Legal Problem; the moment you log this crap as a company... It's discoverable. That sexual harassment lawsuit that just came up? You are legally required to now do a data hold on all these keylogs and screenshots you took. Oh and now you have to explain to a jury how you don't fall into the common charge of "could have or should have known" that abuse was occurring. I mean, you had all these logs and you still let this go on!?
Any corporation that collects these logs is asking for danger. Give a good law firm that much data, they will nail you.
Not to mention if you fire someone for burning time and they sue for wrongful termination and you get an e-discovery request to see if you applied that surveillance to everyone equally. Let's request a random selection of logs from 10 staff members in the same or related roles.
This level of monitoring can get you in some huge problems.
Yes, I think the larger your company the less effective this "bossware" is. If you imagine collecting this amount of data on every sales, design, eng, product manager, director, vp, exec at a place like Google or Facebook the sheer amount of legally precarious logs would probably tilt toward liability.
I worked at a medium-sized tech company, and one employee sent an e-mail to another employee about how one of our product logos looked very similar to another logo in a similar product space. It was similar enough, and the products closely related enough, that this concern would have kicked off a re-branding effort or something like that... but since it was an e-mail, it sent off red flags all the way up to executive level. Triggered overseas flights, high-level meetings, legal involvement. Everyone working on the project immediately put on white gloves.
Made me think that more often than not, it's just better off for management to "not know", or at least have what they call plausible deniability.
> I worked at a medium-sized tech company, and one employee sent an e-mail to another employee about how one of our product logos looked very similar to another logo in a similar product space. It was similar enough, and the products closely related enough, that this concern would have kicked off a re-branding effort or something like that... but since it was an e-mail, it sent off red flags all the way up to executive level. Triggered overseas flights, high-level meetings, legal involvement. Everyone working on the project immediately put on white gloves.
> Made me think that more often than not, it's just better off for management to "not know", or at least have what they call plausible deniability.
What, what? Can you clarify?
Here's my understanding:
* employee saw a problem and sent an email to notify others about it
* management reacted with "white gloves" ???
* therefore, management should have plausible deniability of problems
I'm not sure I agree with that conclusion but I'm also having trouble understanding how that conclusion was reached.
I don't think it's reasonable for management to have plausible deniability when red flags about products are raised by employees.
Email is trivially archived by everyone, and people say stupid things that can be data mined later to demonstrate intent.
Look at social media brigading when the mob decides someone is "bad". Some evidence that <target> hates kittens will be found in an email from 2005. That happens in the office too, except it's done by attorneys instead of internet randos.
I think they’re saying it could have been handled quickly by changing their logo but because it was pointed out a lot of people who didn’t need to be involved swooped in to “do it properly” which resulted in a lot more complexity.
Rather than what it sounds like which is employees should provide cover for executives by not informing them of legal issues in a manner that means there is a record. Which sounds ethically dubious as well as a terrible idea for the individual employee.
> That sexual harassment lawsuit that just came up? You are legally required to now do a data hold on all these keylogs and screenshots you took. Oh and now you have to explain to a jury how you don't fall into the common charge of "could have or should have known" that abuse was occurring. I mean, you had all these logs and you still let this go on!?
I can understand lawyers making that case, but do juries actually agree with that? Lots of organizations collect internal data en masse but it's all siloed away and disconnected - so while the company-as-a-whole has all the data, no-one inside the company could combine it together (or more likely: no-one inside the company even considered that they could combine the data together).
Hypothetically, if a company was doing everything - including logging every keystroke, instant-message chat and recording every audio and video call - but just archived it without doing any information-extraction - or they tried but the signal-to-noise ratio was too low, would that convince a judge to instruct a jury to disregard that?
And isn't that why investigative agencies seemingly stopped asking ISPs and legislatures to record everyone's search-engine queries and DNS lookups - simply because the amount of actionable, useful data is impossible to find until some-bad-thing already happened?
I wouldn't take that bet. Though, I think it would be up to a prosecuting attorney to subpoena and present the right evidence.
One way to protect the average employee from the overreach of bossware might be to teach prosecuting attorneys to weaponize it against its users (i.e. the bosses). But that would ultimately involve shining light on data whose exposure might harm the very employees that we're trying to protect.
It probably depends on whether the legal requirements are relative or absolute, and I don't know which they are. If the law explicitly stated measures you must take, they're probably fine. If the requirements use some kind of relative phrasing like that they must take "reasonable measures" to prevent sexual harassment, having all of that data already available might shift some jurors perspective of what "reasonable measures" are.
I wouldn't expect a judge to instruct a jury to disregard it, even in the case of signal to noise. There's nothing that makes the evidence inadmissible afaik (not a lawyer, so I could very well be wrong). It would be up to the plaintiff to demonstrate that the company failed in their obligations, and up to the company to defend that what they did was adequate.
> And isn't that why investigative agencies seemingly stopped asking ISPs and legislatures to record everyone's search-engine queries and DNS lookups - simply because the amount of actionable, useful data is impossible to find until some-bad-thing already happened?
The use of that data is also very different. There are a small number of crimes where a DNS lookup or search query is a crime in and of itself. Probably none, without other evidence. At best, they're circumstantial evidence.
In the case of digital communications, there are a lot of civil crimes that can be contained entirely within the communications. Sexual harassment, unlawful trade practices, etc. Likewise, the NSA is probably far more interested in everyone's email and chat than they are DNS lookups and search queries.
> would that convince a judge to instruct a jury to disregard that?
I doubt a judge would make that decision unless the data was somehow "poisoned" and can't be brought to trial.
Most likely the prosecution would bring it up, the defense would counter and it would be up to the jury to decide how relevant it is.
Saying "we strive for a harassment-free workplace, but didn't bother to check the data we've been collecting for the past 5 years" wouldn't fly very well with a jury.
Many collect evidence for something after the fact. "We don't look at the data unless something has come up, because it would be a privacy violation otherwise". Which is pretty much how the police are supposed to work in normal life either way.
That is still violating privacy laws in EU, potentially. You cannot even give a blanket agreement for "work related" because that does not hold under scrutiny due to simple employee mistakes. You would be collecting more data than agreed upon.
So you are tracking all of this data to ensure your employees are productive and on task, but keeping them productive and on task doesn't include stopping them from sexually harassing my client?
Oh, you tried to prevent sexual harassment, but it was hard because you collected too much data on your employees' actions?
Leave it to hn to spin a culture problem as a compliance concern. If you're dickriding your employees every keystroke, your leadership methods and corporate governance are the fucking problems.
Employees aren't cattle.
Edit: and let me be clear, corporate spyware preys exclusively on companies with weak and incompetent management. All it does is let them buckpass to the next performance eval.
No, more like leave it to HN to have comments providing a completely different perspective and framing of the problem than what you’d expect. Some variant of the above article has been posted dozens of times across multiple message boards and link aggregators since the pandemic began, the consensus is always that the software is horrible and a huge invasion of privacy and on and on (which it is, but we already knew that). I’m thankful for the above commenter’s framing of the issue as it’s something I hadn’t considered and haven’t seen in any of the previous comment sections.
That's why I keep coming back to HN. I'll see the media coverage on some issue, then check HN where some insider actually knows what's going on and it turns out the media has no clue.
I make no claim that what I say from either end of my digestive tract has any value, but reading critically what others say is usually more interesting here than elsewhere.
Exactly, it's also an interesting perspective in that while some people may not care about the privacy of their employees, they probably care about lawsuits and their bottom line.
Fair enough, but from a utilitarian point of view the grandfather comment is the most effective way to achieve your aims.
Lots of middle management types _want_ to dickride employees- pointing this out only makes them more eager to (ab)use bossware. Pointing out that bossware can get them into trouble however is an effective way to prevent its adoption.
Who forms a company that writes this corporate spyware and proudly sells it during a pandemic? Seems like that could be the "culture problem"? Is it the "incompetent managers" who are writing this code?
I worked for a company that put stuff like this on people’s systems. Small software shop, I think one of the owners was just a control freak. The business was successful and otherwise seemingly well run, I’ve certainly worked at worse places in my life.
It's not just discovery for internal issues. Imagine the fun any law firm could have for discovery. Trademark issues? Patent violations? Any competent in-house counsel should ban this type of software.
Unfortunately a good counsel could easily say that even with all this data, they couldn't predict the future and prevent the sexual assault from happening. Luckily though, they did have this data to inform themselves of what really happened, and that allowed them to make a swift and fair decision to help the victim. They even turned it over to the victim's counsel so they could bring it to court.
At the end of the day, the perception of good faith can be more important than anything else. So what if they didn't prevent anything? As long as they clean up the mess afterwards they can still walk away the good guys. And it's this spyware that lets them do this.
So you had screenshots and keystrokes? Our client has printed emails where her boss made unwelcome sexual advances. Did you design this data retention policy to hide systematic sexual harassment in your company?
Also anything less than 90 days is likely to raise some eyebrows. Also, you're not the one pulling data in all cases. In some events the court will order your cooperation with a neutral third party for e-discovery. They will come in and perform data forensics on the assets in question.
> So you had screenshots and keystrokes? Our client has printed emails where her boss made unwelcome sexual advances. Did you design this data retention policy to hide systematic sexual harassment in your company? Also anything less than 90 days is likely to raise some eyebrows.
Would this be enough to convince a judge/jury? AFAIK a lot of companies/govt agencies have short retention windows specifically to frustrate discovery, so it has to be working. Granted, they're not as low as 3 days. Is 90 days the magic period where it's long enough to plausibly say you're not doing it to frustrate discovery?
> Also, you're not the one pulling data in all cases. In some events the court will order your cooperation with a neutral third party for e-discovery. They will come in and perform data forensics on the assets in question.
That probably isn't an issue if your third party shreds the data after the retention policy. For "security purposes", of course.
I've seen this sort of statement on technical forums (such as HN) regularly. It makes sense logically and I want to agree with it.
But I've also been in organisations big enough to have multiple full time in-house counsel, and more often than not the desire to run software like this comes from those legal people.
I don't know who is in the right but I do know that people who study law and not tech seem more likely to have argued this is a good thing for an organisation.
Not just things like sexual harassment issues, there are plenty of reasons why internal communications and activity might not look great for the company if it came to a lawsuit. Just ask Cox Communications about how their abuse team's talk about the DMCA went for them. Now it won't just be overly candid email being scrutinized, but what websites the employees visit, what posts they liked, their chats, even their workflow. Why keep all that ammo around to be used against you?
Yup. My company went with gChat and have a global setting where messages disappear after about 10 minutes.
It was exactly the reason you stated. Not necessarily that they were worried bad things would happen (but in a big enough company the chance is high), but just the compliance requirements. If someone falls under a legal hold, all of that has to be collected and retained on a schedule.
Easier just to wipe it out after a set time period via a global policy.
Aside from being a testimony of bad management. If you cannot get your workers to work, change your job.
I don't really like people helping development for surveillance systems. Yes, companies have an interest to know if work is significantly affected from slacking, so maybe talk to your employees. You don't even need the legal threat.
But having all the data does not imply you know and understand all the data.
Didn't, for example, the various agencies "know" in advance of any terror attack, meaning they had data that clearly implied person x was going to blow?
I read that in variations for almost any terror attack/amok that has happened so far.
But data analysis in hindsight is easy, you have to put that important data in context to the huge pile of other data you also have and your very limited human processing power.
(for example the dark internet is full of people threatening to blow up or kill something)
Meaning, I do not endorse worker surveillance at all, but maybe this is not the way to stop it. Also, many claim it is for the benefit of the worker, because having that data can help improve workflows and avoid accidents/errors. Which is a valid point, I think, but I still would never agree to be under total control of my supervisors.