General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy

Microsoft Backpedals Over 'Productivity Score' Monitoring

User Tracking Eliminated in Microsoft 365 Following Privacy Backlash
Microsoft Backpedals Over 'Productivity Score' Monitoring

Microsoft is revamping its controversial "productivity score" in Microsoft 365 so that individual workers can no longer be tracked. The move follows warnings by privacy advocates that the feature was a step too far into the realm of workplace surveillance (see: Productivity Tools May Be Monitoring Workers' Productivity).

See Also: Cyber Insurance Assessment Readiness Checklist

Jared Spataro, corporate vice president for Microsoft 365, says in a blog post published on Tuesday that the feature was designed not to track individuals but to help IT administrators better "measure and manage the adoption of Microsoft 365," especially given the sudden shift to cloud-based applications and tools for so many organizations during the pandemic.

Microsoft 365 is the company's cloud-based productivity suite, which includes Office 365 applications as well as Windows 10 Pro and Enterprise Mobility + Security.

"We believe that data-driven insights are crucial to empowering people and organizations to achieve more," Spataro says. "We also believe that privacy is a human right, and we’re deeply committed to the privacy of every person who uses our products."

As a result, he says the productivity score feature will no longer display usernames and users' actions, but will only aggregate the information at an organizational level. "No one in the organization will be able to use productivity score to access data about how an individual user is using apps and services in Microsoft 365," he says.

The user interface for the feature is being redesigned to emphasize that it is "a measure of organizational adoption of technology - and not individual user behavior," he says.

How Microsoft calculates productivity scores, an optional feature for businesses that use Microsoft 365 or Office 365 (Source: Microsoft Productivity Score documentation)

Alarm over the feature and its implications had been sounded by journalists and privacy researchers, including Vienna-based Wolfie Christl, as The Guardian has reported.

Jeffrey Snover, a Microsoft technical fellow and its CTO for "modern workforce transformation," thanked Christl and other privacy researchers who had criticized the feature, saying that it was their "feedback which led to this change."

Responding to the change, Christl tweeted: "I welcome that Microsoft is making significant changes and will entirely remove individual-level reporting."

But he noted that this is just one of the features available to organizations that want to monitor employees.

"Microsoft provides usage data for many of its enterprise products in a way that can be exploited for employee monitoring, or is designed for this purpose," he says via Twitter. "The collection and use of personal data at the workplace generally deserves much more scrutiny and attention. This is not only about 'privacy,' but about power asymmetries. A major vendor's product designs affect the daily lives of millions of employees around the globe."

Workplace Surveillance Increases

Interest in workplace surveillance tools has been surging as the COVID-19 pandemic continues and many employees continue to work from remote locations.

But under some laws, employers cannot monitor workers at whim or by simply telling them they're doing so. In Europe, for example, the General Data Protection Regulation safeguards privacy rights by requiring organizations to demonstrate that any technical measures they have in place - including workplace surveillance tools - comply with the law. The organizations must also be transparent about what they are doing.

Jonathan Armstrong, a partner at London-based law firm Cordery, says that, before organizations that must comply with GDPR adopt such tools, they must conduct an impact assessment that demonstrates "the harm we're trying to fix" as well as how their response to that harm is "proportionate." He also cautions that productivity tools may have built-in features that can be used to track employees. And he says organizations must account for any such features left activated in their GDPR impact assessments. Otherwise, he says, they run the risk of an investigation by privacy regulators - followed by sanctions - as well as seeing such data get used against them in employee lawsuits.

Artificial Intelligence Capabilities Evolve

As artificial intelligence and machine-learning tools continue to improve, so too does the ability to monitor individuals in previously impossible ways. Numerous governments, for example, have been adopting AI to provide surveillance capabilities.

A number of tools now offer automatic facial recognition. (Source: Amazon)

Such tools are built by organizations in China, the U.S., Japan and elsewhere, with Huawei, IBM, Cisco, ZTE, NEC Corp., Hikvision and Palantir among the world's top suppliers, according to the Carnegie Endowment for International Peace.

Numerous companies now sell facial recognition technology that has the ability to search for faces. They include Amazon, Affectiva, Google, IBM, Kairos, Microsoft, NEC Corp. and OpenCV. Some of these tools can even be used in real time - for example, to identify individuals in large crowds (see: Amazon Rekognition Stokes Surveillance State Fears).

Fears over such tools - and their potential use by authoritarian governments - has at times provoked a backlash by Silicon Valley employees. But as developers and governments continue their rush to experiment and adopt such technology, some experts warn that security, privacy, data protection and liability questions too often remain unanswered.

Amazon Pitches AWS Panorama

Meanwhile, on Tuesday, Amazon announced a new AI offering, designed for industrial environments and workplace safety applications, that can be used to augment CCTV systems. Built by its cloud arm, the AWS Panorama product is an appliance that plugs into the same network as IP-based CCTVs and can then monitor for a range of employee, facility and environmental conditions.

Source: Amazon

Use cases include counting the number of customers lining up outside a shop or sounding an alarm if any workers are seen not wearing personal protective equipment, Amazon says.

The Financial Times reports that Siemens and Deloitte are among the companies now testing the technology.

An Amazon spokeswoman told the BBC that the focus of the product is on workplace safety and industrial operations, and how it gets configured is up to customers.

"For example, AWS Panorama does not include any pre-packaged facial recognition capabilities," she said. In addition, all processing happens only on the devices and never leaves the customer environment.

But Silkie Carlo, director of British civil liberties group Big Brother Watch, told the BBC that workplace surveillance "rarely results in benefits for employees."

Carlo also expressed skepticism over how the product is being marketed. "It's a great shame that social distancing has been leapt on by Amazon as yet another excuse for data collection and surveillance," she said.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.