back to article Most staffers expect bosses to snoop on them, say unions

The TUC, a federation of trade unions in England and Wales, is lobbying to gain a legal right to be consulted on surveillance in the workplace, as it opened up on staffers’ growing concerns about their bosses snooping on them. In a report published today, the TUC took aim at inappropriate surveillance, warning that intrusive …

  1. }{amis}{
    Paris Hilton

    Legal Requirements??

    I have worked in a couple of industries where keeping an eye on what the companies employees are up to is a legal requirement, how you do this is not so clearly defined but keyloggers are a seemingly standard if unpopular response.

    I do have to agree with the TUC monitoring people outside of office hours is very much not cricket what happens outside of the office is none of the companies business unless it involves criminal law.

    As an interesting aside a mate of mine has a company car which has one of those insurance trackers that plots everywhere the car goes, I wonder what the GPDR implications are for movement outside of business?

    1. big_D Silver badge

      Re: Legal Requirements??

      And over here, in Germany, it is illegal to monitor employees without their consent.

      You also can't put up CCTV cameras that would record in public areas (without making it clear that it is being recorded, E.g. shop floor, where there might be customers) or private areas (E,g, locker rooms or toilets).

      You cannot monitor email without first informing all employees and then only, when it is company policy that emails cannot be used for private communications.

      Keyloggers would definitely fall in the illegal category.

      1. Yet Another Anonymous coward Silver badge

        Re: Legal Requirements??

        >And over here, in Germany, ....

        >Keyloggers would definitely fall in the illegal category.

        Insider trading is going to be a dream when all finance moves to Frankfurt

        1. LucreLout

          Re: Legal Requirements??

          Insider trading is going to be a dream when all finance moves to Frankfurt

          The main problem with that, is that there isn't enough people in Frankfurt to ever enable that happening. Even if everyone of working age in Frankfurt worked only in financial services, there'd still be too many roles for the population to fill.

          Based on a population of 700k in Frankfurt, a ball park that half of them will be working age, gives 350k, which is rather a lot less than the 1.1 million people that work in finance. That's before we tag on the ancillary industries of accounting, law, and insurance.

      2. JohnFen

        Re: Legal Requirements??

        "And over here, in Germany, it is illegal to monitor employees without their consent."

        Is it legal to refuse to hire people who won't consent?

    2. GnuTzu
      Holmes

      Re: Legal Requirements?? -- InfoSec...

      If you work anywhere that has InfoSec requirements, then that thing slowing down your workstation is the indexer looking for things that aren't supposed to be on your workstation. It's called Data Loss Prevention (DLP). They'll also do this in the network and at the web proxy. Oh, and do you have any idea what that proxy logs and what the retention policy is for those logs? You better not be browsing porn at work. They will find you. Oh, yes they will. Maybe you might want to go back and read those forms you signed when you were hired.

      1. Charles 9

        Re: Legal Requirements?? -- InfoSec...

        "If you work anywhere that has InfoSec requirements, then that thing slowing down your workstation is the indexer looking for things that aren't supposed to be on your workstation."

        I have wondered about that. What happens when privacy laws conflict with data protection laws (say the job is at a government facility that handles other people's data). If the two types of laws conflict, which takes precedence?

        1. big_D Silver badge

          Re: Legal Requirements?? -- InfoSec...

          I worked in infosec and we set up our workstations using tightened down Linux workstations. There was no spy software on them. In fact, it was one of the most open transparent and friendly companies I ever worked for.

          1. Charles 9

            Re: Legal Requirements?? -- InfoSec...

            Then how do they safeguard against eye-to-hand copying?

          2. GnuTzu

            Re: Legal Requirements?? -- InfoSec...

            big_D: "we set up our workstations using tightened down Linux workstations. There was no spy software on them."

            I'm jealous. Yet, that sounds like you had no DLP or insider threat programs. I wonder what data assets you were required to protect.

    3. mmccul

      Re: Legal Requirements??

      In my experience, keystroke loggers violate the very rules that they claim to enforce because they always end up capturing passwords.

      It's nothing but a black hat in a management suit trying to find a way to capture people's login credentials to corporate resources that the person who setup the logger isn't authorized to access.

  2. Anonymous Coward
    Anonymous Coward

    Rule 1

    never user work equipment for personal use. Personal phone, personal table for personal use

    1. }{amis}{
      Meh

      Re: Rule 1

      Somewhat harsh, it makes sense for IT pros who can watch our own backs but don't forget the bulk of the population will just give you a confused look when you ask what virus checker/firewall they are running.

      At the end of the day which is worse looking at sensitive data on a personal system probably riddled with malware or an office system that's may be monitored but at least is secure and has legal protection against abuse of the monitoring data?

      1. big_D Silver badge

        Re: Rule 1

        We have private phones, which aren't allowed onto the company network and are not allowed to have any company data on them, including contact lists or email.

        Then, those that need a phone for business purposes have a company phone, which is allowed access to email and contact information, but which you cannot use for private purposes.

        Which is a pain on the one hand - always carrying 2 phones around at work. But on the other hand, it is great, I can turn off the company phone when I leave the office and still be contacted by family and friends on my private phone.

        1. Fatman

          Re: Rule 1

          <quote>Which is a pain on the one hand - always carrying 2 phones around at work. But on the other hand, it is great, I can turn off the company phone when I leave the office and still be contacted by family and friends on my private phone.</quote>

          You forgot the most important part of that practice: IF you leave the company, you leave their phone behind, and they do not have access to your personal information.

          My former employer was like this over a decade ago. We knew better than to jump on the BYOD1 fad.

          1 Bring Your Own Device, or Bring Your Own Disaster, as you care to see fit.

          1. Shooter

            Re: Rule 1 @ Fatman

            Quite right. A few months back my direct supervisor was walked to the door on a Friday afternoon. No more company car, cell phone, computer, or access to his accounts.

            I know he had his own car (but insurance not current as he didn't drive it), and I think he had a computer at home, but I know he used his work email for pretty much everything.

            Don't know how or if he managed to get access to his personal emails - I'm guessing he was pretty well screwed.

            All of us peons toiling away in the fields were issued smart phones last year, with an apparently unlimited data plan. A fair few have decided that they no longer need a personal phone and/or home internet connection; I don't think they realize just how vulnerable they are leaving themselves.

      2. JohnFen

        Re: Rule 1

        "don't forget the bulk of the population will just give you a confused look when you ask what virus checker/firewall they are running."

        Why would you ask? Their use of their own equipment doesn't pose a security threat to their employer.

        "At the end of the day which is worse looking at sensitive data on a personal system"

        If people are using their own equipment for company business, then they aren't actually separating work and personal equipment properly.

    2. Anonymous Coward
      Anonymous Coward

      Re: Rule 2

      I never allow the corporate laptop onto my home network. My employer is pretty transparent. They make it clear they’ll do whatever the hell they want. We’re in the middle of a corporate takeover, at the moment. I'm pretty relaxed about the possibility our IT department might be splattered in the inevitable hunger games that follow*.

      * Sorry; not terribly tolerant of those who get in the way of me doing my job. And yes, meet the new IT department....

    3. jmch Silver badge
      Joke

      Re: Rule 1

      "personal table for personal use"

      You take your own personal table into work??

  3. hmv

    Belief or Reality

    As an evil firewall admin who would be doing some of the spying, I can tell you that there can easily be a huge gap in what employees think is being monitored and what is actually being monitored. At $work there are a considerable number who believe we do a lot more monitoring than we actually do, and nosy line managers get told to go forth and procreate.

    That's not to say there shouldn't controls in this area, and I'd happily sit down with unions to talk over what we do (and don't do).

  4. 0laf
    Holmes

    Of course we can investigate your work emails and internet activity. .We need to be able to do that to investigate accusations of misconduct. But as an employee you've been told that can happen, and are reminded every time you log in and you've been told to avoid using your work email for personal use for that very reason.

    As someone who regularly carries out these investigation I'd also add that the evidence I've gather through instigating has proved innocence far more often than it has proved guilt.

    The ability to investigate is not live monitoring since that would fall foul of RIPA/RIPSA.

    I think there is a bit of confusion over active monitoring and having logs to enable investigation.

    But please, pretty please don't use your work email for personal shit. I don't want to know about any more married men hiding in the closet arranging liaisons with boyfriends, or who is humping whom in the office, or the the plans for your next coke fuelled party.

    1. }{amis}{
      FAIL

      pretty please don't use your work email for personal shit.

      I once had an employee come up to IT and totally lose his S#@t. The reason was we were moving the company from one-off os builds to a centrally controlled gold build system.

      Everyone had been emailed several times in the proceeding weeks to tell them that all data on the local system's would be wiped and to move everything off to the network.

      What this Idiot had done was he was using his work PC to hold all the documents associated with his divorce witch the rebuild had wiped.

      1. 0laf

        Re: pretty please don't use your work email for personal shit.

        Yep that's happened a few times. Not with divorce files but very important personal documents, photographs etc. Mucho tears from the employee coming in and finding the desktop wiped or replaced.

      2. ecofeco Silver badge
        Facepalm

        Re: pretty please don't use your work email for personal shit.

        Seen this many times. Local drive wiped/borked/failed and files irretrievably wiped because they were supposed to save them on the network drive.

      3. hplasm
        Happy

        Re: pretty please don't use your work email for personal shit.

        "documents associated with his divorce witch"

        I see what you did there!

  5. Anonymous Coward
    Anonymous Coward

    UK trade union the TUC ?????

    Er. the TUC is not a trade union, as the initials clearly tell you.

    1. israel_hands

      Re: UK trade union the TUC ?????

      Everyone knows Tuc is a cheesy biscuit, and massively inferior to the glory that is the Ritz biscuit and its smaller but tastier cousin, the Mini Ritz.

      OT: We have to retain e-mails, internet connection records, phone logs, everything at work. That's due to compliance and it's perfectly acceptable. We don't monitor keystrokes and our firewall only blocks P2P connections and child porn and that's because that's a requirement from our ISP. Anything else is allowed through (and where I work there are some users with legitimate requirements to view porn, the lucky bastards).

      What we don't do is expose any of our records to anyone unless there's a) a very good reason and b) written authorisation from both the Director of ICT and the Director of the employee's department. And even then our Security & Standards Manager is able to refuse anything he disagrees with.

      We do get the odd manager (aren't they all odd?) asking for web history or e-mail access for one of their staff. They get short shrift. My favourite response to one request (manager was concerned employee was spending too much time browsing the internet) was "This isn't an IT issue. Manage your staff better. If they're getting the job done who gives a shit how much time they spend online?"

      With regards to monitoring staff outside of work, I'd kick off massively if I discovered that happening. One manager admitted he checks people's Facebook profiles before interviews and won't hire them if he see's anything he doesn't like. He also stated that if they don't have a Facebook profile he doesn't trust them because "What have they got to hide?"

      My response was "Everything. Or rather, I've got nothing about my personal life I want to expose to any twat with a net connection." I've never had any form of social tedia profile and he'd hired me 2 weeks before that so I knew he was full of shit.

      1. Shooter

        "social tedia profile"

        Not sure if a typo or not, but I love it!

  6. Chairman of the Bored
    Paris Hilton

    And when you're working for nutjobs...

    ...worked for a sociopath that required everyone "friend" her on facebook and she would spend evenings prowling contacts to see who's who in the zoo. Ditto linkedin.

    Mental!

    1. 0laf
      Devil

      Re: And when you're working for nutjobs...

      You could have had some fun with that.

    2. VikiAi
      Megaphone

      Re: And when you're working for nutjobs...

      My manager/boss connected to my account on Linkedin, I would accept (if I hadn't manually purged my account, then disabled it first time they were slurped), but only because it is a business-oriented SM in the first place. Wouldn't want my boss on any other SM site (if I had one, which I don't).

      Does SM mean Social Media or Sade-Machosim? ... Yes.

  7. mmccul

    Location monitoring

    With companies sometimes providing corporate phones, or if you use your personal phone, requiring that they load their hooks into it that gives them administrative access to it, one of the most evil monitoring forms is 24/7 location monitoring.

    Especially with personal mobile devices where many users are not aware of just how many companies market as a "feature" the ability to know where every person's personal phone is at all times and their location history.

    1. VikiAi

      Re: Location monitoring

      When not at work, my work phone is on the charger in my office.

      When at work, my personal phone is in my backpack in my locker.

  8. frank ly

    Facial Recognition Objections

    I wonder why people have objections to facial recognition systems being used at work.

    If it's used for secure access then that shouldn't be a problem. If it's used to check who goes to the toilet a lot and how much time they spend in there then I can understand there would be objections.

    1. Jellied Eel Silver badge

      Re: Facial Recognition Objections

      The report suggests a few scenarios. So basic face recognition for secure access is probably ok. But that's often about all it can do, ie detect a face, but not who's face. I guess with a small staff and a large budget, training it may be more feasible.

      More objectionable are where management wants access to your laptop or phone camera so they can check that you're working. Managers don't seem to like it if you show them typical pay rates for a CCTV operator vs a decent IT manager and suggest they've missed their vocation. Report also mentioned an IPM (Impending Postal Moment) that could automatically gauge a staff member's mood, and possibly turn their frowns upside down with a cheery intervention like this!

      https://www.youtube.com/watch?v=R9t4m9dw-fI

      Or a selection hand-picked from the CEO's greatest moments from investor's Q&A. One of which may be whether machine learning can ever really match a good manager in understanding if employees really are happy here.

    2. The Nazz

      Sorry about this but ....

      wait until Faecal Recognition systems are in place.

      "You know that guy on the production line who we think is a cokehead, well the FRS says that the least of our problems."

      "The cause of the contant blocked drain problems? Oh that's Bertha in the office, she only goes every three days, saves em up and bakes em*. Tears were frequently detected too."

      * based on a true story of a now not so SO.

  9. GIRZiM

    Multiple Networks

    even in the UK staff are legally entitled to make use of private communications channels (can't remember when but that legal decision was reached many years ago).

    If you do have staff using private devices for private purposes and they're not used for work as well (so a purely private matter), as an employer you have a choice:

    1. be a complete 4r$ehole and ban them from the network (they'll have to use their own data plan)

    2. set up a second network that is isolated from the rest of the organisation, doesn't allow anything through that is illegal or likely to bring the company into disrepute and let the staff do what they like within reason.If you have any concerns about staff slacking off then all you need to do is check the logs to see when they accessed the network; how frequently for how long will let you know who was likely slacking during working hours and who was likely just communicating with their spouse/friend to make some logistic/practical arrangements, all without your needing to to know any gory details. No tracking, no spying and you know who needs a kick up the arse about how much time they're not doing what they're paid to do.Simples.

  10. Anonymous Coward
    Anonymous Coward

    I don't subscribe to "if you've nothing to hide" normally but I tend to agree with employers having the right to monitor their own devices, although I think they should be 100% upfront about it. If you don't want them looking at your personal stuff - don't use their devices.

    On my two work laptops (don't ask - stupid network access requirements) I have the thin plastic sliding covers stuck over the webcams (search on eBay/Amazon for webcam cover).

    Work mobiles are smartphones but I dumped the provided phone and stuck the sim in an old phone I had laying about as luckily I just need it to receive a sms page and make phone calls.

    We've just moved to Office 365 and they're pushing BOYD hard, they can s0d off.

    That being said I do occasionally use internet banking etc on my work laptop - but that's cause I don't care if they see that, they know how much I don't get paid anyway. However location tracking on the phone would be too far for me as I have a requirement to carry it 24/7 for 2 weeks a month and it's just a little too intrusive. This was one of the reasons to ditch the smart phone - the other was to avoid charging two phones every night.

  11. Insert sadsack pun here

    I don't want to be that guy...

    ...but half of the eye-catching statistics in this piece are about what employees THINK might be happening at their workplaces, not what is ACTUALLY happening at their workplaces.

  12. Dainese321
    Thumb Up

    Snoop dog ...

    You most definitely are being snooped. Key loggers, DLP, email scanning, website access - all common at my old place of work. However, the best snooping was checking the Blackberry SMS files. A log file containing the names of the individuals and the messages they sent was often very revealing (frankly, quite filthy), especially the day after a works night out.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon