Employees as Risks

A case study on intrusive surveillance and behavioral profiling for cybersecurity, insider risk detection and “compliance”

Wolfie Christl, Cracked Labs, August 2024

This case study is part of the ongoing project “Surveillance and Digital Control at Work” (2023-2024), led by Cracked Labs together with AlgorithmWatch, Jeremias Prassl (Oxford), UNI Europa and GPA and funded by the Austrian Arbeiterkammer, which explores how companies use personal data on workers in Europe.

Summary

Organizations use increasingly intrusive digital monitoring and behavioral profiling to prevent cyberthreats, data leaks and other information security incidents. Employees are seen as major risks. They may enable cyberattacks through carelessness or negligence, for example, by falling victim to a phishing attack or sending information to their private email address, or they may become “insider threats” who intentionally plan to harm the employer. In recent years, organizations have begun using software that analyzes large amounts of activity log records and communications data for purposes that go well beyond cybersecurity. A variety of software systems promise to help them prevent employee misconduct, whether it be criminal, negligent, inappropriate or otherwise undesirable. The boundaries between information security, the protection of corporate information, fraud and theft prevention and the enforcement of compliance with regulatory requirements and organizational policies are becoming blurred.

This case study explores, examines and documents how employers can use software that analyzes extensive personal data on employee behavior and communication for cybersecurity, insider threat detection and compliance purposes. To illustrate wider practices, it investigates software for “security information and event management” (SIEM), “user and entity behavior analytics” (UEBA), insider risk management and communication monitoring from two major vendors. First, it looks into cybersecurity and risk profiling systems offered by Forcepoint, a software vendor that was until recently owned by the US defense giant Raytheon. Second, it investigates in detail how employers can use cybersecurity and risk profiling software sold by Microsoft, whose “Sentinel” and “Purview” systems provide SIEM, UEBA, insider risk management and communication monitoring functionality. Combined, these systems can monitor everything employees do or say, profile their behavior and single them out for further investigation. Similar to predictive policing technologies, they promise not only to detect incidents but to prevent them before they occur. While organizations can use these software systems for legitimate purposes, this study focuses on their potential implications for employees.

Based on a detailed analysis of software documentation and other corporate sources, this case study documents a wide range of data practices. Both Forcepoint and Microsoft provide far-reaching surveillance capabilities:

  • Monitoring employee behavior and communication. The systems examined in this study can monitor how employees access and modify files, how they copy them to the clipboard, the applications they use, the websites they visit and their searches, their email and chat conversations, voice calls, video meetings, how they physically access buildings and offices, their performance reviews and even keyboard and screen activity.
  • Analyzing extensive personal data across the organization. Data from employee computers is accessed via anti-virus, device management or extra monitoring software installed on their devices. Activity logs from almost any enterprise software system used in an organization provide additional information on employee behavior, from Microsoft 365 and Teams to Zoom, Salesforce, Oracle and SAP. Data sources can also include networks, firewalls, spam and web filtering software, badging systems and HR software such as Workday.
  • Singling out suspicious employees and ranking them by risk. Both Forcepoint and Microsoft offer to continuously calculate risk scores for employees, assess their behavior, rank them by risk and raise alerts about those who are considered potential “insider threats” or otherwise suspicious.
  • Detecting “anomalous” behavior. Several systems examined in this study promise to “learn” over time how employees usually behave and then try to identify “anomalous” behavior. This AI-based profiling relies on the ongoing analysis of data on past activities of employees across departments and entire organizations.
  • Intrusive inferences and assessments. Based on data on behaviors and communication, Forcepoint offers to assess whether employees are in financial distress, show “decreased productivity” or plan to leave the job, how they communicate with colleagues and whether they access “obscene” content or exhibit “negative sentiment” in their conversations. Microsoft promises to detect “insider threats” based on assessments about “risky browser usage” and “offensive language”. It suggests focusing on employees with a “predisposition” to “violate company policies” and specifically targets “disgruntled employees” who received “poor performance reviews”, were demoted, put on “performance improvement plans” or are to be terminated. Organizations can detect almost any type of behavior based on custom data sources, risk indicators and AI-based policies.
  • Pervasive communication surveillance. Microsoft offers to scan email and chat conversations, voice calls, meeting transcripts and file contents for a wide variety of purposes ranging from “acceptable use” to compliance, cybersecurity and criminal misconduct. Its communication monitoring system promises to detect “profanity”, “offensive language”, “inappropriate text”, threats, harassment and discrimination but also corporate sabotage, data leaks, bribery, money laundering, insider trading, conflicts of interest and “workplace collusion”. Employers can receive alerts when certain keywords are mentioned. They can “train” custom AI-based classifiers by providing text samples that represent the type of content they want to detect. Via third-party software, the system can access data from mobile devices, including calls and encrypted messages in WhatsApp or Signal.
  • Investigating past employee activities and screen recordings. Organizations can use the insider risk and communication monitoring systems examined in this study to further investigate suspicious employees and their past behavior, including their website visits, file and application usage, badging activity and communication contents. For “forensic” investigations, employers can access screen recordings and fine-grained user interaction data on typing activity, clipboard usage or the currently active window at a certain point in time. Forcepoint promises to provide an “over-the-shoulder view” of the employee’s computer.
  • Combining cybersecurity and risk surveillance. As Microsoft’s cybersecurity software “Sentinel” can process alerts about suspicious employees from all the other risk profiling systems, it can become a combined security and risk surveillance system. It can analyze millions of log records per second and access up to seven years of past data. Sentinel offers to detect “non-routine actions” and “non-compliant practices” including “insider threats”. It promises to help organizations understand whether a suspicious user is a “disgruntled employee who just got passed over for a promotion”. Organizations can put certain employees on “watchlists” and perform “dragnet” searches for certain behaviors according to various criteria in real time.
  • The study briefly examines other Microsoft technologies for auditing, “data loss prevention” (DLP) and “eDiscovery” and systems from two other vendors. IBM offers SIEM, UEBA and insider risk systems similar to Forcepoint and Microsoft. Its communication monitoring system promises to assess “emotions”. Teramind provides intrusive surveillance software that openly combines security, risk and productivity monitoring.

Organizations must protect themselves from cyberattacks, data loss and criminal misconduct. This is not optional and is, in several ways, mandated by law. Nevertheless, intrusive security and risk surveillance raises serious concerns about misuse by employers, disproportionate monitoring and profiling across purposes, flawed risk assessments and arbitrary suspicions. As discussed in the final section of this study, employers can potentially misuse these technologies to spy on employees, target organized labor, suppress internal dissent, apply excessive behavioral policing or impose arbitrary disciplinary action. These systems put employees under general suspicion and can undermine privacy, human dignity, autonomy, freedom of expression and trust in the workplace. When employees with “poor” performance reviews receive extra scrutiny, employers can apply more rigid performance monitoring. Surveillance generally increases the power and information asymmetry between organizations and employees.

Employers can widely customize the systems provided by Forcepoint and Microsoft. They can either limit or expand data sources and profiling capabilities and apply them either to only a few employees with access to sensitive resources or to their entire staff. They can implement more or less effective safeguards such as pseudonymization, access control and auditing. While employers are primarily responsible for deploying these systems, software vendors influence and shape how they are used. Forcepoint, whose behavioral surveillance technology was initially funded by the CIA, recommends that organizations implement intrusive profiling across all employees and suggests targeting “internal activists”. Its customers include businesses in all sectors, including in Europe. Microsoft provides similar technology, which is easily available to many employers who already use Microsoft software. As this investigation shows, Microsoft recommends that customers monitor all employee communication at least for “harassment or discrimination detection” and systematically incentivizes them to expand risk surveillance. The findings of this case study suggest that the cybersecurity and risk profiling systems offered by Forcepoint, Microsoft and other vendors help normalize pervasive employee surveillance and contribute to its expansion.

The findings will be incorporated in the main report of the ongoing project “Surveillance and Digital Control at Work” (2023-2024), led by Cracked Labs, which explores how companies use personal data on workers in Europe.