The technology allows the company to see all the activity on the device and what is stored on it. But the company has to meet some rules for this to be legal.
At the beginning of 2017, a woman was fired because her company discovered that she was using the free time left by her reduced hours to do other jobs. The following year, a judgment of the Superior Court of Justice of Madrid found that her dismissal was inadmissible, among other things because the company had discovered what the employee did in the afternoons through a conversation she had with a colleague on Skype during her working hours. In this case, it was considered that the worker’s right to privacy had been violated because the company had not notified her that it could access the content of her conversations.
Confident of her privacy, the woman had personal conversations using the company’s devices. She was not aware of the extent to which the company can monitor the activity of its employees through, for example, the work mobile. “Without taking into account the legal part and focusing on the possibilities offered by technology, yes, the company can see everything you do with your work mobile and what you keep on it,” says Hervé Lambert, head of operations in the consumer area at Panda Security. “Malware can be used to access information, it is quite easy and is available to anyone. There are complete tool packs on the dark web and it would not be very difficult to know what one of your employees or your collaborators does.”
But most of the time, companies don’t even need to resort to malicious software. Since the devices are theirs, they do not have to hack the mobile to see what is inside; they only have to give applications the necessary permissions, for example, to access the camera. There are also settings that allow the company to view the photos on the phone: “If you are registered with the company email and you are using a corporate cloud service, then the system administrators can access the cloud account where those images are saved automatically,” explains David Jacoby, a security researcher at Kaspersky.
In addition, the company can also pre-install software that collects the information it seeks, usually related to the time spent using applications, social networks or WhatsApp, the sending and content of messages and calls, and even the location. “In general, they have access to everything you do with the phone,” explains Lambert. “They can install any application capable of spying completely on what is on the mobile and access it as a normal user of that phone, so they could see everything,” agrees Eusebio Nieva, technical director of CheckPoint in Spain and Portugal. “Except those applications that have encryption like WhatsApp.”
Nieva gives one of the keys: encrypted content, such as communications through WhatsApp, is more difficult to access. The conversations on this messaging service and the information shared in them are protected end to end, which means that no one between sender and receiver can monitor the communication. “So the most likely thing, unless they use hacking techniques, is that they can’t read those chats,” explains Nieva. “Although all systems are flawed and you can snoop on almost everything. It takes technical know-how and significant technological skill, but just because it’s complicated doesn’t mean it’s impossible,” adds Lambert.
Another entry point, apart from pre-installed software, is the Wi-Fi connection. When the device is connected to the company network, its content can also be accessed: “see what you save, what you are doing, discover your passwords to different pages… It’s like when you connect to a public Wi-Fi network,” explains Lambert. He insists, however, that encrypted information is more difficult to monitor, whatever the form of access to the information.
Although the company’s cybersecurity technicians can access all this information, these mechanisms are normally used not to capture data but to protect the devices. “There is an attack called a man-in-the-middle attack. It means that someone gets between your device and the website you want to visit. Anyone who is connected to Wi-Fi can do it,” explains Eusebio Nieva, CheckPoint’s technical director in Spain and Portugal. “It is a very common practice to have computers protected: they put a certificate from the company itself in the middle to be able to know if what you are downloading is harmful or not; just like they scan your email to see if they are sending you viruses.” In this case, the company is intercepting the communications, normally to analyze whether what is downloaded is secure.
If during this monitoring the company detects any behavior that it considers to be against its interests, it can take action. But it will only be able to use the data it accesses on employees’ mobiles if it has previously notified them that they are being observed. This is one of the few legal points that applies to almost any case. “In order for an employer to control the use of the devices, there must be prior communication,” explains Eva Gómez, a labor lawyer at Sanahuja Miranda. “The company has to advise that it can access the content of the devices and specify whether or not the worker has permission to use them for personal purposes,” explains Cecilia Pérez, a partner in the Garrigues Labor Department and an expert in digital economy issues.
If the company does not expressly communicate that it is forbidden to use the work mobile for personal purposes, “there is an implicit rule that says that it cannot control the device, because it has given the employee carte blanche,” explains Pérez. “If nobody advises him to the contrary, the worker acts under an expectation of privacy.”
The company is considered to have notified the workers if it delivers a circular to the staff prohibiting the use of these devices for personal purposes and indicating that there could be sanctions. The notice can also be included as a clause in the employment contract, in a format similar to that of the Privacy Terms and Conditions that users have to accept when registering with any social network. “This serves to establish the criteria for use and, in case of doubt, to have rules to consult,” explains Gómez.
Each case is different, though, and there are gray areas. The Workers’ Statute states that “the employer may adopt the measures that he deems most appropriate of surveillance and control to verify compliance with the obligations of each worker” but also that “workers have the right to privacy in the use of the digital devices made available by the employer”. So where is the limit? How far can the company snoop? “In practice, you have to do a case-by-case examination of each situation,” Gómez explains. “The company can access the device to make sure that the worker is doing his job but not in an unlimited way.”
Where appropriate, the judge evaluates whether the employer’s control has violated the worker’s privacy. “It is evaluated if there is another less intrusive measure to control the employee’s activity than spying on everything he does,” explains Pérez. For example, if there is an indication that the worker may have had an email exchange saying something that goes against company policy, and the company needs to access the device because there is no other way to get that proof, ideally it does this by searching for keywords in the email. That would be a proportionate control; what would be considered excessive in that case would be to read all the messages or to monitor unrelated information, such as photos.