|
Top-level
Employers can customize the systems from Forcepoint/Everfox and Microsoft. They can either limit or expand data sources and profiling, and apply it either to only a few employees or to their entire staff. They can implement more or less effective safeguards such as pseudonymization, access control and auditing. I'm addressing Microsoft's privacy and data protection measures in section 4.10. Microsoft's "audit log" can serve both as an additional surveillance tool and as an accountability tool. 3 comments
More problematic, Microsoft systematically incentivizes employers to expand risk surveillance. Its 'compliance manager' uses quantification/metrics, game mechanisms and recommendations to tell organizations that they should set up and configure various security, risk and compliance products, some of them involving extensive employee monitoring and profiling. This includes extensive personal data processing and profiling just to show customers how Microsoft can analyze extensive employee data. The findings of the report suggest that the security+risk profiling systems offered by Forcepoint/Everfox, Microsoft and other vendors help normalize pervasive employee surveillance and contribute to its expansion. Unions, worker representatives and work councils can only be advised to carefully discuss and negotiate the potential deployment of SIEM, UEBA, DLP, insider risk or communication monitoring systems with employers. Several features can probably not be deployed in Germany or Austria. |
Gregory's Server
In any case, software vendors influence and shape how these systems are used.
Microsoft recommends that customers monitor all employee communication at least for “harassment or discrimination detection”. It is doubtful whether intrusive surveillance, which opens the door for applying it other purposes, is an appropriate solution here.
It may rather represent an intrusive technological pseudo-fix for issues that are deeply embedded in corporate cultures and deserve much more serious attention.