Workplace surveillance, from Russia with love

(Part 3 of a series on post-covid remote working. Part 2 here)

Ok, so you’ve decided to install some workplace surveillance software, despite all the good reasons why you shouldn’t. Do you know exactly what you’re letting yourself in for?


A basic question: Who, exactly, are these companies?

Let’s take a look at one: StaffCop — the dude with the shades. It’s owned by Atom (sometimes Atomic) Security Inc (sometimes LLC), which despite its name is actually based in the Russian city of Novosibirsk, in southwest Siberia. (Here’s StaffCop’s Russian website.)

And what do they do?

A datasheet for its enterprise product promises “employee monitoring the way you couldn’t imagine!” which probably sounds better in Russian. StaffCop is refreshingly candid about what it offers — all the usual stuff, as well as a ‘wayback machine’ to rewind and see what an employee was doing at any specified period in the past.

It can even activate computer microphones to “actually hear what’s going on around specific workstations and specific times.” (It’s not clear to me whether this is part of the ‘wayback machine’s’ capabilities.) The datasheet also mentions being able to activate the computer’s webcam. The latest version of its software, released on June 22, includes the following:

  • can record any audio in any application
  • can recognise faces on web-cam snapshots (presumably those photos discreetly taken by the employees’ webcam)

In short, StaffCop is basically a way to hack into your employees’ computers. And that, of course, raises not only ethical questions, but also practical ones. If a company is using StaffCop, say, what vulnerabilities might they have opened up? There are two possibilities — does the hacking software itself incorporate inadvertent vulnerabilities, or render existing software vulnerable? And secondly, where is all this data the company is collecting on its employees going, besides the boss’ console?

Well, to answer the first question, StaffCop has previous. In 2015, it was found to be using Redirector, a piece of software that intercepts traffic on a target computer, developed by a now defunct company called Komodia. The software was built with the goal of snooping in mind, along with manipulating data (including decrypting it), injecting ads etc. Vulnerabilities in the software were discovered in 2015 which would have allowed third parties to conduct man-in-the-middle attacks, which are exactly what they sound like — someone grabbing data on its journey between two computers.

So what about the company name? Any time I see a company having slightly different versions of its name, I get nosy. StaffCop, it transpires, has its roots deep in the world of spam.

Atom Security Inc. was set up in 2001 and says that it is (was) a Microsoft Certified Partner. The CEO of the company is cited as one Dmitry Kandybovich, who appears to hold 61% of the Russian entity LLC Atom Bezopasnost and who, on his rather threadbare LinkedIn profile, is also listed as chief of sales for one AtomPark Software.

AtomPark Software has a somewhat different pedigree, focused mainly on mass mail software. Indeed that’s its domain name. AtomPark has long been in the cross hairs of the anti-spam brigade: The SpamHaus Project has a whole page dedicated to them, and in particular one Evgeny Medvednikov, who it says is (or was) owner of the domains staffcop.com, among others.

Medvednikov seems to have moved on, and is now based in New York, according to his LinkedIn profile where he lists his achievements simply: “Run and scale Internet projects. Again and again. Can not disclose them all.” (AtomPark is mentioned in a recommendation he gives one of his former employees.) He has invested in several U.S. companies, mostly email marketing companies. He founded SendPulse, a company which combines multi-channel marketing with chatbots, automating much of the process. It claims amongst its clients PwC, Radisson and Swatch.

And that pretty much squares the circle. I’m definitely not saying that just because StaffCop is based in Russia that it’s not qualified or trustworthy. I’m not saying that its roots in spam and use of dubious third-party software disqualify it. Nor am I saying that all other companies doing this kind of thing have similar backgrounds.

But it should be obvious by now, after reading these three posts, that the nature of these tools — the intent, and the technical knowhow to implement that intent — inevitably leads them into an ethically compromised world, which is where spam and hacking have long made their home. By definition and design they are snooping on a user, using subterfuge and overriding, or bypassing, existing security features of the computer system. That compromises the work computer, and it also compromises the individual.

It also, inevitably, compromises the user’s trust — in this case, in their own boss.

If as a boss you can’t trust your employee, and you go down this road, then don’t expect your employee to trust you.

Employee snooping is big business. Expect it to get bigger

I wrote previously about how snooping on employees is going to become the norm as managers scramble to deal with a workforce that is reluctant — or unable — to return to the workplace. Enabling this will be a host of tools available for companies to do this. It’ll be impossible for a lot of bosses to resist.

There’s already a whole market — worth $4 billion by 2023 according to this report — of employee surveillance tools. Some of them sound cute (Hubstaff, Time Doctor), some less so (VeriClock, ActivTrak, StaffCop and Work Examiner).


The second question asked of you before you can access Time Doctor’s home page. 

They all feed off the fear of the Manager By-Line-of-Sight, like Workpuls:

Remote work has certainly made employees more independent from their superiors, if nothing else, then because they simply aren’t in the same physical location. That means you are never quite sure if the staff is watching funny videos or actually working.

While no one expects people to work for eight hours straight, it’s important to ensure that they are working on tasks that actually have high priority, and not just answer a few emails and go out for ice-cream and rollerblading for the rest of the day.

This perception is fed by a longstanding piece of ‘data’ which claims that workers actually only work 2 hours and 53 minutes in any work day. This study is regularly cited, though its source rarely, as proof positive we’re all lazy gits when it comes to home working. I’ve written a separate piece debunking this little gem.

So what do these tools do? Well, most monitor what software you’re using and what websites you’re logged into, for a start. The idea is to virtually handcuff you to work. For example, Time Doctor will

  • ask the user if they’re still working when they visit a social media site. “Whenever an employee accesses unproductive sites like these, the app automatically sends them a pop-up asking them if they’re still working. This little nudge is usually enough to get them off the social media site and back to work.”
  • Managers will have access to a ‘Poor Time Use’ report that details what sites an employee accessed and how long they spent there. Time Doctor can also take screenshots of employees’ screens at random intervals to ensure that they’re on productive sites.
  • Some, like Keeper, will monitor employees’ browsing history, ostensibly to check they’re not venturing onto the dark web.

Workpuls, meanwhile, boasts

Our all-seeing agent captures all employee actions. From app and website usage, to words typed in a program, right down to detecting which tasks are being worked on based on mouse clicks.

The more sinister aspect to this is that managers not only don’t trust their employees to work remotely, but they don’t trust them not to steal stuff. And we’re not talking paperclips. This is called Data Loss Prevention, or DLP, and is itself big business. One estimate has the market worth $1.21 billion in 2019, rising to $3.75 billion by 2025.

These tools include (this according to a deck from Teramind)

  • machine learning which scans an employee’s workflow, ‘fingerprinting’ documents and then tracking any changes and movement
  • ‘on the fly’ content discovery
  • clipboard monitoring — everything you copy and paste will be collected
  • advanced optical character recognition: think studying images and videos watched and uploaded by employees to check for steganographic data exfiltration (steganography is when data is hidden in a supposedly harmless message, often a picture.)

It’s not so much the eye-popping technology involved, as the realisation that everything that an employee does on a work computer (or a work-related computer) can be, and probably is, being monitored.

To be fair, companies like Teramind are focusing less on employee productivity and more on catching the bad apples. But these tools still sound to me overly intrusive. And in my next post I’ll show why.

Working from home will get ugly, but don’t blame the workers

Working from home has been a relative success story of these Covid-19 times, but from here on in it’s going to get ugly.

Working from home isn’t for everyone, but that’s often because people haven’t tried it. Covid-19 has given a proverbial leg-up to those still wary of the fence. There are technology hurdles to overcome, as well as social ones. People who worked in offices and relied on pinging IT support as soon as a key started sticking, or grabbed a coffee as an excuse to chat with co-workers around the bean-grinder would inevitably face hurdles.

But surprise, surprise, turns out there are advantages of working from home, that those of us who already did it had worked out some time ago. Now the rest of the workforce is catching on. A survey in the UK (by a nursery provider, so you could argue it’s not exactly in their interest to promote this) has found that only 13% of those 1,500 surveyed “want to go back to pre-pandemic ways of working, with most people saying they would prefer to spend a maximum of three days in the office”, according to the Guardian.

Nearly two thirds of those believe their employers would be up for it. And well over half believe it would increase their loyalty to the company.

Of course the survey shoehorns in some other stuff, which arguably strengthens their business model: parents say they have had trouble coping with younger kids (and presumably could do with a nursery should this work from home lark continue beyond Covid-19. As you can see below, employers don’t like kids.)

But I think it’s good that more people are realising that, the stresses and isolation notwithstanding, working from home has its merits. If nothing else, it wakes people up to how unproductive the workplace can be. Meetings, people dropping by to chat, open plan offices, sick buildings: all are a big distraction, a threat to health and a time-suck.

And the pandemic is bringing home another reality: most of this office stuff can be done from home. A survey by Deakin University in Australia has found that 41% of full-time and 35% of part-time jobs can be done from home. The study uses a similar methodology to a U.S. study, which reaches similar conclusions. My tuppennies’ worth: that number is extraordinarily high, if you think about the different kinds of work people do. But as countries dispense with production and move to services, and the Internet of Things improves the remote (and automated) control and monitoring of physical objects, this proportion will grow further. I’ve rarely come across someone in the services sector who couldn’t do what they do out of a Starbucks. Even, sadly, the Starbucks employees themselves.

It’s not the workers, it’s the managers who are the problem

But this isn’t where the problem lies. The problem is going to lie in managing these people. Managing a remote work force is quite different to managing a physical office. It’s about faith: do you trust the people you hired to do a good job? If so, let them do it. I had a boss at my last employer who was upset if we were in the office, quite rightly saying the way to get stories was to go out and talk to people. His successor was the opposite, what I call “managing by line of sight.” She liked to be able to see everyone at their desk and was suspicious if someone wasn’t.

This is where things are going to get problematical. You need much better bosses with a broader range of EQ to be able to support and get the best out of your crew if they’re all dispersed. If you start at the point of thinking they can’t be trusted to be working, then you’ve already lost. On June 26 Florida State University told employees working remotely that it “will no longer allow employees to care for children while working remotely.” Allowing this was in any case a ‘temporary exception to policy’ and approval for the Temporary Remote Work agreement “may be rescinded at any time if an employee:

– is unable to remotely perform the essential functions of their position; or

– is not adhering to the requirements outlined in the Temporary Remote Work Agreement; or

– remote work no longer meets the business needs of the department.”¹

It’s not hard to see where this is going. Companies — and particularly places like universities — that are largely agglomerations of buildings and people are going to find it hard to shift permanently to a more virtual arrangement. Universities, of course, are going to find it doubly hard because their hefty fees are largely based on the agglomeration factor. But big companies, too, are obsessed with the bricks and mortar of their self-image, and those managers who have risen through the ranks in such environments are going to be ill-disposed, and ill-equipped, to shift to anything virtual.

So expect to see some ugliness creep in. There will be less talk of ‘keeping our workers safe’ and of workplace flexibility and more like the above, as in “we’ve been extraordinarily kind and generous to our employees, but this nonsense can’t go on forever; if you want to continue to play hooky you need to start filling out forms.”

Teleworkers have long been used to that kind of passive aggressive intimidation and discrimination. I would expect to see more. Workplace surveillance, possibly in the form of ensuring social distancing. And tools to monitor the user’s computer — something whose heritage I’ll argue in a future post is closely wedded to the world of spam and hacking.

  1. This announcement was ‘clarified’ on June 29; the clarification said that these terms applied only to those “whose job duties require them to be on campus full-time during normal business hours (8:00 am to 5:00 pm) and is intended to create flexible work arrangements that serve both the needs of the employee and their work unit.” It does not apply to those who were already telecommuting.