Remote monitoring software (e.g. Teramind, Time Doctor etc)

[Wolveryeti]

Not had a thread on this in a while, but I imagine that as the trend for WFH becomes more established post-pandemic that we will see more of this stuff.

Ostensibly it is a way of snooping on staff to make sure they are not slacking off, and capabilities include taking screenshots of PC screens, keystroke logging and recording time used by various apps.

I suspect (but can't prove) my workplace is using such tools already on the down low. Interested in other peoples' experiences or in discussion around how to detect/defeat such creepy measures.

I found this to be quite a useful article on detecting monitoring, but no idea whether it would pick up some of the more modern tools being used:

A Year After Lockdown: Stalkerware on the Rise

A new NortonLifeLock study details common cyber stalking tactics, while research from Norton Labs reveals a concerning rise in stalkerware

www.bullguard.com

 

[stdP]

Shouldn't any monitoring be called out in the employment contract...?

Certainly it's more of a thing now, but it's been a thing since forever to varying degrees of intrusion. If you're using company resources on company time, you should operate on the assumption that the company can and will check on what you're doing at some point. As an IT bods I've had a hand in doing this sort of stuff myself before; places I've worked have always been open about it (usually a dedicated section in the employee handbook) and it's covered by some fairly robust data protection laws. I currently work for a relatively paranoid company (due to a data exfiltration event) that uses much more in the way of monitoring and audit software than other places I've worked at; my previous company was woefully unprepared for anything of the sort and exfiltrating tonnes of financial data would have been a piece of cake. Much of this isn't driven by security though, it's mostly the age-old problem of how to measure productivity, with most companies adopting the approach of "Productivity can't be measured easily. X can be measured easily, so let's use that as a bad proxy for productivity" and you end up with stupid metrics like being told off for not spending at least 40% of your day in system Y, only making seventy-three clicks in an hour or not wearing seventeen pieces of flair.

Where it's getting "interesting" (read: dystopian) is some shitty companies not only expecting people to install spying software on their own personal devices, as well as using things like microphones and webcams to snoop on their workers' home life/work which is on very dodgy legal territory. It's becoming very common in the US; thanks to the DPA, ECHR and GDPR we're much better protected against it here although there's still plenty of companies who'll chance their arm about it (lots of US companies in particular seem to see non-US laws as an inconvenience and I once heard an American CTO ask why we couldn't just make a maximum of 14 days of holiday part of the employment contract).

Infolaw have a fairly accessible page about this topic here; the guts of the legality can be found in the second half: Employee monitoring software: is it legal? | infolaw CPD training

 

[equationgirl]

As I understand it, employees are supposed to be made aware of any monitoring software.

My employer logs website usage, for example. Mostly things get flagged if they're inappropriate content. The occasional flag is ignored (i'm on the cyber security team and we review the reports monthly) but if someone is accessing inappropriate content multiple times then we have a procedure to manage that.

Recently it was suggested that keylogger software be used. This was rejected as useless as some teams spend a large portion of the day reading documents or on phonecalls rather than constantly typing, so any attempt to set an arbitrary keystroke rate to 'prove' productivity could penalise those working without constant typing.

 

[Gerry1time]

A place I worked at a while ago had a senior person who got sold some monitoring software by a company under the guise of productivity increases, and rolled it out across all their software developers. Whilst it was announced it wouldn't be used to compare people and teams, everyone knew that it would, and news of this senior person berating line managers that there teams weren't productive according to the software soon filtered down.

However, we quickly learned that the software was tracking keyboard and mouse activity, but that it only flagged an issue if your keyboard and mouse wasn't active at a time when you didn't have a meeting in your calendar. So we immediately filled everyone's calendars with fake meetings. They then fix this loophole, at which point the software developers went one better, and bought 'mouse jigglers', USB sticks that had a small programme on that jiggled your cursor every few minutes, so you could happily walk away from your computer and still be logged as working hard.

Eventually, the senior person who led the initiative moved on, and the monitoring system quietly got turned off and abandoned.