Every day when I boot up my company-issued laptop, I am greeted by a warning: “This computer system is the property of Time Inc. and is intended for use by employees and authorized agents of Time Inc. in accordance with its stated policies. Use of this system constitutes consent to monitoring and no expectation of privacy in such use.”
We live in the golden age, if you could call it that, of electronic surveillance. Whether it’s the National Security Agency harvesting millions of emails, or police and property owners in cities mounting cameras in public seemingly every five feet, or advertisers trailing you as you move around the web, you’re deluded if you think somebody isn’t following you at any moment. Even your TV may be peeping if you own a Vizio.
Why should the workplace be any different? There, as my own example suggests, many companies at least let us know they’re watching. Yet most of us forget, and ignore the fact that organizations are amassing copious information—our every log-in time, every website visit, every keyboard punch—on our actions and movements every single day. “They’re collecting everything you do,” says Avivah Litan, an analyst at research firm Gartner. “It can get pretty creepy,” she says.
The many ways companies keep tabs on employees are dizzying. On physical premises, businesses use closed-circuit cameras to capture video, contactless card readers to manage access and log hours, and audio recordings to check up on customer service. Some go as far as parsing emails and texts, raising flags whenever a trigger word—or today even a concept, since artificial intelligence may be employed—is spotted. GPS tracking, commonly available in company-owned vehicles, now extends to company-issued phones and even, on occasion, ID badges.
The limits are blurry at best. Phone tracking, precisely, begot a lawsuit in 2015 when a California company called Intermex allegedly fired a salesperson for refusing to use a phone app that would have let the company monitor her location at all hours. (The suit was reportedly settled last year.)
In a notable case in 2016, the Daily Telegraph, a British newspaper, installed heat and motion sensors underneath staffers’ desks. The purported goal was to make the office “as energy efficient as possible,” but some employees suspected that management wanted to track their hours to help identify candidates for downsizing. (The devices were removed after the newsroom revolted.)
And even if a company isn’t trying to spy, the ubiquitousness of cameras and now drones that watch and record all sorts of processes can create its own inadvertent dragnet. The supervisor on a construction site in Los Angeles fired two workers after a drone monitoring the site happened to catch them having sex on their break. The workers threatened to sue, arguing that the company failed to disclose the hovering eye beforehand. The company settled, according to its lawyer, Todd Wulffson of Carothers DiSante & Freudenberger.
These days, snooping doesn’t require fancy gadgets. Sites like Facebook and Twitter reveal a lot to bosses about how their staff spend their off-hours, and sometimes on-hours, whom they associate with, and where their political loyalties lie. “Social networking has created an almost indirect type of monitoring,” says Carothers lawyer Mark Spring. (Sign of the times: The website of a top employment law firm recently featured a question from an executive asking if she can fire a worker she saw in a political protest covered on TV.)
Of course, one side’s snooping is another side’s protection. If you’re a customer of a brokerage, given the long history of misdeeds in that industry, you may well be pleased that every email, instant message, and phone call is being recorded. Nir Polak, CEO of Exabeam, a cybersecurity startup that analyzes employees’ metadata, says there are two main reasons customers buy his firm’s monitoring product. The first is because an external attacker can compromise workers’ identities, hacking and impersonating them and using their credentials to run amok. The software can help pick out the “imposters roaming around in your IT environment,” Polak says.
The second is the fear of employees going rogue. Call it the Snowden factor. Say you’re a company developing intellectual property in another part of the world. Manufacturing firms, for example, must keep tabs on outsourced work, making sure no one is stealing, say, source code. “That’s what happened with globalization,” Polak says.
As a rule, the software masks identifying information, Polak says: “Only when something is deemed to be a threat do you get approval from the chief privacy officer or part of the legal team to be able to break the glass”—decrypting more granular personal data—“and see who the individual is,” he adds.
Given the ease of gathering data, companies are often unsure of how much or what to collect. Mike Olson, a senior information security analyst at outdoor-gear retailer REI, says there are few standards defining what’s okay. And does the company even want all that data to begin with? What if it can be used against the company in a wrongful-termination lawsuit or an age-discrimination case? Just because you can collect, does that mean you should?
European countries generally have greater respect for privacy than the U.S., says Bart Willemsen, a research director at Gartner and a former chief privacy officer based in the Netherlands. He talks up “data minimization”—collecting data only for a specific purpose, rather than gathering everything you can and finding a use later. It’s a nice idea. But as the monitoring technology gets ever cheaper and more powerful, it’s not hard to tell which direction this trend is headed in.
A version of this article appears in the March 15, 2017 issue of Fortune as part of the “100 Best Companies to Work For” package.