Employees are often required to use Enterprise Security Software (“ESS”) on
corporate and personal devices. ESS products collect users’ activity data,
including users’ location, applications used, and websites visited, operating
from employees’ devices to the cloud. To the best of our knowledge, the privacy
implications of this data collection have yet to be explored. We conduct an
online survey (n=258) and a semi-structured interview (n=22) with ESS users to
understand their privacy perceptions, the challenges they face when using ESS,
and the ways they try to overcome those challenges. We found that while many
participants reported receiving no information about what data their ESS
collected, those who received some information often underestimated what was
collected. Employees reported a lack of communication about various aspects of
data collection, including the entities with access to the data and the
scope of the data collected. We use the interviews to uncover several sources
of misconceptions among the participants. Our findings show that while
employees understand the need for data collection for security, the lack of
communication and ambiguous data collection practices result in the erosion of
employees’ trust in the ESS and employers. We obtain suggestions from
participants on how to mitigate these misconceptions and collect feedback on
our design mockups of a privacy notice and privacy indicators for ESS. Our work
will help researchers, employers, and ESS developers protect users’
privacy in the growing ESS market.

