPIA. Any company looking to do that would be well-advised to have a look at that."
Current guidance 'woefully outdated'
Of course, with many organizations having been forced to move to cloud-based working almost overnight, businesses have been left with little time to draw up new technology blueprints for the months and years ahead.
Reports have suggested that some organizations have had to bring forward their digital transformation plans by as many as five years, and that guidance could be slow to catch up.
Last month, Labour shadow digital minister, Chi Onwurah, warned that "guidance and regulation to protect workers are woefully outdated in light of the accelerated move to remote working and rapid advancements in technology," and called on ministers to provide better regulatory oversight of online surveillance software to ensure people have the right to privacy whether in their workplace or home, "which are increasingly one and the same."
Speaking to ZDNet, Onwurah says that neither the Government nor the ICO have responded to this dramatic change in our working lives, leaving far too many subject to exploitative practices.
"There is a woeful lack of protection for workers as they bring their work home in this pandemic, and they are also increasingly being subject to unacceptable levels of digital surveillance without their informed consent," she warns.
An ICO spokesperson told ZDNet that the organization was in the early stages of developing new employer-focused guidance, though didn't specify whether this would contain provisions for the use of remote monitoring and surveillance software.
"As this work develops, we will be engaging with organizations and seeking their views," the spokesperson said.
Pakes worries that too much of the ICO guidance is focused on employers, rather than workers themselves. "Yes, the ICO has a role to provide advice to employers, but it also has a role to provide it to workers," he says.
"The ICO never says we're going to provide clear guidance for workers so that you can see your rights. They only talk about guidance for employers, and I think we've got to redress that balance."
Technology vs Trust
Clearly, there is a balance to strike in making remote working sustainable for businesses in the long term, while respecting the rights of employees and ensuring that their homes remain safe havens from the demands of work.
Employers will undoubtedly need more visibility over staff who are working on home networks that may be less secure than corporate ones, particularly if they're regularly dealing with valuable data. But what degree of monitoring this requires – or is perhaps necessary – is another question.
You could argue that employers who are doing the work they're meant to have nothing to worry about. But the issue doesn't seem to be in employers having tools to catch workers not doing their jobs, but what it means for trust, transparency and fairness in working environments increasingly governed by analytics.
Employees have already proven that they can be trusted to work from home and still be productive. Is remote monitoring software needed to ensure it stays that way?
"We've long argued that workers should have flexibility. What we want to avoid is a return to presenteeism, where people are told they have to be in the office when they don't," says Pakes.
"We've inverted our economic model over the past year and we've proved that many of us can work safely and securely and productively from home.
"If we're going to be using digital technology to create a kind of national framework for the future of work, we've got to ensure that we are amplifying the benefits and having serious conversations about minimizing the risks. And surveillance is one of them."