My boss has us using a bossware SaaS app that tracks our work with exquisite detail. It's called GitHub. The tracking consists of our trail of commits to various repos. (Along with the resulting error logs and tickets.) He can see exactly what we're doing for the project and when. In fact he has a team that "peer reviews" the tracking data line by line and are not shy about pointing out deficiencies.
To track other things, like time on task or web surfing habits, would not even be redundant, just superfluous.
People who truly think this is any useful kind of metric are probably the ones who think # lines of code written = productive work. Or, as Bill Gates put it so nicely, they are measuring the progress on the aircraft by its weight.
Counting lines of code is definitely not a useful metric; however, you can extract a lot of information via the GitHub API that I believe can help with managing a tech team. It's exactly why I created getdevinsight.com, as I think too many managers rely on bad metrics like lines of code and we can do better.
A good manager can often sense when someone is not doing their job, or has disconnected.
In one case, a good manager came to me and asked me to check the "bossware" software to see if a certain employee was working while "working from home".
...turns out they were not. So we terminated them.
They didn't "sense" anything, they just asked you to show them some stats on a dashboard. They didn't approach the person for an explanation or conversation.
This manager totally removed the human from the person struggling with their job. That makes them a good robot.
Just to give them the benefit of the doubt, we don't know if this is the first or tenth time this employee was slacking off, or what action (if any) had already taken place to improve things.
I can additionally imagine that koheripbal was not privy to any information regarding that employee's performance besides that one thing.
Excellent way to treat people with personal problems like depression, health problems or a failing marriage. This is really an efficient society that I don't want to live in.
True enough. I should have said it's not an unreasonable thing for a manager to look at. It's not that it would be impossible to get by without management looking at git commits, and as you indicate, it's not a substitute for communication.
While I know this is possible and have done it sometimes for fun, I would never spend any appreciable amount of time doing it at a job.
If you are at the point where you need to modify commit timestamps to satisfy some micromanager, it's highly likely that there are other things wrong with them that will lead to you searching for a new job fairly soon.
All I was saying is that these two are very likely mutually exclusive.
Sure, it's hypothetically possible that I have a micromanage-y boss who only tracks my commit times and nothing else. But really? That's the same boss who's going to mentally think you're "not a team player" because you left an hour early for your son's birthday party. That's the same boss who's going to obsessively track how many vacation days you "accrued" and insist on you coming in when you're sick if you don't have any left. Let's not kid ourselves.
If it's already shared history it would be too late anyway - thread is about lying when you authored/committed.
Not really sure what the benefit in cheating your boss would be though? You still had to do the work at some time. Maybe you work extra hard one day but push only the first half of your commits, then give yourself a day off where all you do is check in at the end to push the fake-timed other half of them?
It'd probably be easier to find an 'unlimited holiday' job that pays you for output rather than keeping your seat warm.
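The thread above talks about modifying commit timestamps to fool someone who reads the commit log. The script below is an added example, not posted by any commenter: it forges author and committer dates the two ways git allows, then applies the one check a reviewer actually has from the repository alone, comparing each commit's author timestamp against its committer timestamp. It assumes git and awk are on PATH; the repository, file names and dates are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from any commenter in the thread): forge commit dates
# the way the discussion describes, then apply the one check a reviewer has.
# Assumes git and awk are on PATH; the dates and file names below are made up.
set -eu

# Build a throwaway repo with three commits:
#   1. honest: author and committer dates both "now"
#   2. author date back-dated only (what a lazy --date forgery looks like)
#   3. both dates back-dated (what setting both env vars, or a rebase with
#      --committer-date-is-author-date, produces)
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email dev@example.invalid
  git -C "$dir" config user.name dev
  echo one > "$dir/notes.txt"
  git -C "$dir" add notes.txt
  git -C "$dir" commit -q -m "honest"
  echo two >> "$dir/notes.txt"
  GIT_AUTHOR_DATE="1590994800 +0000" \
    git -C "$dir" commit -q -am "back-dated author only"
  echo three >> "$dir/notes.txt"
  GIT_AUTHOR_DATE="1591081200 +0000" GIT_COMMITTER_DATE="1591081200 +0000" \
    git -C "$dir" commit -q -am "back-dated author and committer"
  printf '%s\n' "$dir"
}

# Count commits whose author and committer timestamps differ by more than
# $2 seconds. A plain `git commit` sets both to the same instant, so a gap
# means either a rebase/cherry-pick/amend or a forged author date.
count_skewed() {
  git -C "$1" log --format='%at %ct' \
    | awk -v max="$2" '{ d = $2 - $1; if (d < 0) d = -d; if (d > max) n++ } END { print n + 0 }'
}

# Print both timestamps side by side so a human can see the gap.
show_dates() {
  git -C "$1" log --format='%h author=%ai committer=%ci %s'
}

# Usage: repo=$(make_repo); show_dates "$repo"; count_skewed "$repo" 60
```

With a tolerance of 60 seconds, `count_skewed` flags exactly the second commit. The third commit, where both dates were set, looks identical to an honest one: nothing in the commit object records when it was really created. The only independent evidence is whatever the hosting service logs when the push arrives, which git itself never stores, so a reviewer who cares should compare commit dates against push times rather than trust the log.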
I'm sure I'm getting details a little wrong here, but basically if you're paying someone a certain salary to do a task, you aren't allowed to know how long it took to do it.
Microsoft Word has an example of this: The 'Total Editing time' tracking feature is disabled in Germany (and likely other countries.)
If I'm understanding this correctly from you, you mean that in the sense that if they complete the task in the time allotted, there shall be no record of specifically how much of the deadline it took up?
That seems like a decent managerial practice for some types of workplace, and it's definitely the model I have for my direct reports; but doing it by law seems like a bit of a shortcut for some reason to my anglo brain.
I also think it's an aspect that should be explored more. Sometimes people forget that the time to complete a task does not always correlate with the cognitive load of completing a task.
I've seen orgs where 'top producers' on a team slowly get loaded up more and more, eventually having 50-100% more points on a sprint than their peers on the team. They usually wind up 50-100% more drained at the end of the day too, and it winds up impacting their quality of life.
I know someone who spent about three months on a 10-line fix, which was primarily a configuration tweak. As part of that process, they had to discover and describe emergent properties of an architecture that formed organically over several years from multiple teams building components that interacted with one another in non-trivial ways. They ended up getting a promotion due to that code’s incredible impact.
I used to work at a company that hired temps off Craigslist to do fairly sensitive healthcare work. The economics and extreme seasonality made that the only viable approach. Software like this was absolutely critical to limiting what people could do and preventing things like identity theft etc. Strong deterrent effect too- during orientation they would show people exactly what they could see. Not great in a general work environment with FTEs but these tools have legitimate uses.
Unfortunately everyone in the space does it. Hiring 200 FT with benefits that you only have work for during two months a year will quickly put you out of business.
I'm sorry, that company does what? It is absolutely insane that temps off Craigslist could be trusted with such sensitive information under any circumstances. That company is asking for a data breach and to be sued into oblivion.
The fundamental problem here is that that company is cutting corners to save money. Full stop.
Under HIPAA laws, basically any healthcare data is "sensitive" data. An "extremely seasonal" healthcare job that deals with "sensitive data" could be someone that works in a call center that answers questions about health insurance -- just my guess.
Per other note, everyone in the space does it. It’s a fairly commodity business so paying more or keeping people all year when there are only two months of work would put them out of business quickly. If anything it’s a flaw in the underlying law that creates that seasonality
A trained ape reading a script for insurance enrollment is handling "sensitive" data, but your prescription history is sold in real-time to data brokers.
They could, but since so much of healthcare sits inside Citrix these days, it's unlikely that in OP's scenario it would've mattered. It's pretty easy to find out if you are running in a VM on Windows though, so I bet they do.
I work for a HIPAA covered entity - software such as this is not even close to required to meet our compliance obligations. If I found we were trying to deploy it I would fight tooth and nail to protect the dignity of my coworkers and myself, and if they failed you better believe I would have a new position lined up within a week.
“Bossware” like this is not a security tool, it’s a way for micro-managers and ass-in-seat bosses to be more effective in their misguided management styles.
The better managers I know are pretty critical of quantifying every work metric possible. Either you get it or you don't but perhaps that separates good managers from bad ones.
If you cannot define a goal that people can work towards aside from a most uncreative KPI, it is always a management problem. At least in engineering.
It is a work culture thing, but if you have a constructive one established, these tools can do much damage.
My worry is that companies like Zoom will start offering enterprises higher paid plans that effectively install this software. So think about the next time you join a meeting you may be installing something like this. And... what if you join some of those meetings on your personal laptop?
Attention trackers sound like they would be difficult to get right.
For example, I have three monitors and one is on Zoom. During the Zoom conf, I've got full view of the screen, etc. But the focus is on another screen, where I continue slack/messaging/typing/coding/etc. Would an attention tracker be smart enough to realize that -- despite not being focused on the Zoom window -- I indeed am listening and viewing it?
Gotomeeting has an "attention" metric and it's completely, utterly useless. It works by seeing if the gotomeeting window has focus. Not even attempting to track visibility, but actual window focus. It's the laziest crap imaginable, yet unchanged for years now.
Paying attention during a meeting is pretty binary. Either you're engaged or you're checking emails/Slack/etc. I've yet to meet anyone who successfully multitasks in Zoom calls.
Assuming attention is binary as the parent suggested, then having someone in a meeting where they listen in but in parallel work on something else seems to me to be a problem. Maybe the meeting should be split in that case, so that only the people who are actually required, and therefore give it their full attention, are present in the split parts.
Not saying bossware is the best (or even an acceptable) solution to that problem, but it would surely be beneficial for an organization to reduce such inefficiencies.
Micromanagement is a bad habit of insecurity that rots leadership, it affects the company health so much. One more source of emotional distress that makes good people leave.
Accountability (AKA delivery, outcome) is the best metric for me.
What makes you think this software is used for micromanagement?
In most cases, it's used for auditing. If someone is suspected of abandoning their job, or stealing, or working a 2nd job, or etc... then the logs are reviewed.
Legal problem: the moment you log this crap as a company... it's discoverable. That sexual harassment lawsuit that just came up? You are legally required to now do a data hold on all these keylogs and screenshots you took. Oh, and now you have to explain to a jury how you don't fall into the common charge of "could have or should have known" that abuse was occurring. I mean, you had all these logs and you still let this go on!?
Any corporation that collects these logs is asking for danger. Give a good law firm that much data, they will nail you.
Not to mention if you fire someone for burning time and they sue for wrongful termination and you get an e-discovery request... to see if you applied that surveillance to everyone equally. Let's request a random selection of logs from 10 staff members in the same or related roles.
This level of monitoring can get you in some huge problems.
Yes, I think the larger your company the less effective this "bossware" is. If you imagine collecting this amount of data on every sales, design, eng, product manager, director, vp, exec at a place like Google or Facebook the sheer amount of legally precarious logs would probably tilt toward liability.
I worked at a medium-sized tech company, and one employee sent an e-mail to another employee about how one of our product logos looked very similar to another logo in a similar product space. It was similar enough, and the products closely related enough, that this concern would have kicked off a re-branding effort or something like that... but since it was an e-mail, it sent off red flags all the way up to executive level. Triggered overseas flights, high-level meetings, legal involvement. Everyone working on the project immediately put on white gloves.
Made me think that more often than not, it's just better off for management to "not know", or at least have what they call plausible deniability.
> I worked at a medium-sized tech company, and one employee sent an e-mail to another employee about how one of our product logos looked very similar to another logo in a similar product space. It was similar enough, and the products closely related enough, that this concern would have kicked off a re-branding effort or something like that... but since it was an e-mail, it sent off red flags all the way up to executive level. Triggered overseas flights, high-level meetings, legal involvement. Everyone working on the project immediately put on white gloves.
> Made me think that more often than not, it's just better off for management to "not know", or at least have what they call plausible deniability.
What, what? Can you clarify?
Here's my understanding:
* employee saw a problem and sent an email to notify others about it
* management reacted with "white gloves" ???
* therefore, management should have plausible deniability of problems
I'm not sure I agree with that conclusion but I'm also having trouble understanding how that conclusion was reached.
I don't think it's reasonable for management to have plausible deniability when red flags about products are raised by employees.
Email is trivially archived by everyone, and people say stupid things that can be data mined later to demonstrate intent.
Look at social media brigading when the mob decides someone is "bad". Some evidence that <target> hates kittens will be found in an email from 2005. That happens in the office too, except it's done by attorneys instead of internet randos.
I think they’re saying it could have been handled quickly by changing their logo but because it was pointed out a lot of people who didn’t need to be involved swooped in to “do it properly” which resulted in a lot more complexity.
Rather than what it sounds like which is employees should provide cover for executives by not informing them of legal issues in a manner that means there is a record. Which sounds ethically dubious as well as a terrible idea for the individual employee.
> That sexual harassment lawsuit that just came up? You are legally required to now do data hold on all these keylogs and screenshots you took. Oh and now you have to explain to a jury how you don't fall into the common charge of "could have or should have known" that abuse was occuring. I mean, you had all these logs and you still let this go on!?
I can understand lawyers making that case, but do juries actually agree with that? Lots of organizations collect internal data en masse, but it's all siloed away and disconnected - so while the company-as-a-whole has all the data, no one inside the company could combine it together (or more likely: no one inside the company even considered that they could combine the data together).
Hypothetically, if a company was doing everything - including logging every keystroke, instant-message chat and recording every audio and video call - but just archived it without doing any information-extraction - or they tried but the signal-to-noise ratio was too low, would that convince a judge to instruct a jury to disregard that?
And isn't that why investigative agencies seemingly stopped asking ISPs and legislatures to record everyone's search-engine queries and DNS lookups - simply because the amount of actionable, useful data is impossible to find until some-bad-thing already happened?
I wouldn't take that bet. Though, I think it would be up to a prosecuting attorney to subpoena and present the right evidence.
One way to protect the average employee from the overreach of bossware might be to teach prosecuting attorneys to weaponize it against its users (i.e. the bosses). But that would ultimately involve shining light on data whose exposure might harm the very employees that we're trying to protect.
It probably depends on whether the legal requirements are relative or absolute, and I don't know which they are. If the law explicitly stated measures you must take, they're probably fine. If the requirements use some kind of relative phrasing like that they must take "reasonable measures" to prevent sexual harassment, having all of that data already available might shift some jurors perspective of what "reasonable measures" are.
I wouldn't expect a judge to instruct a jury to disregard it, even in the case of signal to noise. There's nothing that makes the evidence inadmissable afaik (not a lawyer, so I could very well be wrong). It would be up to the plaintiff to demonstrate that the company failed in their obligations, and up to the company to defend that what they did was adequate.
> And isn't that why investigative agencies seemingly stopped asking ISPs and legislatures to record everyone's search-engine queries and DNS lookups - simply because the amount of actionable, useful data is impossible to find until some-bad-thing already happened?
The use of that data is also very different. There are a small number of crimes where a DNS lookup or search query is a crime in and of itself. Probably none, without other evidence. At best, they're circumstantial evidence.
In the case of digital communications, there are a lot of civil crimes that can be contained entirely within the communications. Sexual harassment, unlawful trade practices, etc. Likewise, the NSA is probably far more interested in everyone's email and chat than they are DNS lookups and search queries.
would that convince a judge to instruct a jury to disregard that?
I doubt a judge would make that decision unless the data was somehow "poisoned" and can't be brought to trial.
Most likely the prosecution would bring it up, the defense would counter and it would be up to the jury to decide how relevant it is.
Saying "we strive for a harassment-free workplace, but didn't bother to check the data we've been collecting for the past 5 years" wouldn't fly very well with a jury.
Many collect evidence for something after the fact. "We don't look at the data unless something has come up, because it would be a privacy violation otherwise". Which is pretty much how the police are supposed to work in normal life either way.
That is still violating privacy laws in EU, potentially. You cannot even give a blanket agreement for "work related" because that does not hold under scrutiny due to simple employee mistakes. You would be collecting more data than agreed upon.
so you are tracking all of this data to ensure your employees are productive and on task, but keeping them productive and on task doesn't include stopping them from sexually harassing my client?
oh you tried to prevent sexual harassment, but it was hard because you collected to much data on your employees actions?
Leave it to hn to spin a culture problem as a compliance concern. If you're dickriding your employees every keystroke, your leadership methods and corporate governance are the fucking problems.
Employees aren't cattle.
Edit: and let me be clear, corporate spyware preys exclusively on companies with weak and incompetent management. All it does is let them buckpass to the next performance eval.
No, more like leave it to HN to have comments providing a completely different perspective and framing of the problem than what you’d expect. Some variant of the above article has been posted dozens of times across multiple message boards and link aggregators since the pandemic began, the consensus is always that the software is horrible and a huge invasion of privacy and on and on (which it is, but we already knew that). I’m thankful for the above commenter’s framing of the issue as it’s something I hadn’t considered and haven’t seen in any of the previous comment sections.
That's why I keep coming back to HN. I'll see the media coverage on some issue, then check HN where some insider actually knows whats going on and it turns out the media has no clue.
I make no claim that what I say from either end of my digestive tract has any value, but reading critically what others say is usually more interesting here than elsewhere.
Exactly, it's also an interesting perspective in that while some people may not care about the privacy of their employees, they probably care about lawsuits and their bottom line.
Fair enough, but from a utilitarian point of view the grandfather comment is the most effective way to achieve your aims.
Lots of middle management types _want_ to dickride employees- pointing this out only makes them more eager to (ab)use bossware. Pointing out that bossware can get them into trouble however is an effective way to prevent its adoption.
Who forms a company that writes this corporate spyware and proudly sells it during a pandemic? Seems like that could be the "culture problem"? Is it the "incompetent managers" who are writing this code?
I worked for a company that put stuff like this on people’s systems. Small software shop, I think one of the owners was just a control freak. The business was successful and otherwise seemingly well run, I’ve certainly worked at worse places in my life.
It's not just discovery for internal issues. Imagine the fun any law firm could have for discovery. Trademark issues? Patent violations? Any competent in-house counsel should ban this type of software.
Unfortunately a good counsel could easily say that even with all this data, they couldn't predict the future and prevent the sexual assault from happening. Luckily though, they did have this data to inform themselves of what really happened, and that allowed them to make a swift and fair decision to help the victim. They even turned it over to the victim's counsel so they could bring it to court.
At the end of the day, the perception of good faith can be more important than anything else. So what if they didn't prevent anything? As long as they clean up the mess afterwards they can still walk away the good guys. And it's this spyware that lets them do this.
So you had screenshots and keystrokes? Our client has printed emails where her boss made unwelcome sexual advances. Did you design this data retention policy to hide systematic sexual harassment in your company?
Also anything less than 90 days is likely to raise some eyebrows. Also, you're not the one pulling data in all cases. In some events the court will order your cooperation with a neutral third party for e-discovery. They will come in and perform data forensics on the assets in question.
>So you had screenshots and keystrokes? Our client has printed emails where her boss made unwelcome sexual advances. Did you design this data retention policy to hide systematic sexual harassment in your company? Also anything less than 90 days is likely to raise some eyebrows.
Would this be enough to convince a judge/jury? AFAIK a lot of companies/govt agencies have short retention windows specifically to frustrate discovery, so it has to be working? Granted, they're not as low as 3 days. Is 90 days the magic period where it's long enough to plausibly say you're not doing it to frustrate discovery?
>Also, you're not the one pulling data in all cases. In some events the court will order your cooperation with a neutral third party for e-discovery. They will come in and perform data forensics on the assets in question.
That probably isn't an issue if your third party shreds the data after the retention policy. For "security purposes", of course.
I've seen this sort of statement on technical forums (such as HN) regularly. It makes sense logically and I want to agree with it.
But I've also been in organisations big enough to have multiple full time in-house counsel, and more often than not the desire to run software like this comes from those legal people.
I don't know who is in the right but I do know that people who study law and not tech seem more likely to have argued this is a good thing for an organisation.
Not just things like sexual harassment issues, there are plenty of reasons why internal communications and activity might not look great for the company if it came to a lawsuit. Just ask Cox Communications about how their abuse team's talk about the DMCA went for them. Now it won't just be overly candid email being scrutinized, but what websites the employees visit, what posts they liked, their chats, even their workflow. Why keep all that ammo around to be used against you?
Yup. My company went with gChat and have a global setting where messages disappear after about 10 minutes.
It was exactly the reason you stated. Not necessarily that they were worried bad things would happen (but in a big enough company the chance is high), but just the compliance requirements. If someone falls under a legal hold, all of that has to be collected and retained on a schedule.
Easier just to wipe it out after a set time period a global policy.
Aside from being a testimony of bad management. If you cannot get your workers to work, change your job.
I don't really like people helping development for surveillance systems. Yes, companies have an interest to know if work is significantly affected from slacking, so maybe talk to your employees. You don't even need the legal threat.
But having all the data does not imply, you know and understand all the data.
Didn't, for example, the various agencies "know" in advance of any terror attack, meaning they had data that clearly implied person x is going to blow?
I read that in variations for almost any terror attack/rampage that has happened so far.
But data analysis in hindsight is easy, you have to put that important data in context to the huge pile of other data you also have and your very limited human processing power.
(for example the dark internet is full of people threatening to blow up or kill something)
Meaning, I do not endorse worker surveillance at all, but maybe this is not the way to stop it. Also, many claim, it is for the benefit of the worker, because having that data can help improve workflows and avoid accidents/errors. Which is a valid point, I think, but I still would never agree to be in total control of my supervisors.
I've heard a few stories about how Japanese companies are using these. There's one company which deployed a webcam app on their employees' laptops to "track attentiveness" and dock pay for periods of time where they take their eyes off the screen. Another company is asking employees to wear a device (with camera and sensors) around their necks in order to track their overall "happiness". Stuff right out of 1984.
The fact there are people in my profession working on such things troubles me.
Hmm when I was visiting Japan they had a serious problem with work exhaustion related suicides. The workload and pressure to perform at higher and higher levels was too much so they ended it. That was just a few years ago.
So, to hear that there is a new level of control for this already judgemental and “honor” based society is just appalling.
Couldn't you also solve this through better management? If someone isn't hitting their targets I don't think you need that kind of evidence to begin the dismissal process.
This is a cardinal rule for me. I have a personally-owned PC that is used for my work, but it is exclusively used for that purpose. The only extent of personal use on my work PC is this website. Everything else I will RDP from my work PC to a personal machine, or physically go use it. I've extended this ideology to other areas. I have a separate physical machine I use only for banking and stock transactions. It's kinda like a shitty DIY Bloomberg terminal in my kitchen.
I find that having multiple physical computers, each with a very specific purpose, is an excellent way to context switch and maintain that psychological isolation between duties. There are definitely security/privacy benefits as well, but I hesitate to delve into that rabbit hole of a discussion here.
Everything else I will RDP from my work PC to a personal machine
Even that would make me nervous, given keyloggers.
One benefit of working from home for the last few months is that there's no temptation to do anything non-work related on my company machine when my personal machines are right there.
I strongly agree. I go one level further. As an independent consultant, I have multiple clients (usually around 3-4 at any given time). I use a different laptop and mobile device for every client. I would take them to the client site -- when travel was a thing. I also use different VPCs on the cloud for each of them. And I have a different set of machines for my own business. This allows clients to specify whatever software policy they like on machines that connect to their network, without affecting anything else I do. I wipe the hard disks of the relevant machines clean after the end of the engagement. None of my clients has demanded that I install any 'bossware', primarily because I'm only paid on outcomes, not effort. So they don't really care how I do the work.
I've increasingly heard of places requiring that you put it on your personal phone for working class jobs. BYOD gone horribly wrong. The same app will also be the only way to get your timesheets, clock in, or trade shifts, etc.
I think a lot of middle managers for working class jobs see the inability to separate work life from personal as a critical feature. The ability to peer into their employees' lives gives them new levels of power over the employer/employee relationship.
If the app did give the employees the tools to separate their lives, the employer would churn to another app.
That's a no for me. My phone is my phone. I am betting this is grounds for a class-action lawsuit if you indeed have no other option than to install crapware on your PERSONAL phone.
I hope that it's grounds for a class action given how abhorrent of a practice it is, but I bet as long as there's relevant language in your employment contract, it's kosher.
Sorry, I don't really understand. You are questioning being required to think about work during the time you are paid to work? Again, sorry if I failed to see sarcasm if intended.
You also don’t get to control how you process the info and what you remember.
In fact, skilled advertisers and psychologists and the kind of people who develop dark patterns for social media companies[1] likely have more control over it than you have.
[1] and your company’s glorious loyalty oath parade, logos on mugs on your desk, anti-union propaganda posters, slogan you recite on the phone, etc. It is all changing you one way or another.
I think I may just have a tainted perspective on this. I've worked in digital forensics/incident response for >10 years, so I have an appreciation for the level to which businesses need to protect themselves, and I've grown a fondness for never seeing my personal data end up under a litigation hold. It's the same reason why I'm a strong believer in making sure to have different email accounts for work, personal, different side projects, etc.
Yeah that's definitely fair. I'm a bit paranoid and jump through more security hoops for myself than any employer has ever required... so if you're not the type of person that enables 2FA and uses password managers at a minimum, just do everyone a favor and use a separate device.
I could do that at my current company (long term relationship). But I feel safer by not doing that. I don't take care of every security risk on my private systems. I probably should but that is another matter.
For security purposes we route all internet requests through our company VPN to scan for malware. Company notebooks are required to use the VPN tunnel, and they do if you don't have admin rights and change that behavior. I think it would be really bad if all Netflix traffic from employees got routed through our company's internet connection. I don't want to put that on Netflix support to figure out the problem people are having...
Without their knowledge? The use of these tools should be outlined during employee onboarding or explained during implementation/roll out. There is no good reason for them to be a secret.
That said, my statement was about helping people protect themselves. These systems will be used, and for legitimate reasons in many cases. Why not protect yourself from allowing them to overreach into your personal life?
That's not what a reasonable objection is about, and you're being intellectually dishonest when you attack this, the weakest argument. Here is a stronger argument, for your benefit:
Working requires us to form social relationships with our coworkers to get work done. Oftentimes, we're establishing shared language, and working tempo with coworkers through "inside" jokes, and other human forms of camaraderie. Not only would it be unethical to stamp the social aspect out of our working lives–which make up the majority of our waking hours, and a gross majority of our social ties–but it would also be imprudent, since removing social elements from working relationships would cripple them. It is necessary, and desirable, that we socialize with our coworkers to some extent.
The firm pits individuals–and groups–against one another in competition. Even in an ostensibly friendly, collegial workplace, the zero-sum reality of budgets and headcount encourage workers to jockey for position and push difficult, or unprofitable work onto others. Surveillance like this enables the most manipulative to exploit secret knowledge of the social relationships that are, again, necessary throughout the firm. A secondary effect of surveillance is the chilling effect: trust and camaraderie are hampered by the knowledge that one's every word can be used against them without recourse.
Firms regularly use information freely given to prioritize workers for layoffs. Decades of "employee satisfaction" surveys have facilitated the efficient firing of dissatisfied, burnt-out or mistreated workers. Surveillance offers the same facility, at higher fidelity.
If you are an executive, and you want to maintain dehumanizing working conditions, surveillance is a necessity and a boon. As surveillance increases, our working life becomes more prison-like, and our society progresses towards private autocracy. What astonishes me is how giddily those who profess to love Liberty readily shed it at work.
You bring up a lot of important points and I do agree with you on many. I’d love to hear your perspective when sensitive data is involved, what takes priority? Is it the privacy of the employee, or the customer? Can there be a balance that respects both?
You put me in mind of the debt peonage Europeans forced upon indigenous Americans in 1907:
> It was the agents and overseers sent into the region who were, much like the conquistadors, deeply indebted—in their case, to the Peruvian company that had commissioned them, which was ultimately receiving its own credit from London financiers. These agents had certainly arrived with every intention of extending that web of credit to include the Indians, but discovering the Huitoto to have no interest in the cloth, machetes, and coins they had brought to trade with them, they’d finally given up and just started rounding Indians up and forcing them to accept loans at gunpoint, then tabulating the amount of rubber they owed.
> In reality, then, the Indians had been reduced to slavery; it’s just that, by 1907, no one could openly admit this. A legitimate enterprise had to have some moral basis.
I'd be interested in a tool or list of reliable detection methods for the presence of these programs. Do regular antivirus programs that can be user added detect these by default? I would assume the one supplied in the company configuration has these whitelisted.
I'm almost inspired enough to create an open source "killer" of these background programs. "Bossware" is one of the most infuriating things I've seen wrt employment in a little while.
Depending on your definition of bossware, this may or may not be practically impossible. If you consider Carbon Black to be bossware, you would have to exploit an operating system vuln to get around it.
Every once in a blue moon, our security team runs a p99-latency scan on my laptop, that basically bricks it. I’ve tried and failed to kill it, but I’m open to suggestions!
If you have admin on your machine, unload the kernel extensions and turn it off. One dirty secret is that many IT departments won't notice or won't care.
Unlike HN readers, most employees do not have admin on their work computer, and for good reason. Doesn't mean they should suffer 'bossware' and most certainly not without informed and explicit consent.
Had a teammate do something similar but much simpler in the past (think limiting execution and FS permissions). This is unlikely to end with management appreciating your initiative.
I would start with presence detection. Removal might in these specific cases be better handled through a process that forces the company to remove it based on rules and regulations, if possible. Most employees will not want to start a tech war with the company admins.
In a contract between two parties, no party has any kind of legally elevated position over the other.
Many employment contracts are written by employers though, so this culture that the employer is some kind of gentle but strict super entity pervades through the language of employment contracts.
The company is just another Joe, and you have just as much right to dictate the terms of your employment as they do, just as you have equal standing in any contract you enter into with your mom, your husband, or your church.
One thing that helps pick apart the engrained culture of faux company superiority is to imagine they are a church instead.
Quoting the following part of EFF’s article makes me feel like they are still toeing the line.
> [the state] must also establish protections for churchgoers: surveillance of parishioners should be necessary and proportionate [and] parishioners should have the right to know what exactly their priests are collecting.
Just because two parties are legally at the same position doesn't mean there isn't a power imbalance. Without collective bargaining, any employment negotiation is going to be lopsided, since not having a job hurts a worker a lot more than having one employee fewer hurts an employer.
I think I am pretty good at my job. I get great feedback from all sides and complete my work on time and with high quality. We are also looking hard for more people because we have too much work. Getting people up to speed also is a big issue, so my employer invested a decent amount in me. In all, I have a dang good bargaining position.
And yet if I were to quit my job, that would hurt me a lot more than it would hurt my employer. I would lose 100% of my income, which is essentially catastrophic. I would run massive risk in needing to find another decent job, would probably have to move, and wouldn't know whether I would like my new job.
Meanwhile, for my employer, a few projects would be slightly delayed, and we'd have to be more held-back in accepting new work. Nothing really impactful. Hence my employer holds a lot more bargaining power than I do.
In practice, the employer holds most of the power in the relationship. Yes, even if you are a Rock Star™. They'll just fire you and find someone else. The only way for employees to actually negotiate their contracts is through collective bargaining.
OK, now that I'm reading, I'm wondering if I'm wrong, but I'm seeing some posts about it having an idle tracker, and that the lurkfromhome website exists, which is what really solidified my decision. I'm looking around more, I'll post if I find anything, let me know if you do, because I was pissed when I found out.
Skype for Business, Lync, and in the dark ages Office Communicator even had it. If you left IM open and your PC unlocked but you weren't using it, after a user set delay your status would turn to idle. You can't set the timeout in Teams anymore, IIRC.
Does Slack not have this? I'm 99% sure Zoom does as well.
I admined slack long long before it had any Enterprise bolts so I'm sure it has stuff like that now. Teams makes it front and center so you can track your employees interactions and chats, calls (not emails like I thought).
Like, I’m stuck on solving a problem. I look and I look. I can’t find it. I walk away, thinking about it. Still nothing. I drive home, then, I get my a-hah! moment.
I solve the problem. And it was a one liner, to fix the problem.
> Let’s be clear: this software is specifically designed to help employers read workers’ private messages without their knowledge or consent. By any measure, this is unnecessary and unethical.
I am too European to understand how this can be legal.
In the US and Canada, this has been upheld in court as legal numerous times.
Any activity done on the company equipment/software is considered work product and is accessible for audit/reviews.
In our case, we only open these logs if a manager has an issue with an employee (either a complain against their conduct, or drop in attendance/work product).
Often, the metrics show that the employee is just doing other work that the manager isn't aware of, but sometimes it's clear that the employee has either abandoned their job entirely and is just doing nothing - and the logs give us legal grounds for termination.
We tell everyone that the system is monitored - we're very transparent about that, and remind them that personal comms should be done from their phones. I honestly don't understand the controversy.
This transparency has saved good employees, highlighted bad managers, and helped us remove bad apples.
Many years ago I spied on employees (of my client). Specifically, there were always a few sales guys who'd spend hours a day lost in games, dating sites, etc.
Who hasn't gotten lost on the internet? However, these guys were at it every day. From my perspective, they were caught in a trap that wasn't good for them or the company. What I wanted was to help them find their way back to doing what they were good at.
I set up a squid proxy and got good at regex & category blocking.
After hitting my proxy, the sales guys would get a little frustrated but they invariably redirected themselves and that'd be the end of it. No need to involve management.
Non-stupid employers know that what employees need are duties they can care about & opportunities to make something better.
What employees don't need, to excel at their jobs, is to be surveilled, micromanaged or tightly restricted. (Granted, a few might hit a dark patch & need some guidance. A rare few might be beyond guiding and have to be let go.)
tl;dr: Don't be a crapty employer & you won't have an imaginary need to spy on your employees.
I worked at a small company and got sick of the monitoring/time-wasting complaints from managers. Installed a squid proxy and published the daily reports on an internal intranet page that everyone in the company could view. There was an explicit "internet is for work use only" policy, so there was no expectation of privacy, and I gave everyone in the company a lot of notice that it was happening. Our #1 user was very into Days-of-our-lives forum sites, and the sales guys still went to porn sites, but at least I wasn't the internet police any more.
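The two squid setups above (regex/category blocking, and a daily per-user report published internally) both start from the same place: parsing squid's native access.log. The script below is an added illustration written for this thread, not code from either commenter; the log lines embedded in it are constructed, and the category names and patterns are illustrative stand-ins for whatever url_regex lists an admin would actually maintain. It parses the native log format, classifies each URL against the regex categories, counts TCP_DENIED hits, and renders the kind of per-user summary that could go on an intranet page.

```python
"""Per-user daily report from squid access.log lines (native log format).
Added example for this thread, not either commenter's code.
The log lines below are constructed; category patterns are illustrative."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log layout:
# time elapsed client action/code bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1596000000.123    250 10.0.0.12 TCP_MISS/200 5120 GET http://intranet.example.com/wiki/Onboarding alice HIER_DIRECT/10.0.0.5 text/html
1596000005.456    120 10.0.0.12 TCP_MISS/200 80210 GET http://forums.soapfans.example/days-of-our-lives/thread/42 alice HIER_DIRECT/203.0.113.9 text/html
1596000010.789     30 10.0.0.33 TCP_DENIED/403 1024 GET http://dating.example/profile/12 bob HIER_NONE/- text/html
1596000020.001    900 10.0.0.33 TCP_MISS/200 2048000 GET http://cdn.gamesite.example/play/poker bob HIER_DIRECT/198.51.100.7 application/octet-stream
1596000030.500     45 10.0.0.33 TCP_MISS/200 3000 CONNECT crm.example.com:443 bob HIER_DIRECT/192.0.2.8 -
garbage line that does not parse
"""

# Regex "categories" in the spirit of squid url_regex ACLs (names/patterns are illustrative)
CATEGORIES = {
    "dating": re.compile(r"dating", re.I),
    "games": re.compile(r"game|poker|casino", re.I),
    "forums": re.compile(r"forum|thread", re.I),
}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def host_of(url, method):
    # CONNECT lines carry "host:port" rather than a full URL
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["denied"] = rec["action"].startswith("TCP_DENIED")
    rec["host"] = host_of(rec["url"], rec["method"])
    return rec


def categorize(url):
    return sorted(name for name, rx in CATEGORIES.items() if rx.search(url))


def build_report(log_text):
    """Aggregate per user (ident if present, else client IP). Returns (report, skipped)."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0,
                                  "hosts": defaultdict(int), "categories": defaultdict(int)})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # never silently drop: count unparseable lines
            continue
        user = rec["ident"] if rec["ident"] != "-" else rec["client"]
        entry = report[user]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["denied"] += int(rec["denied"])
        entry["hosts"][rec["host"]] += 1
        for cat in categorize(rec["url"]):
            entry["categories"][cat] += 1
    return ({u: {**e, "hosts": dict(e["hosts"]), "categories": dict(e["categories"])}
             for u, e in report.items()}, skipped)


def render(report):
    """One summary line per user, heaviest downloader first."""
    lines = []
    for user, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes"]):
        top = sorted(e["hosts"].items(), key=lambda kv: -kv[1])[:3]
        lines.append(f"{user}: {e['requests']} req, {e['bytes']} bytes, {e['denied']} denied; "
                     f"top hosts: {', '.join(h for h, _ in top)}; "
                     f"categories: {e['categories'] or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep, skipped = build_report(SAMPLE_LOG)
    print(render(rep))
    print(f"({skipped} unparseable line(s) skipped)")
```

Two details matter if you run this on a real log: CONNECT entries (all HTTPS traffic) give you only a hostname, so any "category" judgement there is hostname-only, and unparseable lines are counted rather than dropped, because a report that quietly loses lines is exactly the kind of thing that later gets waved around as evidence.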
I worked at a place once that had a similar policy. The head of IT had a background in mind-games. So, he had fun with it.
Blocked websites would get you a nastygram page, along with a warning that repeated attempts would result in an email to your manager.
If you tried to use one of those 'proxy' sites that would try to get around blockers, you got an extra-special-nastygram. Told you that an email was immediately sent to your boss, and his boss, and the Director of IT.
Well, I tripped -that- warning once, (trying to do a task at my manager's request,) so I let him know I couldn't and he was going to get an e-mail about it.
"What? I don't see one... Go talk to IT and tell them we need it."
I pondered this as I walked to the IT office. Thankfully I had a great rapport with them, so as they went to put in an exception I asked.
One guy installed Ultrasurf. First time I'd seen it. I didn't come up w/ a way to defeat it at the edge so I added a reg entry that redirected the output of the exe to NULL. It's a fairly obscure hack; I had been using it to offline malware.
One of my coworkers at my last job was involved in writing a piece of such "bossware" (although nothing as extreme as the examples in the article). It used some WMI interfaces to track what users were doing. He seemed to express at least some level of discomfort with it, but ultimately wrote it anyway.
With a key/screen logger on your personal, or corporate device, what happens to your gmail login (assuming you're permitted personal email at work)? The company where I work permits a small amount of time for personal affairs, checking bank/email if required, I've never personally done this as I'm fully aware of a MITM proxy.
All that aside, if you were to log into your personal bank account, or personal email, what are the restrictions around where the data is logged, or who has access to the data. This should extend to the disk storage replacement, if a disk is upgraded, or becomes faulty, where does the data centre remote hands put the faulty/old disk once popped from the tray?
Lets hope that gmail account didn't provide MFA for another site login.
Should this type of software be announced in employment terms?
The thought that apparently some employers think it is a good idea to spy on their employees on such an invasive and unethical level makes me sick. Not to mention that the lack of trust in such a company has probably eroded productivity a long time ago.
I deleted my org’s off my computer since I have root privs. They asked to put it back and I’ve been ignoring them. I signed an NDA, if that’s not good enough... idk what to tell you.
This article resonates with me. I feel very strongly about spyware (Bossware is too kind). Views expressed here are my own, not those of my employer.
I work for a company that makes an automated time tracking product (WiseTime [1]). We migrated our infrastructure to EU/Germany because we wanted to fall under a jurisdiction that is one of the strictest when it comes to privacy. This is how we think about the problem.
- Many professionals (lawyers, contractors, ...) get paid for the time that they bill their clients
- Manual time tracking (start/stop stopwatch) sucks
- Automated time tracking is an order of magnitude more convenient
- If you are going to automate the problem away, make sure that the system cannot be abused to spy on people
- Otherwise no one will want to use it!
We view privacy as one of our most important features, and our systems were designed from the ground up to protect it.
- Your activity is captured into a private timeline that only you can see
- To make your time available to your team, you must select the activities that you want to share, and explicitly post them to the team. It's like sending an email. Your draft is private, but once you send it off, then your recipient has a copy of it.
- We allow you to anonymise your posted activity data when you leave a team
- We allow you to specify filters around what activities should and shouldn't be captured. Of course you can delete anything you want off of your private timeline.
- We provide user-level and team-level data retention settings. We automatically purge data that falls outside of your desired retention period.
- We silo our data layer so that we don't store any personal information with user activity data. User activity data is siloed away from posted team data, and so on.
- We take GDPR seriously and we even have automated processes to purge data from our Sales team's CRM
We are a remote-first team, and we wanted to build a system that we personally dogfood without any qualms.
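The design properties listed above (private timeline, explicit posting as a copy, capture filters, retention purge, anonymisation on leaving, no link from team data back to the private store) are easy to state and easy to get subtly wrong. The model below is an added illustration written for this thread; it is not WiseTime's code, and every class and method name in it is invented. Its point is that filtered activity is never stored at all, the team board only ever holds copies of what was explicitly posted, and the only object able to read a private timeline is its owner.

```python
"""Toy model of a private-by-default activity timeline with explicit posting,
capture filters, retention purge and anonymisation on leaving a team.
Added illustration for this thread; not WiseTime's code, all names invented.
Timestamps and activities used in scenario() are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 86400


@dataclass
class Activity:
    ts: int           # epoch seconds
    description: str
    minutes: int


@dataclass
class Posted:
    ts: int
    description: str
    minutes: int
    author: Optional[str]   # None once anonymised


class Timeline:
    """Per-user private store. Only the owner can read it."""

    def __init__(self, owner, capture_filters=(), retention_days=30):
        self.owner = owner
        self.filters = [re.compile(f, re.I) for f in capture_filters]
        self.retention_days = retention_days
        self._entries: List[Activity] = []

    def capture(self, activity):
        # Filtered activity is rejected before storage, not stored-then-hidden
        if any(f.search(activity.description) for f in self.filters):
            return False
        self._entries.append(activity)
        return True

    def purge(self, now):
        """Drop entries older than the retention window; return how many went."""
        cutoff = now - self.retention_days * DAY
        before = len(self._entries)
        self._entries = [a for a in self._entries if a.ts >= cutoff]
        return before - len(self._entries)

    def delete(self, idx):
        del self._entries[idx]

    def entries(self, requester):
        if requester != self.owner:
            raise PermissionError("private timeline")
        return list(self._entries)


class TeamBoard:
    """Holds only what members explicitly posted; keeps no reference to timelines."""

    def __init__(self):
        self._posts: Dict[str, List[Posted]] = {}   # keyed by author, "" = anonymous

    def post(self, timeline, idx):
        a = timeline.entries(timeline.owner)[idx]
        # Independent copy: later deletes/purges on the private side don't touch it
        self._posts.setdefault(timeline.owner, []).append(
            Posted(a.ts, a.description, a.minutes, timeline.owner))

    def leave(self, user):
        """Keep the billed time the team relies on, drop the link to the person."""
        for p in self._posts.pop(user, []):
            p.author = None
            self._posts.setdefault("", []).append(p)

    def view(self):
        return [p for ps in self._posts.values() for p in ps]


def scenario():
    """Walk the properties end to end and return what each step produced."""
    now = 1_600_000_000
    tl = Timeline("alice", capture_filters=[r"\bbank", r"private"], retention_days=30)
    captured = [
        tl.capture(Activity(now - 40 * DAY, "Draft contract for client X", 50)),  # stale
        tl.capture(Activity(now - 3600, "Review pleading for client Y", 30)),
        tl.capture(Activity(now - 1800, "Online banking (private)", 10)),        # filtered
    ]
    board = TeamBoard()
    board.post(tl, 1)                 # share only the client Y work, explicitly
    purged = tl.purge(now)            # stale client X entry falls out of retention
    tl.delete(0)                      # owner wipes the rest of the private timeline
    try:
        tl.entries("manager")
        outsider_blocked = False
    except PermissionError:
        outsider_blocked = True
    board.leave("alice")
    posts = board.view()
    return {
        "captured": captured,
        "purged": purged,
        "private_left": len(tl.entries("alice")),
        "posted": len(posts),
        "posted_minutes": posts[0].minutes,
        "posted_author_after_leave": posts[0].author,
        "outsider_blocked": outsider_blocked,
    }


if __name__ == "__main__":
    print(scenario())
```

The one design choice worth calling out is that capture filters are applied before anything is written: a system that records everything and merely hides filtered items still has the data to hand over under a litigation hold, which is the scenario an earlier comment in this thread was keen to avoid.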
I often find myself thinking about problems in the shower or out on walks, and that's also when I have big breakthroughs. How does WiseTime ensure I'm paid for that time too, not just when my butt is in my seat?
That's a tough one to automate. Right now, it involves logging a manual time entry to your timeline (then posting it). If you walk away from your computer and come back, WiseTime will ask whether you want to log the time (or part of it).
If you wake up in the morning, jump into the shower, solve a problem there, and hop onto your computer, WiseTime will then offer to log the last several hours including your sleep time. Edit down to 10 minutes (or however long your shower was) and log it. A bit contrived, but that's the best I got at this time. It's a tough problem to solve ;)
I'll share my experience, even though it's on the pro-monitoring side:
I run a small e-commerce company. It's myself, and two customer service/operations team members that I have hired out of the Philippines. I live in Indonesia (I'm American) and my company serves those in the US.
I made my first hire back in November 2019, and originally just paid her a salary with an expectation of 40 hours a week.
After a while, she started occasionally disappearing for a day or two at a time. Always having some excuse - which I try to understand. But when I'm running a business on US-hours and my only person working in that timezone disappears, it gets hectic quick.
She was doing phenomenal work, but these gaps caused me extreme stress and were affecting my business. I also felt my trust for her disappearing every time she left and then came back with an excuse that sounded legitimate enough, but nevertheless - it was becoming unacceptable. I felt like my payment was not being justified, and that I also was beginning to resent her as my business would suffer and my own mental health was deteriorating. I couldn't rely on her. We had multiple discussions, but when there's an excuse - it's hard to debate that.
In addition, I was finding that some tasks that I could complete very quickly myself - would take her forever or be incomplete.
But I also wanted to be understanding - I wanted to give the benefit of the doubt, and assume her excuses were legitimate.
So I had a two-fold plan:
1) Setup time-tracking software and switch her pay to hourly. I gave a small raise, as well as paid vacation time based on hours worked, as an incentive. I wanted to make the switch, but still make it fair - and if anything, for her to come out ahead.
2) Begin to make headway on hiring a second person so that when these legitimate use-cases pop up, that we're still covered.
I ended up choosing HubStaff - which looking at the chart on the article, appears the least invasive - which makes me happy with my decision.
I have it configured to track applications and websites monitored, screenshot every 5 minutes or so, and log keyboard and mouse activity levels, but not actual data. 99% of what I use it for is just the time-tracking, but sometimes when things aren't completed on time - I can take a quick peek and see that yes, it does appear she was busy all day (Or enough - I don't expect people to hammer out 100% productivity - her activity levels usually hang between 30-60%) and was being honest. In addition, now that I've hired a second employee - I can compare their activity levels together to get a better idea on what's normal.
And as for my original experience of her disappearing. She still does that on occasion. But now, since she's not logging in - she's not getting paid, so I can assume it's legitimate. And I have another employee logging on later during the day to ensure there's not a backlog.
I guess my point here is that the tools are only as nefarious as your employer. I'm not looking to infringe on privacy, or micromanage. I very rarely even bother looking at the information it tracks - but it's a reassurance I'm not getting cheated when something awry pops up.
To put it bluntly: That would defeat the purpose of outsourcing to other countries.
I asked what salary she wanted, and I pay about 20% over that. She's able to support herself, put her sister through school, and help family when in need.
The management at Intel itself are also highly paranoid. They have been using "bossware" for over a decade before COVID. It's just known as a paranoid company.
Although, probably a lot of large corps aren't too different.
I experienced this 20 years ago when working on a collaborative project with engineers at Intel. They searched me on leaving the building every day. And this was just an office building, not a final assembly plant where it might be reasonable to want to look for theft of production units. It was like exiting Fry's. I made a mental note then never to work for Intel.
Does this really happen, or would it ever? Seems like a contrived scenario for employees to have enough access and knowledge to detect and defeat a userspace or kernel-resident solution that doesn’t want to be found. Plus, if you’re going that far, you’d want to make sure it wasn’t easily detectable by analyzing network traffic.
I’m sure such a thing is out there, but I doubt it’s being used by employers to spy on workers. More like governments spying on workers with access to sensitive IP.
Perhaps the ethical qualms could be settled if the tracing of workers were handled by a neutral third party. Being tracked by parties you are affiliated with opens a whole can of worms.
How can they be a neutral third party when they're paid by, and report to, the employers and not the employees? Their incentive would be to find problems, because that makes their service look worthwhile.
They could make the data for all levels of the organization public within the organization. Doing this would allow for time tracking to be had for the scared middle management, but also give any employees the chance to view any unfair treatment.
Of course this would never happen, but honestly, I would probably be ok with it.
I worked at a company that made software that could record employee phone calls and the video of their screens. It was a source of great fun to watch some of the videos where the employees got busted watching porn. One guy even used a customer credit card to order a bed off Amazon.
If you’re dealing with hourly employees that are bottom of the barrel, this kind of monitoring is absolutely necessary to keep them in line.
As a recently ex-hourly "bottom of the barrel" employee, I would ask you to reconsider your position.
We are people too. If you have good management, you really don't need to worry about it. Also, anything useful that you described, sans credit card fraud, could be accomplished by network logging, without any need to invade the privacy of your employees.
In the case of the guy who used the customer CC to order a bed, you would have been alerted whenever they were sued for credit card fraud, unless I'm deeply misunderstanding the system here.
edits: Remove personal attack and increase clarity. Although I still feel justified, I appreciate the quality of discussion on HN too much to risk polluting it.