Is Your Workplace Spying On You?
Internal documents from Amazon estimate that about 10 percent of its staff are fired annually for lack of productivity. That productivity is not calculated by a boss, but a machine―an automated system that tracks bathroom breaks, time off task, the amount of time it takes to scan and move packages, and more. Amazon has also patented and tested out wearable technology for its employees to monitor them further.
Critics see this monitoring as overreach, advocates see it as capitalism in practice. Whichever your perspective, this aggressive monitoring and tracking system has helped Amazon manage it’s 125,000 full-time employees, making it the most valuable public company in the world.
The technology that boosted Amazon’s valuation has rapidly improved in recent years. When it was formed in 1994 that kind of technology was just an idea, not a reality. This new reality has potential implications for employees and creates a wide variety of ethical and privacy dilemmas.
Your company can track you
Victor Villa is a privacy advocate and the president at Utah Open Source. He also works in the tech field and has seen both sides of the issue. Years ago, Mr. Villa worked as a systems administrator at a Utah company. Believing in privacy, he wanted to know as few passwords as possible, and if he did know employee passwords, he asked staff to change them immediately. “I am a privacy advocate and a systems administrator at the same time,” he said at the time.
Eventually, those dual roles put him in a position that was―in his words―“tenuous at best.” The company he was working for saw their productivity decrease, and Mr. Villa was tasked with figuring out what was causing the drop. When Mr. Villa investigated, he was able to hone in on one person who was moving a lot of data back and forth. After looking closer, he could see that this person was watching movies on YouTube. He recorded several days of traffic, took an aggregate of the data, then presented it to the CEO. Soon after, the employee was fired.
This produced mixed emotions for Mr. Villa because, as he says, “I can see both sides of it.” It’s difficult to say when a company crosses the line into overreach. And overreach can be defined differently. To one person, a company tracking productivity is part of doing business. To another, it’s an unethical invasion of privacy.
When asked what the line was for employer overreach Mr. Villa replied, “I guess it depends on the company and what the company is doing. The threats manifest differently.” For example: “Fintech is a very sensitive, very delicate area of business to work with,” he says. “If I’m working on a code that is helping a bank provide software for their client… and if that code leaks out into the public, then hackers can review that code for exploits. So, a fintech company will want to do background checks on me for bribery and coercion, they’ll want to lock down my ability to write software. There are all kinds of requirements there, it’s not because they’re nosy but because the security of the company is at high, high risk.”
This is a far different scenario from that of the Amazon warehouse worker, or that of the employee who got fired for watching videos. Ethical dilemmas around privacy are subjective and the definition of overreach can be fuzzy.
And it’s legal
There are federal laws that provide clearer definitions, though laws do not typically keep up with the advanced pace of technology. In the US, private employers do have the legal right to monitor the email, computers, and phones of their employees. But they can’t listen in on calls placed to and from their locations. The Electronics Communications Privacy Act (ECPA) prohibits employers from monitoring personal phone calls on worksites.
Employers of private companies also have the right to watch their employees by camera―however, they are required to notify staff that cameras are on site. These videos cannot have audio and must have a legitimate business need. The National Labor Relations Act (NLRB) has further prohibitions on video surveillance with union activities.
Lewis Maltby, president at the National Work Rights Institute follows employee privacy closely. He says that most of the laws around employee privacy are common law, left up to judges. “There’s judge-made privacy law that comes down to, ‘does the monitoring shock the judge?’ There’s almost no law in this area.”
What differentiates what employers can record comes down to what type of communication it is. “The keywords are personal and oral,” says Mr. Maltby. “If you’re talking to your husband on the phone or your coworkers in the cafeteria or whoever in the breakroom, employers can’t deliberately record that.”
There are some legal grey areas that laws haven’t kept pace. What about facial recognition? Wearable technologies? GPS monitoring on devices? What about employee-owned devices? How is remote work affected?
Those are difficult questions to answer. Mr. Maltby shared a story of a recent call he received. An employee contacted him about his boss who wanted to put a GPS on his car. The boss said that the GPS had to be installed or the employee would be fired. “I think the judge would finally rule against the employer in that case, but we don’t know for sure,” Mr. Maltby says. Like other privacy laws, much of the enforcement would come down to an individual judge.
What can be tracked?
“Everything can be tracked,” Mr. Villa says. “If it’s a company asset, everything can be tracked.” Those assets can be phones, laptops, tablets, and the WiFi network.
An employee’s personal phone cannot legally be tracked unless it’s using the company WiFi. If an employee brings their laptop to work and uses the company WiFi legally, the employer can look at the traffic. But they cannot take the employee’s personal laptop without permission. However, if an employee refuses to turn over their device, there could be repercussions.
Internet traffic is tracked through the company router. “Routers offer features that allow for scanning so nothing malicious comes through,” says Mr. Villa. Companies use routers to provide security from both internal and external attacks. Routers work with models to join networks and allow multiple devices to use just one single network. They can establish the SSL connections with the email agency; look at the email attachments; and flag, pause, or block the email.
When a model and router are combined, it’s called a gateway router. Companies use these gateway providers to simplify their internet and provide for additional security. In a fintech company where the data needs to be additionally secure, the router can help detect internal malfeasance.
“What a company can do, even if it’s on an encrypted email server, is intercept that email,” says Mr. Villa. This can detect an email going out that might say something like “Client List” and determine if it’s within company policy. Those emails can be flagged and sent to human resources for review.
Information like work activities, time logs, search history, communication, and more are referred to as human analytics. This type of data has become simpler and cheaper to collect.
This data collected through a router or wearable tech should be aggregated with no individual information. However, it’s hard to know for sure. Even aggregate data can be pinpointed to an individual, as in the case of the YouTube watching colleague of Mr. Villa’s.
And companies can use routers to track more than just email. They can browse activities like chatting or web traffic. A particularly troubling tracking is of social networks. “This is one of the scariest ones,” says Mr. Maltby. “People are usually pretty careful about what they do or say at work. People are used to being extremely open when they’re on their Facebook page… that’s what Facebook is for, it’s supposed to be about your personal life. Unfortunately, employers aren’t always fair about what they see on there. People get fired. It happens every day.”
How to protect your privacy
Legal protections are slim, and more and more information is being collected. What’s an employee to do? It’s difficult to completely stay private but some simple activities can protect your data.
Stay off the company WiFi. Understand that any activities you do, even if it’s on your personal device, can be monitored by your employer. To completely avoid this potential problem, you must use a personal device that’s connected to a personal hotspot.
Understand your company’s monitoring practices.“Lots of employers will monitor email or internet access,” says Mr. Maltby. “Probably not as many would lie about it. Ask. See what they tell you.” Know where any potential video cameras are, policies on company devices in remote locations, and what type of information may potentially be monitored.
Protect yourself with company-issued laptops. Mr. Villa says that when he was a systems administrator, he could turn on the webcam of any company-issued laptop. That webcam may catch you at your desk working, or in your bedroom. Put a piece of tape over any webcam on company-issued devices that could view you. Also, remember that even if you are on your home WiFi network, as long as you’re using a company laptop, you can still be monitored.
Watch what you post on social media. Avoid controversial subjects on your public profiles. Also, be careful of which friend requests you accept, as they can see what you post. Keep your colleagues and bosses off your contact and friend lists.
Advice for employers
If you are an employer, employee privacy relates to you as well. While you may be able to track productivity and work activities, there are trade-offs. Mr. Maltby has this advice for employers: “One thing that I wish employers would recognize is that there are costs to monitoring that are not always visible. People know how they’re being treated, and they have a general sense that their privacy is being protected or it isn’t. People work a whole lot harder when they feel like they’re being treated well and respected… respecting employee’s privacy is one thing that factors into employee morale.”
You can see this directly at Amazon, as their changes to surveillance have caused severe unhappiness for employees. In April, Amazon employees in Germany and Spain went on strike. There were multiple strikes on Black Friday in 2018, and Amazon is currently dealing with lawsuits related to its workplace practices.
Employers should consider why they need this employee data. With technology making collection cheaper than ever before, employers should consider the message they are sending with monitoring. Why do you need to know when your employees are off duty? Why do you need to look at someone on social media? What do you expect to learn that’s beneficial to the company?
“Some things employers monitor because it ‘couldn’t hurt to know,’ says Mr. Maltby. “‘Couldn’t hurt to know’ is not the right standard.”