Employee behaviors substantially contribute to the likelihood of a cyber-attack. Whether attributable to clicking on phishing emails, viewing porn (very common), online gambling, or dating apps, each employee represents the opportunity for a digital vulnerability within any organization.
Some businesses choose to combat the hazards presented by their employees’ digital activities by blocking certain websites, using enhanced endpoint detection software, and imposing strict firewall configurations. More aggressive employers take it a step further and install spyware, referred to as “bossware,” on their employees’ computers.
“Bossware” programs are pre-installed software that stores the employee’s keystrokes and creates a log of all activity. More invasive bossware can create videos, initiate microphone activity, and create screenshots without the computer user ever becoming aware. And, unfortunately, these bossware programs do not discriminate between personal activity and workplace activity.
Bossware is *usually* legal. Excepting audio or video recording in areas designated for employee health like restrooms, employers can monitor digital activity, watch, and eavesdrop on employees provided that the employee was given notice of this surveillance. Sophisticated employers often include a “computer use policy” or similar provisions in the employee handbook in which the employee is informed that he/she/they does/do not have a right to privacy in his/her/their computer and smartphones. While there is a generally recognized claim for “intrusion on seclusion” available against employers who consistently and intentionally track and monitor employee behavior in a “highly offensive manner,” the employer’s actions are balanced, in part, against legitimate business interests.
However, the legality of an employer’s use of spyware does not immediately guarantee its positive utility. For employers, the benefits of bossware are the ability to identify nefarious employee conduct such as the acquisition of child pornography or trade secret theft. Additionally, employers can use bossware to identify how a cyber incident originated and use that data to enhance their cybersecurity practices and educate their employees against hazardous conduct. And in cases in which there are allegations of harassment in the workplace, digital communications can represent key items of evidence.
Spyware also comes with risks, and its manufacturers are not immune from malicious activity, whether victimized themselves by bad actors or intentionally disguising their own misconduct. In WhatsApp Inc. v. NSO Grp. Techs. Ltd, WhatsApp and Facebook sued NSO, an Israeli software company that owns Pegasus, a spyware product. Pegasus can remotely intercept text messages and exfiltrate a device’s logs and history.
WhatsApp claims NSO used WhatsApp encrypted messaging servers without authorization to distribute malware to WhatsApp users, as well as to install Pegasus on WhatsApp user devices without detection. NSO claimed immunity from US-based claims under the Foreign Sovereign Immunities Act, which both the 9th Circuit Court of Appeals and the United States Supreme Court denied. NSO is expected to argue that it distributed Pegasus at the behest of U.S. law enforcement interests.
The Federal Trade Commission maintains warnings against spyware use following its enforcement action against Spyfone.com, with its website stating that these digital surveillance tools can be misused to “steal personal information, send spam, and commit fraud.”
Regardless of the intent, good or bad, in monitoring employee activity, employers are smart to exercise caution before purchasing spyware products.