can my employer install spyware on my personal computer I use for work?

A reader writes:

The CEO of our company has recently expressed some concerns with worker productivity and time card fraud. To mitigate this, he’s found a spyware/time card program that uses mouse movements, keystrokes, and screenshots to measure productivity and monitor us. We just tested it out, and as you can imagine, the software appears limited in its ability to track actual productivity, and it’s incredibly discomfiting to feel like you’re constantly being watched.

I know that employers absolutely have the right to monitor company equipment, and they absolutely have the right to fire you for just about anything. But here’s the thing: everyone who works at our company is a remote independent contractor, and everyone uses his or her own equipment. As such, many of us use personal computers for this role, which also contain sensitive personal information. I can’t believe I’m asking this question on your blog, but…is this legal? If it is, do people actually use these programs? Are they effective?

I respect and understand that productivity is important, but I’m deeply concerned about installing software such as this. Perhaps you know of some alternatives that could allay my CEOs concerns?

Your CEO has a limited understanding of how to monitor productivity, and an even more limited understanding of appropriate boundaries.

You probably already know that in most cases it’s legal for your employer to monitor what you do on work-issued devices while you’re at work — even down to the level of logging every keystroke. But you might reasonably assume that when you’re on your own personal device, at home, your employer shouldn’t have the right to spy on your movements … but you’d be wrong.

To get you an answer, I turned to employment lawyer Donna Ballman, author of the awesome Stand Up For Yourself Without Getting Fired (which you should buy; it’s great). She delivered bad news: Employers are getting away with this, for the most part.

She pointed me to this detailed analysis of cases in this area, and this discussion too. She also has some good articles of her own on legal ways your employer might be spying on you, and how your employer might be permitted to track your location on your personal devices.

So there’s the law.

But as for what companies should be doing, and how your CEO should be approaching this? Nothing justifies this level of intrusion. If your CEO wants to pay more attention to people’s productivity, he could try looking at what work they’re producing and what results they’re getting — you know, the fundamental work of, uh, managing.

But there’s also this (as pointed out by commenters below): The law is very clear on who does and doesn’t qualify to be treated as an independent contractor. This kind of control over how you spend every minute of your time is utterly at odds with that. If there’s a law being broken here, it’s that one. So you might say to your boss, “Because we’re independent contractors, this kind of set-up is likely to jeopardize that status and could get the company in a lot of trouble for misclassifying us. If we’re to stay contractors, the company needs to be careful to follow the federal regulations that limit this type of direction and control.”

* I make a commission if you use that Amazon link.

{ 52 comments… read them below }

  1. BRR*

    Is it different because the OP is an independent contractor? I feel like it violates classifying them as an independent contractor if the CEO wants to monitor time in this manner.

    1. Barbara in Swampeast*

      I was going to bring this up. If the OP is really an IC instead of employee then I don’t see how this is legal. Either the OP is an employee and subject to oversight or s/he is an IC and her/his own boss.

      1. Barbara in Swampeast*

        Oh, and by not legal, I mean that this situation might not really be an independent contract situation. Wouldn’t this amount of oversight negate the IC classification. Also, referring to a “boss” instead of client is a give away.

    2. Bill*

      I was thinking the same thing. My understanding was that one of the key determining factors of being a contractor was that you set up and had control over your operating environment, down to the software that is on your computer.

    3. EngineerGirl*

      I was going to bring up something similar. The boss is turning the OP from an independent contractor to an employee by tracking hours and how the work gets done. The OP may want to raise the concern with the boss.

    4. Magda*

      Agree. In addition to the incredible intrusiveness of the request, it sounds like Boss wants to have it both ways — all the benefits of being able to treat the workers like employees, without any of those pesky legal obligations of hiring employees.

    5. Ask a Manager* Post author

      Ha, Donna and I both skipped right over that because we were focused on the crazy keylogging. But yes, absolutely. This kind of control over people’s hours is not all in line with the restrictions on who can be an independent contractor. OP, read this post:
      https://www.askamanager.org/2013/05/what-to-do-when-your-employer-illegally-treats-you-as-a-contractor.html
      Your employer almost certainly is breaking the law in that regard.

      I’ll add something to the main post as well.

  2. Mike C.*

    I wish the Guilty Remnant was a real organization, and would chose your CEO to follow around.

  3. Adam*

    That personal device tracking story creeps me the hell out. What sort of life/mindset must a person have to even conceive of this being a good idea, let alone actually bringing it to fruition? I’m pretty laid back and have accepted a lot workplace frustrations, but if I ever found out for sure the organization I worked for was implementing something like that my resume would be circulating the job boards that week.

    1. Bea W*

      Probably the same people who think asking employees and their partners to submit their height, weight, blood pressure, and laboratory test results to an employer designated company and discuss them with a stranger is a good idea. If it’s not the same people, they are probably close cousins.

  4. Zahra*

    With this degree of oversight, do independent contractors become more like employees and thus due the same benefits and salary as a regular employee? I know that, in Canada, being an independent contractor depends on having more freedom and less oversight than regular employees.

  5. Koko*

    Could this be grounds to ask the employer to purchase a separate machine for work use, as the employee doesn’t feel comfortable allowing things like his online banking logins and other sensitive information on his personal machine to be logged and stored somewhere that could be vulnerable to abuse or security breaches?

    1. The IT Manager*

      I’d be willing to be the boss won’t want to spring for the cost of a separate machine for work only in large part because he seems like the kind of person who is trying to get the best of both worlds for himself, but also depending on number of employees this would be a sudden abd big jump in equipment costs and now maintenance costs for his company’s equipment. this is not the kind of change a company makes lightly.

      1. fposte*

        I think if the OP were an employee, that would be likelier, but since she’s an independent contractor, they’re usually expected to maintain their own equipment.

        1. Rayner*

          I would therefore argue that if they were supposed to maintain their own equipment as contractors, dictating that they download a program they don’t want, that spies on them during non-work times, and they have no control over would definitely overstep that boundary.

          1. fposte*

            I would completely agree–it was just a point that had already been thoroughly made upthread.

            1. Thomas W*

              I agree too — the company should (in a perfect world) have no right to install unwanted software on a personal machine even if used to work purposes. But if the law doesn’t protect from that, I’d say there are two options: 1, buy a work-only computer. Not cheap, not everyone can afford it, but if you can, do it. I was able to do that and I’m very happy to have that solid wall between work and personal computing. 2, create a work-specific user account with entirely separate permissions and don’t allow the software to run on one’s personal account. I’m only familiar with how to do that on a Mac or Linux machine, but I’m sure it’s possible on Windows as well.

              1. NotMyRealName*

                Depending on what’s required, there are some very inexpensive refurbs out there. I spent about $200 for a basic desktop (no monitor or keyboard, but I had those) when my elderly business computer finally died.

              2. Bea W*

                This is possible with Windows as well and not difficult to manage although i’d prefer not to have spyware on a personal computer at all. Option 1 is truly ideal unless you travel a lot on the job and would need one machine to pull double duty.

              3. NoPantsFridays*

                I think it’s possible on Windows, and I would suggest the work and spyware account be a regular user account and NOT an administrator account.

                Another option related to this is a dual-boot system with Windows and Linux. So you have the work stuff and company spyware on your Windows partition, and your personal stuff on the Linux partition. Of course, this would mean you would use Linux for all your personal computing, which may or may not be what the OP wants. You could also dual-boot two separate Windows installations, though I’ve never done this. I’m a regular employee (not a contractor) with a company-issued laptop, but were I in the OP’s situation, the dual-boot setup would be my first choice.

    2. BRR*

      It might also be a good argument that it opens up the company to lawsuits as they will be liable for any security breaches that do occur and result in loss. Sometimes there is only one way ($$$) to explain things to executives.

    3. Lora*

      They would definitely see a nice fat $10,000 Alienware desktop with all the bells and whistles on my itemized invoice. Time AND materials!

      OP, if you were sent to this assignment by an agency/consulting company, this is the sort of thing they should be sorting out. It may violate the terms of the contract, or not be included in the scope of work, in which case your Business Development folks will want to revisit the client with a lovely “this is an extension to your contract to cover materials and activities that were not anticipated in your original quote…”

  6. Brett*

    While the keylogging itself is not illegal, many uses of the information logged would be. If they log a password, and then use that password to access a system, that’s illegal. If they obtain identity information and use that information to access your credit history or credit, that’s illegal. And they might even be opening themselves up to requirements to harden their system security depending on what kind of information they are storing out of those keyloggers.

    And… if that storage system or monitoring system is compromised and a hacker makes off with a storehouse of personal information and passwords from employees, they are looking at a considerable amount of civil liability.

    1. Cari*

      The OP’s CEO doesn’t seem to be aware of the computer security can of worms they’re potentially opening up here…
      Ugh, all that information they could be grabbing – do they have something like the Data Protection Act in the US? I’ve not come across this situation here, but I can see blanket logging of data would not be allowed under it (certainly not storing the data logged).

      Also, if the OP were to not consent to having the software installed on their PC and it gets installed anyway (if that is possible?), would that risk falling foul of hacking and computer misuse laws too?

  7. Traveler*

    Having just watched the documentary Terms and Conditions May Apply, I’m already paranoid and freaked out (and sad at how little legislation there is around this sort of behavior). I don’t think I could continue working for an employer like this. If it’s my personal machine whats going to stop them from logging my bank account information, and checking to see what I spend my money on or my emails to my family or any number of things that are perfectly innocuous but also no one’s business. No thanks.

    1. GrumpyBoss*

      This is the exact reason is never use a personal device for work. Nope. Not going to happen. If you employee me, you need to provide me the tools to do my job.

    2. Not So NewReader*

      The college I went to had me set up accounts and login to all kinds of stuff. I went along, blindly, because I did not know that much about computers. One day I went to see someone at school about a computer problem. She was able to bring my desktop up on HER computer.

      I had all I could do to remain composed. This was nothing I agreed to. And it’s not because I didn’t read the paperwork, I read everything they gave me. The sites they had me go into seemed benign. I had no idea that they could do this. Talk about a huge violation in trust….

  8. Rayner*

    I suppose the only solution to this, if the boss insists on pressing ahead and the OP can’t afford to jump ship right away is to purchase a secondary computer to use for work, and either ask the boss to pay for it or try to work something out.

    But seriously, OP. Get out if you can. That is not a boss who’s going to improve with anything less than a massive personality transplant.

  9. GrumpyBoss*

    I’ve worked on fraud detection/prevention for most of my career. This is actually a very common request/demand employers are beginning to make. More and more situations have an employee/contractor/intern wishing to use their own device. Most companies with a well thought out BYOD policy will require some type of monitoring software to be installed, and the user must consent before said device can touch corporate resources.

    Also, this is usually done to 1. Prevent malware from entering the corporate network; and 2. Prevent data from leaving. If someone thinks this is an efficient way to monitor your work, they are sadly mistaken.

    1. LBK*

      What’s really stupid is that those two things can easily happen on company-owned equipment as well…

      1. GrumpyBoss*

        A company with a strong privacy policy and data retention policy will have this covered.

        Most don’t, which is why I’ve never had a problem finding employment.

        1. Lora*

          Question for you: Why don’t they just pay for computers that are capable of doing the work required?

          Every time I’ve had to use my home computer for anything (which is frequent), it’s because the one I’ve been provided is good for nothing more than Word processing of very simple documents and occasionally checking email. Yes, I realize decent computers that can run SAP and AutoCAD and DeltaV all at the same time are $$$, but if your other options are having employees sitting around bored and unable to do their jobs or running the security risk of employees working on their home machines…why wouldn’t they just pony up? It’s really a drop in the bucket compared to other expenses of a manufacturing business (as opposed to a service business).

          1. Anonyuser*

            Or why do they implement stupid security policues that block people from doing their work. My employer pays millions of dollars for vendor services people can’t use without 6 weeks of screaming and multiple tiers of escalation because of what I am certain is a group of suits in a room completely isolated from the rest of the company making paranoia-induced decisions about how to implement the security features on a vintage version of IE.

            Can get to a work site in which most of my work depends? No. Can I post cat videos to Facebook all day? Nothing stopping me from doing that!

            1. James M*

              “Security” decisions are often made by the people who least understand the topic. That’s par for the course.

          2. James M*

            This. My workplace is replete with POS Dell garbage boxes that regularly fry their power supplies and those dinky 17″ monitors that so often accompany them. It’s annoying, it’s unnecessary, and for twice the up front cost, you can get a machine that twice as good and lasts 3 times longer.

  10. Lora*

    Hi Mr. Nosy Parker Employer!

    Thanks for the company server address, I can always use another proxy!

    Love and kisses,
    Lora

  11. Adiposehysteria*

    A major freelance worker’s site pretty much requires that you put such software on your computer for all hourly work. If you don’t and there is any sort of issue with the client, the freelancer will lose every time. For example. I had an hourly job where the client took the work and vanished. They didn’t complain, they just vanished. I filed a dispute with the company, which promises to offer protections to freelancers, and was denied solely because I did not install that software. I don’t work with them anymore for that very reason.

    1. Cucumber*

      Would you mind sharing which site this was, or clues on it? I have a friend who is picking up a lot of additional freelancing work and would like to warn her off.

      1. Agile Phalanges*

        I’m pretty sure the poster is talking about Elance–they require that sort of software. I’ve done hourly work without it (I refuse to install it on my computer, not just for privacy reasons, but I’ve also heard it slows down your computer ALL the time, not just when it’s running), but the only work I’m doing with them anymore is a repeat project every month for the same client, so I trust him to pay me, and honestly, if he didn’t, I’d be out like $25. I have heard of people being burned exactly as Adiposehysteria (love the name, BTW!) describes.

        There is the option to go with a fixed price job, in which case the freelancer shouldn’t begin working until escrow is funded, and if so, there are protections in place for both client and freelancer, and I think the dispute resolutions are much more fair. It’s hard to do fixed-price for something when you’re not sure how long it will take, but if you stick to jobs that lend themselves to fixed pricing, you can avoid the issue entirely.

  12. The OP!*

    Hi everyone!

    Thanks so much for your comments! While I’m dismayed that there are no legal protections to this, I’m comforted by the fact that most of you believe this kind of monitoring egregiously crosses boundaries. I’m not sure whether or not our leadership will be receptive to these arguments, however. I suppose if they are not, that will be a strong signal that it’s time for me to hit the dusty trail.

    Per the IC illegality point: this has been an issue for folks in this role for a rather long time and for reasons other than the monitoring software. Simply put, by no measure or standard should we be considered contractors (we have set hours, limits as to where we can work, work is permanent, etc.). No one has really raised the issue, mostly because (a) for many of us it’s advantageous, and (b) no one wants to endanger their jobs. It seems touchy to bring these issues up all of a sudden now, when for so long its been an open secret. And honestly, it’s hard to accuse your boss of doing something illegal across his/her entire company. We don’t have a lot of power or protection in these cases, no matter what people say.

    Ultimately, I’m disappointed. I like my job, and this place has so much potential. Decisions like this one chip away at my faith not only in this company, but in all companies. Is this what I have to look forward to, professionally?

      1. AB Normal*

        And another reason it’s well outside the norm (apart from the unreasonableness of asking to install spyware in a personal computer, and the contractor vs. employee situation), is because it’s also one of the most ineffective ways of measuring productivity.

        Suppose the contractor is offline, speaking on the phone and taking notes, or comparing printouts to find discrepancies, etc. What would the CEO do? Dock payment because the person is not typing away at the computer for that period? Seriously, if I wanted to do personal stuff during company time, I’d easily find ways to do so while keeping the appearance of work. I could be playing games in my tablet, watching a movie, or doing laundry while keeping a spreadsheet open in the computer (so screenshots would only capture work-related content). From time to time, I could type something, or change tabs, to log some keystrokes, and go back to my other activities.

        Either the staff is producing concrete outputs (reports, wireframes, code, test results, sales calls, closed tickets, etc.), and you can measure productivity based on the quantity or quality of these outputs, or there’s something terribly wrong with his company. If there are concerns regarding time card fraud, there are plenty of ways for a manager to check whether the contractor is working the expected number of hours (including checking on the person on random times via chat or phone to verify that the person is available, if the job does involve being available to promptly reply to emails or calls from colleagues or customers).

  13. The Cosmic Avenger*

    I know I’m late on this one, but I’ve had experience with having a specialized offsite work environment before, and I used a free trial of VMWare to create a virtual machine, then once you create it you can run it free indefinitely. You’d need a computer with some spare memory and processing capacity, but if you have that, it basically creates a sandbox on your computer, with a separate instance of the operating system and everything. It’s also complicated to set up, but it’s something to look into if you don’t have any other alternatives. I believe VirtualBox also offers a free trial.

    Of course, your boss is still monitoring your computer usage instead of simply measuring the end product of your productivity, which means they don’t know how to manage at all, but this might help you deal with it until you find a better job. :)

  14. j238*

    Technical point.
    It should be possible, in most cases, to allow the program in question to run under a work-exclusive user-id, while keeping personal data and activity private.

  15. Fox*

    This has been happening to me for the past several months and went from being a contractor to now on the payroll. They don’t know I know, but I am building my case. As it began when I wasn’t even being paid yet. They are in a world of trouble according to my attorney.

  16. Employed but the computer is mine*

    I’d be very curious to know how this turns out as well. At my job we all use our own PCs to log into a remote desktop for work. My employer has always used a spyware program to watch us work, but it throws up an extremely annoying popup window and people who had access to it (all of management basically) started using it to torture employees with the endless popups. So employees started blocking it just to get through the day (not hard to do actually if you know how to manage your firewall). So to get around that, now we’re required to download a more invasive program that turns off our User Account Control. Seeing as how the employer is not paying any one of us a thin dime for our PCs, I’m not cool with that. But I guess it is legal for them to make us do it? On our own computers that we have not been reimbursed for in any way? I’m looking for another job.

Comments are closed.