Federal government employees are well aware that their government-issued devices used to perform work duties are – and must be – monitored by their employers for a host of reasons, from compliance with records retention and access to information laws, to the need to detect and counter intelligence risks, and more. To be sure, incidental use of devices handling unclassified government information for personal purposes has long been permitted. But in an environment where federal workers are likely to have emails fed into AI and are being administered “loyalty tests” regarding their personal political beliefs, it is more crucial than ever to understand workplace surveillance risks and potential mitigations.
The Rise of Workplace Surveillance
Workplace surveillance has been on the uptick for several years, and federal employees are no exception. The U.S. government is, of course, not a business, but to understand the state of the art in workplace surveillance, it helps to start by looking at what is now frequently deployed in the private sector. Spyware for businesses has become so popular that PCMag even has a category for it. Oft-used workplace surveillance tools often operate under names such as “productivity tracking” or “bossware.” While workplace surveillance and technological scrutiny of workers has historically been associated with retail, factory, and warehouse work, the last decade has seen an exponential rise in surveillance of office workers as well.
The availability of cameras, microphones, and other sensors (such as chips in employee badges) makes a sensor-laden environment rather easy to establish in a physical space. To go to work, employees often must pass through numerous obligatory passage points or digital doors that require credentials from entering the office building, accessing email, signing-on to meetings, and so on. Several companies sell software claiming to detect worker sentiment to predict their likelihood of quitting. Many systems exist that routinely capture screenshots or gauge the movement of the computer mouse to measure productivity. It’s not always obvious that these features are toggled on. While there is limited evidence to support the popular belief that in office directives are connected with increased productivity, this could be one reason why the Trump administration wants government workers back at their desks.
Enterprise software is not typically associated with workplace surveillance, but systems like Zoom, Slack, Google Workspace, and Microsoft Teams provide tiered permissions to those with administrative privileges, who may be able to track and access direct messages, emails, and meeting notes or data. For any employee, in any sector, it should now go without saying that if you do not own the device or if you are using your workplace email to log into a service, assume someone else could see or intercept those communications. Particularly, if you are calling into a service, assume that your phone number will be logged. If you are using meeting software (Google Workspace, Zoom, Teams) that includes an AI assistant, notes will be continuously taken even if you’re “off the record” or just chatting up a colleague. If your employer has provided you with a cell phone, they may be able to track your location, monitor text messages, and see who you are calling. .
Advances in technical surveillance in the workplace may pose risks to U.S. government employees who use their work-issued devices for non-work purposes. Especially if used for communications like planning to engage in protests or whistle-blowing activity, employees should not expect that those communications will be fully private. To be sure, calling out political malfeasance or fraud is as dangerous now as ever before, which is why federal workers should take steps to protect themselves. Because President Donald Trump fired over a dozen inspectors general who typically would field government whistleblowing complaints, leaking to social media may become more prevalent.
Steps Employees Can Take to Protect Personal Communications
For the public sector, eliminating workplace surveillance is simply not possible. For employees concerned with the possibility of having their personal communications surveilled in the workplace, one of the most important concepts is that of risk assessment or threat modeling. When dealing with sensitive information take a minute to consider these five questions:
- what you are protecting;
- who you are protecting it from;
- what the actual risk is;
- the consequences of the information getting out;
- and what you are willing to do to avoid potential risks.
In addition to risk analysis, employees should consider the resources that may be used against them. Since we are talking about an employer, their capabilities are not entirely panoptic. The boss’s vision is limited by access to employees physically and digitally. Limiting their visibility into personal social ecosystems is becoming even more crucial in today’s technologically-dense environment.
If an employee signs on to a workplace virtual private network (VPN), the employer is able to know everything that happens on that device while on that network. Even when working from home on a personal laptop, the employee’s activities may be visible to an admin when logged into the VPN. Employees should therefore avoid carrying out any tasks like checking personal email, bank, or texts, while on the VPN or on a work device and turn them off when not in use.
Conversely, signing on to the workplace WIFI on a personal device (cellphone, laptop, wearables) could allow an administrator to access that information.
Most importantly, it’s difficult to predict whether an employee will become the target of a direct surveillance operation at some point in the future. While government employees typically focus on mitigating surveillance risks from external threat actors, in the current political climate they must take steps to guard against internal workplace surveillance as well.