WFH - Watched from Home: Office 365 and workplace surveillance creep

Privacy International and a UCL student expose how productivity suites like Office 365 offer features that can enable employers to access all communications and activities on Microsoft services without the employees' knowledge

Key findings
  • Working from home bolstered the use of remote surveillance software to monitor employees.
  • It's not only tools developed specifically for surveillance: traditional productivity suites might also enable an intrusive level of monitoring.
  • PI and UCL students looked into Office 365 and found features that can enable employers to access all communications and activities on Microsoft services.
  • These features can be operated without the employees' knowledge and there seems to be a lack of transparency for users in terms of what data is collected and for what purpose.

Imagine your performance at work was assessed directly from the number of e-mails sent, the amount of time consumed editing a document, or the time spent in meetings or even moving your mouse. This may sound ludicrous, but your boss might be doing exactly that. There are more and more stories emerging of people being called into meetings to justify gaps in their work only to find out their boss had been watching them work without their knowledge.
The Covid-19 global pandemic has reshuffled the context in which a lot of us work. Suddenly many businesses were forced to shift from physical workplaces to remote working. For a number of companies, this transition translated into a fear that employees might not be working or performing as well as they did in the office, something they decided to fix with increased surveillance. As a consequence, the demand for employee monitoring tools soared. In 2020, global demand for employee monitoring software increased 108% by April and 70% by May 2020 compared to pre-pandemic times. At the same time, search engine queries for "How to monitor employees working from home" increased 1,705% in April and 652% in May 2020 compared to the previous year. The non-profit Coworker recently published a report titled Little Tech accompanied by a database of 550 companies including 182 that offer workplace performance monitoring, with various capabilities.
Coworker's report illustrates a boom in the offer of online workspace platforms and monitoring tools responding to this increased demand. Such highly intrusive solutions are immensely problematic in their own right, providing access to every keystroke, mouse movement and sometimes offering features such as regular webcam access to ensure employees are in front of their computer or to monitor their "attention" and "focus". The resulting invasion of privacy is much more intensive than anything that could happen in a physical office and steps directly into the employees' private space.
Yet, these invasive practices are not solely facilitated through the deployment of dedicated employee monitoring software. If you think you are safe from this because your employer does not deploy this type of tool (yet), we might have bad news. Many so-called "productivity suites", which have been available for years and that you may be familiar with, have also started to integrate discreet and invasive features that compete with the ones offered by bossware.
Among such "productivity suites" is the well-known Microsoft 365 cloud-based productivity package, which offers a wide range of tools for real-time collaboration and communication. What may be less well known about it is how it may be enabling your boss to see how you are spending your day while sitting in front of your company's device.
The following findings come from PI's investigation into the Office 365 suite as well as from the research conducted by UCL computer science graduate Demetris Demetriades titled "The rise of workplace surveillance technology in the coronavirus pandemic".

Office 365: The surveillance features you didn't expect

Whenever a worker interacts with Microsoft 365 they generate data that can be turned into metrics. These data are generated by default by people simply doing their day to day job: writing documents, sending e-mails, chatting on Teams and participating in meetings using the Office 365 Suite (Microsoft Teams, Word, Excel, Outlook etc.).
On the other side of the mirrored glass, by making use of this suite, an administrator is able to access and navigate a variety of dashboards which are automatically generated and can be extremely revealing.
One of these features, the "Microsoft Office 365 Admin Center", aims to inform administrators about the productivity and efficiency of employees within their company. Under the Admin Center one can find two organisational analytics report categories: Usage and Productivity.
Within the Usage reports, administrators will find information about the general usage of services and applications across the organisation or the number of users accessing each Office Application. Under Productivity, generated data can be found on how the company is performing when compared to similar companies that also use Office 365. The report provides estimated quantitative data and statistics that are derived from employees' behaviour inside an organisation, including how often they use a certain app and how long for. Although these reports present aggregated data, for a smaller organisation they might look a lot like individual-level data, since with a smaller number of employees it could be easier for employers to infer who spent time doing what.
Another source of far more granular employee information is the Microsoft Teams Admin Center. From there an administrator can select specific users and read individual metrics from each, including how long they spent on calls, how many messages they exchanged, how many group and 1-1 meetings they attended and more. On top of this, administrators also get access to which device (laptop, phone) a user was connected from for each action they took (attending a meeting, sending a message, etc.). This could potentially be used to infer information or raise questions about why an employee used one device over another. For example, does the fact that someone joined their morning stand-up meeting from their phone mean they were still in bed? The system cannot provide an answer, but it does provide data that allows employers to linger on such thoughts and suspicions.

“Teams user activity” report displaying all user interactions within Teams, including number of messages exchanged and time spent on meetings. Source: “The rise of workplace surveillance technology in the coronavirus pandemic”.

Two of the most concerning features that Office 365 offers are the tools for information governance and risk management called Audit and Content Search. These can be used to present a worryingly detailed amount of information to administrators. By simply entering the right queries, administrators can read people's e-mails, documents and 1-1 messages on Teams and anywhere else actionable.

Admin view of the Content Search feature after performing a query on a specific user. The contents of the user’s e-mails are all made accessible to the administrator. Source: “The rise of workplace surveillance technology in the coronavirus pandemic”.

The Audit feature, which is not enabled by default, provides the additional option to search for individual users over a chosen period and displays all imaginable activities conducted by the user in a list format down to deletion of e-mails and password changes.

Admin view of the Audit feature after performing a query on a specific user. This view shows every action the user performed within Office 365, timestamped. Source: “The rise of workplace surveillance technology in the coronavirus pandemic”.

Combining these two all-encompassing features, employers are able to draw a rather intimate picture of every employee, down to the finest of details. This includes not only a list of most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through e-mail.
Audit and Content Search are offered by Microsoft to enable employers to flag problematic behaviors or potential breaches of employment contracts or company policies including harassment, disclosure of trade secrets, etc. But the overarching nature of these tools is not accompanied by any sort of safeguards to protect employees. There are no limitations to how employers can use these features and there are no active prompts informing workers if they're enabled. This lack of transparency and limitations on the employee side means they can potentially be misused and turned into a surveillance machine without the employees' full knowledge. Indeed, while Microsoft does mention that Office 365 can be used by an organisation to "access and process your data [...] including [...] the content of your communications and files", this information is buried within its privacy policy and unlikely to be noticed by employees, who often have no other choice than to consent to the use of the software their company is using.

Screenshot from Microsoft’s privacy policy section titled “Products provided by your organisation – notice to end users”. Source: https://privacy.microsoft.com/en-us/privacystatement

On the employees' side, there is little left to do but to go on with their day-to-day work without any clue about whether their boss is using these features to spy on them or not. Indeed, Office 365 does not notify users when an administrator enables the above-mentioned 'Audit' feature or when dashboards are generated, and in no way discloses what features are active when an employee first joins Office 365. The opacity for employees is total.
In practice this means that if an employer does not clearly disclose which of these features are enabled, there is no way for employees to know if their every interaction with Office 365 is monitored and turned into performance metrics or even if their communications are being read by someone.

Hacking productivity - Do these metrics even mean anything?

Ultimately these dashboards and monitoring features want to datafy our human experience at work, turning us all into data points and pushing our individuality to the back seat. An employer might rely on these metrics so heavily that they will forget that there is a real person behind them.
On the other hand, metrics are generated through worker behaviour, which means workers might equally choose to mess with the data to their benefit, which in itself undermines the validity of these metrics to their core. For instance, no one is stopping a worker from setting up automatic e-mails to themselves or setting up "fake" meetings with like-minded colleagues in order to increase their performance statistics. This has an impact on generated metrics such as Productivity, where it's clear how altered employee behaviour would give one company a better rating than another for no good reason.
The end goal of these features is to increase 'measurable productivity', but it seems counter-productive to make employees care more about working to please statistics than for the sake of getting work done, or actual productivity.

What has been done by Microsoft and what is lacking

The surveillance capabilities and privacy implications of some of these tools are not new to Microsoft, which in 2020 introduced a few changes to the Microsoft Productivity Score with better privacy practices in mind. Following these changes, the Productivity Score stopped including individual names, only to rely on aggregated data at the organisation level.
Microsoft clearly states in their Privacy Statement that they are not responsible for the privacy or security practices of their customers - the employers - but we believe there is more that Microsoft could commit to offer in order to protect employees from being spied on, such as amending their terms to:

  • Introduce a dedicated screen or dashboard for organisation members listing all enabled and disabled productivity and security features, including information about what data is collected and under what conditions for these features to work. Such a screen should also include Microsoft's and the organisation's privacy policy.
  • Make this screen or dashboard prominently visible to new users logging in for the first time and easily accessible for returning users.
  • Notify organisation members when Audit and Content Search features are turned on.
  • Notify Office 365 users if an account administrator disables the option to conceal usernames in order to generate reports that aren't anonymous ("Display concealed user, group, and site names in all reports").

Transparency is key, and the lack of it can easily erode employees' trust in their employers, which will likely cause a decrease in actual productivity and an increase in staff resignations. Humans are hard-wired to feel uncomfortable being watched, and the increase of staff surveillance by employers during the Covid-19 pandemic has also had a deeply negative effect on workers' mental health. After long years of fighting for workers' rights, a global pandemic has pushed us to this new realm of surveillance, which we must now push back against and rebuild trust from.

We have reached out to Microsoft with our findings and recommendations, to which a spokesperson responded as follows:
“We do not believe in using technology to spy on individual employees. Data-driven insights have long been a critical part of how IT professionals deploy and manage solutions, provide services, meet regulatory requirements, and fix problems across their organizations.”
“While the customer is the owner of their data, by default Microsoft provides restrictions and controls for organizations to limit access to sensitive information.”

  • “Most of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level – across groups or entire orgs. These tools are an important part of helping organizations run effectively and get the most out of their investment.”
  • “There are scenarios where IT professionals require user level information to perform their jobs, from tracking license allocation to identifying and fixing problems. Access to these reports is restricted to only a few IT-focused roles. Moreover, Microsoft generally takes the step of concealing user, group, and site information by default. Revealing identifiable user information is a logged event in the Microsoft 365 compliance center audit log.”
  • “Our standards for aggregated insights, restricted role-based access controls, masking or ‘pseudonymized’ user information by default, and making the revealing of personal information an auditable event are largely consistent across the Microsoft 365 suite.”

"Hybrid work is best achieved and managed through strong communication, learning and empathy, beyond technology metrics alone. We’re committed to giving our customers the tools and information necessary to make informed decisions on how data is viewed and used. As our products and services evolve, we’re listening to customers and updating features to reflect their feedback and requirements."