Businesses can use risk management tools in Microsoft Office to covertly monitor the activities of employees on work-issued computers.

The software company provides tools in its Office 365 suite that can be used by employers to read staff emails and monitor how long they spend on calls and how many meetings they attend.

The surveillance capabilities of Microsoft’s Office suite, which is widely used by businesses across the world, were disclosed in a dissertation by a researcher at University College London (UCL).

The research shows that companies continue to exploit capabilities built into Office 365 to monitor staff computers some 18 months after Microsoft took steps to protect employees’ privacy.

The disclosure has led to calls for Microsoft to change its software to alert staff when companies use its Office 365 productivity tools to monitor identified employees.

Eliot Bendinelli, senior technologist at campaign group Privacy International, which participated in the research, said Microsoft should be more transparent about the data it enables companies to collect.

“The ability for an employer or an IT administrator to read all communications and documents, and to access data about employees’ online activities without their knowledge, is one of the most problematic features of Office 365,” he told Computer Weekly.

Microsoft introduced measures to protect the privacy of employees in Office 365 in 2020 following criticism that its Productivity Score tool allowed managers monitor individual employees.

“The ability for an employer to read all communications and documents, and to access data about employees’ online activities without their knowledge, is one of the most problematic features of Office 365”
Eliot Bendinelli, Privacy International

The company replaced its reports with aggregated data measuring how much employees were sending email, collaborating on shared documents and taking part in group chats, in a way that was not traceable to individual users.

But research by UCL computer science graduate Demetris Demetriades and Privacy international shows that employers are still able to use functions in Office 365 to monitor individual employees.

Demetriades found employers can use the governance and risk management tools in Office 365 to look at the content of emails or messages sent by specific employees and identify the activities that individual users have carried out using their work computer.

Microsoft’s “content search” and “audit” tools can be used by employers to build up a detailed picture of employees’ activities, he told Computer Weekly.

“Whatever interaction is performed through business email, the audit and content search features identify it and log it. For example, they log the time of the email, the recipient and the content of the email. If the email contains attachments or a picture, the employer can see that too,” he said.

Privacy International argues in an article about Demetriades’ research that these tools can be used to build up a detailed profile of an employee.  

“Combining these two all-encompassing features, employers are able to draw a rather intimate picture of every employee, down to the finest of details. This includes not only a list of most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through email,” it said.

Monitoring Team players

IT administrators can also use the administration centre in Microsoft Teams video conference, messaging and collaboration software to assess how long employees spend on calls, how many messages they exchange and how many one-to-one meetings they take part in.

The software records which devices employees use to attend each meeting or send each message, potentially allowing employers to make inferences about employees.

For example, managers might make the assumption that an employee who joins an early morning meeting from their phone, rather than their laptop, might still be in bed.

Microsoft provides companies with aggregated data showing how employees across the organisation, or individual groups, are using Office 365 applications. It also provides them with a productivity score that shows how well employees are using Office 365 capabilities compared with similar companies.

For smaller organisations, this data can still be used to make inferences about the performance of individual employees, Demetriades and Privacy International found.

The audit and content search tools offered by Microsoft have legitimate uses, such as allowing employers to identify breaches of employment contracts, breaches of company policies on harassment and the disclosure of trade secrets.

But Demetriades and Privacy International argue there are no safeguards to protect employees from auditing tools being misused and Office 365 users are given no warning if companies choose to enable those tools.

“This lack of transparency and limitations on the employee side means they can potentially be misused and turned into a surveillance machine without employees’ full knowledge,” they claim.

‘Pseudonymised by default’

Microsoft did not contradict the UCL research, but said in a statement to Computer Weekly that it uses masked or “psuedonymised” information about users of Office 365 “by default”.

“We do not believe in using technology to spy on individual employees. Most of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level – across groups or entire organisations”
Microsoft spokesperson

Revealing identifiable user information is treated as a logged event in the Microsoft 365 compliance centre audit log, the company added.

“We do not believe in using technology to spy on individual employees. Data-driven insights have long been a critical part of how IT professionals deploy and manage solutions, provide services, meet regulatory requirements and fix problems across their organisations,” a spokesperson said.

“Most of the Microsoft 365 analytics tools that provide insights into adoption and usage do so at the aggregate level – across groups or entire organisations. These tools are an important part of helping organisations run effectively and get the most out of their investment,” the spokesperson added.

Microsoft should alert employees to monitoring

Although Microsoft mentions in its privacy policy that Office 365 can be used by organisations to “access and process your data”, including “the contents of your communications and files”, it is unlikely to be noticed by employees who may have to consent to the software their company is using.

Microsoft does not limit how employers can use its “audit” and “content search” tools, which means they could potentially misuse them to spy on employees without consent.

If employers do not disclose which Office 365 capabilities are turned on, employees have no way of knowing “whether their every action with Office 365 is being monitored or even if their communications are being read by someone”, the privacy group argued.

Screenshot from Microsoft’s privacy policy section

Demetriades said Microsoft could do more to prevent employees being spied on by their employer, such as introducing a dedicated dashboard accessible to all employees that lists which productivity apps have been enabled or disabled and what data the organisation is collecting and under what circumstances.

Microsoft should also notify Office 365 users when companies turn the “audit” and “content search” features on, and if administrators disable the option to conceal usernames in Office 365 to generate reports about named individuals, he added.

“I am not saying these features should be removed completely, because they are good for productivity, but they should be used to provide aggregate information,” said Demetriades.

There are other ways to see whether individual employees are being productive rather than using these metrics, he added.

Employers have legal responsibilities

Under UK data protection law, employers are responsible for ensuring they comply with the law when using software to monitor employees.

Companies need to ensure that monitoring employees at work is proportionate, and if it is proportionate, whether they can justify collecting data on employees without informing them first, said IT lawyer Dai Davies.

“The real problem is that there is no black and white answer. What is proportionate in one situation is not proportionate in another,” he said.

For example, it is probably proportionate and lawful for a retailer to install a hidden camera where there are grounds to suspect a staff member of pilfering from a till. However, it would not be proportionate for a company to record the key strokes made by every secretary employed by the organisation to identify the least productive typists.

“Monitoring everyone is much more problematic than monitoring a few people. One of the problems with Microsoft Office 365 is that it allows monitoring of every employee and is therefore harder to justify,” said Davis.

He said Microsoft had failed to acknowledge that employers could combine data gathered from Office 365 with other data they hol on their staff.

Legitimate reasons for monitoring employees

David Wilson, CEO of Fosway Group, an analyst specialising in the human resources industry, said there were legitimate reasons why companies might want to monitor employees.

These include monitoring workplace apps to identify patterns of use or monitoring email to identify intellectual property theft or workplace harassment.

“It is hard to argue that a company should not be allowed to access staff emails or browsing history if there are business-critical or legal reasons. The issue is more one of governance and ensuring that monitoring capabilities are not abused”
David Wilson, Fosway Group

“It is hard to argue that a company should not be allowed to access staff emails or browsing history if there are business-critical or legal reasons. The issue is more one of governance and ensuring that monitoring capabilities are not abused,” he said.  

For example, pharmaceutical companies ask employees for consent to use software to automatically screen their emails and social media to see whether rival companies are mentioned to ensure that employees do not accidently leak confidential information to a competitor.

The same software could be used to identify employers who have applied for jobs with competing companies.

Office 365 simulation

Demetriades used a trial version of Office 365 to simulate a company network made up of two users and a systems administrator as part of his research project for a masters in information security at UCL.

“I set up an admin account, which represented the employer, and I added two user accounts, which represented employees,” he told Computer Weekly. “I used my laptop and my phone, and I logged each user in on one device, and I tried to interact with simple messages and set up meetings to collect data. The platform tracked the data and it started to generate the graphs and the metrics.”

Demetriades, a software engineer, said it would be “very easy” for an employer to select and read emails sent by a particular employee.

Microsoft boosted Office 365 privacy in 2020

Microsoft announced plans to remove user names from its Productivity Score tool in a blog post in December 2020, in response to criticism that the feature could be misused by employers.

“No one in the organisation will be able to use Productivity Score to access data about how and individual user is using apps and services in Microsoft 365,” it said in the post.

The company also changed the interface of its software to make it clear the purpose of Productivity Score was to monitor the adoption of technology within the organisation rather than to monitor individual employees.

But Demetriades’s research shows that Office 365 can still be used by employers to monitor that activities of their staff.

Microsoft said in its statement that there were scenarios where IT professionals need access to “user-level information” to identify and fix problems or to track software licences.

“Access to these reports is restricted to only a few IT-focused roles. Moreover, Microsoft generally takes the step of concealing user, group and site information by default,” a spokesperson said.