Microsoft faces calls for ‘transparency’ over tools in Office 365 that allow employers to read staff emails and monitor their computer use at work
Businesses can use risk management tools in Microsoft Office to covertly monitor the activities of employees on work-issued computers.
The software company provides tools in its Office 365 suite that can be used by employers to read staff emails and monitor how long they spend on calls and how many meetings they attend.
The surveillance capabilities of Microsoft’s Office suite, which is widely used by businesses across the world, were disclosed in a dissertation by a researcher at University College London (UCL).
The research shows that companies continue to exploit capabilities built into Office 365 to monitor staff computers some 18 months after Microsoft took steps to protect employees’ privacy.
The disclosure has led to calls for Microsoft to change its software to alert staff when companies use its Office 365 productivity tools to monitor identified employees.
Eliot Bendinelli, senior technologist at campaign group Privacy International, which participated in the research, said Microsoft should be more transparent about the data it enables companies to collect.
“The ability for an employer or an IT administrator to read all communications and documents, and to access data about employees’ online activities without their knowledge, is one of the most problematic features of Office 365,” he told Computer Weekly.
Microsoft introduced measures to protect the privacy of employees in Office 365 in 2020 following criticism that its Productivity Score tool allowed managers to monitor individual employees.
The company replaced its reports with aggregated data measuring how much employees were sending email, collaborating on shared documents and taking part in group chats, in a way that was not traceable to individual users.
But research by UCL computer science graduate Demetris Demetriades and Privacy International shows that employers are still able to use functions in Office 365 to monitor individual employees.
Demetriades found employers can use the governance and risk management tools in Office 365 to look at the content of emails or messages sent by specific employees and identify the activities that individual users have carried out using their work computer.
Microsoft’s “content search” and “audit” tools can be used by employers to build up a detailed picture of employees’ activities, he told Computer Weekly.
“Whatever interaction is performed through business email, the audit and content search features identify it and log it. For example, they log the time of the email, the recipient and the content of the email. If the email contains attachments or a picture, the employer can see that too,” he said.
Privacy International argues in an article about Demetriades’ research that these tools can be used to build up a detailed profile of an employee.
“Combining these two all-encompassing features, employers are able to draw a rather intimate picture of every employee, down to the finest of details. This includes not only a list of most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through email,” it said.
Monitoring Team players
IT administrators can also use the administration centre in Microsoft Teams, the video conferencing, messaging and collaboration software, to assess how long employees spend on calls, how many messages they exchange and how many one-to-one meetings they take part in.
The software records which devices employees use to attend each meeting or send each message, potentially allowing employers to make inferences about employees.
For example, managers might make the assumption that an employee who joins an early morning meeting from their phone, rather than their laptop, might still be in bed.
Microsoft provides companies with aggregated data showing how employees across the organisation, or individual groups, are using Office 365 applications. It also provides them with a productivity score that shows how well employees are using Office 365 capabilities compared with similar companies.
For smaller organisations, this data can still be used to make inferences about the performance of individual employees, Demetriades and Privacy International found.
The audit and content search tools offered by Microsoft have legitimate uses, such as allowing employers to identify breaches of employment contracts, breaches of company policies on harassment and the disclosure of trade secrets.
But Demetriades and Privacy International argue there are no safeguards to protect employees from auditing tools being misused and Office 365 users are given no warning if companies choose to enable those tools.
“This lack of transparency and restrictions on the part of the employees means that they can potentially be abused and turned into a surveillance machine without the full knowledge of the employees,” they say.
‘Pseudonymized by default’
Microsoft did not contradict UCL’s investigation, but said in a statement to Computer Weekly that it “standardly” uses masked or “pseudonymized” information about Office 365 users.
The disclosure of user-identifiable information is treated as an event recorded in the Microsoft 365 Compliance Center audit log, the company added.
“We don’t believe in using technology to spy on individual employees. Data-driven insights have long been a critical part of how IT professionals implement and manage solutions, deliver services, meet regulatory requirements and solve problems in their organizations,” said a spokesperson.
“Most Microsoft 365 analytics tools that provide insight into adoption and usage do so at the aggregate level, across groups or entire organizations. These tools are an important part of helping organizations run effectively and get the most from their investment,” the spokesman added.
Microsoft must warn employees about surveillance
Microsoft doesn’t restrict how employers can use its “audit” and “content search” tools, which means they can abuse them to spy on employees without their consent.
If employers don’t disclose which Office 365 capabilities are enabled, employees have no way of knowing “if all their actions with Office 365 are being monitored or even if someone is reading their communications,” the privacy group stated.
Demetriades said Microsoft could do more to prevent employers from spying on employees, such as introducing a dedicated dashboard accessible to all employees that lists which productivity apps are enabled or disabled and what data the organization collects and under what circumstances.
Microsoft must also notify Office 365 users when companies enable “audit” and “content search” features, and when administrators turn off the option to hide usernames in Office 365 for reporting on named people, it added.
“I’m not saying that these functions should be completely removed because they are good for productivity, but they should be used to provide aggregated information,” Demetriades said.
There are other ways to see if individual employees are productive instead of using these metrics, he added.
Employers have legal responsibilities
Under UK data protection law, employers are responsible for ensuring they comply with the law when using software to monitor employees.
Companies need to consider whether monitoring employees at work is proportionate and, if so, whether they can justify collecting data on employees without informing them first, said IT lawyer Dai Davies.
“The real problem is that there is no black and white answer. What is delivered in one situation is not in another,” he said.
For example, it is probably reasonable and legal for a retailer to install a hidden camera where there is reason to suspect that a member of staff is shoplifting. However, it would be unfair for a company to record keystrokes made by every secretary employed by the organization to identify less productive typists.
“Controlling everyone is much more problematic than controlling a few people. One of the problems with Microsoft Office 365 is that it allows you to control all employees and is therefore more difficult to justify,” said Davies.
He said Microsoft had failed to recognize that employers could combine data collected from Office 365 with other data they have about their staff.
Legitimate reasons to monitor employees
David Wilson, chief executive of the Fosway Group, an analyst specializing in the human resources industry, said there were legitimate reasons why companies would want to monitor employees.
These include monitoring workplace applications to identify usage patterns or monitoring email to identify intellectual property theft or workplace harassment.
“It is difficult to argue that a company should not have access to staff emails or browsing history if there are legal or business-critical reasons. The issue is more one of governance and ensuring that surveillance capabilities are not abused,” he said.
For example, pharmaceutical companies ask employees for their permission to use software to automatically filter their emails and social media for mentions of rival companies to ensure that employees do not accidentally leak sensitive information to a competitor.
The same software could be used to identify employees who applied for jobs at competing companies.
Office 365 simulation
Demetriades used a trial version of Office 365 to simulate a corporate network consisting of two users and a system administrator as part of his research project for an MSc in Information Security at UCL.
“I set up an administrator account, which represented the employer, and added two user accounts, which represented the employees,” he told Computer Weekly. “I used my laptop and phone, and logged each user on a device, and tried to interact with simple messages and set up meetings to collect data. The platform crawled the data and started generating the charts and metrics.”
Demetriades, a software engineer, said it would be “very easy” for an employer to select and read emails sent by a particular employee.
Microsoft pushed Office 365 privacy in 2020
Microsoft announced plans to remove usernames from its productivity scoring tool in a blog post in December 2020, in response to criticism that employers could abuse the feature.
“No one in the organization will be able to use Productivity Score to access data about how an individual user uses apps and services in Microsoft 365,” Microsoft said in the post.
The company also changed the interface of its software to make it clear that the purpose of the Productivity Score was to monitor the adoption of technology within the organization rather than individual employees.
But research by Demetriades shows that employers can still use Office 365 to monitor the activities of their staff.
Microsoft said in its statement that there were scenarios where IT professionals needed to access “user-level information” to identify and fix problems or track software licenses.
“Access to these reports is limited to only a few IT-oriented roles. In addition, Microsoft typically takes the step of hiding user, group and site information by default,” said a spokesperson.