‘Bossware’ Is Spying on Workers and Sharing Their Data

In the 1880s, brothers Willard and Harlow Bundy invented “The Key Recorder,” the first mechanical time-clock—one of the first mechanical systems to capture worker movements in and out of the building. By the 1900s, “business efficiency strategists” expanded this logic, using photography to map workers’ bodies—turning physical labor into something that could be monitored and measured. Henry Ford pushed these ideas even further, instituting the moving assembly line for the Model T car, where labor and output became controlled and monitored. Innovations like these in the early 20th century laid the groundwork for modern workplace surveillance.

Today, workplace surveillance is far more sophisticated. Computers, mobile devices and wearable sensors are capable of generating far more granular behavioral data about both workers and consumers—including location, biometrics, pauses, activities online, and attempts to infer emotional states.

Indeed, workers are now subjected to surveillance at almost every step in the job market—from hiring and onboarding to evaluation for promotion and post-employment. Workers have little visibility and even less control over how their information is managed and leveraged. This emerging reality raises urgent questions about how workplace data is collected, shared, and repurposed—along with the mechanisms and actors that drive this surveillance.

Given the rise of the surveillance economy, we assembled an interdisciplinary team collaborating across four universities to investigate how workplace monitoring platforms—sometimes called “bossware”—collect worker data and whether that data is also collected by or shared to third party data brokers. Our report examines nine widely used workplace monitoring platforms—Apploye, Deputy, Desklog, Hubstaff, Monitask, Buddy Punch, Time Doctor 2, Vericlock, and When I Work—tracking how each app collects and transmits worker data in practice.

What we found was surprising: Workplace monitoring platforms are sharing identifying worker data and transmitting online activity data with hundreds of outside companies—in ways that are not clearly disclosed to workers, and in some cases, may contradict the companies’ own privacy policies.

1. Worker data is being shared. Every platform studied shared identifying worker data—names, emails, and company name data—with third parties in one session, generating 121 documented data-sharing instances involving companies including Facebook, Google, Microsoft, and AppLovin, a mobile advertising platform.

2. Workers’ online activity is being shared. All nine platforms transmitted workers’ online activity data—IP address, device information, web pages visited, unique identifiers—to 145 distinct third-party domains, including facebook.com, google.com, linkedin.com, and yandex.com, a Russian tech company known for its search engine.

3. Some workers are being tracked “at any time.” One in three platforms studied can track workers’ precise location at any time—including when the app is in the background or the worker is off the clock. Three apps require access to motion sensor data just to allow an employee to clock in.

So what should policymakers do? Perhaps most importantly, it is time to move beyond the “notice and consent” framework that has failed time and again to solve these problems. Instead, policymakers need to take more direct action, including banning the sale or sharing of worker data, prohibiting unlimited data retention, and barring collection of sensitive employee information. We also urge enforcement agencies to examine whether current practices violate existing federal and state law, including the Fair Credit Reporting Act and UDAAP statutes.

Workers are now facing and interacting with products like workplace monitoring platforms at almost every step of the labor market process—from hiring and onboarding to evaluation for promotion and post-employment. In particular, these dynamics point to a rapidly evolving data ecosystem in which workers have little visibility and even less control over how their information is managed and leveraged. This emerging reality raises urgent questions about how workplace data is collected, shared, and repurposed.

As this surveillance infrastructure expands, it transforms tracking from a background feature of the web into a structural condition of participation in society. What is at stake is the ability of people—both as consumers and workers—to participate in digital and economic life without being subjected to constant, opaque surveillance.

The full report is available here. The website is available here.