Workplace surveillance, from Russia with love

By | July 2, 2020

(Part 3 of a series on post-covid remote working. Part 2 here)

Ok, so you’ve decided to install some workplace surveillance software, despite all the good reasons why you shouldn’t. Do you know exactly what you’re letting yourself in for?

[Image: StaffCop logo]

A basic question: Who, exactly, are these companies?

Let’s take a look at one: StaffCop — the dude with the shades. It’s owned by Atom (sometimes Atomic) Security Inc (sometimes LLC), which despite its name is actually based in the Russian city of Novosibirsk, in southwest Siberia. (Here’s StaffCop’s Russian website.)

And what do they do?

A datasheet for its enterprise product promises “employee monitoring the way you couldn’t imagine!” which probably sounds better in Russian. StaffCop is refreshingly candid about what it offers — all the usual stuff, as well as a ‘wayback machine’ to rewind and see what an employee was doing at any specified period in the past.

It can even activate computer microphones to “actually hear what’s going on around specific workstations and specific times.” (It’s not clear to me whether this is part of the ‘wayback machine’s’ capabilities.) The datasheet also mentions being able to activate the computer’s webcam. The latest version of its software, released on June 22, includes the following:

  • can record any audio in any application
  • can recognise faces on web-cam snapshots (presumably those photos discreetly taken by the employees’ webcam)

In short, StaffCop is basically a way to hack into your employees’ computers. And that, of course, raises not only ethical questions, but also practical ones. If a company is using StaffCop, say, what vulnerabilities might they have opened up? There are two possibilities — does the hacking software itself incorporate inadvertent vulnerabilities, or render existing software vulnerable? And secondly, where is all this data the company is collecting on its employees going, besides the boss’ console?

Well, to answer the first question, StaffCop has previous. In 2015, it was found to be using Redirector, a piece of software that intercepts traffic on a target computer, developed by a now defunct company called Komodia. The software was built with the goal of snooping in mind, along with manipulating data (including decrypting it), injecting ads etc. Vulnerabilities in the software were discovered in 2015, which would have allowed third parties to conduct man-in-the-middle attacks, which are exactly what they sound like — someone grabbing data on its journey between two computers.

So what about the company name? Any time I see a company having slightly different versions of its name, I get nosy. StaffCop, it transpires, has its roots deep in the world of spam.

Atom Security Inc. was set up in 2001 and says that it is (was) a Microsoft Certified Partner. The CEO of the company is cited as one Dmitry Kandybovich, who appears to have 61% of the Russian entity LLC Atom Bezopasnost and who, on his rather threadbare LinkedIn profile, is also listed as chief of sales for one AtomPark Software.

AtomPark Software has a somewhat different pedigree, focused mainly on mass mail software. Indeed that’s its domain name. AtomPark has long been in the cross hairs of the anti-spam brigade: The SpamHaus Project has a whole page dedicated to them, and in particular one Evgeny Medvednikov, who it says is (or was) owner of the domains staffcop.com, among others.

Medvednikov seems to have moved on, and is now based in New York, according to his LinkedIn profile where he lists his achievements simply: “Run and scale Internet projects. Again and again. Can not disclose them all.” (AtomPark is mentioned in a recommendation he gives one of his former employees.) He has invested in several U.S. companies, mostly email marketing companies. He founded SendPulse, a company which combines multi-channel marketing with chatbots, automating much of the process. It claims amongst its clients PwC, Radisson and Swatch.

And that pretty much squares the circle. I’m definitely not saying that just because StaffCop is based in Russia it’s not qualified or trustworthy. I’m not saying that its roots in spam and use of dubious third-party software disqualify it. Nor am I saying that all other companies doing this kind of thing have similar backgrounds.

But it should be obvious by now, after reading these three posts, that the nature of these tools — the intent, and the technical knowhow to implement that intent — inevitably leads them into an ethically compromised world, which is where spam and hacking have long made their home. By definition and design they are snooping on a user, using subterfuge and overriding, or bypassing, existing security features of the computer system. That compromises the work computer, and it also compromises the individual.

It also, inevitably, compromises the user’s trust — in this case, in their own boss.

If as a boss you can’t trust your employee, and you go down this road, then don’t expect your employee to trust you.
