|
Top-level
In addition to employee communication, the system can access device and browser data on file/app/web activity, meetings, 'employee profile data', performance rating from HR systems, badging data, and activity data from other software provided by Microsoft (e.g. Exchange, Teams, OneDrive, Entra, Defender) and other vendors (e.g. Salesforce, Dropbox, SIEM systems). Section 6 in my report summarizes the data practices/sources/purposes identified for the Purview insider risk management system. 15 comments
Indicators that contribute to assessing employees as potential 'insider threats' can include "unacceptable web usage" or "risky browser usage". Microsoft explains that “workplace stress may lead to uncharacteristic or malicious behavior” by employees that could “surface as potentially inappropriate behavior” in employee communication. It suggests to use the system to address a wide range of "risks from illegal, inappropriate, unauthorized, or unethical behavior and actions" by employees. While Microsoft Purview combines various tools for security, risk profiling and compliance, Microsoft Sentinel specifically promises to help organizations prevent cyberattacks, including by 'insiders'. At its core, Sentinel is a 'security information and event management' (SIEM) system. It analyzes log data on device, file, process, network and mail activity, up to millions of log records per second, including activity logs from Office, Exchange, Teams, Salesforce, SAP, Confluence/Jira, Zoom... Sentinel can analyze log data from an organization's entire IT infrastructure. As it can process alerts about suspicious employees from Purview (communication compliance, insider risk), Forcepoint/Everfox and other systems, it becomes a combined security and risk surveillance system. Section 6 in my report summarizes the data practices/sources/purposes identified for Microsoft Sentinel. Like the insider systems from Microsoft and Forcepoint/Everfox, the Sentinel cybersecurity system can calculate risk scores for employees, single out those who are assessed as suspicious, detect 'anomalous' behavior, and put employees on 'watchlists'. Organizations can then investigate their activity in detail to understand whether a suspicious user is an "engineer who often performs unusual activities as part of their job" or a "disgruntled employee who just got passed over for a promotion". Organizations can use Microsoft Sentinel also to perform 'dragnet' searches for certain behaviors across log data sources according to various criteria in real time. Via the query language KQL, they can search, for example, for employees who access certain resources or use 'noisy language' in emails. Almost any functionality in Sentinel, including pre-built detections and reports, is based on KQL. Employers can search up to seven years of log data and 'bring' their 'own' ML models to Sentinel. Yes, organizations must protect themselves from cyberattacks, data loss and criminal misconduct. This is not optional, and, in several ways, mandated by law (which itself may be problematic in some cases, e.g. NIS-2). Nevertheless, intrusive security and risk surveillance raises serious concerns about misuse by employers, disproportionate monitoring and profiling across purposes, flawed risk assessments and arbitrary suspicions. The systems examined in the report can be considered corporate mass surveillance systems. Similar to predictive policing tech, they promise not only to detect incidents but to prevent them before they occur. Employers can potentially misuse them to spy on employees, target organized labor, suppress internal dissent, apply excessive behavioral policing or impose arbitrary disciplinary action. Remember when Amazon was officially looking for an 'intelligence analyst' to spy on 'organized labor'? As discussed in the final section of my report, today's cybersecurity and risk profiling systems can put employees under general suspicion and undermine privacy, human dignity, autonomy, freedom of expression and trust in the workplace. No, employees do not lose any fundamental rights at work, certainly not in Europe. Of course, this kind of surveillance generally increases the information and power asymmetry between organizations and employees. Plus, increased risk surveillance can intensify performance monitoring: When employees with 'poor' performance reviews receive extra scrutiny, employers can apply more rigid performance monitoring. Employers can customize the systems from Forcepoint/Everfox and Microsoft. They can either limit or expand data sources and profiling, and apply it either to only a few employees or to their entire staff. They can implement more or less effective safeguards such as pseudonymization, access control and auditing. I'm addressing Microsoft's privacy and data protection measures in section 4.10. Microsoft's "audit log" can serve both as an additional surveillance tool and as an accountability tool. In any case, software vendors influence and shape how these systems are used. Microsoft recommends that customers monitor all employee communication at least for “harassment or discrimination detection”. It is doubtful whether intrusive surveillance, which opens the door for applying it other purposes, is an appropriate solution here. It may rather represent an intrusive technological pseudo-fix for issues that are deeply embedded in corporate cultures and deserve much more serious attention. More problematic, Microsoft systematically incentivizes employers to expand risk surveillance. Its 'compliance manager' uses quantification/metrics, game mechanisms and recommendations to tell organizations that they should set up and configure various security, risk and compliance products, some of them involving extensive employee monitoring and profiling. This includes extensive personal data processing and profiling just to show customers how Microsoft can analyze extensive employee data. The findings of the report suggest that the security+risk profiling systems offered by Forcepoint/Everfox, Microsoft and other vendors help normalize pervasive employee surveillance and contribute to its expansion. Unions, worker representatives and work councils can only be advised to carefully discuss and negotiate the potential deployment of SIEM, UEBA, DLP, insider risk or communication monitoring systems with employers. Several features can probably not be deployed in Germany or Austria.  |
Gregory's Server
Employers can then use Microsoft Purview's communication monitoring and insider risk systems to further investigate 'suspicious' employees and their past behavior, including their website visits, file and application usage, badging activity and communication contents.
For 'forensic' investigations, employers can access screen recordings and fine-grained user interaction data.