A new investigation finds that workplace monitoring platforms are systematically sharing personal data about workers and online activity with hundreds of outside data brokers and big tech companies in ways that are not clearly disclosed and that, in some cases, may contradict the platforms’ own privacy policies.
The researchers examined nine widely used workplace monitoring platforms—Apploye, Deputy, Desklog, Hubstaff, Monitask, Buddy Punch, Time Doctor 2, Vericlock, and When I Work, tracking how each app collects and shares worker data in practice.
The report was authored by researchers at the Khoury College of Computer and Information Sciences at Northeastern University; the Vanderbilt Policy Accelerator at Vanderbilt University; the Center for Consumer Law and Economic Justice at UC Berkeley Law School; and the Center for Law and the Economy at Columbia Law School.
The research team included technologists, scholars, and former law enforcement officials from the Federal Trade Commission and the Consumer Financial Protection Bureau.
What researchers found
The research team undertook a first-of-its-kind assessment of how bossware companies collect and share data with third parties by signing up as an employer, setting up bossware services for workers, then logging in as an employee. They captured all the data sent by bossware websites and apps to third-party sites. The findings of that investigation include:
- Worker data shared. All (nine of nine) workplace monitoring platforms directly shared identifying worker data including first name, last name, email, and company to third parties. The researchers recorded 121 unique instances of worker data being shared with companies including Facebook, Google, Microsoft, and AppLovin (a mobile advertising platform).
- Online activity shared. The nine workplace monitoring platforms in the sample shared information about workers’ online activities (such as IP address, device information, web pages visited, unique identifiers, etc.) to a total of 145 unique third-party domains including facebook.com, linkedin.com, bing.com, google.com, googletagmanager.com, stripe.com (an online payment processing company), and yandex.com (a Russian tech company known for its search engine).
- Location tracking. One third of the workplace monitoring platforms in the sample have features that track workers’ precise location at any time—even when the app is in the background or potentially when the worker is clocked out. Separately, three of nine apps can be set to require giving access to motion sensor data (via accelerometer or gyroscope) to clock in.
“Our findings show workplace monitoring platforms are repeating the same failures we’ve seen in consumer surveillance—often with even fewer protections for the people harmed,” said Stephanie Nguyen, Senior Fellow at Columbia Law School’s Center for Law and the Economy.
“Policymakers, lawmakers and regulators need to put hard limits on what can be collected, how long it can be kept, and who it can be shared with.”
“This report is a wake-up call that workers need better privacy and consumer safeguards,” said Seth Frotman, Senior Fellow at the UC Berkeley Center for Consumer Law & Economic Justice and Columbia Law School’s Center for Law and the Economy.
“For too long, workplaces have been unfairly shielded from following basic consumer protection laws, and these shady practices have filled that vacuum. Working people need law enforcement to investigate these practices and policymakers to step up and create effective protections.”
“‘Bossware’ is increasingly common in jobs of all kinds, and workers likely have no idea that their data is being systemically collected and distributed to unknown data brokers and tech companies,” said Ganesh Sitaraman, Director at Vanderbilt Policy Accelerator.
“This troubling report makes it clear that policymakers and regulators must act to crack down on the sharing of sensitive employee data.”
A call for urgent policy action
The report argues that protections currently in place to protect workers from employee surveillance, including sharing of their workplace data, are insufficient. It calls on policymakers, lawmakers, and regulators to act.
Key recommendations include banning the sale or sharing of worker data, prohibiting unlimited data retention, and barring collection of sensitive employee information.
The report also urges enforcement agencies to examine whether current practices violate existing federal and state law, including the Fair Credit Reporting Act and Unfair and Deceptive Acts & Practices (UDAP) statutes.
“This kind of worker monitoring is particularly pernicious—these workers often have no choice about data collection, no insight into when they are being monitored, and virtually no control over how their data is used,” said Dave Choffnes, Professor at Northeastern University.
“There is enormous potential for harm—not just as it relates to privacy writ large, but also specifically in the context of maintaining current and future employment.”
More information
Stephanie T. Nguyen, et al. Workplace Monitoring Platforms Are Sharing Your Data: An Investigation & Roadmap to Address Data Abuses. scholarship.law.columbia.edu/law_economy/5/
Provided by
Vanderbilt University
The content is provided for information purposes only.