[loose wire] post-covid, working from home is going to get ugly
As ever, would love to hear your thoughts on this and anything else on your mind. My consulting work with Cleft Stick is picking up again after a relatively quiet few months, and for those of you who contributed to the Life in the Pandemic podcast, my thanks. If you've not heard from me for a while, it's because the project is on a hiatus. More news anon.
Working from home will get ugly, but it's not because of the workers, or their homes
Working from home has been a relative success story of these Covid-19 times, but from here on in it's going to get ugly.
Working from home isn't for everyone, but that's often because people haven't tried it. Covid-19 has given a proverbial leg-up to those still wary of the fence. There are technology hurdles to overcome, as well as social ones. People who worked in offices and relied on pinging IT support as soon as a key started sticking, or grabbed a coffee as an excuse to chat with co-workers around the bean-grinder would inevitably face hurdles.
But surprise, surprise, turns out there are advantages of working from home, that those of us who already did it had worked out some time ago. Now the rest of the workforce is catching on. A survey in the UK (by a nursery provider, so you could argue it's not exactly in their interest to promote this) has found that only 13% of those 1,500 surveyed "want to go back to pre-pandemic ways of working, with most people saying they would prefer to spend a maximum of three days in the office", according to the Guardian.
Nearly two thirds of those believe their employers would be up for it. And well over half believe it would increase their loyalty to the company.
Of course the survey shoehorns in some other stuff, which arguably strengthens their business model: parents say they have had trouble coping with younger kids (and presumably could do with a nursery should this work from home lark continue beyond Covid-19. As you can see below, employers don't like kids.)
But I think it's good that more people are realising that, the stresses and isolation notwithstanding, working from home has its merits. If nothing else, it wakes people up to how unproductive the workplace can be. Meetings, people dropping by to chat, open plan offices, sick buildings: all are a big distraction, a threat to health and a time-suck.
And the pandemic is bringing home another reality: most of this office stuff can be done from home. A survey by Deakin University in Australia has found that 41% of full-time and 35% of part-time jobs can be done from home. The study uses a similar methodology to a U.S. study, which reaches similar conclusions. My tuppennies' worth: that number is extraordinarily high, if you think about the different kinds of work people do. But as countries dispense with production and move to services, and the Internet of Things improves the remote (and automated) control and monitoring of physical objects, this proportion will grow further. I've rarely come across someone in the services sector who couldn't do what they do out of a Starbucks. Even, sadly, the Starbucks employees themselves.
It's not the workers, it's the managers who are the problem
But this isn't where the problem lies. The problem is going to lie in managing these people. Managing a remote work force is quite different to managing a physical office. It's about faith: do you trust the people you hired to do a good job? If so, let them do it. I had a boss at my last employer who was upset if we were in the office, quite rightly saying the way to get stories was to go out and talk to people. His successor was the opposite, what I call "managing by line of sight." She liked to be able to see everyone at their desk and was suspicious if someone wasn't.
This is where things are going to get problematical. You need much better bosses with a broader range of EQ to be able to support and get the best out of your crew if they're all dispersed. If you start at the point of thinking they can't be trusted to be working, then you've already lost. On June 26 Florida State University told employees working remotely that it "will no longer allow employees to care for children while working remotely." Allowing this was in any case a 'temporary exception to policy' and approval for the Temporary Remote Work agreement "may be rescinded at any time if an employee:
- is unable to remotely perform the essential functions of their position; or
- is not adhering to the requirements outlined in the Temporary Remote Work Agreement; or
- remote work no longer meets the business needs of the department." 1
It's not hard to see where this is going. Companies -- and particularly places like universities -- that are largely agglomerations of buildings and people are going to find it hard to shift permanently to a more virtual arrangement. Universities, of course, are going to find it doubly hard because their hefty fees are largely based on the agglomeration factor. But big companies, too, are obsessed with the bricks and mortar of their self-image, and those managers who have risen through the ranks in such environments are going to be ill-disposed, and ill-equipped, to shift to anything virtual.
So expect to see some ugliness creep in. There will be less talk of 'keeping our workers safe' and of workplace flexibility and more like the above, as in "we've been extraordinarily kind and generous to our employees, but this nonsense can't go on forever; if you want to continue to play hooky you need to start filling out forms."
Teleworkers have long been used to that kind of passive aggressive intimidation and discrimination. I would expect to see more. Workplace surveillance, possibly in the form of ensuring social distancing. And tools to monitor the user's computer -- something whose heritage I'll argue in a future post is closely wedded to the world of spam and hacking.
Employee snooping is big business
I wrote previously about how snooping on employees is going to become
But that's just the start. There's a whole market -- worth $4 billion by 2023 according to this report 2 -- of employee surveillance tools. Some of them sound cute (Hubstaff, Time Doctor), some less so (VeriClock, ActivTrak, StaffCop and Work Examiner). Who wants this fella on your machine?
They all feed off the fear of the Manager By-Line-of-Sight, like Workpuls:
Remote work has certainly made employees more independent from their superiors, if nothing else, then because they simply aren’t in the same physical location. That means you are never quite sure if the staff is watching funny videos or actually working.
While no one expects people to work for eight hours straight, it’s important to ensure that they are working on tasks that actually have high priority, and not just answer a few emails and go out for ice-cream and rollerblading for the rest of the day.
This perception is fed by a longstanding piece of 'data' which claims that workers actually only work 2 hours and 53 minutes in any work day. This study is regularly cited, though its source rarely, as proof positive we're all lazy gits when it comes to home working. I’ve written a separate piece debunking this little gem.
So what do these tools do? Well, most monitor what software you're using, what websites you're logged into. The idea is to virtually handcuff you to work. For example, Time Doctor will
- ask the user if they're still working when they visit a social media site. "Whenever an employee accesses unproductive sites like these, the app automatically sends them a pop-up asking them if they’re still working. This little nudge is usually enough to get them off the social media site and back to work."
- Managers will have access to a 'Poor Time Use' report that details what sites an employee accessed and how long they spent there. Time Doctor can also take screenshots of employees’ screens at random intervals to ensure that they’re on productive sites.
- Some, like Keeper, will monitor employees' browsing history, ostensibly to check they're not venturing onto the dark web.
Workpuls, meanwhile, boasts
Our all-seeing agent captures all employee actions. From app and website usage, to words typed in a program, right down to detecting which tasks are being worked on based on mouse clicks.
These tools all integrate via APIs with other services and apps, so don't imagine that employee monitoring software can't track what you're doing when
The more sinister aspect to this is that managers not only don't trust their employees to work remotely, but they don't trust them not to steal stuff. And we're not talking paperclips. This is called Data Loss Prevention, or DLP, and is itself big business. One estimate 3 has the market worth $1.21 billion in 2019, rising to $3.75 billion by 2025.
These tools include (this according to a deck from Teramind)
- machine learning which scans an employee's workflow, 'fingerprinting' documents and then tracking any changes and movement
- 'on the fly' content discovery
- clipboard monitoring -- everything you copy and paste will be collected
- advanced optical character recognition: think studying images and videos watched and uploaded by employees to check for steganographic data exfiltration (steganography is when data is hidden in a supposedly harmless message, often a picture.)
It's not so much the eye-popping technology involved, as the realisation that everything that an employee does on a work computer (or a work-related computer) can be, and probably is, being monitored.
To be fair, companies like Teramind are focusing less on employee productivity and more on catching the bad apples. But these tools still sound to me overly intrusive.
From Russia with love
There's something else: Who, exactly, are these companies? StaffCop -- the dude with the shades -- is owned by Atom (and sometimes Atomic) Security Inc (sometimes LLC), which despite its name is actually based in the Russian city of Novosibirsk, in the southwestern part of Siberia. (Here's StaffCop's Russian website.)
A datasheet for its enterprise product promises "employee monitoring the way you couldn't imagine!" which probably sounds better in Russian. Staffcop is refreshingly candid about what it offers -- all the usual stuff, as well as a 'wayback machine' to rewind and see what an employee was doing at any specified period in the past.
It can even activate computer microphones to "actually hear what's going on around specific workstations and specific times." (It's not clear to me whether this is part of the 'wayback machine's' capabilities.) The datasheet also mentions being able to activate the computer's webcam. The latest version of its software, released on June 22, includes the following:
- can record any audio in any application
- can recognise faces on web-cam snapshots (presumably those photos discreetly taken by the employees' webcam)
In short, StaffCop is basically a way to hack into your employees' computers. And that, of course, raises not only ethical questions, but also practical ones. If a company is using StaffCop, say, what vulnerabilities might they have opened up? There are two possibilities -- does the hacking software itself incorporate inadvertent vulnerabilities, or render existing software vulnerable? And secondly, where is all this data the company is collecting on its employees going, besides the boss' console?
Well, to answer the first question, StaffCop has previous. In 2015, it was found to be using Redirector, a piece of software that intercepts traffic on a target computer and was developed by a now defunct company called Komodia. The software was built with the goal of snooping in mind, along with manipulating data (including decrypting it), injecting ads etc. Vulnerabilities with the software were discovered in 2015, which would have allowed third parties to conduct man-in-the-middle attacks, which are exactly what they sound like -- someone grabbing data on its journey between two computers.
So what about the company name? Any time I see a company having slightly different versions of its name, I get nosy. Atom Security Inc. was set up in 2001 and says that it is (was) a Microsoft Certified Partner. The CEO of the company is cited as one Dmitry Kandybovich, who appears to have 61% of the Russian entity LLC Atom Bezopasnost, and who on his rather threadbare LinkedIn profile is also listed as chief of sales for one AtomPark Software. AtomPark Software has a somewhat different pedigree, focused mainly on mass mail software. Indeed that's its domain name. AtomPark has long been in the cross hairs of the anti-spam brigade: The SpamHaus Project has a whole page dedicated to them, and in particular one Evgeny Medvednikov, who it says is (or was) owner of the domains staffcop.com, among others. 4
Medvednikov seems to have moved on, and is now based in New York, according to his LinkedIn profile, where he lists his achievements simply: "Run and scale Internet projects. Again and again. Can not disclose them all." (AtomPark is mentioned in a recommendation he gives one of his former employees.) He has invested in several U.S. companies, mostly email marketing companies. He founded SendPulse, a company which combines multi-channel marketing with chatbots, automating much of the process. It claims amongst its clients PwC, Radisson and Swatch.
––––––––––––––––––––––––––––––––
1 This announcement was 'clarified' on June 29, saying that these terms applied only to those "whose job duties require them to be on campus full-time during normal business hours (8:00 am to 5:00 pm) and is intended to create flexible work arrangements that serve both the needs of the employee and their work unit." It does not apply to those who were already telecommuting.
2 This report was done in 2019 and is not by one of the more reputable outfits. Like most of these reports, it should be taken with a pinch of salt. But its existence suggests there is growing interest by companies in this space.
3 Yes, I know we shouldn't take the numbers seriously
4 The page contains what is presumably a response: Atompark says: Being the designers of software solutions for email marketing, we would still like to note, that mass emailing is not illegal if the emails follow the guidelines of the CAN-SPAM Act. In brief, emails that are repeatedly sent unsolicited or contain misleading information (like fake TO: or FROM: information) are considered SPAM, but the weekly newsletter you signed up for is not. A mass email is also not SPAM if it's the first time that you are sending an email to that address and your recipient can unsubscribe from your email newsletter receiving.