Please note: This master’s thesis presentation will take place online.
Adam Campbell, Master’s candidate
David R. Cheriton School of Computer Science
Supervisor: Professor Urs Hengartner
Workplace surveillance is not a new issue; however, recently there has been increasing adoption of Employee Monitoring Applications (EMAs) that observe employees’ digital behaviour. This trend was advanced by the increase of remote work due to the COVID-19 pandemic and the ease of deployment of EMAs with the accelerating cloud computing industry. EMAs allow employers to monitor their workers’ behaviours remotely, resulting in privacy concerns.
EMAs use highly privileged functions to achieve their features, such as web browsing monitoring, key-logging, microphone monitoring, webcam monitoring, and remote takeover of the device. EMA vendors claim to protect company security and employee privacy. Our research challenge is to assess how well the vendors uphold their claims of protecting security and privacy.
We develop a framework to assess security and privacy issues related to EMAs. Our framework applies dynamic and static analysis techniques to ten popular Windows EMAs.
Our app-centred analysis is focused on issues such as insecure data transmissions, lack of certificate pinning, residual vulnerabilities after app un-installation, security vulnerabilities due to use of a proxy, anti-keylogging, conforming to Windows privacy permissions, effectiveness of EMA privacy features, and determining a general monitoring profile. The app-centred analysis informs us whether EMAs are secure at the local and network levels.
Our backend analysis focuses on issues like password security, lack of input validation, open cloud storage, insufficient access control, server geolocation, and insecure security configurations like no HSTS enforcement and out-of-date TLS versions. Analysing the backend infrastructure tells us on EMAs’ vulnerability posture in regards to a remote attacker threat.
Our analysis reveals a number of security and privacy vulnerabilities. These vulnerabilities include issues like data creep, where apps collect metadata about employees and their devices, but do not display this data on the dashboard to an employer. We also notice that one app does not use TLS for data transmission, so it sends private employee data over the public Internet for anyone to eavesdrop. One app offers a GDPR mode, which claims to stop collecting highly sensitive data like web browsing history and screenshots. However, we see that this app still collects and sends web browsing history while this mode is turned on. Backend security misconfigurations we observe include open cloud storage, weak password requirements, lack of password guess rate limiting, and no HSTS enforcement. Overall, we find that each app in our analysis is vulnerable to at least one threat we assess in our framework. Our study aims to provide data for legal analysis to assess the need for legal protections for employees against this kind of monitoring.