Contents

Deep Dives

Your Company's Bossware Could Get You in Legal Trouble

Nick Moore
February 1st, 2023

On Halloween 2022, National Labor Relations Board (NLRB) General Counsel Jennifer Abruzzo released a memo that likely horrified plenty of executives. She announced her intention to “protect employees…from intrusive or abusive electronic monitoring and automated management practices.”

In other words, the NLRB declared war on bossware. And it’s not alone. Beyond Abruzzo’s memo lies an evolving, growing array of laws and regulations that seek to protect employees’ privacy rights.

Numerous countries and a handful of US states, such as California and New York, have already imposed restrictions on how companies can use bossware. Given the public sentiment swaying against bossware and toward privacy, we can likely expect more laws and tougher enforcement from regulators.

If you’re in charge of purchasing, implementing, or maintaining employee surveillance tools at your organization, this is a good time to step back and evaluate what tools you’re using and how you’re using them.

What is bossware?

“Bossware,” a term the Electronic Frontier Foundation (EFF) coined in 2020, refers to a category of technologies that companies use to monitor employees. What this looks like varies depending on the workplace.

Abruzzo’s memo cites things like wearable devices for warehouse workers and GPS cameras on truck drivers, but she pays particular attention to computer-based surveillance, calling out “keyloggers and software that takes screenshots, webcam photos, or audio recordings throughout the day.” The memo goes on to mention tools that keep watching when employees are off the clock, such as those that “track employees’ whereabouts and communications using employer-issued phones or wearable devices, or apps installed on workers’ own devices.”

Beyond such obvious types of surveillance, bossware can come in more subtle forms, like tools that aggregate employee sentiment from emails or their private social media–ostensibly to gauge their job satisfaction.

Bosses who use this technology report that their primary concern is productivity–according to a Digital.com survey, the top use cases are checking how employees spend their time (79%) and confirming whether employees are working the entire day (65%).

These reasons also overlap with security concerns. The same study shows that 50% of bosses use employee monitoring tools to check whether employees are using work devices for personal use, which touches on security and productivity. And there are plenty of tools that aren’t designed primarily for surveillance but are still prone to misuse–for instance, data loss prevention (DLP) tools that capture everything a user does.

Why Now? Remote Work and the Bossware Backlash

It would be fair for bossware vendors and customers to wonder, “why now?” The idea of remotely monitoring employees has been around for decades, and many employee monitoring software vendors have been in business for years. But three changes have made the backlash to bossware swifter and harsher than many would have expected:

  1. The development and proliferation of more advanced, automated forms of surveillance.

  2. The shift toward remote work.

  3. The rise of privacy rights and the labor movement.

Automation enables spying at scale

In the past, keeping tabs on employees required a human touch. Scientific management, sometimes called Taylorism, emerged in the early 1900s and encouraged factory supervisors to time their employees with stopwatches. Later, CCTV footage helped bosses mind the store, but even that type of surveillance was constrained by the ability of people to go over the footage.

Today, bosses don’t have to skulk around break rooms to spy on workers; they can require employees to install software that logs their keystrokes, accesses their webcam, and more. Bosses can deploy these tools at scale and run them passively. That means bosses can monitor all employees as standard procedure, not as a result of individual cases of suspicious activity.

Companies can now read emails and analyze the sentiment of their contents, track employees on social media, monitor the movements and clicks of employees’ mouses and keyboards, identify which applications employees are using and for how long, and record webcam video. Some bossware can even aggregate all of this data so bosses can make predictions before employee sentiment solidifies or employee action takes place.

These tools mark a qualitative leap over earlier forms of surveillance, and their widespread use on employees–who may not even be aware they’re being watched–makes plenty of people uncomfortable.

Remote work made bossware more intrusive

The current rebellion against bossware and workplace surveillance began with the COVID-19 pandemic, which accelerated the remote work trend.

Source. You probably already know this but it’s still helpful to see it in such a satisfyingly symmetrical graph.

The rise of remote work makes employee surveillance even more intrusive because employees are likely to be working from home or using personal devices, and bossware tools aren’t capable of recognizing those boundaries. The EFF found, for example, that many bossware products “don’t distinguish between work-related activity and personal account credentials, bank data, or medical information.”

Source. This is taken from the homepage of an employee monitoring tool. See if you can spot the really concerning part.

This failure to distinguish between professional and private life is especially stark when we consider webcams. In an office setting, requiring employees to keep their webcams on at all times might be irritating. But the same policy is much more invasive when employees work from home, and the webcam captures their non-consenting partners, roommates, or children.

The blurring of lines between the professional and personal worlds gets even more complex when you consider BYOD (Bring Your Own Device) policies. Research has shown 69% of employees have used personal laptops or printers for work activities, and 70% have used work devices for personal tasks.

Many companies offer their employees computers and phones, but might not have clear policies around whether employees can use the devices off hours and the consequences of using the device for non-work purposes.

The labor movement and the “techlash”

The fight against bossware has something of a head start because it’s piggybacking on the victories in the larger movement for consumer privacy.

When Facebook first became popular, for example, many users didn’t care–or didn’t realize they should care–where their data went. Now, after years of data misuse and breaches, many people are wary of giving companies access to their personal data. Mark Zuckerberg himself, quite symbolically, went from Time magazine’s Person of the Year in 2010 to The New Republic’s Scoundrel of the Year in 2021.

Workers might not be able to join in the privacy backlash were it not for the resurgent labor movement and a tight market that has put employers at a disadvantage for the first time in decades. Gallup Research from 2022 shows union approval is at its highest level since 1965. Though unionization in technology companies is still relatively rare, Protocol research shows 50% of tech workers are interested in joining a union.

And as interest turns into action, workers will have a greater ability to protest intrusive surveillance, especially when it’s illegally used to prevent them from organizing.

Bossware and the Law

The unspoken truth, known by many executives, is that laws are only as powerful as their enforcement mechanisms. Many of those executives have had no qualms about violating labor laws, confident that they’d never be held to account, or if they were, the punishment would amount to a speed bump.

The NLRB, referenced at the top of this article, is underfunded and understaffed, having not received a budget increase since 2014. After decades of the Reagan-inspired “starve the beast” mentality, government agencies are often weaker than the industries they are tasked with regulating.

But in the U.S., times are changing under a pro-union administration. And around the world, regulators are holding scofflaw companies to account.

Labor laws are on the cutting edge against bossware

The NLRB is taking a stand against bossware because of how frequently it is used to suppress or discourage workplace organizing. For example, a “productivity tool” that tells bosses who each employee speaks to and for how long has a clear potential for misuse.

Abruzzo writes in her memo that numerous types of bossware already run afoul of, in her words, “settled Board law.” For example, monitoring “protected concerted activity” (i.e., workplace organizing) has been illegal for decades.

This kind of monitoring was more clear-cut when it involved taking pictures of picket signs and video recording employees in break rooms, but now, the NLRB is looking into passive, virtual monitoring. And for good reason: in an interview with OneZero, the “employee listening” platform Perceptyx explains that it offers, by default, a “union vulnerability index.” With it, the company explains, employers can log into their platform and see that “20% of that group is at risk of unionization.”

Abruzzo also makes clear that if companies use tools that aren’t strictly for employee monitoring to police protected activities, then they run afoul of Section 8(a)(1). In another article, we covered Slack’s privacy policy and explained how bosses could see all of your private messages. A company could face the consequences of using Slack like bossware (such as if a manager downloaded an employee’s private messages to see whether they were comparing their salaries or considering collective bargaining).

Beyond extant law, Abruzzo also writes about using “settled labor-law principles in new ways.” This is not an uncommon legal practice because the law, notoriously slow and difficult to update, often evolves via analogy. The Interstate Commerce Act, for example, was established in 1887 to oversee the railroad industry but was an important legal framework for regulating the petroleum, trucking, civil aviation, and telecommunications industries for many decades after its establishment. Regulatory bodies compared new industries to railroads and applied previously settled regulations to new contexts.

The same pattern could play out for bossware. In 1992, the NLRB came down on Sands Hotel & Casino because management assigned guards to monitor employees using binoculars. At first glance, such a ruling might not seem to apply to you. But the courts could very well decide that keyloggers are effectively modern day binoculars–meaning a lot of bossware could suddenly become illegal without the creation of new laws.

Federal and state regulations

The NLRB isn’t alone, though it might be leading the charge. Abruzzo notes that she wants to take an “interagency approach” to bossware and work with agencies like the Federal Trade Commission, the Consumer Financial Protection Bureau, the Department of Justice, and the Department of Labor to limit the use and abuse of employee monitoring.

And that’s not all: The Center for Democracy and Technology points out that bossware could also be illegal by way of numerous other laws, such as:

  • The Occupational Safety and Health Act could punish companies for limiting bathroom breaks via monitoring and productivity quotas.

  • The Americans with Disabilities Act, could punish companies for treating disabled employees differently due to the results of employee monitoring.

  • Federal wage and hour laws could punish companies for automatically docking employee wages when they leave their workstations.

  • The Family and Medical Leave Act could punish companies for restricting employees with qualifying medical conditions from taking intermittent breaks.

So far, we’ve just covered federal laws. The laws differ from state to state: New York, Connecticut, and Delaware laws all require employers to notify employees of monitoring activities upon hiring them. And as of January 1, 2023, California updated its major data privacy law, extending some of the protections offered by the CCPA, via the CPRA, to employees.

International bossware laws

Outside the U.S., many countries are much more aggressive in balancing the rights of employees against employers. And for companies with remote workforces, this can come as a rude awakening.

A particularly good example occurred in 2022 when a Dutch court fined a Florida firm for punishing an employee who refused to keep his webcam on all day on the grounds that it made him uncomfortable.

In response, the firm fired him, citing insubordination. The court disagreed, ruling that video surveillance of an employee constituted a “considerable intrusion into the employee’s private life.” The takeaway here isn’t that companies should stay out of The Netherlands, of course–it’s that a remote, globalized world requires a different touch to managing your workforce.

As a small sample, consider a few other European laws:

  • In Austria, the Austrian Labor Constitution Act requires employers to either get the consent of all employees or of an employee work council before monitoring them.

  • In France, the French Data Protection Authority ruled that, outside of a “strong business justification,” companies cannot use keyloggers.

  • In Germany, employers can’t use much of the passive monitoring we’ve talked about so far. Instead, German employers can only implement monitoring after establishing reasonable suspicion of unprofessional behavior.

Four Questions to Ask Before Implementing Bossware

So far, we’ve sketched the broad strokes of the legal risks of bossware, but how do you assess it on an individual level if you’re a CISO, an IT administrator, or a manager?

Here’s a good place to start to assess whether a particular form of surveillance is legal or necessary.

1.Does it suppress unionization?

We’ve already talked about the potential for bossware to be a de facto union-busting tool, which is clearly illegal. So if you believe your company is investing in a tool for purely productivity or security-related purposes, then discuss how you can prevent it from being misused to suppress organizing.

It’s also worth considering how an existing union might react to surveillance. In her memo, Abruzzo not only explained how the NLRB would enforce extant laws but signaled that the NLRB would likely support unions complaining about bossware. The previously cited Digital.com research shows that 88% of employers terminated workers after implementing bossware, so new unions would undoubtedly examine these kinds of tools. A 2014 NLRB ruling shows that even giving the impression of unlawful surveillance can make companies liable.

2. Does it pose a major risk in the event of a data breach?

A major reason companies might want to limit the collection of personal information (via bossware or otherwise) is that a data breach could expose personal information to bad actors.

Companies might get punished, then, not for the usage of bossware but for poor security practices that made personal information captured by bossware vulnerable to attackers. It’s a good reason to return to the classic data security principle of data minimization and consider whether the benefits of bossware outweigh the risks of storing such sensitive data.

3. Does it open you up to personal liability?

Companies establish LLCs, as the name implies, to limit liability. Companies can collapse while individuals can slip away–often with golden parachutes. Increasingly, however, government agencies are targeting individuals.

Joe Sullivan, former chief security officer for Uber, for example, pled guilty in 2022 to covering up a data breach. Employers will want to be especially careful about implementing dubiously legal policies if they, as individuals, can be found liable.

4. Does it violate discrimination laws?

As we wrote above, Abruzzo emphasized taking an “interagency” approach to enforcing laws against workplace surveillance. That means companies have to watch out for restrictions coming from multiple directions. One very likely direction is via anti-discrimination laws.

For example, a company might discriminate against a mother by punishing her for taking breaks to breastfeed, among a host of other possibilities.

Surveil With Care

Legal threats aside, there’s a simpler reason you should push back against bossware at your organization: It’s bad for workers, and there’s compelling evidence it’s bad for employers, too.

For employees, bossware can create intense feelings of stress and anxiety. ExpressVPN research shows that 56% of monitored employees feel stress and anxiety about surveillance, and 32% take fewer breaks because of it. Are short-term productivity gains worth long-term employee unhappiness and burnout?

For employers, even if we assume that bossware increases productivity (and researchers are divided on whether it does), its overall effectiveness is doubtful. Employee paranoia and resentment come at their own costs. A Harvard Business Review study showed, for example, that monitored employees were “substantially more likely to take unapproved breaks, disregard instructions, damage workplace property, steal office equipment, and purposefully work at a slow pace, among other rule-breaking behaviors.”

As we covered at the beginning, beneath the desire to monitor employees is the desire to ensure productivity and security–both of which are reasonable goals to pursue. Bossware, however, is a blunt instrument, and likely the wrong instrument, for succeeding here.

If you want to monitor productivity, focus less on behavior and more on results. In other words: if an employee is hitting their numbers, it’s really none of your business how often they go to the bathroom.

If security is your concern, privacy should be as well–even if that seems counterintuitive at first. The more you intrude on employees, the more likely they are to try to evade surveillance altogether, which increases the likelihood of unsafe behaviors on unmanaged devices. Instead of tracking their every move, be surgical and thoughtful about the data you collect.

And if you really, really need to monitor employees: be transparent. Your employees have the right to know how you’re monitoring them and what information you’re collecting and storing. Plus, if you try to be secretive and your employees find out, the coverup can end up being much worse than the crime. You’re much better served by bringing your policies out into the light.

Here at Kolide, for example, our product collects data about employee devices, but it does so in accordance with our philosophy of Honest Security. We practice minimization; we collect only the data we need to keep our customers safe. For example, we keep track of an employee’s browser extensions–because those can present a security risk–but we deliberately don’t monitor browser history. Likewise, we practice transparency; every end user can visit our Privacy Center to see what data we collect, who can see it, and what it can reveal about them.

This approach is the best way to get your workforce on your side, while you stay on the right side of the law.

Share this story:

More articles you
might enjoy:

Deep Dives
Personal VPNs Can Be Shady, but Should Companies Ban Them?
Elaine Atwell
Deep Dives
CPRA Will Transform How Your Company Treats Employee Data
Elaine Atwell
Deep Dives
GitHub Copilot Isn't Worth the Risk
Elaine Atwell
Watch a Demo
Watch a Demo