Euro Security Watch with Mathew J. Schwartz

Application Security , COVID-19 , Endpoint Security

Productivity Tools May Be Monitoring Workers' Productivity

Regulatory and Employee Litigation Risks Face Businesses That Violate Privacy Rules
Productivity Tools May Be Monitoring Workers' Productivity
Businesses can see "productivity scores" for users of Microsoft 365 and Office 365 products (Source: Microsoft)

Warning to workers: Your productivity tools may also be tracking your workplace productivity - and your bosses may not even know it.

See Also: New OnDemand | Reacting with Split-Second Agility to Prevent Software Supply Chain Breaches

So here's a warning for businesses: If you run tools that include workplace surveillance capabilities - whether activated on purpose or not - and they violate employees' privacy rights, expect to find yourself on the losing side of regulatory sanctions and employee lawsuits.

So-called productivity tools have long referred to any software that helps you get your job done. Venerable examples include Microsoft Word and Excel - now more often procured via cloud-based Office 365 - while more recently the likes of Zoom and Teams have joined the fray.

There's been a surge in interest in such tools, since the COVID-19 pandemic kicked off and many employees began working remotely (see: Employee Surveillance: Who's the Boss((ware))?). Even so, organizations remain responsible for ensuring any use of such tools preserves employees' privacy rights - for example, as the EU's General Data Protection Regulation safeguards.

Never Trust Default Settings

Simply put, organizations cannot and should not rely on the software to have privacy-preserving settings, straight out of the box.

"I think people make assumptions that the software they use is set to the best privacy settings by default," says Jonathan Armstrong, a partner at London-based law firm Cordery. "That's not the case. Many tools have privacy-intrusive settings out of the box, and organizations need to review these settings and make sure that they can justify them. That's even more important when they are asking people to work from home. It's not just O365 but tools like Zoom and Teams too. Some organizations are also routinely recording all team meetings - that is likely to cause issues too."

Armstrong is one of numerous legal experts that have been sounding this alert for more than a year. But some organizations - and privacy experts - only appear to have discovered these types of risks recently.

On Thursday, for example, the Guardian reported that privacy experts have been issuing warnings over newer versions of such features.

Microsoft last month began introducing a "productivity score" feature, available to businesses with a Microsoft 365 or Office 365 subscription, although restricted to access by individuals with admin, or certain types of reporting access, credentials.

How Microsoft calculates productivity scores, an optional feature for businesses that use Microsoft 365 or Office 365 (Source: Microsoft productivity score documentation)

Subsequently, researcher Wolfie Christl on Tuesday tweeted, perhaps breathlessly, that "a new feature to calculate 'productivity scores' turns Microsoft 365 into an full-fledged workplace surveillance tool."

Reached for comment, a Microsoft spokeswoman tells me: "Productivity score is an opt-in experience that gives IT administrators insights about technology and infrastructure usage. Insights are intended to help organizations make the most of their technology investments by addressing common pain points like long boot times, inefficient document collaboration, or poor network connectivity."

"We are committed to privacy as a fundamental element of productivity score," Jared Spataro, corporate vice president for Microsoft 365, wrote in an Oct. 29 blog post, announcing the feature. "Let me be clear: Productivity score is not a work monitoring tool. Productivity score is about discovering new ways of working."

Spataro added that "to help maintain privacy and trust, the user data provided in productivity score is aggregated over a 28-day period," and that organizations also have the ability to "anonymize the user info or even remove it."

'Fresh Hellhole'

Not all technology watchers have been satisfied with Microsoft's assertions.

David Heinemeier Hansson, who co-cofounded and now serves as CTO of productivity toolset Basecamp, which competes with Microsoft, tweeted: "The word dystopian is not nearly strong enough to describe the fresh hellhole Microsoft just opened up. Just as the reputation of a new and better company was being built, they detonate it with the most invasive workplace surveillance scheme yet to hit mainstream."

But applying analytics to how employees spend their time isn't new. For some organizations and managers, of course, workplace surveillance is a feature. But surveillance can cover everything from configuring tools in ways that help ensure compliance with security policies, on one end of the spectrum, to full-fledged bossware that monitors everything users do, captures video of employees sitting or being absent from workstations, and much more.

Good News - for Europeans

At least in Europe, employees have protections against more Orwellian practices. Per GDPR, organizations must demonstrate that any technical measures they have in place comply with the law. Armstrong says the mechanism for doing so is by conducting an impact assessment, via which organizations must demonstrate: "What is the harm we're trying to fix, and is the response proportionate?" Organizations must also be transparent with employees about what they are capturing, and why, except in some very specific exceptions, such as running limited surveillance of employees suspected of breaking the law.

Armstrong says every organization has a responsibility to know how the tools that it deploys are configured. In other words, if a business violates employee's privacy rights, it gets to suffer the consequences.

What H&M's GDPR Fine Says

European regulators have also made it clear that any organization that attempts to use workplace surveillance should tread very carefully. Last month, H&M learned this the hard way, after German privacy regulators slammed it with the second-largest GDPR fine in history, over its improper workplace surveillance practices (see: Clothing Retailer H&M Told to Wear $41 Million GDPR Fine).

The ongoing pandemic has also created, for many, very unusual working conditions, which will likely complicate attempts by businesses to hold workers to some arbitrary norms. "Organizations need to remember that employees will often have other distractions at home and that some people are working very different hours - for example, to cope with the demands of home schooling when children are sent home, or because their bandwidth at home causes issues," Armstrong tells me.

In other words, just because businesses can attempt to track productivity doesn't mean they should, or that they should attempt to use this data to make significant employment decisions. "Organizations need to be especially careful when using productivity data like this for redundancy or disciplinary decisions," Armstrong says. "It will be hard to make those decisions lawful if you have not been through the proper processes beforehand."

In addition, any organization that captures such data - whether it is aware of doing so - must provide that data in response to so-called subject access requests under GDPR, which allow individuals to see all personal information that an organization holds on them.

"We are likely to see more subject access requests for data like this and, I fear, more litigation," Armstrong says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.