I published a new report that shows how today's cybersecurity...

I published a new report that shows how today's cybersecurity and risk profiling systems are turning into employee mass surveillance and predictive policing tools.

Based on log, device and network data,
they let companies monitor almost everything employees do or say.

We need a serious debate about what is necessary and proportionate for what purpose and about safeguards that prevent misuse.

My 76-page report focusing on software from Forcepoint/Everfox and Microsoft:
https://crackedlabs.org/en/data-work/publications/securityriskprofiling

Like 27 August at 20:30 | Open on mastodon.social

33 comments

Wolfie Christl

The report is part of a larger project which examines how employers (mis)use worker data, funded by Austrian Arbeiterkammer:
https://crackedlabs.org/en/data-work

To illustrate wider practices, the report investigates software for cybersecurity and risk profiling from two major vendors including Microsoft. While employers can use these systems for legitimate purposes, the report focuses on potential implications for employees.

The Register's @thomasclaburn wrote about my research:
https://www.theregister.com/2024/08/27/microsoft_workplace_surveillance/

The report is part of a larger project which examines how employers (mis)use worker data, funded by Austrian Arbeiterkammer:
https://crackedlabs.org/en/data-work

Expand text...

27 August at 20:34 | Open on mastodon.social

Wolfie Christl

First, the report investigates insider risk and behavioral monitoring technology offered by Forcepoint, a major US cybersecurity vendor that is affiliated with the defense/intelligence sector.

Forcepoint promises to help organizations identify cyberattacks and employees who are considered a risk, whether by carelessness, negligence or intention.

Potential threats include “disgruntled employees” who had a “huge fight with the boss” and “internal activists” who leak information to journalists.

27 August at 20:49 | Open on mastodon.social

Wolfie Christl

Forcepoint's systems can analyze:

- data from employee computers/devices, e.g. file, web, app, clipboard, keyboard, screen activity
- employee communication contents, e.g. email, chat, voice calls
- networking data, e.g. firewall, proxy
- performance reviews from HR systems
- data on physical access to buildings and rooms via badging systems
- activity log data from many other software systems, e.g. Microsoft, Salesforce, SAP, Cisco
- external data, e.g. criminal history, financial distress

27 August at 20:59 | Open on mastodon.social

Wolfie Christl

Based on behavioral profiling, Forcepoint's technology continuously calculates risk scores for employees, singles out those who are assessed as suspicious, ranks them by risk and raises alerts.

To identify 'anomalous' behavior, it can analyze behavioral data on many or all employees, which is recommended by Forcepoint.

27 August at 21:01 | Open on mastodon.social

Wolfie Christl

The system uses 'behavioral risk models' to assess whether employees are in financial distress, show 'decreased productivity' or intend to leave the job, how they communicate with colleagues and whether they access 'obscene' content or show 'negative sentiment' in their communications.

Here's a list of built-in risk models, see p. 16 in my report:
https://crackedlabs.org/dl/CrackedLabs_Christl_SecurityRiskProfiling.pdf

27 August at 21:04 | Open on mastodon.social

Wolfie Christl

Forcepoint was until recently owned by defense giant Raytheon. Its behavioral surveillance tech was initially funded by the CIA's venture capital firm In-Q-Tel.

A co-founder of RedOwl which later became Forcepoint Behavioral Analytics is a former US army intelligence and NSA officer who was previously the CEO of Berico, which was involved in a large-scale plan to discredit labor unions in the US.

Overall, Forcepoint claims to analyze 5 billion activity records per day from 900 million devices.

27 August at 21:10 | Open on mastodon.social

Wolfie Christl

Note: The research in the report and in this thread refers to products offered by Forcepoint up until late 2023.

In late 2023, Forcepoint's government cybersecurity business was sold to a private equity firm and rebranded as "Everfox".

As of August 2024, Everfox appears to be the entity selling the user activity monitoring, behavioral analytics and insider threat systems previously offered by Forcepoint:
https://assets.everfox.com/app/uploads/2024/01/29091641/Datasheet_Insider-Risk-Solutions.pdf

27 August at 21:13 | Open on mastodon.social

Wolfie Christl

Section 2 in the report provides an overview of cybersecurity and risk profiling systems that process extensive data on employee behavior and communication, aim to detect activities that are considered suspicious and provide functionality to further investigate employees.

This includes software for “security information and event management” (SIEM), “user and entity behavior analytics” (UEBA), insider risk management and communication monitoring.

Microsoft also provides all of them, therefore:

27 August at 21:23 | Open on mastodon.social

Wolfie Christl

Second, the report investigates software offered by Microsoft, whose 'Purview' and 'Sentinel' systems provide similarly intrusive surveillance, behavioral profiling, insider threat and communication monitoring functionality - based on a detailed analysis of software documentation.

Microsoft's cybersecurity and risk profiling technology is easily available to many medium- to large-sized employers globally who already use Microsoft software.

27 August at 21:27 | Open on mastodon.social

Wolfie Christl

Microsoft Purview's 'communication compliance' module offers to monitor and scan email and chat conversations, voice calls, meeting transcripts and file contents in real time for many purposes ranging from 'acceptable use' to regulatory compliance, cybersecurity, insider threat detection and criminal misconduct.

27 August at 21:29 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Microsoft's communication monitoring system promises to detect 'profanity', 'offensive language', 'inappropriate text' and harassment but also corporate sabotage, data leaks, bribery, money laundering, insider trading, conflicts of interest and 'workplace collusion'.

Very different purposes.

Employers can receive alerts when certain keywords are mentioned. They can “train” custom AI classifiers by providing a small number of text samples that represent the type of content they want to detect.

27 August at 21:36 | Open on mastodon.social

Wolfie Christl replied to Wolfie

The system can analyze communication and document contents in Microsoft 365, Exchange, Teams, Zoom, Slack, Webex and, via custom integrations, in any other system.

Via TeleMessage's on-device access and mobile carrier partnerships it can access calls/SMS from mobile phones or even encrypted messages (e.g. Whatsapp, Signal).

Section 6 summarizes data practices/sources/purposes for the systems examined in my report. Here's the summary for the Microsoft Purview 'communication compliance' module.

27 August at 21:47 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Purview also provides a dedicated 'insider risk management' solution.

Microsoft suggests focusing on employees with a 'predisposition' to 'violate company policies', and on 'disgruntled employees' who received 'poor performance reviews', were demoted or are to be terminated.

27 August at 21:55 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Like Forcepoint/Everfox, Microsoft's insider risk tech promises to detect suspicious employee behavior and communication.

It calculates risk scores for employees and ranks them by risk. To detect 'unusual' behavior, it can profile behavior across many employees, and over time.

A lot of personal data processing and profiling.

27 August at 21:58 | Open on mastodon.social

Wolfie Christl replied to Wolfie

In addition to employee communication, the system can access device and browser data on file/app/web activity, meetings, 'employee profile data', performance rating from HR systems, badging data, and activity data from other software provided by Microsoft (e.g. Exchange, Teams, OneDrive, Entra, Defender) and other vendors (e.g. Salesforce, Dropbox, SIEM systems).

Section 6 in my report summarizes the data practices/sources/purposes identified for the Purview insider risk management system.

27 August at 22:04 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Employers can then use Microsoft Purview's communication monitoring and insider risk systems to further investigate 'suspicious' employees and their past behavior, including their website visits, file and application usage, badging activity and communication contents.

For 'forensic' investigations, employers can access screen recordings and fine-grained user interaction data.

27 August at 22:06 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Indicators that contribute to assessing employees as potential 'insider threats' can include "unacceptable web usage" or "risky browser usage".

Microsoft explains that “workplace stress may lead to uncharacteristic or malicious behavior” by employees that could “surface as potentially inappropriate behavior” in employee communication.

It suggests to use the system to address a wide range of "risks from illegal, inappropriate, unauthorized, or unethical behavior and actions" by employees.

27 August at 22:09 | Open on mastodon.social

Wolfie Christl replied to Wolfie

While Microsoft Purview combines various tools for security, risk profiling and compliance, Microsoft Sentinel specifically promises to help organizations prevent cyberattacks, including by 'insiders'.

At its core, Sentinel is a 'security information and event management' (SIEM) system. It analyzes log data on device, file, process, network and mail activity, up to millions of log records per second, including activity logs from Office, Exchange, Teams, Salesforce, SAP, Confluence/Jira, Zoom...

27 August at 22:13 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Sentinel can analyze log data from an organization's entire IT infrastructure.

As it can process alerts about suspicious employees from Purview (communication compliance, insider risk), Forcepoint/Everfox and other systems, it becomes a combined security and risk surveillance system.

Section 6 in my report summarizes the data practices/sources/purposes identified for Microsoft Sentinel.

27 August at 22:16 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Like the insider systems from Microsoft and Forcepoint/Everfox, the Sentinel cybersecurity system can calculate risk scores for employees, single out those who are assessed as suspicious, detect 'anomalous' behavior, and put employees on 'watchlists'.

Organizations can then investigate their activity in detail to understand whether a suspicious user is an "engineer who often performs unusual activities as part of their job" or a "disgruntled employee who just got passed over for a promotion".

27 August at 22:28 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Organizations can use Microsoft Sentinel also to perform 'dragnet' searches for certain behaviors across log data sources according to various criteria in real time.

Via the query language KQL, they can search, for example, for employees who access certain resources or use 'noisy language' in emails.

Almost any functionality in Sentinel, including pre-built detections and reports, is based on KQL. Employers can search up to seven years of log data and 'bring' their 'own' ML models to Sentinel.

27 August at 22:39 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Yes, organizations must protect themselves from cyberattacks, data loss and criminal misconduct. This is not optional, and, in several ways, mandated by law (which itself may be problematic in some cases, e.g. NIS-2).

Nevertheless, intrusive security and risk surveillance raises serious concerns about misuse by employers, disproportionate monitoring and profiling across purposes, flawed risk assessments and arbitrary suspicions.

27 August at 22:42 | Open on mastodon.social

Wolfie Christl replied to Wolfie

The systems examined in the report can be considered corporate mass surveillance systems. Similar to predictive policing tech, they promise not only to detect incidents but to prevent them before they occur.

Employers can potentially misuse them to spy on employees, target organized labor, suppress internal dissent, apply excessive behavioral policing or impose arbitrary disciplinary action.

Remember when Amazon was officially looking for an 'intelligence analyst' to spy on 'organized labor'?

27 August at 22:50 | Open on mastodon.social

Wolfie Christl replied to Wolfie

As discussed in the final section of my report, today's cybersecurity and risk profiling systems can put employees under general suspicion and undermine privacy, human dignity, autonomy, freedom of expression and trust in the workplace.

No, employees do not lose any fundamental rights at work, certainly not in Europe.

Of course, this kind of surveillance generally increases the information and power asymmetry between organizations and employees.

27 August at 22:53 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Plus, increased risk surveillance can intensify performance monitoring:

When employees with 'poor' performance reviews receive extra scrutiny, employers can apply more rigid performance monitoring.

27 August at 23:03 | Open on mastodon.social

Wolfie Christl replied to Wolfie

Employers can customize the systems from Forcepoint/Everfox and Microsoft. They can either limit or expand data sources and profiling, and apply it either to only a few employees or to their entire staff. They can implement more or less effective safeguards such as pseudonymization, access control and auditing.

I'm addressing Microsoft's privacy and data protection measures in section 4.10. Microsoft's "audit log" can serve both as an additional surveillance tool and as an accountability tool.

27 August at 23:09 | Open on mastodon.social

Wolfie Christl replied to Wolfie

In any case, software vendors influence and shape how these systems are used.

Microsoft recommends that customers monitor all employee communication at least for “harassment or discrimination detection”. It is doubtful whether intrusive surveillance, which opens the door for applying it other purposes, is an appropriate solution here.

It may rather represent an intrusive technological pseudo-fix for issues that are deeply embedded in corporate cultures and deserve much more serious attention.

27 August at 23:21 | Open on mastodon.social

Wolfie Christl replied to Wolfie

More problematic, Microsoft systematically incentivizes employers to expand risk surveillance.

Its 'compliance manager' uses quantification/metrics, game mechanisms and recommendations to tell organizations that they should set up and configure various security, risk and compliance products, some of them involving extensive employee monitoring and profiling.

This includes extensive personal data processing and profiling just to show customers how Microsoft can analyze extensive employee data.

27 August at 23:29 | Open on mastodon.social

Wolfie Christl replied to Wolfie

The findings of the report suggest that the security+risk profiling systems offered by Forcepoint/Everfox, Microsoft and other vendors help normalize pervasive employee surveillance and contribute to its expansion.

Unions, worker representatives and work councils can only be advised to carefully discuss and negotiate the potential deployment of SIEM, UEBA, DLP, insider risk or communication monitoring systems with employers.

Several features can probably not be deployed in Germany or Austria.