Report calls on law enforcement and policymakers to use existing tools to protect the workplace
New York, NY — A new investigation released today finds that workplace monitoring platforms are systematically sharing personal data about workers and online activity with hundreds of outside data brokers and big tech companies in ways that are not clearly disclosed and that, in some cases, may contradict the platforms’ own privacy policies. The researchers examined nine widely used workplace monitoring platforms — Apploye, Deputy, Desklog, Hubstaff, Monitask, Buddy Punch, Time Doctor 2, Vericlock, and When I Work, tracking how each app collects and shares worker data in practice.
The report was authored by researchers at the Khoury College of Computer and Information Sciences at Northeastern University; the Vanderbilt Policy Accelerator at Vanderbilt University; the Center for Consumer Law and Economic Justice at UC Berkeley Law School; and the Center for Law and the Economy at Columbia Law School. The research team included technologists, scholars, and former law enforcement officials from the Federal Trade Commission and the Consumer Financial Protection Bureau.
What Researchers Found
The research team undertook a first-of-its-kind assessment of how bossware companies collect and share data with third parties by signing up as an employer, setting up bossware services for workers, then logging in as an employee. They captured all the data sent by bossware websites and apps to third-party sites. The findings of that investigation include:
Worker data shared. All (9 of 9) workplace monitoring platforms directly shared identifying worker data including first name, last name, email, and company to third parties. The researchers recorded 121 unique instances of worker data being shared with companies including Facebook, Google, Microsoft, and AppLovin (a mobile advertising platform).
Online activity shared. The 9 workplace monitoring platforms in the sample shared information about workers' online activities (such as IP address, device information, web pages visited, unique identifiers, etc.) to a total of 145 unique third-party domains including facebook.com, linkedin.com, bing.com, google.com, googletagmanager.com, stripe.com (an online payment processing company), and yandex.com (a Russian tech company known for its search engine).
Location tracking. One third of the workplace monitoring platforms in the sample have features that track workers’ precise location at any time – even when the app is in the background or potentially when the worker is clocked out. Separately, 3 of 9 apps can be set to require giving access to motion sensor data (via accelerometer or gyroscope) to clock in.
“Our findings show workplace monitoring platforms are repeating the same failures we've seen in consumer surveillance — often with even fewer protections for the people harmed,” said Stephanie Nguyen, Senior Fellow at Columbia Law School’s Center for Law and the Economy. “Policymakers, lawmakers and regulators need to put hard limits on what can be collected, how long it can be kept, and who it can be shared with.”
"This report is a wake-up call that workers need better privacy and consumer safeguards,” said Seth Frotman, Senior Fellow at the UC Berkeley Center for Consumer Law & Economic Justice and Columbia Law School’s Center for Law and the Economy. “For too long, workplaces have been unfairly shielded from following basic consumer protection laws, and these shady practices have filled that vacuum. Working people need law enforcement to investigate these practices and policymakers to step up and create effective protections."
"'Bossware' is increasingly common in jobs of all kinds, and workers likely have no idea that their data is being systemically collected and distributed to unknown data brokers and tech companies,” said Ganesh Sitaraman, Director at Vanderbilt Policy Accelerator. “This troubling report makes it clear that policymakers and regulators must act to crack down on the sharing of sensitive employee data."
A Call for Urgent Policy Action
The report argues that protections currently in place to protect workers from employee surveillance, including sharing of their workplace data, are insufficient. It calls on policymakers, lawmakers, and regulators to act. Key recommendations include banning the sale or sharing of worker data, prohibiting unlimited data retention, and barring collection of sensitive employee information. The report also urges enforcement agencies to examine whether current practices violate existing federal and state law, including the Fair Credit Reporting Act and Unfair and Deceptive Acts & Practices (UDAP) statutes.
“This kind of worker monitoring is particularly pernicious—these workers often have no choice about data collection, no insight into when they are being monitored, and virtually no control over how their data is used,” said Dave Choffnes, Professor at Northeastern University. “There is enormous potential for harm—not just as it relates to privacy writ large, but also specifically in the context of maintaining current and future employment.”
The full report is available at: https://scholarship.law.columbia.edu/law_economy/5/. The website is available at: https://workplacemonitoring.khoury.northeastern.edu/
About Cybersecurity and Privacy Institute at Northeastern University
The Cybersecurity and Privacy Institute at Northeastern University is dedicated to the safeguarding of critical technology through research and education. Collaborating with experts in industry, government, and academia worldwide, the Institute’s faculty and students research, develop, and enhance technologies on which the world relies. Learn more at https://cyber.northeastern.edu/
About the Center for Law and the Economy at Columbia Law School
The Center for Law and the Economy at Columbia Law School advances the study, practice, and implementation of laws and policies that structure the U.S. economy. The center brings together experienced policy advisors, technologists, attorneys, researchers, and scholars to develop timely research across antitrust, consumer protection, financial regulation, tech policy, and other areas of public economic law, and to train the next generation of policy leaders. Learn more at law-and-economy.law.columbia.edu
About the Vanderbilt Policy Accelerator
The Vanderbilt Policy Accelerator(VPA) focuses on cutting-edge topics in political economy and regulation to swiftly bring research, education, and policy proposals from infancy to maturity. Follow VPA on Substack at https://vanderbiltpolicyaccelerator.substack.com/
About the UC Berkeley Center for Consumer Law & Economic Justice
The Center for Consumer Law & Economic Justice at U.C. Berkeley School of Law is dedicated to ensuring safe, equal, and fair access to the marketplace. The Center works to create a society where economic security and opportunity are available to all. Learn more at consumerlaw.berkeley.edu or follow us on Instagram @ucbconsumerlaw, LinkedIn @berkeley-center-for-consumer-law-economic-justice, BlueSky @ucbconsumerlaw.bsky.social, or X @UCBConsumerLaw