A bill that is being considered by 30 states in the U.S. would force state contractors to install software that would perform screen-captures on the employee’s system, ostensibly to prove that they are indeed working on state projects during the hours that are billed to the state. But such a system can also unintentionally capture highly-sensitive consumer information, potentially creating compliance problems as the screen captures are shared.
One of the companies behind this effort—it has been lobbying these states for the law change—is Transparent Business. (Here is an example of one such proposed law.) Transparent argues that it has created several mechanisms to keep sensitive data from entering the state’s database, as well as their databases, but most pose a non-trivial labor burden on the workers.
The company’s marketing material, for example, said: “Audio and visual alert when a screenshot is taken, three minutes buffer time to delete it before it’s uploaded to the cloud.”
Three minutes? If a worker is in the middle of a complicated project—or perhaps is in the middle of a conference call—it not be highly disruptive to stop within 180 seconds and delete material. More to the point, not all workers have the background to make the determination of what is compliance sensitive and what isn’t. Those three minutes represent slim timing for a worker to get in touch with a supervisor to make a determination.
Another option offered by Transparent Business: “Workers can review their logs at any time to remove any private information.” This speaks to employee logs—as opposed to the screen captures—but it places the burden of activity on the worker, who is likely not used to continually removing sensitive data.
The risk is that as these laws are enacted throughout the country, state contractors could easily find themselves leaking sensitive PII and other sensitive data into cloud servers controlled by this vendor and by the state itself.