Photo credit: X/@businessprngEmployee monitoring software shares worker data with Google, Meta, Microsoft, LinkedIn, and a network of 145-plus outside domains, according to a Northeastern University study released on 21 May 2026. Researchers tested nine of the most-deployed workplace tracking apps, used by employers including CVS Pharmacy, Ace Hardware, Ben and Jerry's, and Dunkin', and found every one of them sending identifiable employee information to third parties. The data flowing out included names, email addresses, employer details, IP addresses, and lists of websites visited during the workday. A third of the apps offered precise background location tracking that ran even when the worker had closed the application.What 'bossware' is and what these tools track "Bossware" is the industry term, popularised by privacy researchers, for software that employers install on worker devices to monitor activity. The category sat in the corner of HR software stacks for years before the pandemic pushed it into the mainstream. The ExpressVPN 2025 employer survey put US adoption at 78 per cent. The global market for employee remote monitoring software is on track to hit $1.3 billion by 2027, per Reports and Data forecasts. Modern bossware moves well past attendance tracking, the table below lists what these platforms capture from a worker's device.CategoryCaptured signalActivity logsKeyboard and mouse activity, idle time, active timeApplication usageApps opened, time spent in each, switches between appsBrowsing dataWebsites visited, URLs, search queriesVisual captureScreenshots and full-screen recordingsProductivity scoringAlgorithmic ranking of output and engagementDevice dataIP address, operating system, hardware identifiersLocationGPS coordinates, network region, geofencingCommunication metadataMessaging app usage, email volume, call frequencyThe Northeastern researchers behind the study Coined for the cubicle era and popularised by remote work, bossware now sits inside a study with serious academic credentials. David Choffnes runs the privacy lab at Northeastern's Khoury College of Computer Sciences and co-authored the work. Stephanie Nguyen, a senior fellow at Columbia Law School's Center for Law and the Economy and former FTC chief technologist under Lina Khan - led the report. The nine apps the pair examined sit across multiple slices of the US workforce, household-name employers including CVS Pharmacy, Ace Hardware, Ben and Jerry's, and Dunkin' all appear in customer lists referenced in the study.PlatformTypical deploymentApployeMid-size service businessesDesklogIT services and BPO firmsHubstaffDistributed engineering teamsMonitaskOutsourced operationsBuddy PunchRetail and hospitality chainsVeriClockConstruction and field servicesWhen I WorkShift-based retail and food serviceDeputyMulti-site retail and food serviceTime Doctor 2Remote-first companies and BPOsThe finding: every employee monitoring app leaked data outside Across the nine platforms, the result was unanimous: every app transmitted worker data to outside companies. "Every single platform shared worker data with outside companies," Nguyen told The Verge. The data went to over 145 external domains, Google, Meta, Microsoft, LinkedIn, Russian search engine Yandex, and ad-tech firm AppLovin among them. The categories of data flowing out included names, email addresses, employer information, IP addresses, browsing history, and websites visited. Three of the nine apps offered precise background location tracking - coordinates continued flowing even when the worker had closed the application.The 'worker reputation economy' - the long-tail risk Nguyen and Choffnes warned that the data pipeline has implications past the current employer relationship. Bossware data, once it enters third-party tracking networks, can sit in advertising and analytics indexes for years. The study calls this the "worker reputation economy", a system where behaviour and tracking data may continue to shape the employee's digital identity long after departure from the company that ordered the surveillance. Earlier research finding that Uber and Lyft gig workers' Social Security numbers leaked to social media company servers sits as the cautionary precedent.India: where the DPDP Act meets employee monitoring Since 2020, India's enterprise stack has absorbed bossware at scale - IT services, BPO floors, startups, and consulting firms run productivity trackers across distributed teams. The legal frame has now tightened. India's Digital Personal Data Protection Act, 2023 came into operation with rules notified in 2025 and enforcement carrying into 2026. The framework recognises employee records as personal information and binds employers to four duties: clear notice of monitoring, defined business purpose, data minimisation, and storage limits. Section 7 of the Act lets employers process employee data for "employment-related purposes" on legitimate-use grounds, bypassing the explicit-consent requirement that applies elsewhere - but the privacy notice must be available in 23 languages and the scope of monitoring disclosed up front.The older permissive regime under Section 69 of the IT Act, 2000, and the Telegraph Act, 1885, which lets employers intercept and monitor activity on company devices, now sits inside the newer DPDP framework that demands transparency and proportionality. Continuous keystroke logging, full-day screen recording, and covert tracking carry heightened legal risk even where older statutes technically permit them. The 2026 shift is structural, from broad employer discretion to a privacy-first standard the regulator can enforce.AI takes bossware from logging to inferring Behind the dashboards, bossware vendors are wiring large language models into their interfaces to convert raw activity logs into behavioural assessments - flagging "disengagement," scoring "focus quality," predicting attrition risk from messaging patterns. The capability shift moves bossware from recording activity to interpreting it. The same dataset that produced one row per minute now feeds models that infer mental state, intent, and value to the employer. The Ponemon Institute's 2026 Cost of Insider Risks Global Report puts the annual cost of insider incidents at $19.5 million per organisation, which gives employers a budget line for deploying sharper AI monitoring under the security banner. The BlackFog late-2025 survey found that 49 per cent of employees admit to using AI tools outside the approved stack, which gives the same employers a reason to push harder.How employees can reduce their exposure Workers facing monitored devices have a limited but useful set of moves. Run a separate personal device for personal accounts and personal browsing - banking, shopping, messaging family, anything that belongs outside the job. Avoid logging into personal Google, Apple, or Microsoft accounts on company-issued laptops, which creates cross-account linkage that survives offboarding. Keep work activity on the company network and personal activity on home or mobile networks; the two stay separate by default. Read the IT acceptable use policy and the monitoring disclosure document the company is now required (under DPDP, in India) to provide. If both are absent or vague, ask HR for the specifics in writing. The asymmetry between employer and employee on monitoring will stay; documentation moves part of the leverage back.The regulatory pressure ahead Looking past the Northeastern study, bossware was already drawing scrutiny from US lawmakers, EU regulators, and Indian privacy advocates. The next phase will likely combine three pressures - sharper enforcement of the DPDP Act in India and the EU GDPR in Europe, lawsuits in the US based on third-party data sharing without disclosure, and worker pushback inside companies as monitoring becomes a hiring and retention issue. The technology of bossware will stay where the market wants it. The legal frame around it is starting to move at a different speed.end of article