Ian's (not so) technical blog

Employee Surveillance Fosters Mistrust

Posted on Aug 27, 2024

A new study titled “Employees as Risks” - released today by the Vienna-based non-profit crackedlabs - explores software from Microsoft and formerly from Forcepoint – specifically SIEM (security information and event management) and UEBA (user and entity behavior analytics) applications. This study, part of an ongoing series of reports on the Surveillance and Digital Control at Work, examine the way in which expansive information gathering in the workplace turns employees into suspects. As the report points out, employee surveillance fosters mistrust, may be disproportionate, and comes with potential problems like false positives and inaccuracies.

As a security engineer, it’s my primary responsibility to keep my customer’s data, my employee’s data, and my employer’s data and systems safe. Almost 99.9% of the time, this can be done without intrusive monitoring of employee endpoint devices. When you add on the added weight of regulatory requirements and overzealous organizational policies, the line to keep all of these items seperate become very blurred.

I think this boils down to three things:

  1. What is the amount of regulatory risk that the organization is willing to take on? Someone in the Defense sector has a completely different risk profile than an e-sports software company.
  2. What is the amount of misuse that you’re willing to tolerate? Just about every organization that I’ve worked for in the last 25 years or so have had some rules in place to ensure that employees aren’t misusing company resources, but, enforcement of those rules only really happens in extreme cases.
  3. What could possibly happen when something shitty happens? If you’re in a prison setting, and someone discovers a way to unlock their cell doors, that’s a completely different risk profile than a threat actor getting a dump of every resume in a particular region.

At my last organization, we had two modes of DLP monitoring – normal user monitoring, that reported on things like USB disk insertions, alerted us when files were copied or touched outside of their normal lifecycle, and when screenshots of specific applications where taken, and high-risk monitoring, that added much more triggers and looked at clipboard activity as well as the specific websites that the browsers were being driven to.

About two weeks before any reduction in force, we’d move the entire company to ‘high risk’ monitoring, just making sure that nobody did anything stupid in the days leading up to the RIF’s. Many times, we’d have to go back to someone who was laid off and ask them to sign something saying that they were only copying personal photos off of their laptop (more common than you’d think in 2025), or, be asked by someone’s boss to retrieve files from the backup system that were wiped after we locked/wiped their device. Most of the time, our DLP monitoring created false positives by the same backup solution it was bundled with, or, when the developer switched tools. My biggest fear as an employee is that a DLP or monitoring tool alerts to indicate that I’m doing something nefarious when I’m not…and the output of the DLP or sensor is used to convict me without even so much as an opportunity to clarify what is being done to cause these alerts.

Case in point: I use tools like amphetamine to keep my screen at a constant brightness when I’m reading items on my MBP. My coworkers messaged me asking why I had the tool on my system…and then provided a different way to keep my machine at a constant brightness, even when on battery power, without the use of the tool. If I were an hourly worker at a call center, would I have been given the same opportunity to clarify why I’m using these tools? Probably not…

I really think that employee surveillance technology belongs in the same category as child spying tools. There’s a time and a place for these technologies, but, they shouldn’t be installed everywhere without clear guidance on what’s being used and why. If I give a 12 year old access to the internet, I want them to know that I have these tools in place…not because I don’t trust them, but, because I don’t trust the other people on the internet not to be creeps. If my child wanders into a strange spot, I want to know about it…so I can have a discussion with them about what is appropriate and what isn’t appropriate behavior.

With employees, this also comes with the risk of their physical privacy (location, webcam access, microphone access), but as well as the risk of trampling on their rights as employees – would your company use a tool that would predict the risk of workers in a specific location unionizing?

There are some laws in place that protect these types of things – California, Connecticut, Delaware, New York, Illinois, Massachusetts, and (surprisingly enough,) Texas have laws in place that protect against this type of monitoring, and at the federal level, the ECPA and NLRA provide some safeguards, but, no real federal protections. If you’re an employee, it’s critical to note that you have no right to privacy on the equipment that your employer owns…even if it’s in your home. If you’re an employer, you should have a good understanding of what your obligations are at a federal as well as at an accrediation level and implement the least amount of policies to ensure that your risk tolerance is accepted.