Tools for remote employee monitoring and surveillance are on the rise. Every day, large and small companies are trusting tools like Hubstaff, Time Doctor, Activtrak, and Teramind. And these options aren’t your run-of-the-mill option to check on your employees. We’re talking about surveillance that makes you wonder where is the line between productivity and privacy.

In this piece, we will link everything: why so many people have been monitoring employees, how does it work, and how does the current legislation support it. We will also discuss the various alternatives in the market, including ourselves. Yes, we have been used as “tattleware”, too!

The birth of “tattleware”

This trend of work vigilance is not new, and for the most part, not surprising. A Gartner survey conducted in 2018 concluded that more than 50% of corporations were using some sort of “nontraditional monitoring techniques”. The number was expected to be 80% this year, and with good reason.

But surprisingly, “tattleware” isn’t the very first reason behind monitoring. As organizations grew larger, traditional “employee surveys” couldn’t create a holistic view of the workplace. That’s where the first monitoring services came to life, such as social media and sentimental analysis.

Those services paved the way for more tracking. Having full control, the office and its technologies could be used to paint employee’s data with broader strokes. Services like mail scraping and workspace tracking started to gain traction. This is the point in time where services of time tracking and organizational tools were born.

In other workspaces, such as factories, the need for other kinds of monitoring was on the rise too. Just a couple years ago, Amazon filed a patent for “monitoring bracelets”: a wristband that tracks your movements around the warehouse and measures your productivity. It seems pure observation wasn’t enough for bosses.

We discussed recently in an opinion piece about why the workplace is a place of control. As a society, we have always believed that the identity of the office is somewhat sanitized – the direct cause of dressing up for work, for example. There are also several rules in place to maintain the respect for our coworkers, such as not coming late. But the key aspect of control is supervision. We tend to believe we need someone watching us from overhead to be productive, even if several generations of remote workers have proven otherwise.

Nonetheless, this is the year where everything changed. Lockdown came around. Covid-19 changed the way we work and communicate with each other. With no real control anymore, our bosses and administrators had their tranquility shattered when remote work became mandatory. The fear created doubt. Is remote work going to keep my employees productive? What if they just watch Netflix all day, or play videogames? 

Conditions around the house aren’t ideal for employees either. The barrier between work and leisure is sometimes broken when working at home. Kids, pets and household necessities are unavoidable, human activities. For bosses and their vision of productivity and control, they are distractions.

These doubts, amongst other things, created a huge need for remote supervision.

But what about Privacy Rights?

As we stated, the birth of monitoring software as we know it was a gradual process. But in fact, legislation about employee privacy is quite old, even from before the time when computer work became the standard. An example of this is the Electronic Communication Privacy Act from 1986, updated by the USA PATRIOT Act.

The ECPA is a strong precedent for privacy in the United States. Lewis Maltby, president of the National Workrights Institute, had harsher words for it. “When you’re on your office computer, you have no privacy at all”, he declared to CNBC. “Anything and everything you do is probably monitored by your boss.”

Although if you read the ECPA, you would be surprised. The three Titles of the law regulate the interception and disclosure of electronic communication. And as any law, it has several exceptions. The business use exception allows employers to track employees as long as the former has a legitimate reason. There is also the consent exception, where the employers may monitor you if they have your consent.

The most notable exception proves Maltby’s point. This legislation state that if you work on company equipment, such as computers or telephones, your data belongs to the company, not you.

Across the Atlantic, laws tell another story. The General Data Protection Regulation (GDPR) adopted in 2016 establishes far more strict rules for privacy. Individual users working in the European Union have full control over where is their data and how it is stored. For example, if a worker marks a document as private, no employer can access it even if it resides on a work computer.

Even if Europe is leaning towards privacy, we know the surge on professional surveillance software is higher than ever. How did they get so good at it to be a business so profitable? 

How does employee monitoring work

The fear in every boss’s mind is easy to describe. I don’t know what my employees are doing in their worktime, so I may spy on them. However, that procedure may be performed in several ways, almost all of them based on information and control.

Time Tracking and Behavior Analysis

Alternatives in the time tracking business were available way before the coronavirus pandemic struck. Almost every tool available in the market uses some form of time tracking: analyzing what you do in your work computer or phone by way of behavior analysis. That usually means tracking what apps you use and what websites you visit, and cross-reference it with the goals of all employees.

Tools like Prodoscore and Time Doctor have an AI-focused approach. They scan every app and browser you’re using, looking for specific usage data. For example, Prodoscore produces a map of all actions performed in the day for every employee, such as “emails sent” or “sales calls completed”.

Some services even have the ability to transcribe your phone conversations, to deeply analyze an employee’s performance on calls from customer support and sales.

Screenshots and Keystrokes

Almost every employee monitoring software has implemented screenshot capabilities. In most cases, the service takes a screenshot from the user’s displays on coordinated time intervals –in their work hours, allegedly– trying to catch employees in the act.

Screenshot tools, while sometimes being an unnecessary invasion of privacy, also work as an employee liability service. Employers insist that screenshots are a useful way for employees to share their work with their superiors in a handy way, usually omitting the fact that accountability can be done without the micromanagement on your personal devices. 

Keystroke and copy/paste operation are the next level in surveillance. Deeply integrated monitoring software such as Teramind can record every pressed key on your keyboard. They can also save and analyze the text contents of your clipboard. Usually, the software has certain place whitelisted: banking sites, personal logins, and for the most part, places that need passwords.

One of the use cases described for these services is accountability. The insight from the software can be useful: employers using ‘unprofessional language’, or easy to guess passwords on company logins. The downside –and this is a huge one– is the absence of almost any trace of personal privacy. Casually chatting with a coworker about why your boss is a jerk? Not anymore, because he will know.

Webcam and always-on hypervigilance

If watching your employees’ screens or reading through their keystrokes isn’t enough, there is one more option: to watch them, literally. Certain monitoring software has the capability of tracking your idle time by watching you, on your laptop’s camera. These employee monitoring tools can cross-reference your computer activity with the movement on your camera to further measure your productivity.

Some services are going the extra mile, and implementing always-on cameras. The service takes a photo every five minutes to ensure you’re sitting by your laptop, and if you’re not there, they’re gonna tell on you. The service works as a “wall-of-faces” of sorts, to achieve the ultimate dream in surveillance: the Panopticon.

Subtle forms of surveillance

Not every type of surveillance has to be a service. Companies that work on software usually have ways to connect between employees, and those services can be used to survey usage and productivity.

Slack, as any other messaging service for employees, is the first one that comes to mind. Messaging services have always had statuses, such as connected/disconnected. Some creative bosses have regulated employees activity with rules about status, and your boss asking you to be connected all day in Slack is one of them.

The same can be said about enforced “remote water-cooling”. Activities that require your presence in-camera are a subtle way of surveillance. Maybe you decided to work someplace else or having that meeting in your bed, early in the morning. Anyone who has worked remotely had this issue: dressing from the waist up or putting on heavy makeup just to be on camera on a mandatory meeting.

A glasshouse: Prey used as a surveillance tool

As a product, Prey hasn’t been far from this trend. We’re not specially designed as a surveillance tool, but the ITs who use –or are contemplating to use– our service think creatively.

A couple of months ago, a prospect –which will remain nameless– contacted us to use Prey as a tool for employee monitoring. A series of Windows 10 laptops were issued to remote workers, and the company was trying to evaluate if those users had a stable internet connection, which is one of the tools of our service.

Apart from our tracking and recovery services, they wanted to ensure their workers weren’t lying to them with excuses such as “sorry, my internet connection isn’t working”. A little far-fetched, but a method of surveillance anyway.

Takeaways

Employee monitoring software can take a lot of forms. From the apparently relaxed ways of remote water-cooling, to full-on surveillance like always-on cameras and keyloggers. We also know that the trend isn’t new, and the coronavirus pandemic –and all the changes that came with it– just pushed it forward.

We also understand that legislation in the US isn’t in the best place right now in regards of employee monitoring and privacy. Any caveat in the legislation is bound to be exploited.

As a society, we have an urge to update and change. We hope the trend of surveillance software can lead to healthier, better ways to manage employees. Work relationships are based on trust and productivity, and –for the most part– the tools described today come to undermine that trust.

As a remote-forward company, Prey has always been on the side of results and trust instead of control and surveillance. We also know that it’s impossible to judge every organization equally. But at least for us, the trust model has worked. We hope it does for you, too.

What is Data Encryption?

Data Encryption is a process that can be as easy as flipping on a switch if you know what you’re looking to achieve. Let’s recap the basics of this data security asset. To encrypt data is to take a piece of information, and translate it into another piece of unrecognizable information. This end product is called a ciphertext.

To get a ciphertext, you run the information that is to be encrypted through an encryption algorithm. This algorithm takes the original information and, based on randomized rules, transforms the information into a new, undecipherable piece of data. Think of it as a ‘translation’. What the encryption algorithm does is create a new language, and hides sensitive data by transforming it into this secret code, which you can only decrypt and turn back to plaintext if you know the rules, or what’s called a key.

The key represents the mathematical steps the algorithm took to convert your text from “Hello World” into “XJtg920kl#aJFJ”%*¨*FK”. Without it, you can’t decrypt the data, and thus it is protected from unauthorized access.But, there are many different types of encryption algorithms and methods to pick from, so how do you know which one is the safest pick for your cybersecurity needs? Let’s begin with the most basic distinction: symmetric versus asymmetric encryption.

Symmetric versus Asymmetric

Encryption types can be easily divided into these two categories: symmetric encryption, or single-key encryption, and asymmetric encryption, or public-key encryption.

Symmetric Encryption

In symmetric encryption, there is only one key, and all parties involved use the same key to encrypt and decrypt information. By using a single key, the process is straightforward, as per the following example: you encrypt an email with a unique key, send that email to your friend Tom, and he will use the same symmetric-key to unlock/decrypt the email.

The perks of symmetric encryption are its faster performance and low resource consumption, but it is inherently older and less secure than its counterpart. The reason is simple: if you scale your encryption to a company-wide scale, it means you’re putting all your trust into a single key you will need to share around a lot.

For this reason, Symmetric encryption is great when working with sensitive data in bulk, or encryption tasks that intend to permanently want to hide information without the need for decryption. For example, when you activate BitLocker on a Windows computer to encrypt all hard drives. By unlocking the PC with his/her passcode, the user will decrypt data without risk of exposing its secret encryption key. Another example are VPNs, which encrypt your network traffic with a local key and don’t have the need to share that outside of your own use.

Asymmetric Encryption

Asymmetric encryption, on the other hand, was created to solve the inherent issue of symmetric encryption: the need of sharing a single encryption key around that is used both for encrypting and decrypting data. 

This newer and safer method utilizes two keys for its encryption process, the public key, used for encryption, and the private key used for decryption. These keys are related, connected, and work in the following way:

A public key is available for anyone who needs to encrypt a piece of information. This key doesn’t work for the decryption process. A user needs to have a secondary key, the private key, to decrypt this information. This way, the private key is only held by the actor who decrypts the information, without sacrificing security as you scale security.

A good example is email encryption. With asymmetric encryption, anyone can use your public key to send you an encrypted email that you only can decipher using your private key. 

Naturally, asymmetric is a more advanced encryption standard and thus is slower and resource consuming. Due to this, it is usually utilized in smaller transactions, usually to establish safe communication channels, or authenticating users.

Common Symmetric Encryption Algorithms

AES or Advanced Encryption System

AES is one of the most common symmetric encryption algorithms used today, developed as a replacement to the outdated DES (Data Encryption Standard), cracked by security researchers back in 2005. This new algorithm sought to solve its predecessor’s main weakness, a short encryption key length vulnerable to brute force.

AES encrypts information in a single block (block cipher), and does so one block at a time in what is called ’rounds’. Data is initially converted into blocks, and then these are encrypted with the key in different rounds depending on key size: 14 rounds for 256-bits, 12 rounds for 192-bits, and 10 rounds for 128-bits. The process involves a series of data manipulation and mixing steps that are done each round: substitution, transposition, mixing, column mix, sub bytes.

Why is AES one of the most frequently used algorithms? AES is fast, with a variable key length option that gives it extra security. It is ideal when handling large amounts of encrypted data.

Blowfish and TwoFish

Blowfish was another symmetric successor to DES, designed as a block cipher like AES but with a key length that goes from 32 bits to 448 bits. It was designed as a public tool, not licensed and free. This initial version was upgraded to TwoFish, an advanced version of the latter, which utilizes a block size of 128-bits, extendable up to 256-bits.

The main difference with other encryption algorithms is that it utilizes 16 rounds of encryption, independently of the key or data size. The main attractive of TwoFish is its flexibility in performance, giving you total control of the encryption speed.

The main reason why TwoFish is not considered the top symmetric algorithm is that AES gained recognition and was quickly adopted as a standard by manufacturers, meaning it had the upper technical edge.

3DES or Triple Data Encryption Standard

Finally, the direct successor to DES is 3DES, or Triple Des. This symmetric algorithm is an advanced form of the deprecated DES algorithm that uses a 56-bit key to encrypt blocks of data. Its concept is simple: it applies DES three times to each block of information, tripling the 56-bit key into a 168-bit one.

Due to applying the same process thrice, 3DES is slower than its more modern counterparts. Furthermore, by using small blocks of data, the risk of decryption by brute force is higher.

Despite its slower speeds and generally outdated status when compared to AES, it is still widely utilized in financial services to encrypt ATM PINs and UNIX passwords.

Common Asymmetric Encryption Algorithms

RSA or Rivest–Shamir–Adleman

Considered a staple of asymmetric encryption. Designed by the engineers that gave it its name in 1977, RSA uses the factorization of the product of two prime numbers to deliver encryption of 1024-bits and up to 2048-bit key length. According to research conducted in 2010, you would need 1500 years of computational power to crack its smaller 768-bit version!

However, this means that it is a slower encryption algorithm. Since it requires two different keys of incredible length, the encryption and decryption process is slow, but the level of security it provides for sensitive information is incomparable.

Since its speed isn’t convenient for processing large amounts of data, RSA encryption is mostly used in digital signatures, email encryption, SSL/TLS certificates, and browsers.

ECC or Elliptic Curve Cryptography

This method was originally pitched in 1985 by Neal Koblitz and Victor S. Miller, only to be implemented years later in 2004. ECC uses a fairly more difficult mathematical operation based on elliptic curves on a finite field, in what is called the Elliptic-curve Diffie–Hellman.

With ECC you have a curve, defined by a math function, a starting point (A), and an ending point (Z) in the curve. The key is that to get to Z, you have done a series of “hops”, or multiplications that resulted in Z. This amount of hops is the private key.

Even if you have the starting and ending point (public key), and the curve, it is nearly impossible to crack the private key. This is because ECC is what is called a “trapdoor”, or a mathematical operation that is easy and quick to complete, but extremely difficult to reverse.

ECC, or ECDH, a mathematical formula is of such strength that it can match a 1024-bit key system with security with a 164-bit key. In its highest setting, 512-bits, ECC can achieve a comparable level of security of a 15360-bit RSA key!

To paint a picture, RSA 2048-bit keys are the banking standard, yet 521-bit ECC delivers the equivalent of a 15360-bit RSA key. 

Considering the aforementioned facts, ECC is considered the future of encryption. It’s asymmetric, yet it is able to provide a security level of 256 bits at a maximum key length of 521 bits, which ensures fast encryption speeds with a high complexity of decryption to ensure sensitive data stays safe.

ECC is also extremely attractive for mobile, where processing power is low and data transfers are high. The low-cost, low-impact, high-security combination makes it the ideal standard for protecting sensitive mobiles and apps.

Takeaways

Encryption can be an intimidating endeavor. Data is everywhere, and you must consider it on all levels: data at rest, data in motion, who and where need to access this information, how it is transmitted, and what types of interactions you have involving sensitive information that must be encrypted.

You could be encrypting your enterprise’s communications, web browser information, e-commerce transactions, your company’s database, hard drives, or customer and user data. Taking the first step might seem difficult, but it is necessary to document all data interactions and make a plan. This way, you’ll understand what types of encryption you’ll need.

Fortunately, there are many straightforward encryption tools that are already at your disposal, ready to be activated quickly as you figure out the extent of your data security protocols. FileVault on macOS comes integrated and ready to encrypt your Mac computers with AES; whereas Microsoft boasts BitLocker native encryption, capable of full disk encryption with AES and AES-XTS.