It almost goes without saying in 2018 that you don't have any privacy at work, especially on your company computer. In order to keep you off Twitter or even record your every keystroke, many IT departments install monitoring software to keep tabs on workplace activity.
Depending on what they’re looking for and which monitoring software they use, IT techs could be capturing a lot of information about your activities. So, how much could your IT department potentially know about you?
Are Companies Really Looking?
In order to look at the possibility of workplace device monitoring, let’s first look at the reality. Though large enterprises may have a vested interest in keeping tabs on their many worker bees, most workplaces are not large companies.
Jon Apter, a Technical Operations Manager at IT provider Ntiva, says that the small-to-medium businesses he works with don’t really use device monitoring much. He says that, “while a lot of companies have some form of device monitoring implemented either via email logging or mobile device management etc., a lot of them don’t really use it. So, when it comes to, say, ‘Is my employee working? How can I check on what work they’ve done?’, that’s really infrequent.” Apter went on to say that monitoring is usually carried out in companies that have compliance requirements to meet, such as medical organizations and law firms.
If monitoring is utilized within a typical business, it is usually for the purpose of counteracting information leaks. Alerts can be set up to find keywords in outgoing email, or to notify IT when certain files have been opened; companies that worry about corporate espionage are interested in this type of monitoring.
But let’s say that you are working at one of those large companies that worries about its employees leaking information or wasting company time (i.e., one that does use any of the many monitoring products available). To what extent can your company’s IT department learn your personal information?
Common Items to Track
The intent of computer monitoring software falls into roughly three categories: activity monitoring, content restriction and time management. To manage what you do on your company device, IT can use activity monitoring software to both actively see what’s happening on your screen and take periodic screenshots for review. Through this type of observation, techs can create a log of your entire workday and reference your saved screens in case of a mistake or management issue. They could know that you’re reading this article at this very second.
Employers can also observe which sites you visit and restrict the content you can access. IT can then learn your personal preferences through search engine queries and favorite websites, while also keeping a record of how many times you attempted to use a blocked website or browsed off task. A few common software offerings also track idling time to keep a record of how long your work appears to have paused (so, yes, they know how long your lunch really was).
Email correspondence is arguably the most valuable thing to be monitored. Both outgoing and incoming email are subject to prying eyes. The reasons are to make sure confidential information is not leaked and, really, just to see what you’re talking about at work. Also, according to the American Bar Association, “proponents of monitoring argue that employers must take a proactive approach to ensure the work environment is free from hostile and harassing activity.” Especially at this point in history, IT and legal are both interested in internal email sleaze.
Something that may be surprising is that your personal email can be observed as well. Although its use is rare, with keylogging software your IT department can see what you’re writing to both professional and personal contacts. Through this method, IT techs can glean information about your personal life that you’d rather keep private--if you access it from a company device. More worryingly though, active keylogging means that your employer could also know your passwords. But if they're smart, they will think twice about doing anything with your password information.
Legality and Ethics
Thinking about your employer watching every move you make on company computers can be anxiety-producing. However, most employer spying is perfectly legal. The line confining your IT department to legality lies in what your company does with your information.
The aforementioned keylogging practices have sparked lawsuits by employees whose information was monitored, logged and used by an employer to commit a crime. For example, in a 2011 case an employee filed against her employer, the company installed a keylogging program on an on-site company computer that she used for professional and personal needs. The software “periodically emailed the information to company managers, who used the information to determine the plaintiff’s password to her personal email account and personal checking account and to access them.”
Through these keyloggers, your company’s IT could easily log such sensitive passwords. Keep in mind that Ntiva's Apter says that “in supporting IT in six years, I’ve only had two requests to install a keylogger on an employee's workstation.” So it happens, but rarely. The potential for your banking, email, etc. to be wrongly accessed firmly lies in the ethics of your company.
Your personal email information is not necessarily personal on a work computer, but there are some legal protections to keep at least some of your correspondence private. The Stored Communications Act (SCA) allows employers to monitor internal email services because they are the “provider” of that service. This protection does not hold up when it comes to web-based email (most likely a personal email), so you can hold your employer accountable if they take issue with something you wrote on your Gmail. There are a few other state-level protections for employees as well.
While monitoring is completely legal as long as you keep it kosher, how does an IT department that uses monitoring software reconcile legality with ethics and trust within an organization? Should they tell employees that their work computers are monitored and risk a level of distrust and feelings of malcontent? Or should they use a discreet install feature available through some monitoring software, so workers never know they’re being watched? Employees are likely accepting of a certain level of observation, and every program has its own intention and degree of intrusion.
How Companies Monitor Corporate Computers
These approaches to corporate device monitoring by IT and higher-ups may have you wondering: which software does my employer use to monitor me? The answer depends on what your employer is worried about. Different monitoring products are marketed for accessing various types of information a company would want.
Here are five products your employer could be using, based on a list of recommendations for popular monitoring software by Business.com.
- Activity Monitor by SoftActivity: This product is directly marketed towards employer anxiety and a desire to “take back control!” It is installed quietly and only functions in discreet mode, with no notification to the employee. This program allows employers to compile reports to use as a sort of ‘gotcha’ file to scare workers into compliance. If your employer is using this, you won’t know it until they show you the info they’ve sourced--and I wouldn’t want to be in that meeting.
- ContentWatch: This one is standard Internet blocker fare. Email monitoring, website restriction, site logs. If your employer uses this, they want to know where you’re surfing and whether or not you’re being productive.
- Veriato: This program is geared towards companies that are worried about keeping proprietary info in-house. It monitors file transfers, document tracking and logins and can generate alerts if sensitive information is accessed or discussed in email. Your employer may use this product if they really care about keeping trade secrets.
- Sentry PC: An all-around workhorse, this product hits all three monitoring categories (activity monitoring, content restriction and time management). Your employer can customize Sentry PC to monitor some or all criteria, and one of these includes keylogging. This is also a stealth program, so you may not know if your employer is using it on your computer.
- Teramind: This software is different because it uses machine learning to establish an office baseline and then detect anomalies. Your employer can also create computer “rules” and set up alerts for when you break them. If your company likes to be hands-off and is less of a micromanager, then they may be using this offering.
So, depending on your workplace and culture, you may know that your employer is monitoring your work computer (if they are at all) or you may not. The program they choose somewhat reflects their attitude toward your information and how they could potentially use it.
Depending on which monitoring program your employer uses, the IT department could learn a good deal about you through your work computer, including your personal interests, password information, break time and email contents. Consider the types of information you access on your company computer and whether you are comfortable with your employer knowing about it. Your company may not care and may not be watching you at all, but we wouldn't bank on that.
EDIT: TL;DR - Don't do anything that would make your manager need to spy on you.
(Even if I weren't, I would still not use any of my personal accounts, worktime is for work)
Can IT remotely turn on your webcams to do a little secret spying? Don't use your cell phone while in the bathroom.
It would be good to know what rights workers have here that companies are not allowed to violate.
And in that time, I've never been requested to spy on any employee ever. If an IT guy is asked to do that, there is something fishy going on, maybe something illegal (that the employee is doing).
BUT--as anyone with admin power knows, they can record, find, and do anything they want. I can see any web site they visit, completely monitor every single email, see every printed document--basically anything. And if for whatever reason I, or any IT staff, wanted to, we could monitor keystrokes or take screen shots or install monitoring software.
This includes any data or activities on company provided cell phones.
There's nothing that an employee does at work that can't be found out by the IT guy. That's just the reality of it.
But here's the thing--it all sounds like we have a lot of power---and true, we do. But the truth is--we don't care!
I have much, much better things to do than to monitor what websites people go to, or look at print queues, or spy on what people do on their lunch break. If the IT guys working for me had some creepy inclinations to spy on co-workers, I would replace them.
The bottom line is this: just because we can do it, it doesn't mean we're remotely interested in doing it, or that it is time well spent. It's just a waste of time, in virtually all cases.
The only FUNCTIONAL use I have found by having admin power to see what people are up to--is to see who is printing out 20,000 color pages/month for personal reasons, or on occasion, who is attempting to put pirated software on their PCs, or consuming copious amounts of bandwidth.
Apart from that, if your employees are doing such nefarious things that require professional spying to divine the nature of such deeds---then it's probably time for a new employee.
Anecdotally--there was this one time that we had suspicions that our after hours contracted security staff was eating lots of food from our company kitchen, so I set up a laptop in the kitchen, disguised as a cardboard box, and installed some motion sensing software--and sure enough! There was this big ass security guy who would come in each night and completely gorge himself on the food in the kitchen. He'd then pack up some beers and sodas and head home :D
Anywho! On topic: anyone who has been in the trenches in IT would probably say the same: we've got better ways to spend our time.
Normally we do firewall logging to a log server. Then review logs from time to time to make sure users aren't trying to bypass our filters etc...
However, I do have a few clients that wanted more than just that. So there are a few I have installed switch port mirroring tied to Colasoft or other software that can monitor almost everything about any system.
There I have also installed Veriato products at some of these sites instead. It screencaptures months' worth of data, can also see browsing history, emails etc...
So in theory, they can know A LOT.