Security and Privacy Analysis of Employee Monitoring Applications
Workplace surveillance is not a new issue; however, recently there has been increasing adoption of Employee Monitoring Applications (EMAs) that observe employees' digital behaviour. This trend was advanced by the increase of remote work due to the COVID-19 pandemic and by the ease of deploying EMAs as the cloud computing industry accelerates. EMAs allow employers to monitor their workers' behaviours remotely, resulting in privacy concerns. EMAs use highly privileged functions to achieve their features, such as web browsing monitoring, key-logging, microphone monitoring, webcam monitoring, and remote takeover of the device. EMA vendors claim to protect company security and employee privacy. Our research challenge is to assess how well the vendors uphold their claims of protecting security and privacy. We develop a framework to assess security and privacy issues related to EMAs. Our framework applies dynamic and static analysis techniques to ten popular Windows EMAs. EMAs typically have a monitoring app, which is installed on an employee computer. The app collects and sends data to the backend server, which aggregates the data and displays it in a dashboard. The employer has access to the dashboard to view the collected data and configure monitoring settings. Our app-centred analysis is focused on issues such as insecure data transmissions, lack of certificate pinning, residual vulnerabilities after app uninstallation, security vulnerabilities due to use of a proxy, anti-keylogging, conformance to Windows privacy permissions, effectiveness of EMA privacy features, and determining a general monitoring profile. The app-centred analysis informs us whether EMAs are secure at the local and network levels. We also assess whether EMAs uphold their promises with regard to privacy.
Our backend analysis focuses on issues like password security, lack of input validation, open cloud storage, insufficient access control, server geolocation, and insecure configurations such as no HSTS enforcement and out-of-date TLS versions. Analysing the backend infrastructure tells us about EMAs' vulnerability posture with regard to a remote attacker threat. We assess whether EMA vendors adequately protect the data they collect about employees. Our analysis reveals a number of security and privacy vulnerabilities. These vulnerabilities include issues like data creep, where apps collect metadata about employees and their devices, but do not display this data on the dashboard to an employer. We also notice that one app does not use TLS for data transmission, so it sends private employee data over the public Internet, where anyone can eavesdrop on it. One app offers a GDPR mode, which claims to stop collecting highly sensitive data like web browsing history and screenshots. However, we see that this app still collects and sends web browsing history while this mode is turned on. Backend security misconfigurations we observe include open cloud storage, weak password requirements, lack of password guess rate limiting, and no HSTS enforcement. Overall, we find that each app in our analysis is vulnerable to at least one threat we assess in our framework. Our study aims to provide data for legal analysis to assess the need for legal protections for employees against this kind of monitoring.
Cite this version of the work
Adam Campbell (2023). Security and Privacy Analysis of Employee Monitoring Applications. UWSpace. http://hdl.handle.net/10012/19724