On 21 May 2026, researchers at Northeastern University published a study that did something workplace-surveillance research has rarely managed. It measured where the data actually goes. Examining nine widely used employee-monitoring applications, the team found that all nine transmitted workers' personal information to third-party companies, including Microsoft, Google and Facebook.
The software in question belongs to the category sometimes called "bossware": applications that employees are required to install, which record keystrokes, mouse clicks and activity throughout the working day. The platforms studied, among them Hubstaff, Time Doctor 2, Deputy and When I Work, are used by employers including CVS Pharmacy, Dunkin' and Ace Hardware.
What the measurement found
The researchers created both employer and employee accounts on each platform and intercepted the network traffic the applications generated. The personal data shared included workers' first and last names, their email addresses, and the name of their employer. It was sent not only to major technology firms but to mobile advertising companies.
Beyond identity, the applications transmitted records of online activity. IP addresses, device information and the web pages workers visited were sent to more than 145 separate domains. A third of the platforms included the ability to track a worker's precise location at any time, even when the application was running in the background.
From monitoring to onward sale
The distinction that matters here is between collection and distribution. Workplace monitoring is, by now, an established feature of employment. What the Northeastern study documents is the second step. The data gathered in the name of productivity does not stay with the employer. It flows outward, to companies the worker has no relationship with and cannot identify.
Laura Edelson, a computer-science professor who reviewed the study, framed the contribution precisely. Researchers have produced years of qualitative work on workplace surveillance, she noted, but very little hard measurement of where worker data actually ends up. This study, she said, fills that gap.
The providers' own responses are instructive. When the researchers disclosed their findings, four of the nine companies replied. One, the maker of Deputy, said it uses a distributed network of trusted vendors to deliver its services, which it described as standard industry practice, and said it adheres to recognised data-governance standards. The defence is revealing precisely because it is routine. The sharing the study documents is not presented as an abuse. It is presented as the ordinary way these services are built.
The authors' recommendations are addressed to lawmakers. They call for restrictions on the collection and onward sharing of worker data, and ask regulators to examine whether the practices they documented breach the Fair Credit Reporting Act or rules against unfair and deceptive practices.
If a worker cannot see which companies receive the record of their working day, on what basis could they ever be said to have consented to it?
Opinion: Consent That Cannot Be Given
Workplace monitoring is usually defended as a condition of employment. The equipment belongs to the employer, the time is paid for, and the worker accepts oversight as part of the bargain. That argument, whatever its merits, governs the relationship between worker and employer. It does not extend to a chain of third parties the worker never agreed to and cannot name.
The Northeastern findings expose a gap that consent language cannot close. A worker might, in principle, accept being monitored by their employer. They cannot meaningfully accept the transmission of their name, their employer, their device and their browsing to 145 domains, because they are not told it is happening and could not list the recipients if they tried. Consent to a relationship is not consent to its onward sale.
The deeper issue is structural. The infrastructure of work has become an infrastructure of data collection, and the person generating the data is the one party with neither visibility into nor control over where it goes. The protections that might resist this, clear limits on secondary use, enforceable transparency, and a right to know who holds your record, are precisely what the current arrangement lacks.
The question the study leaves open is not whether workers are monitored. It is whether a record of how a person thinks and works, captured at their desk and sold onward without their knowledge, can remain theirs in any sense that matters, and what is left of privacy at work if the answer is no.
Declaration of Generative AI and AI-assisted technologies in the writing process:
The author made use of Generative AI or AI-assisted technologies in the preparation of this post.
Sources
Cesareo Contreras, "Worker data is ending up with third parties, Northeastern study finds," Northeastern Global News, 21 May 2026
Underlying study, Columbia Journal of Law and the Economy, 21 May 2026
The contents of this article are for informational purposes only and do not constitute professional, legal, or financial advice.




