Businesses can use risk management tools in Microsoft Office to covertly monitor the activities of employees on work-issued computers.
The software company provides tools in its Office 365 suite that can be used by employers to read staff emails and monitor how long they spend on calls and how many meetings they attend.
The surveillance capabilities of Microsoft’s Office suite, which is widely used by businesses across the world, were disclosed in a dissertation by a researcher at University College London (UCL).
The research shows that companies continue to exploit capabilities built into Office 365 to monitor staff computers some 18 months after Microsoft took steps to protect employees’ privacy.
The disclosure has led to calls for Microsoft to change its software to alert staff when companies use its Office 365 productivity tools to monitor identified employees.
Eliot Bendinelli, senior technologist at campaign group Privacy International, which participated in the research, said Microsoft should be more transparent about the data it enables companies to collect.
“The ability for an employer or an IT administrator to read all communications and documents, and to access data about employees’ online activities without their knowledge, is one of the most problematic features of Office 365,” he told Computer Weekly.
Microsoft introduced measures to protect the privacy of employees in Office 365 in 2020 following criticism that its Productivity Score tool allowed managers monitor individual employees.
Eliot Bendinelli, Privacy International
The company replaced its reports with aggregated data measuring how much employees were sending email, collaborating on shared documents and taking part in group chats, in a way that was not traceable to individual users.
But research by UCL computer science graduate Demetris Demetriades and Privacy international shows that employers are still able to use functions in Office 365 to monitor individual employees.
Demetriades found employers can use the governance and risk management tools in Office 365 to look at the content of emails or messages sent by specific employees and identify the activities that individual users have carried out using their work computer.
Microsoft’s “content search” and “audit” tools can be used by employers to build up a detailed picture of employees’ activities, he told Computer Weekly.
“Whatever interaction is performed through business email, the audit and content search features identify it and log it. For example, they log the time of the email, the recipient and the content of the email. If the email contains attachments or a picture, the employer can see that too,” he said.
Privacy International argues in an article about Demetriades’ research that these tools can be used to build up a detailed profile of an employee.
“Combining these two all-encompassing features, employers are able to draw a rather intimate picture of every employee, down to the finest of details. This includes not only a list of most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through email,” it said.
Monitoring Team players
IT administrators can also use the administration centre in Microsoft Teams video conference, messaging and collaboration software to assess how long employees spend on calls, how many messages they exchange and how many one-to-one meetings they take part in.
The software records which devices employees use to attend each meeting or send each message, potentially allowing employers to make inferences about employees.
For example, managers might make the assumption that an employee who joins an early morning meeting from their phone, rather than their laptop, might still be in bed.
Microsoft provides companies with aggregated data showing how employees across the organisation, or individual groups, are using Office 365 applications. It also provides them with a productivity score that shows how well employees are using Office 365 capabilities compared with similar companies.
For smaller organisations, this data can still be used to make inferences about the performance of individual employees, Demetriades and Privacy International found.
The audit and content search tools offered by Microsoft have legitimate uses, such as allowing employers to identify breaches of employment contracts, breaches of company policies on harassment and the disclosure of trade secrets.
But Demetriades and Privacy International argue there are no safeguards to protect employees from auditing tools being misused and Office 365 users are given no warning if companies choose to enable those tools.
“This lack of transparency and limitations on the employee side means they can potentially be misused and turned into a surveillance machine without employees’ full knowledge,” they claim.
‘Pseudonymised by default’
Microsoft did not contradict the UCL research, but said in a statement to Computer Weekly that it uses masked or “psuedonymised” information about users of Office 365 “by default”.
Revealing identifiable user information is treated as a logged event in the Microsoft 365 compliance centre audit log, the company added.
“We do not believe in using technology to spy on individual employees. Data-driven insights have long been a critical part of how IT professionals deploy and manage solutions, provide services, meet regulatory requirements and fix problems across their organisations,” a spokesperson said.
“Most of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level – across groups or entire organisations. These tools are an important part of helping organisations run effectively and get the most out of their investment,” the spokesperson added.
Microsoft should alert employees to monitoring
Microsoft does not limit how employers can use its “audit” and “content search” tools, which means they could potentially misuse them to spy on employees without consent.
If employers do not disclose which Office 365 capabilities are turned on, employees have no way of knowing “whether their every action with Office 365 is being monitored or even if their communications are being read by someone”, the privacy group argued.
Demetriades said Microsoft could do more to prevent employees being spied on by their employer, such as introducing a dedicated dashboard accessible to all employees that lists which productivity apps have been enabled or disabled and what data the organisation is collecting and under what circumstances.
Microsoft should also notify Office 365 users when companies turn the “audit” and “content search” features on, and if administrators disable the option to conceal usernames in Office 365 to generate reports about named individuals, he added.
“I am not saying these features should be removed completely, because they are good for productivity, but they should be used to provide aggregate information,” said Demetriades.
There are other ways to see whether individual employees are being productive rather than using these metrics, he added.
Employers have legal responsibilities
Under UK data protection law, employers are responsible for ensuring they comply with the law when using software to monitor employees.
Companies need to ensure that monitoring employees at work is proportionate, and if it is proportionate, whether they can justify collecting data on employees without informing them first, said IT lawyer Dai Davies.
“The real problem is that there is no black and white answer. What is proportionate in one situation is not proportionate in another,” he said.
For example, it is probably proportionate and lawful for a retailer to install a hidden camera where there are grounds to suspect a staff member of pilfering from a till. However, it would not be proportionate for a company to record the key strokes made by every secretary employed by the organisation to identify the least productive typists.
“Monitoring everyone is much more problematic than monitoring a few people. One of the problems with Microsoft Office 365 is that it allows monitoring of every employee and is therefore harder to justify,” said Davis.
He said Microsoft had failed to acknowledge that employers could combine data gathered from Office 365 with other data they hol on their staff.
Legitimate reasons for monitoring employees
David Wilson, CEO of Fosway Group, an analyst specialising in the human resources industry, said there were legitimate reasons why companies might want to monitor employees.
These include monitoring workplace apps to identify patterns of use or monitoring email to identify intellectual property theft or workplace harassment.
David Wilson, Fosway Group
“It is hard to argue that a company should not be allowed to access staff emails or browsing history if there are business-critical or legal reasons. The issue is more one of governance and ensuring that monitoring capabilities are not abused,” he said.
For example, pharmaceutical companies ask employees for consent to use software to automatically screen their emails and social media to see whether rival companies are mentioned to ensure that employees do not accidently leak confidential information to a competitor.
The same software could be used to identify employers who have applied for jobs with competing companies.
Office 365 simulation
Demetriades used a trial version of Office 365 to simulate a company network made up of two users and a systems administrator as part of his research project for a masters in information security at UCL.
“I set up an admin account, which represented the employer, and I added two user accounts, which represented employees,” he told Computer Weekly. “I used my laptop and my phone, and I logged each user in on one device, and I tried to interact with simple messages and set up meetings to collect data. The platform tracked the data and it started to generate the graphs and the metrics.”
Demetriades, a software engineer, said it would be “very easy” for an employer to select and read emails sent by a particular employee.
Microsoft boosted Office 365 privacy in 2020
Microsoft announced plans to remove user names from its Productivity Score tool in a blog post in December 2020, in response to criticism that the feature could be misused by employers.
“No one in the organisation will be able to use Productivity Score to access data about how and individual user is using apps and services in Microsoft 365,” it said in the post.
The company also changed the interface of its software to make it clear the purpose of Productivity Score was to monitor the adoption of technology within the organisation rather than to monitor individual employees.
But Demetriades’s research shows that Office 365 can still be used by employers to monitor that activities of their staff.
Microsoft said in its statement that there were scenarios where IT professionals need access to “user-level information” to identify and fix problems or to track software licences.
“Access to these reports is restricted to only a few IT-focused roles. Moreover, Microsoft generally takes the step of concealing user, group and site information by default,” a spokesperson said.
Nvidia GeForce RTX 3090 vs. AMD Radeon 6950 XT: Which GPU should you buy?
Receive near instant feedback on logos, images, text, and more with Helpfull
Confessions of an in-house creative strategist on feeling unfulfilled, difficulty in returning to agencies as the ‘pay is less’
The war for talent between agencies and brands’ in-house agencies has cooled. Even so, for adland talent who’ve made the move in-house, some say they are looking to go back to agencies after feeling creatively stifled. It’s not the easiest strategy to execute.
In the latest edition of our Confessions series, in which we trade anonymity for candor, we hear from an in-house creative strategist about their experience, why they want to go agency-side now and how pay is keeping them from doing so.
This conversation has been lightly edited and condensed for clarity.
What’s the in-house experience like?
I’ve been in-house for about a year. It’s very one-sided. The difference between agency and in-house is that with agencies, there [are] a lot of opinions and ideas [outside of the brand message] that go into creative. With in-house, you have the brand’s message and all creative is reflective of the brand’s message. With in-house, regardless of trends in the market, it’s a lot of ‘we’re going to stick to this one way of doing things’ mentality. It’s a lot of opinions about what the creative should be based on what it has been before. It makes it hard to introduce something fresh. It makes it hard to hire or be a new hire. If you’re not actually going to adhere to advice from new hires, what’s the point in getting new people? Are you just bringing people on board for a second opinion? That’s what it feels like.
Sounds like you don’t have the creative control you desire.
It feels like more of a second opinion role than to get something to manage or control. [Where I am now] it feels like we’re leaning more into what [our strategy] used to be than thinking about what we could be. That’s a big issue with in-house. With agencies, like I said, there’s a lot more trial and error. With in-house, a lot more of this is what we’re doing, these are the funds we have and this is what has worked in the past. In reality, a lot of what worked in the past, when you put it back into the market, it’s not going to work anymore.
Why do you think it’s more challenging to get to a new creative strategy in-house?
With agencies, you have multiple perspectives. You’re working on multiple brands. You can see something working for another brand and talk to your client about it. You can pivot. You have the background and perspective to [pitch that pivot]. When you’re in-house, you only have the knowledge of your brand and what’s working for you.
Are you looking to go back to agencies?
Personally, I am looking to go from in-house to agency but I get paid a lot more being in-house than what I’ve been offered at agencies. I’ve been in interviews with agencies where they’re telling me that I’ll be learning [programs I already know how to use] so that’s why the pay is less than what it should be. There are agencies I’ve interviewed with who ask me to move to New York for less than what I make now and make that work. [With inflation,] there’s no reason why salaries aren’t also increasing.
So you’d like to make the jump creatively but it’s hard when the compensation isn’t up to what in-house offers?
It’s hard. I’ve been lowballed, too. They’ll post a salary for a position, go through the interviews and then offer less than what’s listed on the salary description. What was the point of putting the salary range there? I feel like people are putting salary ranges on job descriptions just to attract people with the experience that they are looking for but by the time they make the offer, it’s not what they said it would be. It’s offensive.
When Will Bitcoin Bottom Out? Pi Cycle Bottom Says It Will Happen on July 9
Sky Mavis to Reimburse Axie Infinity Hack Victims and Restart the Ronin Bridge as Early as June 28th
Celsius Considers Bankruptcy, Hires More Advisors
Kyber Network Admits A Portion of Its Treasury Was Held By 3AC, But Not Significant to Affect KNC Operations
Sam Bankman-Fried’s FTX is Reportedly Planning to Acquire a Stake in BlockFi
‘Continue to ebb and flow over time’: Denny’s chief brand officer on how consumers’ moods inform brand messaging
Bitcoin hits $45K ahead of July inflation report, but one fractal hints at looming correction
Smart Marketing Token (SMT) Is on a Mission to Help Blockchain Projects Reach Their Goals
Identity management org Sailpoint unveils no-code tool
Japan crypto exchange bitbank upgrades performance of its matching engine by 4x
Ethereum3 months ago
Michael Saylor’s MacroStrategy Secures $205 Million Loan to Buy More Bitcoin
Bit Coin3 months ago
Nifty Gateway Partners With Samsung to Develop ‘First-Ever Smart TV NFT Platform’
Tech3 months ago
How ‘eQuad’ Electric Bikes Could Change UPS Delivery
Bit Coin3 months ago
Bitcoin suddenly dives to $46K as attention focuses on large CME futures gaps
Tech3 months ago
Instagram’s latest test makes it easier to support social causes
Bit Coin3 months ago
Binance launches Binance Bridge 2.0 to integrate CeFi and DeFi
Cryptocurrency3 months ago
Layer-2 aggregator platform Coinweb receives crypto exchange license from Lithuanian regulator
Bit Coin3 months ago
Axie Infinity hacked for $612M, OpenSea expands support to Solana, EU’s unhosted wallet regulations cause a stir: Hodler’s Digest, March 27-April 2