The network technology giant Cisco offers to turn Wi-Fi access points installed in offices and other buildings into a system that tracks the location of employees, customers, smartphones, laptops and other devices for a wide range of purposes #workersurveillance
I took a deep dive ⬇️ [thread]
My new case study published today explores behavioral monitoring and profiling in the workplace, with a focus on indoor location and desk occupancy tracking. It's part of a larger research project on employee surveillance.
Read the full 25-page study here:
https://crackedlabs.org/en/data-work/publications/indoortracking
To illustrate wider practices, I examined Cisco's 'Spaces' system.
It allows organizations to leverage Cisco's wireless access points and other networking infrastructure to analyze how employees "move throughout their physical spaces" and track their behavior, location and movement patterns.
Employers can see the current location of each device in the building on a map, access data on past movements and search for devices in order to locate them.
Employees who carry these devices can be identified via device IDs and usernames.
The system can also use Bluetooth/BLE for location tracking.
The system provides reports that display aggregate information about people currently located in a building.
In addition, it can categorize people based on their movements and behavioral profiling, and makes it possible to single out and target individuals in several ways.
Cisco promotes a wide range of applications that affect both customers and employees.
Companies can use the system to track and profile customers, make decisions on buildings or staff deployment, or to implement indoor navigation, patient tracking or student attendance tracking at universities.
Cisco describes many applications related to safety and security, e.g. detecting 'unusual asset usage' or employee equipment leaving the facility.
Hospitals can use it to monitor 'hand hygiene compliance'.
Cisco also suggests to use it for performance monitoring in manufacturing.
The system processes indoor location data on a massive scale and frequency.
Cisco claims that it has so far processed 24.7 trillion 'location data points' on almost 100,000 devices collected via 3.8 million Wi-Fi access points installed in offices and other buildings.
The fact that Cisco is able to provide these numbers raises the question about how the company processes the data for its own purposes.
I briefly address this question in section 3.2.6 of my case study, alongside Cisco's claims about privacy, data protection and 'GDPR compliance':
https://crackedlabs.org/en/data-work/publications/indoortracking
To make things worse, the system can also turn Cisco’s WebEx video conferencing devices and even its security cameras (!) into sensors.
Video camera data can be utilized to analyze the "behavior of people within physical spaces", including employees, students, customers or patients.
Third-party vendors can also offer applications that are integrated with Cisco data:
https://spaces.cisco.com/store/apps/
IBM, for example, offers an application that uses Cisco data to analyze how employees use offices and desks and how they move in buildings:
https://spaces.cisco.com/store/product/ibm-tririga-building-insights/
Juniper, another large network technology vendor, offers a similar indoor location tracking system.
Its access points can locate people either via their devices or via Bluetooth/BLE badges carried by them.
Juniper suggests to use the system to "locate key human resources such as nurses, security guards, and sales associates".
Together with third-party vendors, Juniper offers “tailored workflow applications” that utilize its location tracking system and “enable data-driven decision making”.
Juniper also provides employers with reports that show how employees move between different 'zones' in the office.
An example report in Juniper’s technical docs shows how 551 employee devices were located in a zone labeled 'break area / kitchen', with an average duration of 13.5 minutes per visit.
The report also provides records about each tracked activity, including the “device name” and the exact “enter” and “exit” times.
In my case study published today, I examine a second category of systems that enable employers to profile employee behavior in physical spaces.
Several technology vendors provide systems that use motion sensors installed under desks or in the ceilings of rooms to track desk and room occupancy.
https://crackedlabs.org/en/data-work/publications/indoortracking
The Belgian-German vendor Spacewell offers a system for “real-time office space monitoring” and “workplace analytics” that tracks how employees use desks, meeting rooms and entire offices.
It uses, for example, motion sensors that detect heat emitted by humans and 'low-resolution' cams that utilize computer vision.
According to Spacewell, employers can use the system to “get a detailed picture of how the building is used during the day”, “identify underused areas”, “reduce underutilized space”, “save on rent, energy and cleaning” and “optimize workplace experience”.
An additional module allows employees to book meeting rooms, or, in cases where flexible seating is used, also desks. The booking system can show where specific named employees are currently seated on the floorplan.
Note: The research in my case study refers to products offered by Spacewell in September 2023.
Back then, the company explained that employers can "watch changes that occur over a longer period at an accelerated rate" and then “sit back and watch it as a movie” in order to “get a feeling of how presence, utilization, and comfort parameters evolve during the day”.
Spacewell provides additional functionality, such as a 'smart' cleaning application.
The company provides some functions and information on data security, employee privacy and data protection. But in my view, Spacewell does not adequately engage with the risks posed by behavioral monitoring and profiling.
The 'workplace analytics' system offered by the Swiss vendor Locatee combines motion sensors with badge data and device location data, for example, collected via Cisco Spaces.
Locatee provides reports on “people behavior metrics” and “people presence enriched with team information”.
Employers can analyze, for example, how many employees attend the office each day, how many hours they spend there, how much time they spend at their desks and at which times they enter and leave the building.
These reports display aggregate numbers but still utilize behavioral profiling based on extensive personal data.
The 'team analytics' report, which analyzes how many hours particular teams spend in the office and how much time they spend on each floor, reveals data on small groups.
Not least, I summarize in my case study how employers installing under-desk motion sensors led to worker protests and media debates, ultimately leading to their removal #resist
This happened, for example, at the UK newspaper The Daily Telegraph (2016) and the UK bank Barclays (2017).
Both installed sensors from OccupEye, a firm that has since been acquired by the facility technology vendor FM:Systems, which states that it has deployed 250,000 sensors at 1,200 client sites across 80 countries.
In 2022, the US-based Northeastern University installed motion sensors under the desks of graduate student workers, who considered them to be 'intimidating' and 'unnecessary' surveillance that serves 'no scientific purpose' and just removed them from their desks, using them to form the letters “NO”.
The university stopped the project 🤖
In October, the university quietly introduced heat sensors under desk without notifying students or seeking their consent. Students removed the devices, hacked them, and were able to force the university to stop its surveillance.
Some concluding thoughts:
- Many data practices promoted by the vendors examined in my case study are likely illegal in Germany and Austria under labor law because they violate human dignity
- Some probably violate the GDPR and/or labor law in other European countries
- Most are probably legal in the US and other regions without strong legal worker protections against invasive surveillance
"Office buildings have become like web browsers – they're full of tracking technology"
The Register's @thomasclaburn wrote about my new study that examines behavioral monitoring in the workplace, including how Cisco turns its Wi-Fi access points into indoor location tracking systems:
https://www.theregister.com/2024/11/27/workplace_surveillance/
Wolfie Christl
