\u201cThe ability for an employer or an IT administrator to read all communications and documents, and to access data about employees\u2019 online activities without their knowledge, is one of the most problematic features of Office 365,\u201d he told Computer Weekly. <\/span><\/p>\n Microsoft <\/span>introduced measures to protect the privacy of employees<\/a> in Office 365 in 2020 following <\/span>criticism<\/a> that its Productivity Score tool allowed managers monitor individual employees.<\/span><\/p>\n The company replaced its reports with aggregated data measuring how much employees were sending email, collaborating on shared documents and taking part in group chats, in a way that was not traceable to individual users.<\/p>\n But research by UCL computer science graduate Demetris Demetriades<\/a> and Privacy international shows that employers are still able to use functions in Office 365 to monitor individual employees.<\/p>\n Demetriades found employers can use the governance and risk management tools in Office 365 to look at the content of emails or messages sent by specific employees and identify the activities that individual users have carried out using their work computer.<\/p>\n Microsoft\u2019s \u201ccontent search\u201d and \u201caudit\u201d tools can be used by employers to build up a detailed picture of employees\u2019 activities, he told Computer Weekly.<\/p>\n \u201cWhatever interaction is performed through business email, the audit and content search features identify it and log it. For example, they log the time of the email, the recipient and the content of the email. If the email contains attachments or a picture, the employer can see that too,\u201d he said.<\/p>\n Privacy International argues in an article about Demetriades\u2019 research<\/a> that these tools can be used to build up a detailed profile of an employee. <\/span><\/p>\n \u201cCombining these two all-encompassing features, employers are able to draw a rather intimate picture of every employee, down to the finest of details. This includes not only a list of most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through email,\u201d it said.<\/p>\n IT administrators can also use the administration centre in Microsoft Teams video conference, messaging and collaboration software to assess how long employees spend on calls, how many messages they exchange and how many one-to-one meetings they take part in.<\/p>\n The software records which devices employees use to attend each meeting or send each message, potentially allowing employers to make inferences about employees.<\/p>\n For example, managers might make the assumption that an employee who joins an early morning meeting from their phone, rather than their laptop, might still be in bed.<\/p>\n Microsoft provides companies with aggregated data showing how employees across the organisation, or individual groups, are using Office 365 applications. It also provides them with a productivity score that shows how well employees are using Office 365 capabilities compared with similar companies.<\/p>\n For smaller organisations, this data can still be used to make inferences about the performance of individual employees, Demetriades and Privacy International found.<\/p>\n The audit and content search tools offered by Microsoft have legitimate uses, such as allowing employers to identify breaches of employment contracts, breaches of company policies on harassment and the disclosure of trade secrets.<\/p>\n But Demetriades and Privacy International argue there are no safeguards to protect employees from auditing tools being misused and Office 365 users are given no warning if companies choose to enable those tools.<\/p>\n \u201cThis lack of transparency and limitations on the employee side means they can potentially be misused and turned into a surveillance machine without employees\u2019 full knowledge,\u201d they claim.<\/p>\n<\/section>\n Microsoft did not contradict the UCL research, but said in a statement to Computer Weekly that it uses masked or \u201cpsuedonymised\u201d information about users of Office 365 \u201cby default\u201d.<\/p>\n Revealing identifiable user information is treated as a logged event in the Microsoft 365 compliance centre audit log, the company added.<\/p>\n \u201cWe do not believe in using technology to spy on individual employees. Data-driven insights have long been a critical part of how IT professionals deploy and manage solutions, provide services, meet regulatory requirements and fix problems across their organisations,\u201d a spokesperson said.<\/p>\n \u201cMost of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level \u2013 across groups or entire organisations. These tools are an important part of helping organisations run effectively and get the most out of their investment,\u201d the spokesperson added.<\/p>\n<\/section>\n Although Microsoft mentions in its privacy policy<\/a> that Office 365 can be used by organisations to \u201caccess and process your data\u201d, including \u201cthe contents of your communications and files\u201d, it is unlikely to be noticed by employees who may have to consent to the software their company is using.<\/p>\n Microsoft does not limit how employers can use its \u201caudit\u201d and \u201ccontent search\u201d tools, which means they could potentially misuse them to spy on employees without consent.<\/p>\n If employers do not disclose which Office 365 capabilities are turned on, employees have no way of knowing \u201cwhether their every action with Office 365 is being monitored or even if their communications are being read by someone\u201d, the privacy group argued.<\/p>\n Demetriades said Microsoft could do more to prevent employees being spied on by their employer, such as introducing a dedicated dashboard accessible to all employees that lists which productivity apps have been enabled or disabled and what data the organisation is collecting and under what circumstances.<\/p>\n Microsoft should also notify Office 365 users when companies turn the \u201caudit\u201d and \u201ccontent search\u201d features on, and if administrators disable the option to conceal usernames in Office 365 to generate reports about named individuals, he added.<\/p>\n \u201cI am not saying these features should be removed completely, because they are good for productivity, but they should be used to provide aggregate information,\u201d said Demetriades.<\/p>\n There are other ways to see whether individual employees are being productive rather than using these metrics, he added.<\/p>\n<\/section>\n Under UK data protection law, employers are responsible for ensuring they comply with the law when using software to monitor employees.<\/p>\n Companies need to ensure that monitoring employees at work is proportionate, and if it is proportionate, whether they can justify collecting data on employees without informing them first, said IT lawyer Dai Davies.<\/p>\n \u201cThe real problem is that there is no black and white answer. What is proportionate in one situation is not proportionate in another,\u201d he said.<\/p>\n For example, it is probably proportionate and lawful for a retailer to install a hidden camera where there are grounds to suspect a staff member of pilfering from a till. However, it would not be proportionate for a company to record the key strokes made by every secretary employed by the organisation to identify the least productive typists.<\/p>\n \u201cMonitoring everyone is much more problematic than monitoring a few people. One of the problems with Microsoft Office 365 is that it allows monitoring of every employee and is therefore harder to justify,\u201d said Davis.<\/p>\n\n
<\/i>Monitoring Team players<\/h3>\n
<\/i>\u2018Pseudonymised by default\u2019<\/h3>\n
\n
<\/i>Microsoft should alert employees to monitoring <\/strong><\/h3>\n
![](\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2022\/06\/microsoft-office-365-has-ability-to-spy-on-workers.jpg\")
<\/i>Employers have legal responsibilities<\/h3>\n