Everyone has bad days at work. When you need to vent, you angrily type a screed to your work wife on Slack. When you need to cry (we’ve all been there), you seek out the third bathroom stall. When you need to send a quick personal email or order something on Amazon, you tilt your screen a touch to shield it from the peering eyes of your cubicle-mate. You do these things to maintain a level of privacy at the office. But in our data-driven era, how much privacy do we really have at work? For those of us working remotely, are our employers monitoring us...at home?
While the Wild West of the Internet is still largely lawless, there are a few pieces of legislation that cover the Venn diagram of our jobs and our private data: The Americans with Disabilities Act requires employers to keep medical information confidential, even if the information does not relate to an ADA-covered disability. Health information that an employer seeks as part of the benefits onboarding process may be protected by the Health Insurance Portability and Accountability Act (HIPAA) in some instances. As for protecting employee privacy in the workplace, each state has either its own laws related to employee privacy or a general consumer-protection law that covers employee privacy or both.
If an employee uses his or her company’s IT systems—whether that’s through a desktop computer at the office or a work-issued laptop—such use can most likely be monitored. That shouldn’t be surprising; cyber threats are pervasive, and a company needs to know what’s happening on its own systems. But does that mean your employer knows everything you’re doing online? Can people at the company read your vent-Slacks, scan your emails, or creep on your search history? Can they tell if you’re applying to other jobs? And if they can, can they use that information against you?
Here’s what you need to know:
“If it’s a work-issued computer, you should expect to have no privacy whatsoever,” says Rita Heimes, the general counsel and chief privacy officer of the International Association of Privacy Professionals, an education nonprofit for privacy professionals. “Many employers have policies that explicitly say: Do not have an expectation of privacy on your work-issued computer.” That’s partly for security reasons; work-issued laptops likely contain the company’s intellectual property and proprietary data, so those computers are often preloaded with security mechanisms that prevent employees from accessing certain websites or downloading malware and flag when they receive messages or emails that may contain a virus.
“To the extent that you’re using a company-issued device for the purposes of browsing the web, your entire web-browsing history is going to be accessible to the employer,” says lawyer Heather Egan Sussman, head of law firm Orrick’s Global Cyber, Privacy & Data Innovation Practice Group. “I choose that word accessible very carefully. Just because it’s available does not mean the employer is then going back and checking the sites that you’re visiting.”
You’ll enter a gray area if you start to use your personal computer for work activities, according to Ann Bartow, a professor of law at the University of New Hampshire. Her advice? “Don’t use your home computer for work activities and vice versa, because the boundaries get blurry, depending on the laws in your state and the policies of your company.”
The same goes for your work-issued cell phone. Even if it’s inconvenient, Bartow recommends carrying a second phone for personal use only, to prevent your employer from having access to your personal data, photos, and text messages.
A 2018 survey by the research firm Gartner found that 50 percent of the 239 large corporations surveyed were using monitoring techniques such as “analyzing the text of emails and social-media messages” and “scrutinizing who’s meeting with whom.” According to The Wall Street Journal, Microsoft tracks data on “the frequency of chats, emails, and meetings between its staff and clients using its own Office 365 services to measure employee productivity, management efficacy, and work-life balance”; then it allows some employees to see how they spend their time each week and offers suggestions on how to better spend their time the following week. A 2019 Accenture report found that 62 percent of C-suite execs said their organizations are using new technologies to “collect data on their people and their work” to gain insights on productivity and collaboration; only 30 percent were “very confident that they are using the data responsibly.”
Such monitoring could erode trust between employees and their companies, so it’s important that companies are honest about whether they’re watching and, if so, what they are monitoring and why, according to Harvard Business Review.
When the pandemic started, employers hunted for new ways to make sure employees were doing their work. Software like Hubstaff—which takes screenshots of workers’ screens and shares phone location data with managers (with the employee’s knowledge)—rose in popularity, according to The New York Times. At the end of the newspaper’s own three-week experiment, tech correspondent Adam Satariano and his editor Pui-Wing Tam decided it was “overly intrusive.”
It’s not illegal for employers to start monitoring their employees in real time if the employees consent (though in some states, employers do not need that consent). “Typically what we’re defaulting back to are specific laws applying to employee privacy or a general consumer-protection law,” Sussman says, explaining that most states’ consumer-protection laws read similarly to Section 5 of the Federal Trade Commission Act prohibiting unfair or deceptive acts or practices. “To the extent that the conduct of an employer is unfair or is deceptive, then it’s potentially subject to scrutiny and review by the FTC,” she adds. However, employees may unknowingly consent to surveillance when they sign their onboarding paperwork, according to Bartow. “If you get dumped with a bunch of paperwork when you start the job, you may not notice,” she says. “They’re probably not going to make a big point of it: ‘Hey, we’re tracking you!’ But probably somewhere in your contract, you’ve agreed that they’re going to track you, and they are.”
“Generally speaking, they’re not monitoring your data as it goes out through Google,” Heimes says. “Ethically, they really shouldn’t be, and most employers know that.”
“I think there’s a lot of misperception out there about the degree to which the employer is surveilling employees and their activities,” Sussman adds. “I think a lot of those [monitoring] products and services are still in a nascent form where there’s not particularly widespread adoption, and surveillance is being used for the purposes of ensuring things like productivity.” An example of this could be speed and location data of a delivery vehicle for safety monitoring and real-time package tracking. “You want to make sure when the work hours end, [employers] stop collecting that information,” she says.
There are legitimate reasons for collecting and analyzing employee data. Large corporations may study trends in employee behavior in order to make tech purchasing decisions, cut costs, or identify new ways to boost productivity. “Sometimes when we all get together, our security people will say, ‘Some of you are going to have to watch fewer YouTube videos because our bandwidth is stretched,’” says Heimes.
However, since web browsing, email, Slack, and other real-time data is typically accessible to employers, they’ll definitely take a look at your history if you’re suspected of or being investigated for fraud, violating an NDA, or sexual harassment in the workplace, and possibly if there are complaints against you.
Or, Heimes says, an employer “might actually watch you very actively for a period of time in order to gather evidence” if it has reason to believe that you were doing something nefarious, like committing a crime, stealing intellectual property, or otherwise colluding with a competitor.
Let’s say you bring your work-issued laptop home with you. If you connect your work laptop to your home Wi-Fi network, could your employer access your personal computer or your smart appliances? No, but your employer could potentially learn some things about your home and your home network, although it’s unlikely.
“They should not be able to do that. I can’t promise they can’t—there’s all kinds of skullduggery that happens—but as a legal matter, my first impression is no, that’s too far. The government can do it, but the government would probably have to get a warrant for that,” Bartow says, generally speaking. “Under basic Fourth Amendment analysis, your employer shouldn’t be able to get to your personal computer through your Wi-Fi without notice, at the very least.” (The Fourth Amendment protects “against unreasonable searches and seizures.”)
Slack, Jabber, corporate Google Chat, and other office messenger services are not private channels, even if you’re chatting 1:1 with another employee. “If you are using a corporate account, I think you need to assume that everything you put on there is accessible by the employer, and employees should conduct themselves accordingly,” Sussman says. However, in the rare case there is someone monitoring the channels for keywords, it’s probably not for water-cooler gossip. “That’s not what they’re looking for. Typically, they’re looking for fraud, insider threats, and security threats,” she adds.
“I would say that [office messenger services] should never be used for personal communication of any kind,” Heimes says. “That’s the employer’s account. It is not your account. So if you are Slacking with another employee, anything that you say could be stored, it could be discovered in litigation, it certainly could be used against you if there was a harassment suit.”
When you sign that onboarding paperwork, you’re likely signing off on your right to privacy on these platforms. “Somewhere buried in your contract or terms of service, it’s probably all been disclosed, but new hires are often rushed to sign without enough time to read through the long, dense documents,” Bartow says.
In some cases, private Slack messages have been used against employees. The most egregious example is probably Away, which implemented a company policy that nearly all communication between coworkers must happen openly on Slack, according to The Verge’s investigation. Although it was against the rules, employees created a private channel called #Hot-Topics for LGBTQ folks and people of color. #Hot-Topics was used mostly for venting and commiserating, and when CEO and cofounder Stephanie Korey found out about it, she fired six marginalized employees for “racist” language and “hate speech,” though she’s since denied using those terms.
Let’s say you’ve synced your personal and work calendars so your meetings auto-populate on your phone. Does that mean that your employer can see that therapy appointment you have booked or your date on Friday? The answer is yes, but only if your calendar settings allow it. “It is possible to configure your work calendar so that it looks blocked, but what you’re doing is not visible to others,” Heimes says. “Check your settings for your calendar within your email client and [change] to private. Set it so that it’s not possible to see your descriptions, or, if necessary, just use non-identifying descriptions of how you’re spending your time.”
If your company mandates that this isn’t an option, it makes more sense to keep your work calendar totally separate from your personal calendar, keeping your personal calendar local to your personal phone, or getting into the habit of using an old-school spiral planner.
Many employers use a virtual private network (VPN) to give employees secure access to the work network and to protect company data (including proprietary data like trade secrets and customer data) from external cyberattacks. But that doesn’t mean an individual employee’s privacy is protected from monitoring by IT within the company. “[Companies] are going to take pretty extreme measures to support the security of their network,” Heimes says. “When you’re connected to your employer’s VPN, it’s the same as if you were sitting in your office. As is, the same level of rules and monitoring applies for activity that goes against company policy.” Even if employees have good intentions, browsing certain websites and downloading software could create a vulnerability in the company’s system. By restricting employees from accessing those sites or downloading questionable software, companies are keeping the entire network secure.
If you’ve traveled in Europe and gone on the Internet, you’ve definitely encountered pop-ups asking for permission to track your data. (Recently, we’ve started seeing them in the U.S. too.) Those consent pop-ups exist because of the General Data Protection Regulation (GDPR), an all-encompassing E.U. privacy law that applies to the processing of personal data. Since it applies to the processing of all personal data, the GDPR also applies to the privacy of employees who work for European businesses, even if they don’t live in Europe.
There’s no equivalent of the GDPR in the U.S. Instead, there are hundreds of state and federal laws that address privacy and cybersecurity, including a handful that apply specifically in the employment context and the general business context.
Right now, there is no federal law governing the way that employers do or do not monitor their employees in the workplace, or the way data is used once it’s gathered. Most privacy experts and consumer-rights groups agree that a federal law is long overdue. “The issue I see with having different states enacting differing laws—it’s this concept of a patchwork of laws—is that in many cases, it’s a challenge to do business and to support innovation when you have competing regulatory regimes,” Sussman says. “Data travels across state lines. Data really knows no bounds.”
At the end of the day, you should never expect privacy on your work-issued devices, and your first act of defense is to understand the way your company accesses and uses your data. Until then, write your emails and Slack messages like they’ll end up in court someday—and save your weirdest Google searches for your non-work-issued phone.