Employee monitoring software has become a bit of a sore subject. During the pandemic, investment in this software grew rapidly as businesses endeavoured to keep tabs on their employees. However, monitoring seldom gets a warm welcome from staff, who are often left feeling distrusted.
Creating tension is just one burden to bear. A far more significant monitoring consideration is compliance, namely compliance with GDPR and other data privacy regulations. If a product offers screen recording capabilities, is it still privacy-compliant? Where is the line between monitoring and violating regional regulations?
With monitoring and compliance being such a grey area, we thought it was time to bring in an expert, and who better than the Data Diva herself: Debbie Reynolds.
Thank you for joining us to clear the air! Firstly, we’re intrigued: what’s your take on employee monitoring software?
I’m personally not a fan of attention tracking or employee surveillance software, but I do understand that some employers feel like they need to have more visibility of people. In the office, you’d have that visibility, but now that so many people are working from home or doing things differently, some employers feel like they need to have more control over their teams.
However, I think that if you give an employee a job to do and they don’t deliver, that’s one thing, but to just start monitoring or surveilling them through technology is not a very good idea.
Of course, different software comes with different features, but let’s consider the more ‘invasive’ offerings, which screen-record and take pictures through the camera. Perhaps a better way to phrase the question is: how do these not violate data privacy?
They do (laughs)! They do violate data privacy. Laws differ in different countries, so some of the things that these screen recorders are doing may be against the law in the EU, for example, because of the GDPR and other privacy regulations. However, in the US, a lot of these are not illegal, so that’s a problem. We don’t have laws that are as strong for an individual, especially an employee, so if you’re an employee in the US, you have a lot less rights. The employer can dictate a lot about how you work, and you don’t have the same level of privacy as you would in the EU.
Basically, these companies that are selling these tools provide a lot of options. The employer then buys the tool, and it becomes their responsibility to decide how to deploy it and what options they want to use. So, it really puts the onus on the employer to decide what’s legal and what isn’t. This is a problem because often, these employers might install them either not knowing that the tracking capabilities are illegal, or they might just not be all that concerned about it – especially if they’re doing it in a way that their employee doesn’t know about it. They feel like they can get away with it.
Violating employee privacy is one thing, but what about people they communicate with externally? What are the dangers there?
Depending on the industry that you’re working with, a lot of companies record some conversations, such as in call centres or in highly regulated industries such as financial services. To me, if it’s targeted at those types of conversations, then it’s not as bad. However, let’s say you’re recording everything else this person is doing – I think that falls in line with what’s legal and what isn’t in your region.
If employees are using company equipment or are using the company email, employers can make policies that say “we have the right to do xyz” – but again, in the EU it’s different with the GDPR because employees have more privacy rights than in other countries.
What do you advise businesses that do want to implement employee monitoring tools while ensuring that they maintain compliance?
If a company wants to do any kind of surveillance, they really need to understand all of the options that they have and what they can turn on or off. If someone is working for you, but from home, their home is their private space, and what you can see in the background of your recording might be outside of the purview of their employment contract with you, so that’s a whole other thing. It can cross the line very quickly, beyond what you can record of an employee because they are in their private home. Even though they’re working for you, there may be things going on in the background that you should not be privy to anyway because again, they’re at their house.
I also think it’s going to become a lot harder for employers. Often, the people who are selling these tools just want to sell it; they’re not as concerned with the legality of your operation of it – they just want to sell the tool. Once they sell it, it really puts a big burden on the employer to implement it in a legal way, and a lot of times that means turning off features that would likely be on automatically if they didn’t make any changes.
For example, Zoom has a feature called ‘attention tracking’, and I advise my clients in the EU to turn that feature off. This feature uses your camera to track where your eyes are on the screen, and a lot of companies use that to tell whether you’re paying attention. This feature is a GDPR violation, so I always recommend that my European clients have it turned off. It’s also just not very nice, and I don’t think it’s super helpful information. If the person isn’t delivering as an employee, you’ll know. You don’t have to track their eyeballs on the screen to know that.
Any final thoughts?
I think that this is going to become such a prevalent thing. There is so much more private information in the public space. Even with COVID-19, you’re seeing people announcing that they’re positive or negative, and these are things you would have never thought you’d see in the public domain. The line has changed in terms of what is publicly acceptable.
I was saying to someone a few weeks ago that when people used to ask “how are you?”, it was a rhetorical question. Now, people actually want an answer. They want to know how your health is, and everything else. The line, in terms of being more intrusive to people about their privacy, is changing and employers need to be more vigilant about crossing those lines that go too close to their rights.