
What CIOs must know about bossware strategy

Bossware helps track remote worker productivity, but CIOs must balance legal compliance, employee privacy, morale and retention risks when implementing surveillance tools.

When COVID-19 hit, remote work was a life saver. With the click of a mouse organizations were back in business. Employees ditched their commute times, set up home offices and went to work.

It seemed to be the perfect solution, but a few years later the honeymoon was over.

Citing a need to track productivity, many organizations implemented surveillance tools, often called bossware. Business leaders say the technology allows them to monitor productivity and identify specific areas for improvement through targeted training. Employees, on the other hand, say such scrutiny elevates anxiety levels and undermines morale.

Workplace surveillance is not new. Camera or facial recognition devices are commonplace in restricted areas to ensure that only authorized personnel enter. Many offices also use security cameras to enhance workplace safety and monitor efficiency. But newer technologies, from monitoring software to biometric devices, enable employers to track keystrokes, location and mouse movement, as well as monitor texts, screenshots and browser history.

As hybrid and remote work models become more commonplace, AI tools are increasingly used to track employee productivity, monitor communications and secure company data. An estimated 74 percent of organizations now report using bossware, from audio recording to keystroke counting, to monitor their employees. More than half of those organizations use AI-powered analytics to evaluate employee performance.

The fast-shifting legal landscape

As generative AI leads the charge in advancing monitoring software, business leaders are left to navigate a constantly changing landscape of federal and state regulations governing the use of monitoring tools.

The Electronic Communications Privacy Act of 1986 is still the federal baseline, said Alan Heimlich, president of Heimlich Law. It allows employers to monitor communications where they have a legitimate business purpose or employee consent. States are left to tighten the rules in their own jurisdictions. Connecticut and Delaware require written notice before any monitoring is undertaken. California and Illinois added further privacy protections. New York Civil Rights Law section 52-c addresses monitoring of email, internet and telephone use and requires written disclosure to employees.

This patchwork of state and federal laws is constantly evolving on issues of employee privacy, surveillance and monitoring, said Mark Goldstein, partner at Reed Smith. He recommends that employers operating in multiple states, or even multiple localities within a singular state, review these developments and update their policy handbooks accordingly.

Companies depending on third-party vendors to provide surveillance software should examine the contract clauses involving indemnification or limitations of liability to ensure there are representations from the vendor requiring them to comply with all applicable laws, Goldstein said.

Companies should work with bossware vendors to learn how they intend to stay on top of legal developments to remain compliant, he said. The need for legal oversight will grow as monitoring technologies continue to advance.

“This is a topic that continues to be and will continue to be top of mind for U.S. businesses, for businesses all around the world,” Goldstein said.

The talent cost is underestimated

While employers deem digital surveillance tools necessary to track productivity, efficiency, performance and safety, workers often take a different view. Privacy concerns and the potential for bias or discrimination were frequently raised in a 2023 report by the White House Office of Science and Technology Policy. Respondents in that study also said monitoring can be an inaccurate measure of work because some tasks are completed offline and are not easily traced.

The report also indicated that monitoring led employees to perform non-essential work to appear busy or to take fewer breaks. Some respondents also felt that monitoring made workers feel distrusted by management, decreased morale and could discourage unionization.

Workplace surveillance is typically viewed as a tool for risk management rather than as a tool for control over employees, Heimlich said. Still, it’s a fine line between acceptable levels of monitoring and invading employees’ right to privacy. Overuse of monitoring has the potential to create legal challenges, as well as damage employee trust, which can lead to retention problems with talented employees, he said.

A policy that permits excessive monitoring may create an atmosphere of suspicion that may hinder the retention of valuable employees for the long term.

This leads to a trade-off for businesses, as using surveillance software may improve security, but this may come at the expense of employee morale and trust, Heimlich said.

“Businesses that can successfully navigate these complications develop strong policies for legal compliance and transparency,” he said.

Not all monitoring is created equal

When creating a surveillance program, organizations should start by considering the environment where the surveillance will be used. It is not a choice between 100 percent security or 100 percent privacy, said Simon Randall, CEO of Pimloc. It’s finding a balance that protects employees and corporate data without invading personal privacy.

“It’s not always ‘shall we implement this or not,’” Randall said. “It’s ‘how do we implement this in a way that’s safe and responsible and will give benefits to the organization.’”

For example, remote monitoring can inadvertently capture background information, including about family members. Many organizations have not yet addressed this secondary privacy risk, Randall said.

Many remote meeting applications can also record, transcribe and summarize what was discussed. That data could easily find its way into a language model, and the organization should know what is retained and where it flows.

“What is the governing structure around those new sorts of data?” Randall asked.

Organizations should be transparent about what data is captured, who has access and under what conditions, he said. Organizations may also distinguish between anonymized and raw data: operations teams could view footage in which people cannot be identified, while only security teams investigating specific incidents can access the raw footage.

Organizations that outsource their monitoring should be clear on where that data resides or whether the vendor could use that data to train their own AI models, Randall said.


Executives need to spend time on risk assessment before implementing a monitoring system, but events such as data breaches can still occur. If that happens, management should be ready to explain what went wrong, how the risk had been mitigated and how it was fixed, Randall said.

“Businesses need to think about where they want to be in the risk continuum, be very clear about what they’re doing and why they’re doing it and put themselves in good stead when something goes wrong,” he said.

When COVID hit, Alen Prasevic, lead test engineer at NoMachine, was worried that productivity would suffer as his organization moved to remote work. It chose monitoring that protects the system rather than monitoring that tracks the employees.

Heavy monitoring adds friction by signaling mistrust and encouraging performance behavior over meaningful work, Prasevic said. His system allows remote access with permission and promotes teamwork.

“When productivity is measured by activity rather than outcomes, technology can start to feel intrusive instead of enabling,” he said.

Building a monitoring policy that holds up

When implementing employee monitoring, organizations should identify the minimum level of surveillance required to achieve their business goal. That means asking whether the need is security, whether productivity could be measured some other way, or whether a compliance requirement demands proof that work is performed in a specific way, said Susan Snipes, head of people at Remote People.

“You should be asking ‘what is the least intrusive way we can achieve what we need to achieve?’” Snipes said.

With the goal clearly defined, management has to build a strong business case for the need to monitor people before implementing a monitoring policy because ultimately the policy needs to be justified to the employees, Snipes said.

She recommends the following when implementing a new policy:

  • Involve an attorney to review applicable federal and state laws.
  • Be mindful of General Data Protection Regulation (GDPR) and tell employees what information is being collected, how it’s being used and who has access to it.
  • Access to the collected data should be on a need-to-know basis to protect employee privacy.
  • Build a strong business case for why monitoring is necessary that can be easily explained to employees. Being open will help prevent trust issues.
  • Get signed acknowledgement forms from employees confirming that they have been trained on the policy and agree to abide by it.
  • Review the policy as part of the onboarding process for new employees.
  • Occasionally retrain existing employees on the policy to keep them informed on what’s being monitored and why.

Once implemented, organizations should roll out the policy in a positive way that clearly explains the need for it and enforce it fairly and consistently across people with the same job description, Snipes said.

Strategic recommendations

Organizations need to choose employee monitoring policies and applications based on their needs. In most cases less is better: collect only the data needed for the organization’s business purpose.

Plan in advance what data will be collected, who will have access and how it will be disposed of when it’s no longer needed, said Peter Cassat, technology and labor employment attorney and partner at CM Law.
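The two controls Randall and Cassat describe above, a pseudonymized view for routine operational use with raw access reserved for security investigations, and a retention window after which data is disposed of, can be enforced in code rather than left to policy text. The following is an added example written for this article, not code from any vendor or person named in it. Everything specific is an assumption made for illustration: the record shape (employee id, URL, capture time), the two roles, the requirement that raw access cite an incident id, the 30-day retention value, the placeholder key, and the constructed sample records.

```python
"""Tiered access to monitoring data plus retention purge (illustrative example).

Assumptions (hypothetical, not from the article): records are dicts with
'employee', 'url' and 'captured' (timezone-aware datetime); roles are
'operations' (pseudonymized view) and 'security' (raw, must cite an incident).
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# A plain hash of an employee id can be reversed by hashing the staff directory;
# a keyed HMAC cannot, as long as the key stays out of the operations team's hands.
PSEUDONYM_KEY = b"placeholder-rotate-me-keep-in-a-secrets-manager"  # assumption
RETENTION_DAYS = 30  # assumption: value a real policy would set


class MonitoringStore:
    def __init__(self, records):
        self._records = list(records)
        self.audit_log = []  # every raw access: who, when, why, how many rows

    @staticmethod
    def _pseudonym(employee_id):
        digest = hmac.new(PSEUDONYM_KEY, employee_id.encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    @staticmethod
    def _redact_url(url):
        # Operations gets the host only; paths and query strings can carry
        # personal data (ticket ids, search terms, chat partner ids).
        return urlsplit(url).netloc or "[redacted]"

    def query(self, role, incident_id=None, now=None):
        now = now or datetime.now(timezone.utc)
        if role == "operations":
            return [{"employee": self._pseudonym(r["employee"]),
                     "host": self._redact_url(r["url"]),
                     "captured": r["captured"]} for r in self._records]
        if role == "security":
            if not incident_id:
                raise PermissionError("raw monitoring data requires an incident id")
            self.audit_log.append({"role": role, "incident": incident_id,
                                   "at": now.isoformat(), "rows": len(self._records)})
            return [dict(r) for r in self._records]
        raise PermissionError(f"role {role!r} has no access to monitoring data")

    def purge_expired(self, now=None):
        """Dispose of records older than the retention window; returns count removed."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self._records)
        self._records = [r for r in self._records if r["captured"] >= cutoff]
        return before - len(self._records)


def raw_access_denied(store, role, incident_id=None):
    """True if the store refuses the request (used to show the deny paths)."""
    try:
        store.query(role, incident_id=incident_id)
    except PermissionError:
        return True
    return False


# Constructed sample data: three captures, one older than the retention window.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"employee": "e1042", "url": "https://intranet.example/payroll?id=77",
     "captured": NOW - timedelta(days=2)},
    {"employee": "e1042", "url": "https://mail.example/inbox",
     "captured": NOW - timedelta(days=45)},
    {"employee": "e2099", "url": "https://chat.example/dm/e1042",
     "captured": NOW - timedelta(days=1)},
]


def demo():
    store = MonitoringStore(SAMPLE_RECORDS)
    ops_view = store.query("operations", now=NOW)          # hosts and pseudonyms only
    raw = store.query("security", incident_id="INC-2024-0042", now=NOW)  # audited
    purged = store.purge_expired(now=NOW)                  # drops the 45-day-old row
    return store, ops_view, raw, purged


if __name__ == "__main__":
    store, ops_view, raw, purged = demo()
    print(ops_view[0], raw[0]["url"], purged, store.audit_log, sep="\n")
```

The pseudonym is stable across records, so operations can still see that two captures belong to the same person without learning who; the security path is the only one that sees the identifier, and it cannot be taken without leaving an audit entry that names the incident.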

Organizations should implement policies in non-discriminatory ways and have good reasons for distinctions between groups of employees. If using AI insights for employee performance ratings, make sure no bias exists in the algorithm, Cassat said.

Above all, stay aware of local and state regulations to keep your organization in compliance and communicate the policies clearly to employees.

“It’s of paramount importance that employers have clear and consistent policies on the scope of the surveillance that they’re conducting, the devices that are subject to that surveillance and the manner in which they’re conducting that surveillance,” said Mariah Berry, senior associate with Muskat Devine.

Organizations with “bring your own device” policies need to make clear that if employees conduct business on personal devices, the employer has the right to search those devices, Berry said. The policies should be written and notices posted.

The organization should conduct annual audits to ensure the policies remain in compliance with frequently changing regulations.

Julie Hanson is a freelance writer who has reported on local news across Massachusetts and New Hampshire.
