A new study found that workplace monitoring software used by hundreds of thousands of companies shares employee data with Meta, Google, and data brokers. All nine bossware services examined in the research transmitted personal information beyond employers.
Workplace monitoring software—often called "bossware"—has become commonplace across corporate America. These tools track employee activity, from keystroke logging to screen monitoring. A comprehensive review led by Stephanie Nguyen, senior fellow at Columbia Law School's Center for Law and the Economy, reveals the scope of data leakage from these platforms.
The study examined nine major workplace monitoring services and found that all of them share employee data with third parties. Meta and Google are among the biggest recipients, gaining access to information about workers through tracking pixels and data integrations embedded in these monitoring tools.
Nguyen, who previously served as chief technologist at the Federal Trade Commission under Chair Lina Khan, oversaw the research that documents how bossware vendors collect detailed behavioral data and then distribute it to digital advertising platforms and data brokers.
The implications are significant. Employees believe their monitoring data stays within their organization, used only for workplace purposes. Instead, the information flows to major tech platforms that use it for targeted advertising and other commercial purposes. This creates a secondary surveillance system layered on top of employer monitoring.
The findings raise questions about workplace privacy and data practices. Employees have limited visibility into what data their monitoring software collects or where it goes. Many are unaware their activity feeds into advertising networks.
The research adds to growing scrutiny of both workplace surveillance tools and how major tech platforms acquire data. Regulators, including the FTC, have increasingly focused on data broker practices and how companies acquire personal information through third-party channels.
Neither Meta nor Google immediately responded to requests for comment on the study. The bossware vendors involved have not addressed the findings.
The study underscores the interconnected nature of modern data flows—where information collected for one purpose rapidly becomes valuable to other industries, often without meaningful user consent or awareness.
LastPass has issued a warning about an active phishing campaign using fraudulent security notices to redirect users to malicious websites. The scheme targets both LastPass and Bitwarden password manager users.
Microsoft has rolled out cumulative updates KB5101650 and KB5099414 for Windows 11, addressing security vulnerabilities and bugs across multiple versions. The updates target versions 25H2/24H2 and 23H2.
Iran leveraged known vulnerabilities in mobile networks to identify and target U.S. military personnel in the Middle East during the buildup to and early stages of armed conflict.
Security researchers can now validate system vulnerabilities by analyzing attack techniques rather than launching live exploits. This approach eliminates risks to critical infrastructure while still determining exploitability.