What helped federal authorities link Winner to the leak were unrelated personal emails she had sent to the Intercept news site weeks before, which surfaced when investigators searched her computer. But how were officials able to gain access to her personal accounts? The answer, according to some former NSA analysts, is that the agency routinely monitors many of its employees' computer activity.
The case offers a reminder that virtually every American worker in today's economy can be tracked and reported — and you don't even have to be the NSA to pull it off.
“She emailed the Intercept using her work computer,” said Michelle Richardson, a privacy expert at the Center for Democracy and Technology, a Washington think tank. “They can monitor the traffic on their systems, look at the six people who printed the doc, and see that she was the one who had contact.”
The NSA didn't immediately respond to a request for comment.
Employee monitoring is so extensive in American society that it may be difficult for workers to know just how far they might have to go to avoid it. It is a $200 million-a-year industry, according to a study last year by 451 Research, a technology research firm, and is estimated to be worth $500 million by 2020.
Monitoring techniques have become quite sophisticated, enabling employers to track not only what websites their workers visit, but also when they plug in USB storage devices, move or copy files, and what programs they run, privacy experts say. One company even allows bosses to play back videos of what took place on a user's screen and can collect “communications activity” both on traditional email programs as well as “popular webmail services.”
Employee monitoring recently came to light in a high-profile lawsuit involving Uber and Waymo, the self-driving car company owned by Google's parent firm, Alphabet. In accusing former Waymo employee Anthony Levandowski of stealing trade secrets and taking them to Uber, Waymo said it was able to determine that Levandowski installed inappropriate software on his company-issued laptop, then downloaded thousands of confidential files before putting them on an external storage device he connected to the machine.
Despite Levandowski's attempt to then “erase forensic fingerprints” by reformatting the laptop's hard drive, Waymo said, the company was nonetheless able to gather the requisite evidence — likely using monitoring technology, analysts said.
Even workers who don't report to an office every day are subject to monitoring. The proliferation of GPS devices in smartphones now means that even truck drivers can be tracked. A recent report from the technology research firm Aberdeen Group found that nearly two-thirds of companies with employees who work “in the field” were tracking their employees with GPS.
The earliest forms of modern employee monitoring date to the early 1910s, when companies would use mechanical counters to track how quickly workers were typing on their typewriters, according to Jitendra Mishra and Suzanne M. Crampton, who co-wrote a study in 1998 on the topic. They noted that “what has changed in more recent years is the method of supervision and the extent of information gathering capabilities available.” That includes phone and video surveillance, keystroke logging and other forms of monitoring.
Since then, numerous court cases have given employers a remarkable amount of freedom to watch their workers. In 2010, the Supreme Court heard a case involving two police officers who had been punished at work after it was discovered that they had used their mobile devices to send personal text messages. The officers argued that the police department's search of their devices was unconstitutional under the Fourth Amendment, but the court unanimously ruled against them, saying it was a reasonable search and that the officers should have known that their work devices might be inspected.
Privacy advocates have been pushing for years to have Congress review various communications privacy laws in light of updates to technology. Many argue that the 1986 Electronic Communications Privacy Act does not provide enough protections to consumers today because many emails, text messages and other content can be summoned by law enforcement with little more than a subpoena.
“ECPA was first passed in 1986 before Congress could imagine the wealth of personal information that would be stored on third-party servers rather than private hard drives,” the Electronic Frontier Foundation, a technology advocacy group, has said.
Congress took a step toward updating the country's digital privacy laws in February, when the House voted to approve the Email Privacy Act. While the bill has largely stalled, it proposes requiring a warrant for searching emails that have been sitting in an account for more than 180 days.
Still, given the other case law surrounding employee surveillance, it's important to note that changes to the ECPA might not put an end to routine employer monitoring. So you might still want to be careful with what you do on your devices at work.