It's the item with the words "leavers classifier" in the title.
Hah, creepy technology. I suppose they could do a lot more, like using metrics to measure productivity, and if it's below what the employee usually has, then, maybe they've lost motivation.
They pretty much do this already. If you opt in to office insights you get mails like "hey you @mentioned your colleagues 22% less this week, maybe you should engage more with your team!".
> Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are explicitly opted in by an admin, and audit logs are in place to ensure user-level privacy.
> And employees are opted in without any notice from their employer
[edit] Obviously professional communication channels are monitored, but it would still be nice to be informed when policies change. (Anyhow, personal and professional communications should always be kept separate to avoid this issue)
As far as I understand this is not just email, but teams conversations as well (though I'm not sure if it applies to both voice & text or just text, but be aware that Teams already has voice to text built right in!)
And also be aware that the 'watercooler' conversation has been replaced with digital forms over the last 2 years, meaning a look over your shoulder to see who's within earshot is no longer sufficient. And it's not always obvious that someone (or something, in this case) may be watching.
In the last 2 years most of my comms with my colleagues went from 90% face to face to 80% digital. Big difference. And it's not healthy either to not talk about frustrations at work.
Yeah MS is just making and selling tools to make dystopian omnipresent AI surveillance easier and more likely, they're not actually forcing anyone to use them, so it's 100% ok and moral.
How is it not in a businesses best interest to identify who wants to leave? Are you assuming they'd get fired or something? Maybe they are integral to the company and they'd get a raise or some other perk.
Still, it's not good when someone has private concerns to intrude on these.
This barrier exists for a reason. It will only make coworkers more fake because they will watch more what they say. A panopticon is never good.
PS: If my work starts using this I will start doing a "compliance bingo", to try and trigger as many detections as I can every day :) And I will say so publicly.
It’s not valuable information in that there’s no much a company can effectively do to change anything. From a security and operational risk perspective it should be covered under existing policies and everything else is fine to be reactive.
The false positive risk is more harmful than any benefit gained.
The odds of “I read your email and saw you’re thinking of leaving so here’s a raise” working are negligible.
This seems like a way for someone to waste time on thinking they know something useful.
I’d love to see how frequently people talk about this and leave. I expect there’s dozens or hundreds of instance of people who apply for a job or network looking for jobs vs people who leave. There’s no published data on identified leavers who leave so that’s where my assumption that this is garbage data.
There is a reasonable expectation not to be targeted by adversarial AI though. This feature makes a terrible future. I will never recommend a client use MS email again.
What the flying f***.. Is this going to be a standard part of Microsoft 365?
Edit: Nope, luckily not. It's part of Microsoft Purview, which is an add-on to M365 by the looks of it: https://www.microsoft.com/en-us/security/business/microsoft-... . At least it's not going to bother everyone that uses M365. It probably costs a lot to add on too. Meaning our company will probably not use it. Phew.
But whoever's employer does buy this are now constantly going to be scanned for potential malicious activity at work. Sounds like a scene from The Circle, or worse, The Every. Where the characters constantly have to express how happy they are and how aligned with the company because they're insta-fired if they're in the bottom 10%. This was meant to be a work of fiction. 1984 was not a manual, Microsoft.
When Microsoft started their data farming with office insights "purely anonymous and intended to help increase your personal performance!!" I always knew it was a way of introducing much worse. But I didn't imagine they'd go this far this quickly, I assumed they'd just use all the data for marketing and misguided employee performance metrics. I say "misguided" since Office insights used the same "healthy" metrics for online meeting hours, concentration hours etc regardless of employees' roles, which obviously differ greatly in the type of work and amount of collaboration. I'm not sure if it still does this by the way, as I turned it off after the first weeks. Which by the way doesn't stop it collecting data, it just stops emailing me about it.
It's a totally different thing to accuse employees of wrongdoing based on AI algorithms though.
Imagine saying something like "oh god what a day, I hate this place" in a private teams chat after a frustrating meeting. +1 potential leaver point. Or "hey I hope they're going to give us some nice goodies at that event!". +1 suspicious gifts point. A few more points and way to go, you're on the HR shitlist. Sure, Microsoft recommend an "explicitly opted-in investigator" looks at it but who has time to spare these days. It'll just end up a metric on an excel sheet somewhere.
I'm sure the data will be "anonymised" but this will probably mean that it will be averaged across a team. Since most of our teams are really small, it's really not that anonymous. And in fact, it makes it even harder to disprove, a low 'leaver' score might be caused by one colleague and put a dark shade over the entire team.
I really don't like this at all. I understand that corporate comms tools are not meant to be private. But to me that means someone could look at it in the case of major transgressions. Not to constantly look at it and weigh every word in search of things which aren't even transgressions (as far as I recall, wanting to leave an organisation is still legal).
PS: Also... "usernames are pseudonymized by default". What do you mean "by default"???, so it can be switched off to not pseudonymise?
I really wonder how legal this is in the EU, especially stricter countries like Germany.
I am shocked and dismayed that a team of software developers would be willing to implement this kind of feature. The following poem comes to mind:
First they came for the Communists
And I did not speak out
Because I was not a Communist
Then they came for the Socialists
And I did not speak out
Because I was not a Socialist
Then they came for the trade unionists
And I did not speak out
Because I was not a trade unionist
Then they came for the Jews
And I did not speak out
Because I was not a Jew
Then they came for me
And there was no one left
To speak out for me
I've used communication compliance for various things and in short - if a communication flags on a policy set up by an admin, it generates an alert that is reviewed by an analyst. By default, the username and associated metadata are masked. The analyst can tag the communication as compliant, non-compliant, or ask a second tier analyst to review.
The analyst can also open up an investigation in the eDiscovery module, which prevents the documents from being deleted and allows attorneys or analysts to perform additional searching and tagging. The username, mailbox, and other metadata is not masked in eDiscovery, and so in order to access the investigation someone would need additional permissions.
The upshot though is that even if the classifier detects a message, a human analyst would need to decide how to tag the message, and the decision for how to do so would need to be done according to a defensible policy.
To your concern about not having to look at every word/message - it's less invasive to only investigate targeted communications than to read every message, or sample a fixed number or percentage of messages. I'm not entirely convinced that a ML approach is that much more useful than having a list of risk keywords because there isn't an easy way to measure and tune to the percentage of true positives detected or how many false positives you need to review to find true positives.
Supervised machine learning like this is used pretty regularly during lawsuits to make the exchange of information more efficient but when people use an algorithm to avoid reviewing documents there is typically a process to demonstrate within a certain confidence level and margin of error that the relevant documents have been produced. But if used in a corporate investigation where you would want a higher confidence level and lower margin of error. And to get a higher statistical degree of confidence you need to review more.
I really don't understand how a company could distrust their employees as much as this to have a process and people in place to do all this crap. If they trust them that little, why are they even in business?
I can understand some industries might need it for some compliance thing. Law enforcement perhaps. But really some of the things that MS are tagging are completely arbitrary. Just the way you might want to leave, this is not something that could ever be associated with any kind of governmental compliance. It is simply not wrongdoing at all nor any indication of it.
I work closely with our insider threat team and they don't do anything preventative like this. They just investigate when allegations have been raised, and even then they are really hands-off in terms of internal comms. They have to get special permission to access that, showing proof of the allegations. They behave like the police would, get explicit permissions (akin to a warrant in law enforcement).
The process you describe is more akin to what an intelligence organisation would do, with dragnet surveillance. Totally not acceptable in a business environment IMO.
I have zero confidence that this system is smart enough to differentiate between all these things and the legitimate variants thereof that companies actually want people doing or discussing and likely outnumber the bad by orders of magnitude.
We have detected overly negative language in your correspondence that we have correlated with being a danger to yourself or others. Due to this we have decided to terminate your employment immediately. Please find attached references to local psychiatrists that may be able to help you with your reeducation. Have a nice day!
Don't use your work computer for non-work related things, especially looking for another job. Get another computer for your personal use. The company owns those company assets and can do with them what they want. You don't have an expectation of privacy on your company computer.
No you don't. But you do have a working relationship with your colleagues which is increasingly digital (don't forget the huge shift to WFH!) and thus all captured and analysed by software like this.
Such human relationships may include banter which may be about how you might like the look of the canteen girl, about frustration at processes, about going for dinner with a vendor.
All things which would be flagged under this. This is not your regular "personal use" web usage monitoring which we've all come to loathe.
Yeah i don’t do any of the things you said when using the companies computer and I WFH
It is okay to ask for people’s WhatsApp / Facebook and so on to talk about this sort of stuff
Even if the national law would permit it there, I would really want a front row seat when this would be presented to the worker's council. That would be some show :)
So this is just Email and Teams, right? This isn't corroborated with intrusive MITM-extracted browser history from work computers, right? Right !?
Dear company IT spy overlords, my use of LeetCode is exclusively to learn new interviewing techniques to help me bring in only the best of the best to our amazing company! /s
Having used the comm compliance tool in m365 and other similar tech - a lot of the comments here seem to miss the point. "Leaver" IT policies are fairly common security practices to limit the risk that someone takes IP or customer lists with them to another job. The point is not to detect whether someone is going to quit but rather to detect unapproved behaviors by someone as they are on the way out the door. There are various compliance tools in Office 365 designed for data retention, eDiscovery, and investigation and this is an offshoot of that. It is more efficient and less obtrusive to target suspect behaviors than to have an analyst or attorney download and review all of an employee's communication and activity.
As I've seen communication compliance used, the leaver policy is enabled when a person is marked within an HR system as leaving the company, or when their Active Directory account is disabled. If certain sequences of activity occur such as downloading lots of files from SharePoint and they are copied to a USB drive or to an external file share, or if a file previously owned by the leaving employee is accessed after the AD account is disabled by an external user, it fires off an alert.
I'm skeptical about the value of the use of a "classifier" given that there isn't much documentation that explains how it works, how it's trained, and any documented workflow to statistically validate the model. Instead of using "classifiers" you can create custom policies based around keywords, regex patterns, or targeting sequences such as download x # of files then copy then delete. I think it would be interesting if you could build a custom classifier using your own positive and negative examples, define your own score thresholds, train models around specific excerpts rather than on entire emails, and test the classifier using a set of human reviewed data.
Regardless though - I'm far less suspicious of the general idea that companies are focused on "inside threats" than whether they understand how things work. Machine learning algorithms are basically just fancy text searching backed by statistical analysis but there are a lot of input variables and also a few different ways to defensibly measure the performance of the tools. The M365 tool doesn't expose much of that and a lot of compliance teams are probably going to be concerned about wasting time chasing false positives.
For sake of discussion: aren't there uses of this that aren't nefarious?
Their claim that employees intending to leave "may put the organization at risk of malicious or inadvertent data exfiltration upon departure" is, cynically, corporate bs; but data theft or vandalism isn't entirely unheard of by departing employees.
Ever moved your source code to a thumb driver before you left your job, even though your contract technically forbids it, you've signed away the IP rights, etc?
It's weird to assume that noone would copy the data before resigning instead of after resigning though. Especially if your company might immediately garden leave you.
Since it’s Microsoft AI, I assume it will be lousy and full of false positives and predict lots of false negatives.
It’s weird how there is no predicted accuracy and no SLA or any measure to hold it to. So should be a frustrating time using the information properly. I assume smart people will ignore the results and idiots will think it means someone will leave.
42 comments
[ 3.2 ms ] story [ 84.2 ms ] threadHah, creepy technology. I suppose they could do a lot more, like using metrics to measure productivity, and if it's below what the employee usually has, then, maybe they've lost motivation.
Well nothing to worry about then.
> And employees are opted in without any notice from their employer
[edit] Obviously professional communication channels are monitored, but it would still be nice to be informed when policies change. (Anyhow, personal and professional communications should always be kept separate to avoid this issue)
And also be aware that the 'watercooler' conversation has been replaced with digital forms over the last 2 years, meaning a look over your shoulder to see who's within earshot is no longer sufficient. And it's not always obvious that someone (or something, in this case) may be watching.
In the last 2 years most of my comms with my colleagues went from 90% face to face to 80% digital. Big difference. And it's not healthy either to not talk about frustrations at work.
Now I'm in the position to make this call for my org and I wouldn't use it.
This is a tool for org admins, this isn't MS being evil. If your company uses it, be pissed at them if you so choose, not MS.
It’s like people who write spam software who say “it’s really up to spammers who choose to use this software, don’t blame us.”
There’s really not a positive reason to identify “leavers.” Their data exfoliation reason is bogus and should be prevented by other reasons anyway.
Take your tinfoil hat off and get outside.
This barrier exists for a reason. It will only make coworkers more fake because they will watch more what they say. A panopticon is never good.
PS: If my work starts using this I will start doing a "compliance bingo", to try and trigger as many detections as I can every day :) And I will say so publicly.
The false positive risk is more harmful than any benefit gained.
The odds of “I read your email and saw you’re thinking of leaving so here’s a raise” working are negligible.
This seems like a way for someone to waste time on thinking they know something useful.
I’d love to see how frequently people talk about this and leave. I expect there’s dozens or hundreds of instance of people who apply for a job or network looking for jobs vs people who leave. There’s no published data on identified leavers who leave so that’s where my assumption that this is garbage data.
That’s weasel talk. Opt in means you get to choose if you want it.
They’re turning it on by default and not telling people.
This is the most bullshit thing Microsoft has done in decades.
Edit: Nope, luckily not. It's part of Microsoft Purview, which is an add-on to M365 by the looks of it: https://www.microsoft.com/en-us/security/business/microsoft-... . At least it's not going to bother everyone that uses M365. It probably costs a lot to add on too. Meaning our company will probably not use it. Phew.
But whoever's employer does buy this are now constantly going to be scanned for potential malicious activity at work. Sounds like a scene from The Circle, or worse, The Every. Where the characters constantly have to express how happy they are and how aligned with the company because they're insta-fired if they're in the bottom 10%. This was meant to be a work of fiction. 1984 was not a manual, Microsoft.
When Microsoft started their data farming with office insights "purely anonymous and intended to help increase your personal performance!!" I always knew it was a way of introducing much worse. But I didn't imagine they'd go this far this quickly, I assumed they'd just use all the data for marketing and misguided employee performance metrics. I say "misguided" since Office insights used the same "healthy" metrics for online meeting hours, concentration hours etc regardless of employees' roles, which obviously differ greatly in the type of work and amount of collaboration. I'm not sure if it still does this by the way, as I turned it off after the first weeks. Which by the way doesn't stop it collecting data, it just stops emailing me about it.
It's a totally different thing to accuse employees of wrongdoing based on AI algorithms though.
Imagine saying something like "oh god what a day, I hate this place" in a private teams chat after a frustrating meeting. +1 potential leaver point. Or "hey I hope they're going to give us some nice goodies at that event!". +1 suspicious gifts point. A few more points and way to go, you're on the HR shitlist. Sure, Microsoft recommend an "explicitly opted-in investigator" looks at it but who has time to spare these days. It'll just end up a metric on an excel sheet somewhere.
I'm sure the data will be "anonymised" but this will probably mean that it will be averaged across a team. Since most of our teams are really small, it's really not that anonymous. And in fact, it makes it even harder to disprove, a low 'leaver' score might be caused by one colleague and put a dark shade over the entire team.
I really don't like this at all. I understand that corporate comms tools are not meant to be private. But to me that means someone could look at it in the case of major transgressions. Not to constantly look at it and weigh every word in search of things which aren't even transgressions (as far as I recall, wanting to leave an organisation is still legal).
PS: Also... "usernames are pseudonymized by default". What do you mean "by default"???, so it can be switched off to not pseudonymise?
I really wonder how legal this is in the EU, especially stricter countries like Germany.
The analyst can also open up an investigation in the eDiscovery module, which prevents the documents from being deleted and allows attorneys or analysts to perform additional searching and tagging. The username, mailbox, and other metadata is not masked in eDiscovery, and so in order to access the investigation someone would need additional permissions.
The upshot though is that even if the classifier detects a message, a human analyst would need to decide how to tag the message, and the decision for how to do so would need to be done according to a defensible policy.
To your concern about not having to look at every word/message - it's less invasive to only investigate targeted communications than to read every message, or sample a fixed number or percentage of messages. I'm not entirely convinced that a ML approach is that much more useful than having a list of risk keywords because there isn't an easy way to measure and tune to the percentage of true positives detected or how many false positives you need to review to find true positives.
Supervised machine learning like this is used pretty regularly during lawsuits to make the exchange of information more efficient but when people use an algorithm to avoid reviewing documents there is typically a process to demonstrate within a certain confidence level and margin of error that the relevant documents have been produced. But if used in a corporate investigation where you would want a higher confidence level and lower margin of error. And to get a higher statistical degree of confidence you need to review more.
I can understand some industries might need it for some compliance thing. Law enforcement perhaps. But really some of the things that MS are tagging are completely arbitrary. Just the way you might want to leave, this is not something that could ever be associated with any kind of governmental compliance. It is simply not wrongdoing at all nor any indication of it.
I work closely with our insider threat team and they don't do anything preventative like this. They just investigate when allegations have been raised, and even then they are really hands-off in terms of internal comms. They have to get special permission to access that, showing proof of the allegations. They behave like the police would, get explicit permissions (akin to a warrant in law enforcement).
The process you describe is more akin to what an intelligence organisation would do, with dragnet surveillance. Totally not acceptable in a business environment IMO.
"Sci-Fi Author: In my book I invented the Torment Nexus as a cautionary tale"
"Tech Company: At long last, we have created the Torment Nexus from classic sci-fi novel Don't Create The Torment Nexus"
-- https://twitter.com/alexblechman/status/1457842724128833538
We have detected overly negative language in your correspondence that we have correlated with being a danger to yourself or others. Due to this we have decided to terminate your employment immediately. Please find attached references to local psychiatrists that may be able to help you with your reeducation. Have a nice day!
Such human relationships may include banter which may be about how you might like the look of the canteen girl, about frustration at processes, about going for dinner with a vendor.
All things which would be flagged under this. This is not your regular "personal use" web usage monitoring which we've all come to loathe.
I would never put anything like that in email, or even say it in a teams call.
“Never write a letter, and never destroy one.” - Cardinal Richelieu
Companies shouldn't be able to access 1:1 correspondence between employees without some kind of complex legal process first, IMO.
Dear company IT spy overlords, my use of LeetCode is exclusively to learn new interviewing techniques to help me bring in only the best of the best to our amazing company! /s
https://en.wikipedia.org/wiki/Pre-crime
As I've seen communication compliance used, the leaver policy is enabled when a person is marked within an HR system as leaving the company, or when their Active Directory account is disabled. If certain sequences of activity occur such as downloading lots of files from SharePoint and they are copied to a USB drive or to an external file share, or if a file previously owned by the leaving employee is accessed after the AD account is disabled by an external user, it fires off an alert.
I'm skeptical about the value of the use of a "classifier" given that there isn't much documentation that explains how it works, how it's trained, and any documented workflow to statistically validate the model. Instead of using "classifiers" you can create custom policies based around keywords, regex patterns, or targeting sequences such as download x # of files then copy then delete. I think it would be interesting if you could build a custom classifier using your own positive and negative examples, define your own score thresholds, train models around specific excerpts rather than on entire emails, and test the classifier using a set of human reviewed data.
Regardless though - I'm far less suspicious of the general idea that companies are focused on "inside threats" than whether they understand how things work. Machine learning algorithms are basically just fancy text searching backed by statistical analysis but there are a lot of input variables and also a few different ways to defensibly measure the performance of the tools. The M365 tool doesn't expose much of that and a lot of compliance teams are probably going to be concerned about wasting time chasing false positives.
Their claim that employees intending to leave "may put the organization at risk of malicious or inadvertent data exfiltration upon departure" is, cynically, corporate bs; but data theft or vandalism isn't entirely unheard of by departing employees.
Ever moved your source code to a thumb driver before you left your job, even though your contract technically forbids it, you've signed away the IP rights, etc?
It’s weird how there is no predicted accuracy and no SLA or any measure to hold it to. So should be a frustrating time using the information properly. I assume smart people will ignore the results and idiots will think it means someone will leave.