Consumer privacy breaches are in the news. But who's spying on you at work?

By Raju Vegesna, December 19, 2019
Summary:
The threat to consumer privacy often makes headlines, but Big Tech companies want to spy on us at work too, warns Zoho's Raju Vegesna.


Heavyweight tech corporations are turning into surveillance companies, tracking the behavior of businesses and users — who have become heavily reliant on their ubiquitous services and platforms. Few of us are aware of how widespread this has become. By championing advertising-first business models, Big Tech is knowingly putting user and business data at risk. The result has been a series of data leaks as well as consumer privacy breaches. Some recent examples include:

  • Facebook's privacy woes have been well documented. As the Wall Street Journal reports, "Facebook executives have been dragged before legislators on both sides of the Atlantic, after the company said data related to as many as 87 million people may have been improperly shared with Cambridge Analytica, a political analytics firm. And in September, Facebook said hackers had gained access to nearly 50 million accounts."
  • Back in 2014, five million Google passwords were leaked without causing much public ire. But in 2018, Google found itself in hotter water when the data of 52 million users was breached through a vulnerability in the company's essentially defunct Google+ social media platform.
  • In September the news broke that monitoring devices had been planted into an "untold" number of Apple products by hackers. Ironically, it was Google security researchers who alerted Apple to the problem, a problem Apple claims was widely overblown by their competitor.

A steady stream of privacy breaches

Outside of Facebook, Google and Apple, leaks have spiked among non-tech businesses, too, further frustrating and confounding customers who have grown increasingly exhausted by these leaks:

  • In November, department store Macy's revealed that it had been breached by an unknown third party that had inserted unauthorized computer code, which could potentially expose the "name, full address, phone number, email address, payment card number, card security code and card month/year of expiration" of customers.
  • Solara Medical Supplies, a California-based medical product provider, was the victim of a phishing scheme in November as well, potentially exposing the "Address, birth date, employee ID number, Social Security number, health insurance information, financial information, credit card/debit card number, passport details, state ID number, driver’s license number, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid ID" of more than 114,000 patients.

Thanks to a steady stream of privacy breaches by consumer applications in the news, more and more people are aware of the basics around data privacy. They get that their online habits are being tracked, and that the data is sold to advertisers who in turn use it to promote products and services that are considered relevant to them.

Big Tech is tracking you at work, too

But there is another, less publicized way that people's information is being mishandled, and it involves partnerships between technology companies and software vendors.

Most software vendors monitor customers, users, and prospective customers through cookies, or ‘trackers’ placed using simple embedded code. Software companies pay top dollar for advertising online and want to know whether that investment is translating to leads and increased traffic. These companies rely on free services such as analytics or tag management or usage stats provided by Big Tech companies and in turn pay by exposing user data. Unbeknownst to users, SaaS vendors will run trackers to qualify user behavior, check their click-through rates, and then share that information with third-party ‘surveillance’ companies as a kind of quid-pro-quo.

Let's say a popular CRM vendor is using Google, Adobe, and Twitter analytics on its homepage, or Facebook Pixel or Signal for usage statistics. Whenever an employee of a company uses that CRM, or even when a non-customer visits that CRM vendor's homepage, their information is being handed over. On its face, this is only a matter of privacy so long as the data stays secure. However, in this era of big breaches and given the track record of some of these large tech companies, the potential for a data leak is increased exponentially — all without the customer, user, or visitor knowing about it.

A simple search on Builtwith.com reveals that on one very large software vendor's homepage, over 20 separate companies were tracking visitors. It's one thing to track the personal online activity of a user — it's entirely different, however, to deal in the personal data of an unsuspecting employee who is using a service or software as a core function of their job.
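A vendor page can also be checked directly for the embedded code described above. The following is an added example, not part of the original article: it lists the third-party sites that a page's markup makes a visitor's browser contact. The function names are illustrative and every hostname in the sample is a constructed placeholder.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser send a request on page load.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def site_of(host):
    # Assumption: last two labels = registrable domain (real audits need the Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

class EmbedCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.embeds = []  # (tag, absolute URL)
    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(LOADING_ATTRS.get(tag, ""))
        if value:
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            self.embeds.append((tag, urljoin(self.page_url, value)))

def third_party_embeds(page_url, html):
    """Map each third-party site to the tag kinds that load from it."""
    first_party = site_of(urlparse(page_url).hostname)
    collector = EmbedCollector(page_url)
    collector.feed(html)
    found = defaultdict(set)
    for tag, url in collector.embeds:
        host = urlparse(url).hostname  # None for data: URIs, which are skipped
        if host and site_of(host) != first_party:
            found[site_of(host)].add(tag)
    return {site: sorted(tags) for site, tags in sorted(found.items())}

# Constructed sample page; every hostname is a placeholder.
SAMPLE_URL = "https://www.crm-vendor.example/"
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.crm-vendor.example/ui.js"></script>
<script async src="//tags.analytics-one.example/tag.js?id=X"></script>
<link rel="stylesheet" href="https://fonts.adnet-two.example/css">
<img src="https://px.social-three.example/tr?ev=PageView" width="1" height="1">
<iframe src="https://sync.adnet-two.example/match"></iframe>
<img src="data:image/gif;base64,R0lGOD">
"""

if __name__ == "__main__":
    for site, tags in third_party_embeds(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{site}: loaded via {', '.join(tags)}")
```

This reads static markup only, so trackers that a loaded script injects at runtime do not appear; the count it gives is a lower bound.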

Consumers flock to Big Tech surveillance companies because their services are offered for free — knowing to varying extents that they are paying with their data. Businesses, however, use these and other surveillance companies' services because they're mostly free and require minimal work, usually just embedding a little code. In this case, businesses are paying with user data, often without informing the user.

Both consumers and businesses are putting themselves at risk because the services they or their companies prefer are available for free, or because they are easy to implement, shortening go-to-market time. To give an example, if a business needs a website analytics solution, it has three options: develop the software in-house, purchase software, or use free software. Developing software in-house requires significant effort, whereas it is far simpler to either purchase software or use free software.

What is the solution?

The most secure course of action businesses can take regarding which software to use is to do as much research ahead of implementation as possible. Larger companies may opt to build certain tools in-house, ensuring that employee data stays on premises, but the cost and sophistication of this can be prohibitive for small and midsize companies. Not surprisingly, this option is the least common model of the three.

For businesses looking to use free or paid software while continuing to protect their employees' data and privacy in the workplace, there are a few questions they can ask of a prospective software vendor:

  • Are third-party privacy policies easy to understand? In most cases, not really. To give one example, taking a look at Zoom's privacy policy requires lots of time and the ability to understand some fairly technical jargon. Furthermore, some of the actual policies can be alarming. For instance: "[Zoom] Products do not support Do Not Track requests at this time, which means that we collect information about your online activity both while you are using the Products and after you leave our properties." This is obviously concerning for workers who are forced to use Zoom at work but would prefer that the company not track their online activity "after you leave their properties."
  • Does your employer pledge to keep employee data private? A recent Gartner survey found that more than half of companies used "non-traditional monitoring techniques" to track employees. In addition, when employees use apps such as Twitter while at work, they may be divulging information on how and when they use other common workplace apps, such as Salesforce or Zoom.
  • Does your employer use apps that don't collect consumer data? While some apps only collect data that's necessary for them to work effectively, others clearly take the practice to another level by unnecessarily tracking things such as online activity.

If today's businesses don't take action when it comes to privacy, they face many potential risks, such as losing key employees and damaging their company's reputation. On the flip side, educating employees in good faith has a number of benefits for business owners, such as attracting talent and building trust with their workforce.

Everybody wants to work for a company that is open and honest about how data and privacy may be affected when on company time, but employers and employees need to work together to fight against surveillance and technology that compromises data security and privacy.