
Workplace monitoring app WorkComposer leaks 21 million employee monitoring screenshots

The rapidly growing market for employee monitoring software has experienced a significant security event: the workplace monitoring app WorkComposer exposed millions of sensitive files. According to an investigation by Cybernews, the tool, which is reportedly used by over 200,000 people, left more than 21 million employee screenshots directly on the public internet.

This exposure comes from an improperly secured Amazon S3 cloud storage bucket, a common type of cloud storage that is prone to leaks if it is not configured correctly by the user. Such misconfigurations often involve human error in setting access permissions rather than a flaw in the cloud service itself. The company advertises its product as very secure, stating on its website: “We promise to offer all of our stakeholders bulletproof security.”
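Permission errors of this kind can be caught by auditing a bucket's exported settings. The Python example below is added here and is not code from Cybernews or WorkComposer; the page does not say which setting was wrong, so it checks the three places S3 access is granted (bucket policy, ACL, Public Access Block), and the bucket name, role and sample data are constructed.

```python
import json

PUBLIC_ACL_GROUPS = {  # ACL grantee URIs that mean "everyone"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_wildcard_principal(principal):
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def audit_bucket(policy, acl, pab):
    """Return findings for one bucket's exported policy, ACL and Public Access Block."""
    findings = []
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("Public Access Block off: " + ", ".join(missing))
    for stmt in _as_list(policy.get("Statement", [])):
        # Conditioned statements are skipped here and need manual review.
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and is_wildcard_principal(stmt.get("Principal"))):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"Policy {stmt.get('Sid', '?')} allows anyone: {actions}")
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return findings

# Constructed sample input (bucket and role names are hypothetical).
LEAKY_POLICY = json.loads("""{"Statement": [{
  "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::example-screenshots", "arn:aws:s3:::example-screenshots/*"]}]}""")
LEAKY_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
LEAKY_PAB = dict.fromkeys(PAB_FLAGS, False)
LOCKED_POLICY = {"Statement": [{"Sid": "UploaderOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-screenshots/*"}]}
LOCKED_PAB = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    print("\n".join(audit_bucket(LEAKY_POLICY, LEAKY_ACL, LEAKY_PAB)))
```

With all four Public Access Block flags enabled, S3 rejects or ignores public policies and ACLs, so the first finding is the one to clear first.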

A window into the desktop

WorkComposer works by capturing frequent snapshots of employee screens.

The unsecured S3 bucket meant that this continuous visual feed was open in real time. Cybernews outlined several specific dangers associated with such a leak: first, internal documents and communications meant only for the companies' eyes were exposed; second, usernames, passwords or API keys visible in screenshots could “lead to hijacked accounts and deeper violations of companies worldwide”; and third, companies that use WorkComposer could face exposure under data protection laws such as the GDPR in Europe or California's CCPA, with serious legal and financial consequences.

Cybernews researchers found the open bucket on February 20 and alerted WorkComposer the next day. Progress seemed to be slow, which prompted contact with CERT on March 19. Access was finally locked down on April 1, securing the exposed data. However, WorkComposer had not made a public comment when Cybernews released its findings later that month. WorkComposer's own terms and conditions include a disclaimer rejecting liability for internet security breaches, stating: “We reject any liability for or in connection with a violation of internet security or a disruption of the user's connections to the web services or the API.”

This incident was not unique; as an earlier Cybernews investigation from January found, another monitoring tool, WebWork, leaked 13 million screenshots through similar weaknesses.

The surveillance landscape and worker sentiment

The use of such surveillance tools is becoming increasingly common, with some estimates indicating that 70% of major employers could be using them by 2025. Features such as screenshot capture are widespread, reportedly present in 78% of productivity tools. This widespread adoption increases the potential impact of security failures.

These applications, intended to track productivity, record a wide range of on-screen activity and may capture personal messages or sensitive private information. Understandably, employee reactions vary. The data indicate considerable anxiety (56% stressed by monitoring), privacy concerns (43%) and a willingness to leave jobs over monitoring (54%). However, a majority (62%) report accepting surveillance technology, especially if the data helps performance or well-being.

Earlier precedents and industry adjustments

Debates about digital surveillance in the workplace are not limited to smaller providers. At the end of 2020, Microsoft faced considerable criticism of the “Productivity Score” feature in Microsoft 365. Data protection advocates argued that it enabled problematic workplace surveillance by letting managers view individual metrics such as email volume and Teams usage. Researcher Wolfie Christl commented at the time, “This is so problematic on many levels,” adding, “Employers are increasingly using metadata that are logged by software and devices for performance analysis and algorithmic control. MS delivers the tools for it.”

Microsoft initially defended the feature, stating: “Productivity score is an opt-in experience with which the IT administrators get an insight into the use of technology and infrastructure. Insights are shown over a period of 28 days and are provided at the user level so that an IT administrator can offer technical support and guidance. The productivity assessment is not a tool for work overview.”

However, the company reacted quickly to the concerns. On December 1, 2020, Microsoft 365 CVP Jared Spataro announced changes, stating: “We heard the feedback and today we react by making changes to the product to further strengthen privacy for customers.”

With the adjustments, individual user names were removed from reports, and the tool was refocused entirely on aggregated organizational data about technology adoption and away from individual productivity tracking. This case shows how major providers can adapt features in response to privacy feedback, in contrast to the WorkComposer situation, in which the data leak resulted from a security lapse rather than from feature design choices.
