fbpx
Connect with us

Tech

Microsoft Office 365 has ability to ‘spy’ on workers

Published

on

Microsoft Office 365 has ability to ‘spy’ on workers

Businesses can use risk management tools in Microsoft Office to covertly monitor the activities of employees on work-issued computers.

The software company provides tools in its Office 365 suite that can be used by employers to read staff emails and monitor how long they spend on calls and how many meetings they attend.

The surveillance capabilities of Microsoft’s Office suite, which is widely used by businesses across the world, were disclosed in a dissertation by a researcher at University College London (UCL).

The research shows that companies continue to exploit capabilities built into Office 365 to monitor staff computers some 18 months after Microsoft took steps to protect employees’ privacy.

The disclosure has led to calls for Microsoft to change its software to alert staff when companies use its Office 365 productivity tools to monitor identified employees.

Eliot Bendinelli, senior technologist at campaign group Privacy International, which participated in the research, said Microsoft should be more transparent about the data it enables companies to collect.

“The ability for an employer or an IT administrator to read all communications and documents, and to access data about employees’ online activities without their knowledge, is one of the most problematic features of Office 365,” he told Computer Weekly.

Microsoft introduced measures to protect the privacy of employees in Office 365 in 2020 following criticism that its Productivity Score tool allowed managers monitor individual employees.

“The ability for an employer to read all communications and documents, and to access data about employees’ online activities without their knowledge, is one of the most problematic features of Office 365”
Eliot Bendinelli, Privacy International

The company replaced its reports with aggregated data measuring how much employees were sending email, collaborating on shared documents and taking part in group chats, in a way that was not traceable to individual users.

But research by UCL computer science graduate Demetris Demetriades and Privacy international shows that employers are still able to use functions in Office 365 to monitor individual employees.

Demetriades found employers can use the governance and risk management tools in Office 365 to look at the content of emails or messages sent by specific employees and identify the activities that individual users have carried out using their work computer.

Microsoft’s “content search” and “audit” tools can be used by employers to build up a detailed picture of employees’ activities, he told Computer Weekly.

“Whatever interaction is performed through business email, the audit and content search features identify it and log it. For example, they log the time of the email, the recipient and the content of the email. If the email contains attachments or a picture, the employer can see that too,” he said.

Privacy International argues in an article about Demetriades’ research that these tools can be used to build up a detailed profile of an employee.  

“Combining these two all-encompassing features, employers are able to draw a rather intimate picture of every employee, down to the finest of details. This includes not only a list of most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through email,” it said.

Monitoring Team players

IT administrators can also use the administration centre in Microsoft Teams video conference, messaging and collaboration software to assess how long employees spend on calls, how many messages they exchange and how many one-to-one meetings they take part in.

The software records which devices employees use to attend each meeting or send each message, potentially allowing employers to make inferences about employees.

For example, managers might make the assumption that an employee who joins an early morning meeting from their phone, rather than their laptop, might still be in bed.

Microsoft provides companies with aggregated data showing how employees across the organisation, or individual groups, are using Office 365 applications. It also provides them with a productivity score that shows how well employees are using Office 365 capabilities compared with similar companies.

For smaller organisations, this data can still be used to make inferences about the performance of individual employees, Demetriades and Privacy International found.

The audit and content search tools offered by Microsoft have legitimate uses, such as allowing employers to identify breaches of employment contracts, breaches of company policies on harassment and the disclosure of trade secrets.

But Demetriades and Privacy International argue there are no safeguards to protect employees from auditing tools being misused and Office 365 users are given no warning if companies choose to enable those tools.

“This lack of transparency and limitations on the employee side means they can potentially be misused and turned into a surveillance machine without employees’ full knowledge,” they claim.

‘Pseudonymised by default’

Microsoft did not contradict the UCL research, but said in a statement to Computer Weekly that it uses masked or “psuedonymised” information about users of Office 365 “by default”.

“We do not believe in using technology to spy on individual employees. Most of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level – across groups or entire organisations”
Microsoft spokesperson

Revealing identifiable user information is treated as a logged event in the Microsoft 365 compliance centre audit log, the company added.

“We do not believe in using technology to spy on individual employees. Data-driven insights have long been a critical part of how IT professionals deploy and manage solutions, provide services, meet regulatory requirements and fix problems across their organisations,” a spokesperson said.

“Most of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level – across groups or entire organisations. These tools are an important part of helping organisations run effectively and get the most out of their investment,” the spokesperson added.

Microsoft should alert employees to monitoring

Although Microsoft mentions in its privacy policy that Office 365 can be used by organisations to “access and process your data”, including “the contents of your communications and files”, it is unlikely to be noticed by employees who may have to consent to the software their company is using.

Microsoft does not limit how employers can use its “audit” and “content search” tools, which means they could potentially misuse them to spy on employees without consent.

If employers do not disclose which Office 365 capabilities are turned on, employees have no way of knowing “whether their every action with Office 365 is being monitored or even if their communications are being read by someone”, the privacy group argued.

Screenshot from Microsoft’s privacy policy section

Demetriades said Microsoft could do more to prevent employees being spied on by their employer, such as introducing a dedicated dashboard accessible to all employees that lists which productivity apps have been enabled or disabled and what data the organisation is collecting and under what circumstances.

Microsoft should also notify Office 365 users when companies turn the “audit” and “content search” features on, and if administrators disable the option to conceal usernames in Office 365 to generate reports about named individuals, he added.

“I am not saying these features should be removed completely, because they are good for productivity, but they should be used to provide aggregate information,” said Demetriades.

There are other ways to see whether individual employees are being productive rather than using these metrics, he added.

Employers have legal responsibilities

Under UK data protection law, employers are responsible for ensuring they comply with the law when using software to monitor employees.

Companies need to ensure that monitoring employees at work is proportionate, and if it is proportionate, whether they can justify collecting data on employees without informing them first, said IT lawyer Dai Davies.

“The real problem is that there is no black and white answer. What is proportionate in one situation is not proportionate in another,” he said.

For example, it is probably proportionate and lawful for a retailer to install a hidden camera where there are grounds to suspect a staff member of pilfering from a till. However, it would not be proportionate for a company to record the key strokes made by every secretary employed by the organisation to identify the least productive typists.

“Monitoring everyone is much more problematic than monitoring a few people. One of the problems with Microsoft Office 365 is that it allows monitoring of every employee and is therefore harder to justify,” said Davis.

He said Microsoft had failed to acknowledge that employers could combine data gathered from Office 365 with other data they hol on their staff.

Legitimate reasons for monitoring employees

David Wilson, CEO of Fosway Group, an analyst specialising in the human resources industry, said there were legitimate reasons why companies might want to monitor employees.

These include monitoring workplace apps to identify patterns of use or monitoring email to identify intellectual property theft or workplace harassment.

“It is hard to argue that a company should not be allowed to access staff emails or browsing history if there are business-critical or legal reasons. The issue is more one of governance and ensuring that monitoring capabilities are not abused”
David Wilson, Fosway Group

“It is hard to argue that a company should not be allowed to access staff emails or browsing history if there are business-critical or legal reasons. The issue is more one of governance and ensuring that monitoring capabilities are not abused,” he said.  

For example, pharmaceutical companies ask employees for consent to use software to automatically screen their emails and social media to see whether rival companies are mentioned to ensure that employees do not accidently leak confidential information to a competitor.

The same software could be used to identify employers who have applied for jobs with competing companies.

Office 365 simulation

Demetriades used a trial version of Office 365 to simulate a company network made up of two users and a systems administrator as part of his research project for a masters in information security at UCL.

“I set up an admin account, which represented the employer, and I added two user accounts, which represented employees,” he told Computer Weekly. “I used my laptop and my phone, and I logged each user in on one device, and I tried to interact with simple messages and set up meetings to collect data. The platform tracked the data and it started to generate the graphs and the metrics.”

Demetriades, a software engineer, said it would be “very easy” for an employer to select and read emails sent by a particular employee.

Microsoft boosted Office 365 privacy in 2020

Microsoft announced plans to remove user names from its Productivity Score tool in a blog post in December 2020, in response to criticism that the feature could be misused by employers.

“No one in the organisation will be able to use Productivity Score to access data about how and individual user is using apps and services in Microsoft 365,” it said in the post.

The company also changed the interface of its software to make it clear the purpose of Productivity Score was to monitor the adoption of technology within the organisation rather than to monitor individual employees.

But Demetriades’s research shows that Office 365 can still be used by employers to monitor that activities of their staff.

Microsoft said in its statement that there were scenarios where IT professionals need access to “user-level information” to identify and fix problems or to track software licences.

“Access to these reports is restricted to only a few IT-focused roles. Moreover, Microsoft generally takes the step of concealing user, group and site information by default,” a spokesperson said.

Go to Source

Click to comment

Leave a Reply

Tech

Nvidia GeForce RTX 3090 vs. AMD Radeon 6950 XT: Which GPU should you buy?

Published

on

Nvidia GeForce RTX 3090 vs. AMD Radeon 6950 XT: Which GPU should you buy?

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

Go to Source

Continue Reading

Tech

Receive near instant feedback on logos, images, text, and more with Helpfull

Published

on

Receive near instant feedback on logos, images, text, and more with Helpfull

Feedback software

StackCommerce

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

Go to Source

Continue Reading

Tech

Confessions of an in-house creative strategist on feeling unfulfilled, difficulty in returning to agencies as the ‘pay is less’

Published

on

Confessions of an in-house creative strategist on feeling unfulfilled, difficulty in returning to agencies as the ‘pay is less’

The war for talent between agencies and brands’ in-house agencies has cooled. Even so, for adland talent who’ve made the move in-house, some say they are looking to go back to agencies after feeling creatively stifled. It’s not the easiest strategy to execute.

In the latest edition of our Confessions series, in which we trade anonymity for candor, we hear from an in-house creative strategist about their experience, why they want to go agency-side now and how pay is keeping them from doing so.

This conversation has been lightly edited and condensed for clarity.

What’s the in-house experience like?

I’ve been in-house for about a year. It’s very one-sided. The difference between agency and in-house is that with agencies, there [are] a lot of opinions and ideas [outside of the brand message] that go into creative. With in-house, you have the brand’s message and all creative is reflective of the brand’s message. With in-house, regardless of trends in the market, it’s a lot of ‘we’re going to stick to this one way of doing things’ mentality. It’s a lot of opinions about what the creative should be based on what it has been before. It makes it hard to introduce something fresh. It makes it hard to hire or be a new hire. If you’re not actually going to adhere to advice from new hires, what’s the point in getting new people? Are you just bringing people on board for a second opinion? That’s what it feels like.

Sounds like you don’t have the creative control you desire.

It feels like more of a second opinion role than to get something to manage or control. [Where I am now] it feels like we’re leaning more into what [our strategy] used to be than thinking about what we could be. That’s a big issue with in-house. With agencies, like I said, there’s a lot more trial and error. With in-house, a lot more of this is what we’re doing, these are the funds we have and this is what has worked in the past. In reality, a lot of what worked in the past, when you put it back into the market, it’s not going to work anymore. 

Why do you think it’s more challenging to get to a new creative strategy in-house?

With agencies, you have multiple perspectives. You’re working on multiple brands. You can see something working for another brand and talk to your client about it. You can pivot. You have the background and perspective to [pitch that pivot]. When you’re in-house, you only have the knowledge of your brand and what’s working for you. 

Are you looking to go back to agencies? 

Personally, I am looking to go from in-house to agency but I get paid a lot more being in-house than what I’ve been offered at agencies. I’ve been in interviews with agencies where they’re telling me that I’ll be learning [programs I already know how to use] so that’s why the pay is less than what it should be. There are agencies I’ve interviewed with who ask me to move to New York for less than what I make now and make that work. [With inflation,] there’s no reason why salaries aren’t also increasing. 

So you’d like to make the jump creatively but it’s hard when the compensation isn’t up to what in-house offers? 

It’s hard. I’ve been lowballed, too. They’ll post a salary for a position, go through the interviews and then offer less than what’s listed on the salary description. What was the point of putting the salary range there? I feel like people are putting salary ranges on job descriptions just to attract people with the experience that they are looking for but by the time they make the offer, it’s not what they said it would be. It’s offensive.

https://digiday.com/?p=452660

Go to Source

Continue Reading
Home | Latest News | Tech | Microsoft Office 365 has ability to ‘spy’ on workers
a

Market

Trending