Workers’ information shared with third-party companies, new research reveals
Companies share workers’ information with third-party firms like Google and Facebook, new research reveals
Companies are sharing workers’ identifiable information and online activity to third-party companies, including Microsoft, Google and Facebook, using employee monitoring software known as “bossware,” new Northeastern University research has revealed.
The research, published today, helps uncover how little privacy protections employees really have in the workplace, explained David Choffnes, a professor in the Khoury College of Computer Sciences and one of the co-authors of the study. Additionally, he said, it highlights that the data isn’t only being collected by companies, but is actively shared with those outside it.
Bossware is monitoring software that companies require employees to install on their computers to allow them to track their keystrokes, mouse clicks and other activities, Choffnes explained. For years, privacy advocates have scrutinized companies that use this technology, but it has become widely adopted.
Around the country, close to 78% of employers use “online monitoring tools” to track workers, according to a 2025 survey conducted by the virtual private network technology service provider ExpressVPN.
For this study, researchers examined nine widely used workplace monitoring platforms used by big name companies, including Ace Hardware, Ben and Jerry’s, CVS Pharmacy and Dunkin’. Those nine apps were Apploye, Deputy, Desklong, Hubstaff, Monitask, Buddy Punch, Time Doctor 2, Vericlock and When I Work.
To collect their data, the researchers created both boss and employee accounts on each of the platforms’ desktop and mobile apps and used HTTP Toolkit, an open-source desktop application that allows users to track and intercept internet traffic, to collect data, according to an executive summary of the report.
The research revealed several key insights, Choffnes explained.
Northeastern Global News, in your inbox.
Sign up for NGN’s daily newsletter for news, discovery and analysis from around the world.
The report found that all nine of the platforms share workers’ personal data, including first and last names, email addresses, and the company they work for, with major technology companies such as Facebook, Google, and Microsoft, as well as with mobile advertising companies such as AppLovin
All of those platforms also shared workers’ online activity, including IP addresses, device information and web page visits, to more than 145 domains, including Facebook, Google, Linkedin and Yandex, a Russian search company similar to Google, according to the report.
A third of the platforms the researchers examined also have “features to track workers’ precise location at any time – even when the app is in the background,” researchers wrote in the report.
“This is another specific harm because essentially you now have the monitoring program able to follow you as you move around the world,” he said.
When researchers disclosed their findings to the nine platform providers, four responded, according to Alan Mislove, a professor in the Khoury College of Computer Sciences and a co-author of the paper.
The makers of the workplace monitor platform Time Doctor 2 responded with a response generated by a company chatbot thanking the researchers for sharing their report and findings, adding that “both data and external communications may serve legitimate tracking, analytics or operational purposes, but reviewing in proper context is key.”
The makers of When I Work, responded by asking the researchers to send the findings again, he said.
Ciaran Hale, chief technology officer of Deputy, in an email said the company “uses a distributed network of trusted vendors to deliver our services, which is standard industry practice,” and that it “strictly adheres to ISO and industry-standard global data governance standards.”
Editor’s Picks
“This includes practicing data minimization to ensure that only the minimum necessary information is shared with these vendors, the vast majority of which is non-identifiable,” she added.
A representative from Hubbstaff told the researchers they would get back to them by 5 pm EST. on May 21.
Laura Edelson, a professor in the Khoury College of Computer Sciences who served as a reviewer of the report, said the researchers’ findings provide “empirical confirmation of something a lot of us have long suspected but couldn’t prove.”
“We’ve had years of qualitative and normative work on workplace surveillance, but very little hard measurement of where worker data actually goes,” she said. “This study fills that gap.”
In terms of recommendations, the researchers are suggesting lawmakers and policymakers step up by banning the collection and sharing of worker’s data, and restricting app makers from adding surveillance features into their workplace applications.
They are also calling on lawmakers to examine if the researchers’ findings prove that these companies violated the Fair Credit Reporting Act, which protects people’s consumer report information, and Unfair Deceptive, or Abusive Acts of Practices rules, which protects people from deceptive business practices.
“Our research shows there are significant privacy implications in requiring workers to use [such apps], and will hopefully spur more work in this space to fully understand how they are impacting workers, and what the third parties who receive this information are doing with this data,” Mislove said. “Our hope is that this work will help lawmakers and regulators as they are trying to understand how to best protect workers.”
