pexels
Show Hide image

Bosses’ right to snoop on staff emails is an invasion of privacy and ignores the way we work

Bosses can look at whatever we do on work devices, as long as this policy is communicated to employees first. Is this a step too far?

Since Edward Snowden revealed the existence of internet surveillance programmes such as XKeyScore, Prism and Tempora, there have been many discussions of digital snooping and its implications for privacy, freedom and civil rights.

Public discourse has focused on the dangers of the emergence of a surveillance-industrial-complex, in which secret services, global communications corporations and private security companies collaborate.

This focus has somewhat distracted public attention from another form of snooping that affects many of us in everyday life: employee surveillance. A recent ruling of the European Court of Human Rights (ECHR) has alerted us of the developments in this realm of surveillance: a Romanian engineer complained to the ECHR about his dismissal in light of his personal use of Yahoo Messenger on a company device during working hours. He had not just messaged professional contacts, but also his family.

The ECHR rejected the complaint that the company’s monitoring of the employee’s communications violated Article 8 of the European Convention on Human Rights, which protects everyone’s “right to respect for his private and family life, his home and his correspondence”.

Who’s watching you work?

Companies’ surveillance of employees’ online communication is widespread. According to a survey of 300 company recruiters, 91 per cent of British employers check job applicants’ social media profiles. Another poll showed that in the US, 66% of employers monitor their employees’ internet browsing and about a third have fired workers for internet misuse.

But why is there so much employee surveillance today? Companies in general tend to favour the surveillance of communications of job applicants, their workplace and staff, property, consumers and competitors in order to ensure control over the production, sale and consumption of their commodities, thereby guaranteeing the accumulation of capital. Surveillance and control are inherent features of capitalism.

The key point in the ECHR’s ruling is that there has been “no violation of Article 8 of the convention” because the court found “that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours”.

It is important to note that the ECHR’s judgment was taken acknowledging that the company monitored two Yahoo Messenger accounts of the dismissed employee, one used for professional and one used for private purposes. The implication is that employers are legally allowed to monitor all employee communications during working time on company-owned devices.

Always on the job

The ECHR’s legal judgment seems to disregard changes to working life in the digital age that do not allow us to strictly separate working and leisure time. Under the conditions of neoliberal digital capitalism, the boundaries between working and leisure time, the workplace and the home, labour and play, production and consumption, and the private and the public have become blurred and liquefied.

Employees tend to also access and answer e-mails at home as well as on the way to work and back home. Many people search for job-related information on the internet out of regular working hours at home, in cafés, on the train – anywhere you care to imagine. Social media profiles often have no clearly private or professional character because social media are convergence media – our online contacts and communication involve people from different social contexts, including our family life and friendship groups and involve our working life, politics, civil society engagement and the rest.

The general tendency is that there is a 24/7 always-on culture that benefits companies’ profits and turns ever more leisure time into labour time.

Given that under such conditions many employees tend to complete professional tasks out of regular working hours, it is ethically unreasonable to grant employers the legal right to monitor all employee communications on company-owned or other devices. It is also not reasonable to assume that all employees can carry around multiple privately and company-owned laptops, mobile phones and tablets that they use either for personal or professional purposes with separate private and professional social media and email accounts at clearly defined and separated times of the day in order to communicate with neatly separated groups of private and professional contacts.

Need for flexibility

An employee messaging a personal friend via social media on a device owned by the company he works for, using either his personal or professional ID, is taking a break from work. Given the complexity of today’s economy and the emergence of flexible working times, it is feasible to assume that employees’ breaks also need to be flexible. Company rules, regulations and legislation need to be brought up to date with these complexities.

The unfortunate reality seems, however, to be that many employers, legislators and judiciaries assume that large parts of the day have to be seen as labour time that employers are allowed to monitor. In my view, such surveillance practices do not merely undermine the right to privacy and the right to private and family life, but also the “right to rest and leisure, including reasonable limitation of working hours”. They furthermore advance a workplace culture of suspicion, distrust and control that harms both employees and companies.

Adequate protection of workers’ rights in the digital age is a key political task. It can only be achieved by strengthening existing protections at the European and global level in the interest of working people, not by undermining such rights in the interest of corporations. In the digital age, labour time continues to be a strongly contested realm of human life.

The Conversation

Christian Fuchs is a Professor of Social Media at the University of Westminster

This article was originally published on The Conversation. Read the original article.

Getty
Show Hide image

Marcus Hutchins: What we know so far about the arrest of the hero hacker

The 23-year old who stopped the WannaCry malware which attacked the NHS has been arrested in the US. 

In May, Marcus Hutchins - who goes by the online name Malware Tech - became a national hero after "accidentally" discovering a way to stop the WannaCry virus that had paralysed parts of the NHS.

Now, the 23-year-old darling of cyber security is facing charges of cyber crime following a bizarre turn of events that have left many baffled. So what do we know about his indictment?

Arrest

Hutchins, from Ilfracombe in Devon, was reportedly arrested by the FBI in Las Vegas on Wednesday before travelling back from cyber security conferences Black Hat and Def Con.

He is now due to appear in court in Las Vegas later today after being accused of involvement with a piece of malware used to access people's bank accounts.

"Marcus Hutchins... a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan," said the US Department of Justice.

"The charges against Hutchins, and for which he was arrested, relate to alleged conduct that occurred between in or around July 2014 and July 2015."

His court appearance comes after he was arraigned in Las Vegas yesterday. He made no statement beyond a series of one-word answers to basic questions from the judge, the Guardian reports. A public defender said Hutchins had no criminal history and had previously cooperated with federal authorities. 

The malware

Kronos, a so-called Trojan, is a kind of malware that disguises itself as legitimate software while harvesting unsuspecting victims' online banking login details and other financial data.

It emerged in July 2014 on a Russian underground forum, where it was advertised for $7,000 (£5,330), a relatively high figure at the time, according to the BBC.

Shortly after it made the news, a video demonstrating the malware was posted to YouTube allegedly by Hutchins' co-defendant, who has not been named. Hutchins later tweeted: "Anyone got a kronos sample."

His mum, Janet Hutchins, told the Press Association it is "hugely unlikely" he was involved because he spent "enormous amounts of time" fighting attacks.

Research?

Meanwhile Ryan Kalember, a security researcher from Proofpoint, told the Guardian that the actions of researchers investigating malware may sometimes look criminal.

“This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure," said Kalember. "Lots of researchers like to log in to crimeware tools and interfaces and play around.”

The indictment alleges that Hutchins created and sold Kronos on internet forums including the AlphaBay dark web market, which was shut down last month.

"Sometimes you have to at least pretend to be selling something interesting to get people to trust you,” added Kalember. “It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference.”

It's a sentiment echoed by US cyber-attorney Tor Ekeland, who told Radio 4's Today Programme: "I can think of a number of examples of legitimate software that would potentially be a felony under this theory of prosecution."

Hutchins could face 40 years in jail if found guilty, Ekelend said, but he added that no victims had been named.

This article also appears on NS Tech, a new division of the New Statesman focusing on the intersection of technology and politics.

Oscar Williams is editor of the NewStatesman's sister site NSTech.