The Delicate Balance Between Employee Monitoring and Personal Privacy

Employers have several tools available to gather information about the way employees are using their devices and the applications installed on them. This information can help ensure that installed applications are up-to-date, protect against known security vulnerabilities, and identify potential productivity improvements. However, gathering certain kinds of information about employee activities can feel invasive, reduce employee morale, and possibly violate data privacy laws. It’s important for companies to understand some typical use cases and associated risks so they can make informed decisions about how to best monitor their employees’ devices. Here we’ll delve into the balance of employee monitoring and personal privacy.

Application Performance Monitoring

One common practice is to create an inventory of the applications on employee devices, and to track application performance and behavior over time. Applications that are resource-intensive or that crash often can impact user experience and business workflows. Applications that are out-of-date may be susceptible to security vulnerabilities which could expose the company to undue risk. Proactive inventory management and performance monitoring can help the company detect and address these kinds of issues before they become a real problem.

Tracking Employee Productivity

Some companies use monitoring software to gather additional information about how their employees are using their devices. Some tools can track the amount of time that employees spend on certain activities, how often they use the mouse or keyboard, and even capture periodic screenshots to see exactly what employees are doing. Mobile device monitoring software may also have access to phone calls, texts, and photos. These use cases raise important ethical questions about how much data (and which kinds of data) an employer should be allowed to gather about its employees, and what an employee’s expectation of privacy should be.

Shadow IT

In an effort to increase their personal productivity, employees will often download or access applications without involving the company’s IT team. These unauthorized technologies (also known as “Shadow IT”) can pose a major challenge since companies lack visibility, control, and security oversight.

In some cases, employees may be using applications that duplicate functionality in software that their IT team has already approved. Without realizing the company already has a tool for the job, they seek out their own solution. In other cases, employees may be trying to solve new problems that aren’t addressed by IT-approved tools. In an effort to be more productive, they look for software that can help them succeed. In both cases, the employees generally have good intentions, but the shadow applications can introduce significant security risk, and can lead to inefficiencies by having to maintain multiple solutions to the same problem. Additionally, software not purchased through IT may end up costing more per user if no one is responsible for contract negotiations.

What Should Companies Monitor?

Many companies may struggle with legal and ethical considerations when deciding what and how much to monitor. Employers generally have the right to monitor a device and associated applications if the device has been issued by the company. Similarly, companies often have access to admin consoles and other data that describes how users are accessing company resources and authorized SaaS applications.

The decisions become more complicated when companies ask employees to “Bring Your Own Device” (BYOD). In this case, the employer doesn’t own the device, and they need to expect that employees will also use their devices for non-work purposes.

In any case, if an employee connects a device to their employer’s corporate network, the employee should generally assume that the company will monitor all of the traffic to and from that device. Some technology solutions allow the company to go so far as to intercept and decrypt HTTPS traffic on their network — but even if they aren’t “in the data path”, they can still access the logs of networking devices, inspect packet headers, and use protocols like NetFlow for detailed traffic analysis.
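As an added illustration (not code from the original post) of how much a NetFlow-style export reveals even when HTTPS hides the content, and of a data-minimising alternative an employer could report instead, here is a small Python example over constructed flow records; the keyed-hash pseudonymisation and the two-device reporting threshold are assumptions of the example, not a standard.

```python
# Added example: NetFlow-style visibility vs. a data-minimised summary. Records and key are constructed.
from collections import defaultdict
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class FlowRecord:
    # A flow export carries header fields and counters, never payload.
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    byte_count: int

# Constructed sample: two employee devices (10.0.0.5, 10.0.0.9) and three servers.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "203.0.113.10", 443, "tcp", 12000),
    FlowRecord("10.0.0.5", "203.0.113.10", 443, "tcp", 3000),
    FlowRecord("10.0.0.5", "198.51.100.7", 443, "tcp", 540000),
    FlowRecord("10.0.0.9", "198.51.100.7", 443, "tcp", 2000),
    FlowRecord("10.0.0.9", "203.0.113.10", 443, "tcp", 120),
    FlowRecord("10.0.0.9", "192.0.2.33", 8443, "tcp", 700),
]

def per_device_destinations(flows):
    """Full-visibility view: which device reached which destination, and how much.
    HTTPS hides content, but destination, port, protocol and volume stay visible."""
    out = defaultdict(lambda: defaultdict(int))
    for f in flows:
        out[f.src_ip][(f.dst_ip, f.dst_port, f.proto)] += f.byte_count
    return {src: dict(dests) for src, dests in out.items()}

def pseudonymise(ip, secret):
    """Keyed hash (hypothetical scheme): the same device is counted consistently
    without its address being stored; `secret` stays with the monitoring team."""
    return hashlib.sha256(secret + ip.encode()).hexdigest()[:12]

def minimised_summary(flows, secret, min_devices=2):
    """Data-minimised view: total bytes per destination only, reported just for
    destinations reached by at least `min_devices` distinct (pseudonymised)
    devices, so one employee's traffic cannot be singled out from the report."""
    bytes_by_dst = defaultdict(int)
    devices_by_dst = defaultdict(set)
    for f in flows:
        key = (f.dst_ip, f.dst_port)
        bytes_by_dst[key] += f.byte_count
        devices_by_dst[key].add(pseudonymise(f.src_ip, secret))
    return {k: v for k, v in bytes_by_dst.items() if len(devices_by_dst[k]) >= min_devices}
```

The first view is what a monitoring team sees from router flow logs alone; the second is the kind of aggregate a transparency policy could commit to retaining, with the per-employee detail dropped at collection time.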

There are a number of security and privacy laws that restrict the ways in which companies can monitor employee activity. In the US, the Electronic Communications Privacy Act (ECPA) of 1986 is an important piece of legislation related to electronic monitoring. The ECPA prohibits intentional interception of an employee’s electronic communication, and violating the Act can lead to criminal and civil penalties.

However, the ECPA includes two key exceptions relevant to employee mobile app monitoring:

  • The “business purpose exception” allows employers to monitor electronic communications if there is a legitimate business reason.
  • The “consent exception” allows employers to monitor communications if the employee consents.

Of course, much has changed since 1986, and the ECPA doesn’t explicitly address every employee monitoring use case. There have been several calls to reform the ECPA to address the realities of modern technology.

Other jurisdictions have gone further. In Ontario, Canada, beginning in 2023, employers with more than 25 employees must have a written electronic monitoring policy. Employers must now disclose what data they are capturing from employees’ devices, intentionally or not. While this legislation does not provide employees with any new privacy rights, it highlights the importance of transparency in mobile app monitoring practices, and shows how legislation may vary in different regions.

Outside of North America, the European Union (EU) tends to have even stronger employee privacy laws, and employee monitoring needs to comply with legislation such as the General Data Protection Regulation (GDPR). Some things to keep in mind:

  • Violating EU data privacy laws can lead to hefty fines: an H&M subsidiary was fined €41 million related to a workforce monitoring program.
  • GDPR doesn’t just apply to European businesses. Even if an organization isn’t based in the EU, it must comply with GDPR if it monitors employees at any time within EU borders.
  • Artificial intelligence (AI) and machine learning (ML) are built into many monitoring tools, and their use can trigger additional requirements related to GDPR article 22 (automated individual decision-making, including profiling).

Striking the Balance

Clearly, there’s a tension between employee monitoring and personal privacy. On one end of the spectrum, monitoring an employee’s every action provides deep visibility, but may violate an employee’s privacy. On the other hand, a complete lack of monitoring guards everyone’s privacy but may subject an employer to significant security and productivity risks. Neither extreme is usually the right answer; companies need to find the right balance between visibility and privacy that works for them.

Companies should investigate and consider using a variety of tools, like Application Performance Monitoring (APM), Mobile Device Management (MDM), Mobile Application Management (MAM), and SaaS discovery solutions. There’s rarely a one-size-fits-all answer in IT, and employee monitoring is no different. Employers need to clearly define the problems they are trying to solve and identify the right toolset for the job.
