Microsoft Office 365 has ability to 'spy' on workers – ComputerWeekly.com

Microsoft Office 365 has ability to 'spy' on workers – ComputerWeekly.com

Microsoft Office 365 has ability to 'spy' on workers – ComputerWeekly.com 1200 400 charlie

buchachon – stock.adobe.com
Businesses can use risk management tools in Microsoft Office to covertly monitor the activities of employees on work-issued computers.
The software company provides tools in its Office 365 suite that can be used by employers to read staff emails and monitor how long they spend on calls and how many meetings they attend.
The surveillance capabilities of Microsoft’s Office suite, which is widely used by businesses across the world, were disclosed in a dissertation by a researcher at University College London (UCL).
The research shows that companies continue to exploit capabilities built into Office 365 to monitor staff computers some 18 months after Microsoft took steps to protect employees’ privacy.
The disclosure has led to calls for Microsoft to change its software to alert staff when companies use its Office 365 productivity tools to monitor identified employees.
Eliot Bendinelli, senior technologist at campaign group Privacy International, which participated in the research, said Microsoft should be more transparent about the data it enables companies to collect.
“The ability for an employer or an IT administrator to read all communications and documents, and to access data about employees’ online activities without their knowledge, is one of the most problematic features of Office 365,” he told Computer Weekly.
Microsoft introduced measures to protect the privacy of employees in Office 365 in 2020 following criticism that its Productivity Score tool allowed managers monitor individual employees.
The company replaced its reports with aggregated data measuring how much employees were sending email, collaborating on shared documents and taking part in group chats, in a way that was not traceable to individual users.
But research by UCL computer science graduate Demetris Demetriades and Privacy international shows that employers are still able to use functions in Office 365 to monitor individual employees.
Demetriades found employers can use the governance and risk management tools in Office 365 to look at the content of emails or messages sent by specific employees and identify the activities that individual users have carried out using their work computer.
Microsoft’s “content search” and “audit” tools can be used by employers to build up a detailed picture of employees’ activities, he told Computer Weekly.
“Whatever interaction is performed through business email, the audit and content search features identify it and log it. For example, they log the time of the email, the recipient and the content of the email. If the email contains attachments or a picture, the employer can see that too,” he said.
Privacy International argues in an article about Demetriades’ research that these tools can be used to build up a detailed profile of an employee.  
“Combining these two all-encompassing features, employers are able to draw a rather intimate picture of every employee, down to the finest of details. This includes not only a list of most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through email,” it said.
IT administrators can also use the administration centre in Microsoft Teams video conference, messaging and collaboration software to assess how long employees spend on calls, how many messages they exchange and how many one-to-one meetings they take part in.
The software records which devices employees use to attend each meeting or send each message, potentially allowing employers to make inferences about employees.
For example, managers might make the assumption that an employee who joins an early morning meeting from their phone, rather than their laptop, might still be in bed.
Microsoft provides companies with aggregated data showing how employees across the organisation, or individual groups, are using Office 365 applications. It also provides them with a productivity score that shows how well employees are using Office 365 capabilities compared with similar companies.
For smaller organisations, this data can still be used to make inferences about the performance of individual employees, Demetriades and Privacy International found.
The audit and content search tools offered by Microsoft have legitimate uses, such as allowing employers to identify breaches of employment contracts, breaches of company policies on harassment and the disclosure of trade secrets.
But Demetriades and Privacy International argue there are no safeguards to protect employees from auditing tools being misused and Office 365 users are given no warning if companies choose to enable those tools.
“This lack of transparency and limitations on the employee side means they can potentially be misused and turned into a surveillance machine without employees’ full knowledge,” they claim.
Microsoft did not contradict the UCL research, but said in a statement to Computer Weekly that it uses masked or “psuedonymised” information about users of Office 365 “by default”.
Revealing identifiable user information is treated as a logged event in the Microsoft 365 compliance centre audit log, the company added.
“We do not believe in using technology to spy on individual employees. Data-driven insights have long been a critical part of how IT professionals deploy and manage solutions, provide services, meet regulatory requirements and fix problems across their organisations,” a spokesperson said.
“Most of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level – across groups or entire organisations. These tools are an important part of helping organisations run effectively and get the most out of their investment,” the spokesperson added.
Although Microsoft mentions in its privacy policy that Office 365 can be used by organisations to “access and process your data”, including “the contents of your communications and files”, it is unlikely to be noticed by employees who may have to consent to the software their company is using.
Microsoft does not limit how employers can use its “audit” and “content search” tools, which means they could potentially misuse them to spy on employees without consent.
If employers do not disclose which Office 365 capabilities are turned on, employees have no way of knowing “whether their every action with Office 365 is being monitored or even if their communications are being read by someone”, the privacy group argued.
Demetriades said Microsoft could do more to prevent employees being spied on by their employer, such as introducing a dedicated dashboard accessible to all employees that lists which productivity apps have been enabled or disabled and what data the organisation is collecting and under what circumstances.
Microsoft should also notify Office 365 users when companies turn the “audit” and “content search” features on, and if administrators disable the option to conceal usernames in Office 365 to generate reports about named individuals, he added.
“I am not saying these features should be removed completely, because they are good for productivity, but they should be used to provide aggregate information,” said Demetriades.
There are other ways to see whether individual employees are being productive rather than using these metrics, he added.
Under UK data protection law, employers are responsible for ensuring they comply with the law when using software to monitor employees.
Companies need to ensure that monitoring employees at work is proportionate, and if it is proportionate, whether they can justify collecting data on employees without informing them first, said IT lawyer Dai Davies.
“The real problem is that there is no black and white answer. What is proportionate in one situation is not proportionate in another,” he said.
For example, it is probably proportionate and lawful for a retailer to install a hidden camera where there are grounds to suspect a staff member of pilfering from a till. However, it would not be proportionate for a company to record the key strokes made by every secretary employed by the organisation to identify the least productive typists.
“Monitoring everyone is much more problematic than monitoring a few people. One of the problems with Microsoft Office 365 is that it allows monitoring of every employee and is therefore harder to justify,” said Davis.
He said Microsoft had failed to acknowledge that employers could combine data gathered from Office 365 with other data they hol on their staff.
David Wilson, CEO of Fosway Group, an analyst specialising in the human resources industry, said there were legitimate reasons why companies might want to monitor employees.
These include monitoring workplace apps to identify patterns of use or monitoring email to identify intellectual property theft or workplace harassment.
“It is hard to argue that a company should not be allowed to access staff emails or browsing history if there are business-critical or legal reasons. The issue is more one of governance and ensuring that monitoring capabilities are not abused,” he said.  
For example, pharmaceutical companies ask employees for consent to use software to automatically screen their emails and social media to see whether rival companies are mentioned to ensure that employees do not accidently leak confidential information to a competitor.
The same software could be used to identify employers who have applied for jobs with competing companies.
Demetriades used a trial version of Office 365 to simulate a company network made up of two users and a systems administrator as part of his research project for a masters in information security at UCL.
“I set up an admin account, which represented the employer, and I added two user accounts, which represented employees,” he told Computer Weekly. “I used my laptop and my phone, and I logged each user in on one device, and I tried to interact with simple messages and set up meetings to collect data. The platform tracked the data and it started to generate the graphs and the metrics.”
Demetriades, a software engineer, said it would be “very easy” for an employer to select and read emails sent by a particular employee.
Microsoft announced plans to remove user names from its Productivity Score tool in a blog post in December 2020, in response to criticism that the feature could be misused by employers.
“No one in the organisation will be able to use Productivity Score to access data about how and individual user is using apps and services in Microsoft 365,” it said in the post.
The company also changed the interface of its software to make it clear the purpose of Productivity Score was to monitor the adoption of technology within the organisation rather than to monitor individual employees.
But Demetriades’s research shows that Office 365 can still be used by employers to monitor that activities of their staff.
Microsoft said in its statement that there were scenarios where IT professionals need access to “user-level information” to identify and fix problems or to track software licences.
“Access to these reports is restricted to only a few IT-focused roles. Moreover, Microsoft generally takes the step of concealing user, group and site information by default,” a spokesperson said.
 
ESG considerations add a new dimension to IT purchasing criteria and, more broadly, could help bridge the gap between business …
Climate tech success hinges on the technology’s capability, the team behind the tech, and their vision for building a viable …
The three antitrust bills passed by the U.S. House of Representatives would funnel more money to antitrust law enforcers, as well…
This podcast episode discusses conviction of former Uber CSO Joe Sullivan, who was found guilty last week of covering up the …
To retain digital trust, organizations must be transparent in the aftermath of cybersecurity attacks and data breaches. Learn …
A flaw in the API for NPM could potentially allow a threat actor to see the internal packages for corporate users — a possible …
Network documentation helps enterprises resolve problems more quickly and create more reliable networks. But documentation needs …
Zero-trust network access is touted as the solution to replace the VPN. As the potential future of network security, learn more …
In a sea of options, finding the best ZTNA vendor for your organization can pose a major challenge. Weed through the marketing …
File server reporting within File Server Resource Manager can help admins identify problems and then troubleshoot Windows servers…
Administrators who manage many users can go one step further toward streamlining license assignments by taking advantage of a new…
ServiceNow doubled down on its commitment to take the complexity out of digital transformation projects with a new version of its…
Generate accurate data analysis and predictions by mastering the six dimensions of data quality — accuracy, consistency, …
A new book lays out a strong case for data integration and guides readers in how to carry out this essential process.
The new release of the widely deployed and supported PostgreSQL platform integrates enhanced logging, data compression, SQL and …
All Rights Reserved, Copyright 2000 – 2022, TechTarget

Privacy Policy
Cookie Preferences
Do Not Sell My Personal Info

source

    Would you like to receive notifications on latest updates? No Yes