In the past, we’ve covered the dos and don’ts of using your work computer for personal business (in short: don’t). But as companies expand their use of remote-work software, there are increasing concerns about what kinds of data bosses can access through such tools. Some of these fears are overblown. But depending on the software your company uses and the type of work you do, some of your activity could be exposed. And privacy concerns aren’t the only worry, as employers are also starting to use the data extracted from these tools to gauge productivity. To what purpose depends on the type of work you do—and whom you do it for.
Employers can see everything you write in email as well as in Slack, Google Workplace, and Microsoft Teams
Let’s get this out of the way: Employers can surveil your conversations in any company-run software. Brian Kropp, chief of research for Gartner’s HR practice, put this bluntly. “Anything that you write on any company messaging platform, your employer has access to,” he said. “Either through IT or HR or someplace, anything you put on those platforms, your employer can look at.” For the most part, Kropp said, it’s impractical for an employer to read all of your messages fishing for gossip or smack talk, though, and not just anyone can go browsing through the data. “Your manager, in the vast majority of situations, does not have access to that communication unless they go through IT or HR, and unless they have a good reason,” he said.
Theoretically an administrator or manager can access messages in an employer-run messaging platform, but the process of doing so depends on the type of plan your employer has, and even then some random manager can’t just search for their name to find out if people are making jokes about them. In fact, we found that the process of getting at those messages was more convoluted than we expected. Here’s how it works for the most common workplace communications suites.
If your company uses a free or standard plan (you can see which plan your employer uses by clicking the drop-down menu under the name of your company), the administrator needs to request a one-time export from Slack. Companies with a Plus plan need approval to access messages, but once Slack authorizes that feature, your company’s management will retain access to the information. If your company has the Enterprise plan, it can more consistently store and search through messages on Slack.
This access includes use of the Discovery API, which makes it easier to search for and archive messages when required by law, as is common in certain industries like finance and in any public office. Companies with Enterprise plans can use more powerful third-party search tools with an easier-to-search interface.
Aside from viewing actual messages, any Slack user can see high-level usage data on the Analytics tab (head to workspace.slack.com/stats).
Google Workspace allows administrators to search through specific content across Drive, Gmail, Groups, Chat, Voice, Classic Hangouts, and Meet with the Vault feature. The Vault isn’t included with every subscription but is available to customers of legacy G Suite Business and G Suite Education, Google Workspace Business Plus, Enterprise Standard, Enterprise for Education, and Enterprise Plus. You need to chat with an administrator to see which plan your employer uses. Search works similarly to the function on your own Gmail account and has many options for automation and compliance. Notably, administrators can also search through drafts, even if an email was never sent.
With eDiscovery, Microsoft offers a search tool, similar to Google Workspace’s Vault, that can search through private channels and messages in Teams as well as email, Skype, and more. Privileges to do so are enabled only for the global administrator by default, though, and in most organizations only a legal or compliance team has access. Keyword searches can be automated, both for Teams and for other 365 products. There is no easy way for employees to see on their own what sorts of capabilities an employer account has; you need to speak with an IT administrator for this information.
The smartest approach is to act as if your communications may be monitored
Although it’s usually difficult for a manager to see your private messages and emails, it’s best to take any conversation you wouldn’t want an employer potentially seeing to another venue. Even if you don’t do anything that might cause an employer to look through your messages, they could be involved in a lawsuit that gathers all messages through discovery, which could lead to their being made public. Emails of Enron employees, for example, were collected for lawsuits after the company’s collapse and were used to build spam filters and other language-aware tools. This probably isn’t anyone’s expectation for shop talk and lunch plans. But even if you or the company does nothing wrong, if you leave your job in the middle of a project, for instance, the manager may need to go through your email or messages to figure out what you were working on.
Avoid using any of the software in any suite for personal projects or storage. For example, though it might be tempting to use your work account’s Word or Google Docs to write up a resume, it’s best to use other software. For one thing, theoretically a company could have a keyword search for “resume” to look for flight-risk employees. More practically, if you leave the company, you would lose access to that file.
Can your employer gauge your productivity using Google Workspace and Microsoft 365?
Screenshot from Prodoscore.
In several of their plans, Google and Microsoft each offer ways for administrators to track usage and metadata from users. Such data includes what time you sign on, how many messages you send, how many calls you join, or what devices you use.
The services can also turn the data into measurements. In Google Workspace, this feature is called Work Insights, and in Microsoft 365 it’s Workplace Analytics (there’s also a personal version that managers can’t see called MyAnalytics). In addition, Microsoft Teams has a user-activity report that offers more detailed usage information for administrators.
These tools display aggregate data about how teams use the apps included in their respective suites—details such as how much time a team spends in specific apps, or collaboration trends based on who has accessed shared documents. Microsoft recently received criticism for allowing managers to drill down to a specific user to look at their usage, but it has since removed the option to do so. Some Google and Microsoft 365 plans also support third-party tools, such as Prodoscore, which “tracks the activities of each employee and calculates a productivity score based on their activity levels.”
“In my opinion, the main risk with Microsoft 365 isn’t the data it’s collecting now, but the kind of workplace culture and expectations it will create,” said Bennett Cyphers, staff technologist at the Electronic Frontier Foundation. “Microsoft Office products are the perfect Trojan horse for this kind of workplace—they are the ultimate mundane office tools, used by everyone and feared by no one.”
“I worry that managers will get used to the data that 365 offers, and start asking for more,” Cyphers said. “On the flip side, workers will get used to the expectation that every action they take is being tracked and logged, and they will find it harder to fight back as the surveillance becomes more individualized and intrusive.”
Know what kinds of data your manager is collecting, and how your workplace might use it
If you feel comfortable doing so, ask your manager or HR department for details about how (or if) they get these reports. For now, most people on small teams don’t need to worry about this topic, but it’s possible for the situation to change in the future.
More-intrusive “bossware” takes things a step further
As COVID-19’s spread has prompted an expansion of work-from-home policies across various industries, the use of more-pervasive monitoring software, also known as “tattleware” or “bossware,” has increased. The New York Times demonstrated how this software works, but the idea is simple: Once the software is installed, an employer has deeper access and even live monitoring tools for everything you do on your computer, including which applications you open, what websites you visit, and how much time you spend doing different activities. Employers can use this data to track your attendance or periodically snap screenshots of your screen. Some software can even monitor the music you listen to, your facial expressions, your tone of voice, or your writing tone throughout the day. If all of this sounds a little familiar—and unsettling—that’s because it’s nearly identical to the behavior of stalkerware.
Gartner’s Brian Kropp noted that before the pandemic around 10% of companies the firm had surveyed said they used this type of software. “But since the start of the pandemic,” Kropp said, “about 30% of companies have purchased something like that to track employees as they work remote.” Kropp added that even in this situation, the software doesn’t give a manager access to, say, one picture that a person took at a certain point in the day. But it does often provide an aggregate analysis of an employee. For example, the bossware might say, “Thorin is not in front of his camera as often as he usually is. He’s spending 35% of his time on Twitter and 20% of his time in Google Docs.”
Many people do not consider that their every action may be recorded and possibly scrutinized months or even years in the future. As the EFF’s Bennett Cyphers noted, on a mundane level, the surveillance potential—especially for software that records your screen throughout the day—is unnerving. “I would feel uncomfortable if someone was looking over my shoulder as I compose every email that I wrote,” he said. Imagine if your boss had access to your boring daily processes, where you may delete and rewrite an email, say, or correct a minor mistake before anyone else notices.
Kropp suggested that though some employers are collecting a lot of data, turning that into useful knowledge is still difficult: “Does that improve performance? Does that improve engagement? We’re not yet there with a lot of these technologies.” A data dashboard might reveal the tasks someone is doing, but it can’t suss out why the employee was doing those things at that time, such as taking a mental break or doing research for a project. The process is not all that different from how companies collect customer behavior and buying patterns for years to track them and sell them more stuff; in a way, monitoring software is an attempt to flip that same tech inward to track employees with the goal of improving performance.
There’s also evidence that bossware doesn’t work that well. It stifles the creativity and camaraderie of an office, which is already particularly hard to maintain through a remote-work arrangement. Without the freedom to make mistakes and take time to think about things, it’s harder for people to get work done. “It really exacerbates power imbalances in the workplace,” Cyphers said. “If you’re not on 100% good trusting terms with everyone above you, then this is going to make you feel really uncomfortable.”
If your company requires this type of software, you’re stuck with it
Although such software may feel intrusive, it is legal, and in some cases, your employer doesn’t need to tell you it’s running on an employer-issued computer. The EFF has a chart detailing which software has which features, if you’re interested. If this type of software is installed on your computer, avoid using that computer for anything personal, no matter how mundane that thing may seem. If an employer asks to install monitoring software on your personal device, ask for a work-provided device, if you can.
VPNs and remote-desktop software have the same web-browsing monitoring as at a physical office
If you access your work computer through remote-desktop software such as Citrix, Splashtop, or TeamViewer, everything you do within the window of that application happens on the computer in your office. This means the IT department or company managers also have the same sort of computer access they have at a physical office. For most people, that means monitoring your internet browsing activity, but typically it also means they can see any files you’ve stored or documents you’re working on.
If you’re required to connect to a VPN, you’re funneling your entire internet connection through your work computer, but not anything else you do. In most cases, this means an employer can see high-level data about what websites you visit.
For remote desktops especially, treat them the same as you would if you were sitting at a desk in an office
If you’re required to use a VPN to connect to your office network, use the internet just as you would at your office computer. In both cases, avoid web browsing you wouldn’t want your employer to be privy to.
Didn’t I hear something about Zoom spying on me?
In early 2020, Zoom got some flack for features such as “attendee attention tracking” and the fact that some private messages were showing up in recordings. Both of those issues are fixed.
An administrator can still see some details of your Zoom usage, such as any recordings you’ve saved to the cloud, meeting names, and meeting participants. That can include people outside the company for any call you host on your work Zoom account, but not calls you join; for example, the Wirecutter administrator knows that I hosted a call in March and who was in that call. Admins for Google Meet and Microsoft’s Skype can get similar information.
Create a free personal account or use a different service altogether for personal calls. If you want to record a Zoom meeting, save it locally, to your computer.
The larger risks to privacy
The data generated from what a worker does throughout the day, whether it’s anonymized or not, represents a privacy concern, and it’s easy to imagine scenarios in which an employer might use that data impractically or unethically. Since bossware can take periodic screenshots or record video—sometimes without an employee knowing—the software may incidentally pick up all sorts of sensitive information, such as medical or banking information. Tools like CleverControl, InterGuard, and Teramind can collect everything from geolocation data to social media posts to instant messages. If the software uses machine learning to generate productivity reports, there are worries that any algorithmic recommendations stemming from it may reinforce social, gender, or racial inequalities because of biased training data. And smaller employers reliant on professional judgement may lack a wall between a middle manager with ill intent and the administrator with the keys to the communication tools.
There are certainly some jobs that require monitoring for security, compliance, financial, or intellectual-property purposes. Even then, employers can acquire bespoke tools, at a better price, that are easier to target at the information they need. One example Cyphers suggested: “If you’re trying to monitor how people access sensitive health information, then you can build a tool that only does that. And that will only alert the boss if there’s a suspected violation. It doesn’t have to monitor everything that someone does on their device and become a productivity monitoring tool in addition.”
Ideally, an employer will always make clear what data it has access to, how long the retention period is, and under what circumstances the employer would ever go through the trouble of looking at any data it collects. If you don’t have that information as an employee, it’s worthwhile to ask your employer for more details about its practices.