
This happened to me years ago. I was put in an empty office at the opposite end from my boss, and because he couldn't walk up behind me to see me working, he secretly installed a program on my computer that took a screenshot every 30 seconds (or so?).

I quickly noticed that my computer was hitching regularly (when the screenshot was taken - this was in the late 90s BTW), and so investigated my computer on a day when he wasn't in the office.

After finding what looked like malware on my computer, I checked with other colleagues - and the other owner - and no one had any idea what it was.

So we put the office network on lockdown, halted everything and started the process of rotating all our passwords and scanning every computer in the office looking for signs of intrusion, etc.

We lost a solid day of productivity for everyone, and when we finally reached the other boss, he owned up to what he had done, and the other owner - who had spent the day in a panic - wasn't thrilled about it to say the least.

The irony was that I was probably the most productive person in that office (in my humble opinion).



> because he couldn't walk up behind me to see me working, he secretly installed a program on my computer that took a screenshot every 30 seconds

> The irony was that I was probably the most productive person in that office (in my humble opinion).

The easiest and the most efficient way to ruin my productivity is to look at my screen. I can't work (nor can I pee - a funny coincidence, that's called "paruresis") when somebody is watching.


Off topic, but related to this...

I had, what I felt, was the best seat in the office at my previous job. We had an open office with short cubicles and standing desks, and the cubicles were arranged so that two people shared a small area with two desks/cabinets/etc.

For a while, it was wonderful. My "cube-mate" worked from home 4 days a week and only came in for meetings, and we had a window on one side and an empty desk on the other. It was about as great as an open office can be.

And then my manager moved into the cube next door, and arranged his desk so that when he stood at his standing desk (which was most of the time), he was looking directly over the cube wall at me and my monitors. It made me very self-conscious and uncomfortable, and was (a small) part of the reason I left, TBH.


Looking back over my career, there's an obvious inverse correlation between being watched and being productive. Well, except that I'm able to look productive while being watched, and arguably that counts as "productivity". Just not the kind the company probably had in mind.

Works the other way as well. I don't want to be able to see what others are working on--open offices are also distracting for this reason.


I've always been terrible at looking busy. At my very first job, I'd written a bunch of macros and scripts to generate my code directly from the functional design, so half the time I would be leaning back watching all my scripts do their thing. My boss hated it.

Over time, I think I've gotten better at looking busy while reading HN. I don't think there's a very strong correlation between looking busy and being productive.


I can’t tell you how many times I’ve read HN through lynx for this exact reason.


You know, I've always wondered why there are so many stories about these middle management types who seem to pay so close attention to things that are _not_ employee productivity. I guess on first glance, it may appear that "looking busy" correlates to "getting stuff done", but why not cut out the middle man and pay attention to what the employee actually does?


I'll give you a potential corollary. Quality control.

In a perfect world, quality control twiddles their thumbs all day, does some tests, and collects a paycheck because everything is perfect the first time.

In practice, I know engineers who leave in tiny and easy to fix mistakes for QC to catch. They do this because if they turn in something with no errors QC finds something for them to add, frequently requiring larger changes and thus creating a crunch. QC does this because they have someone breathing down their neck who measures their effectiveness by how many errors they caught. I'll refer you to Goodhart's Law[0].

I'll also note that I see this as a common "tip" for paper submissions. But I'm not sure it is as strong of a correlation as when passing things through QC.

[0] https://en.wikipedia.org/wiki/Goodhart%27s_law


Related: "Just remove the duck"

https://rachelbythebay.com/w/2013/06/05/duck/


That requires the middle managers to actually understand the jobs and responsibilities of their staff. For me, this hasn't been the case in over a decade. Since my current boss doesn't really have a technical understanding of what's involved with his team's responsibilities, he instead simply feeds metrics to his boss (also not technical). These metrics range from tickets closed, system uptime, and "automation." I would love to have the Bobs come in and ask him what he actually does here.

It's also important to realize that what middle management wants and what its staff thinks is important usually diverges. Middle management wants to look good, to climb the ladder. Staff generally wants someone to provide guidance, and remove obstacles. If middle management isn't technical, there ends up being a gap.

My favorite is a manager who hired a DevOps admin. This person had never touched Docker, yet after a one week course, was put in charge of our environment. Needless to say, he's made Docker look really bad due to his inexperience. The manager looks good though, because our stodgy company is using Docker.

My second is the manager who was hired to manage our SQL and Oracle team. He has no experience with either database, and was a pity hire by our VP. He's been wonderful.../s


It’s like I am reading the rough draft script for Office Space 2


The problem is that most middle managers don't really care about the product. Their entire job is just message passing between higher level managers and lower level employees. Their real purpose in the organization is to propagate a sense of hierarchy which makes directors feel important and the workers feel unimportant.

Their purpose is to manipulate the self-esteem of the people within the organisation so that workers feel so bad about themselves that they never feel entitled to ask for a raise and directors feel so good about themselves that they feel entitled to keep paying themselves large bonuses. Middle managers don't serve customers, they only exist to serve the emotional needs of their bosses.


I notice a lot of people here feel uncomfortable when other people can see their screen. I completely recognise that feeling, though over time I learned to ignore it, and these days I just don't care anymore.

That said, there has been one situation where it was actually an advantage that everybody could see our screen. We had the most terrible working spot you could imagine: next to an intersection of two corridors, in a room that was open on one side, had a glass wall on another, was shared with another team, and had only a single window. A co-worker was sitting with his back to the intersection so everybody could see his screen. At the time, we were playing around with Neo4j, which has a nice graphical browser interface, and everybody seeing that, got us into contact with a couple of other teams we didn't know before that were also using Neo4j.


My experience with middle management is the one of incompetence and personality that enjoys little power trips.

I had also good managers, but imo, the way companies are organized currently attracts and promotes leaders that are bad at leading part.


To be fair, I don't think the manager in question did it purposely to monitor me, but it made me uncomfortable nonetheless.

TBH, I should have asked him about it, but I couldn't think of a way to bring it up that didn't sound rude or suspicious, and it turned out I left soon anyway.


I fear that a lot of this stems out of those managers having a fixed mindset, where they feel that they are smarter and more productive than everyone else (telling themselves that's why they got promoted), but they also don't trust that their staff are being productive.


Same here -- until recently the door nearest my desk was the one the CEO would use to enter/leave the office. The first thing you see when you open that door is my 21" screen, and it was nerve-wracking the whole time. Now that I'm home I'm so much more relaxed, and way more productive as a result.


I'm only like that because I know that someone looking at my screen will either misinterpret what they are seeing or they will ask a question that requires a lengthy answer (a domain they have little understanding over yet is under their authority), so my brain goes into overdrive trying to figure out how to answer them in a way that gets them to go away as soon as possible.


My touch typing goes to pieces whenever somebody is watching for some bizarre reason. It's like my fingers get self conscious and start tripping over themselves. I'm normally a 75-80 WPM typist.


I developed that paranoia over ten years ago in my first real job. The only desk available was the one right next to the door. With the back to the door. Everyone who entered the office had no choice but to stand in my back and look at my desk and screen. Still flinch when someone comes up behind me when I'm working, even if it's my kids.


This is one reason why it's really not natural for some of us to do whiteboard coding interviews, or even CoderPad, etc. interviews. It's like trying to pee when someone is watching you, although that's not an analogy I would encourage job seekers to make to a hiring manager.


I've failed several CoderPad interviews in a row, it's to the point where if a job listing specifically mentions CoderPad, I won't apply :\


For a time at an old employer I had a desk with a glass wall directly behind me.

On the other side of the glass wall was the pause room, with the coffee machine and everybody gathering. That felt really awkward.


> (when the screenshot was taken - this was in the late 90s BTW)


Where I live what he did is a fairly serious criminal offence.


It appears to be standard practice everywhere in corporate America.


Screenshots are not standard practice - in fact, since they're a great way to leak secrets being displayed on screen (passwords, confidential information), that's probably the opposite of standard practice.

Standard practice is monitoring emails, chat, web traffic and so on.


You call it screenshots I call it vnc/rdp etc. see the rest of the discussion for how companies get away with it.


It is? I guess I'm in a special boat being a developer and being able to run Linux at work since 2012, but even on the corporate Windows/Mac workstations, I don't think I've been at a company that's installed any type of spyware (other than standard remoting tools used by help desk and controlled with Group Policies).


They don't disclose what they do, and typically it's a function of company size. Once you get past a certain point and there is budget for an IT department, they start installing things like 'endpoint management' and redirect your DNS to something that logs all DNS records, etc.


that is entirely different from taking screenshots.

It seems blatantly obvious for security and audit reasons a company should log internet usage on their secure network


Things like DNS tracing apply outside their network too, like WFH situations with no VPN.

Overall in practice, there is nothing stopping creepy sysadmin, boundary overstepping lawyer or creepy manager from secretly stalking specific employees by pushing IT departments to install extra monitoring software or just plain spying on specific employees.


I've only been a professional for 8 years but I've never had this experience as a developer.


How can you be sure?


Because every place I've worked (including corporations) I've had local admin on my box and could see the entire process tree. Usually you have to be running all the antivirus and monitoring stuff to connect to the employee network/VPN, but when you're off VPN you can kill those processes off.


>Because every place I've worked (including corporations) I've had local admin on my box and could see the entire process tree.

That's assuming that the spyware isn't some sort of rootkit that tries to hide its presence. If you're on windows, it's also very easy to hide behind some generic looking executables like svchost.exe


You are certainly correct, but a bit of light digging + reflection on your company can give you a lot of confidence. For example, I work at a startup and I can say with great certainty that my boss has way too much going on for him to have installed any sort of rootkit after wiping the previous data and before I set up my admin account.


You’re not the average employee-computer user!


I've been driven to the store and told to pick out my own computer and accessories and nobody ever had it in their hands for any length of time other than the employee who carried it to me. This has happened in two of my seven or so jobs. As a counterpoint, however, at another position the boss was indeed spying on us, which wasn't surprising if you worked there for any appreciable time since he was a complete control freak.


That’s far from average practice. I couldn’t care less for the obviously non-abusive cases. They’ll never number significantly.


I've had the same happen to me (and all my colleagues) at my first work place as a developer.


But not criminal (assuming it’s their equipment).


It's standard practice if you agree to it in your employment contract.


In some jurisdictions (mostly EU countries I think?) your employer would be at fault if they gathered personal information (for instance a sexual orientation you didn't disclose) from a personal account you used on a work computer. Or from anything you explicitly marked as personal, even if it's on your computer. They might still delete the data indiscriminately, just shouldn't access it.

Being at work, on company's hardware, isn't enough to completely void your expectation of privacy.


And if you don't, you generally don't get employed.


That's not true.

I've been working in software for almost 20 years and have never had spyware like this installed on my PCs. I've worked for companies with over 70k employees, down to start ups with fewer than 100. Both in office and remote.

I'm not saying it doesn't happen, but it's definitely not normal, and I would personally never work under those conditions.


It's not normal to do screen capture, but internet logging and email/chat discovery are almost universal in a large company. Most financial companies will have forensic agents and inspect random emails.

Also, security tools are getting more sophisticated. As legacy AV gets replaced by next-gen stuff, there will be more creepy shit. If you have a tool like Crowdstrike, most developers will do stuff that will get them flagged as high-risk.


You don't need to go to third parties to obtain such surveillance software, Microsoft has several solutions for this as well. Actually many large companies that are running Windows are also using Windows Defender Advanced Threat Protection (ATP), not just b/c it's easy to deploy, but also b/c it isn't very noticeable by users.

It's questionable how much such tools actually improves security, most of it appears to be a power grab by someone in charge of security, usually there's no transparency, and even C*Os aren't aware of how much they are snooped on. For example (as atp does), recording of all commands including arguments, stored in a searchable database. Who does this benefit the most?


> It's questionable how much such tools actually improves security, most of it appears to be a power grab by someone in charge of security, usually there's no transparency, and even C*Os aren't aware of how much they are snooped on. For example (as atp does), recording of all commands including arguments, stored in a searchable database.

I would agree it's often a power play for would be corporate cyber-warriors.

But the tools are very effective for certain threat categories. The downside is that they require skilled operational security people to be used effectively, and many security organizations are mostly compliance focused and don't have the talent or framework to pivot the organization. It's similar to how underperforming IT organizations were/are aligned with the CFO -- many security orgs are aligned with counsel/risk.


As a contractor or a full time employee at the 70k people companies? Was it in the past 10 years? If you used a company provided computer, did you investigate what was running? Did you go beyond the typical process manager and look into the kernel modules list?

They often don't disclose explicitly that this stuff is running, because it rightfully creeps people out and the 'security' types don't want people to know.


Contractor here, I mainly work on mega-big corporations. I always check what runs on my PC. I never use the work machines for anything personal. FFS I don't even use their guest wifi. I stick to my data plan. I have noticed the last few years that BlueCoat is on the rise. From some article a couple of months back I read that the company/Fund that owned BC also bought Sophos.


Speaking of wifi, I have seen it used to check when people come to work, go on break, etc... (tracking mobile phones).


I think the parent means that if you don't agree/sign the "you can spy on me" policies, they just don't hire you.


Yes but would it always hold up in court? You can give your soul away by installing a piece of software without reading the agreement but it wouldn't hold water, of course. Curious how this would work with federal or state level wiretap laws.


Holding up in court is one facet. Needing to litigate in and of itself is typically a deterrent, especially for complex issues where there's a time/cost deterrent for pursuing combined with perception of success in court.

There's a lot you can get away with by making a process complex, arduous, and potentially expensive. Faced with that option vs letting some employer take photos of you in your pajamas without shaving while watching your every move, people tend to forego privacy.

When the working population at large starts to follow suit, you've artificially introduced a new trend with artificial social acceptance. Now, it makes a single employee battle concerned about privacy even more daunting and introduces perception of increased risk of failure if legally pursued for the employee thinking of litigating.

The end result is: privacy is eroded. Rinse repeat, for just about anything you want to change. Just make change gradual and give it time. It then takes someone with the financial and time resources to take a hit and pursue as well as eagerness to bother.


This is a really well-worded comment, thanks!


Ehhhh, the supreme court has found that you can sign away rights in a shrink wrap agreement.

https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...


Generally at work you have far fewer expectations of privacy, particularly on non-personal devices.


It's your employer's hardware. It's legal for companies to oversee the work their employees are doing.


Activating the camera and/or the microphone remotely without notification, on non-corporate owned premises may be illegal. There are wiretapping laws, etc.

Just because I own a microphone and camera doesn't mean I can use it unknowingly in your home. Even if you were to borrow it and willfully bring that camera and microphone into your home, there are reasonable expectations of privacy that can't be violated.

If I explicitly said I'll be using that microphone and camera to record you, made that very clear, and had you sign off on it without duress, then there may be grounds. The problem is, as a condition of employment, at least for me, would be a form of duress. If it becomes widespread and everyone caves into signing off on that sort of recording, then it'll start to lose strength as being a form of pressure.


Camera/microphone isn't what was being discussed in this conversation thread. The topic at hand was taking screenshots of the desktop.


It's pretty common just to include it as a disclaimer in GPO:

https://docs.microsoft.com/en-us/windows/security/threat-pro...

Like this:

https://i.stack.imgur.com/NUipb.png


Many people agree to a lot more than they realize in order to get the job. And since some practices are very common, rejecting them simply locks you out of your target segment of the job market. The balance of power in most cases is heavily tilted towards the employer, things like this aren't negotiable unless you are at or close to the top.


Except that no contract can override the law, at least not where I live.


But it's not illegal to watch a video of someone with their consent. Whether an employment contract counts as consent or not is an exercise that I'll leave to the reader, but it's definitely a gray area.


You can't consent to things that are not allowed by law. If the law states that you cannot murder people, and someone consents to being murdered, you're still not allowed to murder them and it's still murder.

Murder is an example here, but there are similar laws regarding spying on people, using private information in business and reading someone else's mail. Consent does not override the law.

But to get more specific to your point and the grey area: there is a case where the law permits video surveillance (i.e. in an office) and as a side-effect some footage of a display might be captured. If the display happens to show private content, that is not actionable/admissible anymore. Some countries and laws go as far as to make dashcam recordings inadmissible and even illegal. While impractical in some cases (i.e. if your car gets bumped in to by another car while parked) it's also to prevent a government to "get all recordings of all cars in a street to find a person that might have walked by".

Some laws have exemptions like high security areas where the law explicitly states that if you are not allowed to be there except for specific purposes, and not allowed to conduct anything there except specific tasks, and you are allowed to record the area to be able to verify it (i.e. nuclear energy plant), then that specific area is off-limits to your private activities/data. But it's not broad enough to allow any company to spy on anyone doing work for them. I suppose that might be different in the US or some US-states.


It does seem that way. Maybe not screenshots, but very often screen monitoring. And network MitM and logging, of course.

However, many firms provide WiFi APs for visitors and consultants, and employees can use them for their personal devices. So there's no need for anything personal to touch a business device.


Nowhere is this a criminal offense in the USA. In fact, “spy software” installed on company computers is widely common.


Spying on your employee, or using covert monitoring tactics, is rarely legal. Not sure on the criminality, but privacy laws are enforceable. Also, there's a distinction between monitoring and spying.

Ex: California Social Media Law (2013)

https://readwrite.com/2013/01/15/californias-new-privacy-law...


I'm not sure how that article claims that spying is illegal. Typically it isn't illegal for a company to monitor its own equipment. That article says they can't force you to divulge your social media password. Most companies prohibit you from doing personal stuff on your work computer. I'm not saying it is right, but I don't know of any laws in America that make it illegal.


They install cameras everywhere, they have a full rootkit on your machine, they log every network interaction and email/chat and they let themselves do it through 100s of pages of policy documents that you have to sign as a condition of employment. It might as well be covert in practice.


Using snooping software for recording of all command lines, including arguments, is common practice at many companies.

Also when network connections are recorded it does not stop at a list of IPs, surveillance software commonly also provides easy-to-consume search facilities and cross reference capabilities, dashboards including comprehensive history and supplied annotation, i.e. can tell when and how often you visited facebook.com, what you looked at, how much time you have spent at non-essential sites, and of course it also does this when you're at home using your employer's laptop for WFH or anything else.

The same is true when using a company phone when travelling, it can not only tell your employer where you're staying currently, but also where you usually stay at your holidays.

One such software is MS ATP, if you have "Advanced Threat Protection" installed, it does occur. I would be surprised if it holds up in any EU court, because when I worked with development of similar software, long before GDPR, it did not.


On this previous company we used to get a network message on every login explaining to us that since this was company hardware there was no such thing as an expectation of privacy.

They would install all kinds of stuff to monitor our computers, and continuously require explanation on why we installed this or that tool. It wasn't fun.


If this was 90s then as I remember there were not yet standards to deal with this kind of problem.

Actually, thinking about this now, I don't even remember this type of software existing in the 90s, but I might be mistaken.


It definitely existed in some form by the late 90's. I recall very basic surveillance and remote control software being installed on school machines back then.


l0pht's Back Orifice tool (see: spyware) existed back then.


I think this might actually have been what he used.

I am actually still friends with the guy (we were both quite young back then, and you learn from your mistakes), and I tease him about this incident at least every few years.


Is it? What kind of crime would it fall under, and where is that?


This is illegal pretty much at least everywhere within the EU.


It is in the Netherlands, permanent surveillance of employees without a specific reason (read: related to a specific instance or incident) is not permitted.


Same in Switzerland. If there is a specific reason for surveillance the employee must also be informed of upcoming surveillance and the consequences if something were to be found.


Same in Germany, and it's not specific to IT equipment.

You also cannot monitor employees using cameras.


Wait, so is CCTV in the office not allowed??


No, not if you are not working in a bank where there is a specific reason for your employer which is for example exposure to a considerable risk of being robbed. It is also permitted if you have had problems in the past with employees stealing things from the company, but only in places where it makes sense and is proportionate.

In any case, you have to make that absolutely clear to your employees. Any unannounced surveillance is a criminal offence here.


Wait, 100 % CCTV coverage of all corporate premises is not allowed in the EU? surprised free-est country of the world noises


Public spaces, entry points yes.

Over workers, pointing at workstations no.

However, MITM proxies by Bluecoat ... apparently is okay.


I live in the EU and I cannot think of a single law where the employer cannot take screenshots of the machines they own. I'll be happily proven wrong though.


Here's a FAQ for the situation in Germany: https://translate.google.com/translate?sl=auto&tl=en&u=https...

Can my boss monitor my work computer?

Permanent and comprehensive PC monitoring at the workplace based on a general suspicion is not permitted. The employer may only monitor the employee on the PC if there is sufficient concrete suspicion of improper use of the work computer.

What applies to private use of the work computer?

If private use of the work computer is expressly permitted to the employee, PC monitoring at the workplace is fundamentally excluded.

What if the boss monitors my PC even though he is not entitled to it?

If the employer does not adhere to the requirements for PC surveillance, he is punishable and in the worst case must be prepared for imprisonment.


>>If private use of the work computer is expressly permitted to the employee, PC monitoring at the workplace is fundamentally excluded.

Cool. In most places that are not fancy IT companies where everyone is given a brand new MacBook Pro to use as a mixed work/personal machine, there is no such thing as "private use of the work computer". So given what you posted, there is no legal issue then.


So did you just skip half of what they posted?

> if there is sufficient concrete suspicion of improper use of the work computer

That is when there is no legal issue.


How would a "mixed work/personal machine" not imply private use of the work computer?


It would. I said most people aren't provided with those. You sit at your desk and are given a machine to do data entry/accounting/etc all day long, not for private use.


This does not reflect reality. The employer must acquiesce in the full-time employee conducting private matters, such as making physician's appointments or checking in with one's child after school, over company owned equipment (phone/computer).


In Finland:

https://www.tyosuojelu.fi/web/en/employment-relationship/rig...

https://www.tyosuojelu.fi/web/en/employment-relationship/rig...

Take a screenshot while the employee is reading his/her personal email and the union takes you to court faster than you can say a cat :)


Only if the employee is informed upfront. Otherwise it's a privacy issue.


Let's assume they were informed upfront - there's nothing illegal about it then, is there?


It needs to be proportionate and justified. Putting an employee under an unreasonable amount of monitoring for no discernible reason could be a problem. Of course whether taking screenshots of one's monitor every 30s is or isn't reasonable would be left to the interpretation of the court.

See the link I have posted in a sibling comment: https://gdpr.report/news/2017/11/17/5383/

>The ECtHR held that the employer had breached B’s right to privacy because they didn’t inform him of the monitoring in advance and nor did they tell him that they may access the content of his communications. The previous courts had also failed to determine the reasons justifying the monitoring and whether these were proportionate to the purpose or whether the employer could have used less intrusive measures to achieve the same result.

If I read this correctly even if the person had been informed of the monitoring the evidence wouldn't have been receivable because the monitoring wasn't deemed "proportionate".


That isn't necessarily true either. IIRC, there was a case not so long ago of a school that was using quite aggressive surveillance measures, and obtained some degree of prior consent. It was still penalised under the GDPR, because all processing of personal data must be justified. Even consent is not carte blanche to do whatever you want, and that's probably a good thing for the same reason that inalienable consumer rights when you shop or employment rights when you take a job are probably good things.

Edit: Apparently there are now at least two examples of this.

In Sweden, relating to facial recognition:

https://www.gamingtechlaw.com/2019/09/fine-gdpr-sweden.html

In Poland, relating to fingerprints:

https://venturebeat.com/2020/03/06/polish-school-hit-with-gd...


Right, but both of these examples are about using personal data (facial recognition data and then fingerprints) for purposes where it's not needed. Again, I would see the issue if the employer was taking pictures with the webcam every 30 seconds - that is definitely a privacy problem because you neither expect your employer to be photographing you every 30 seconds, nor is it necessary for your job. But pictures of the screen? Screen that's meant to be used for work and where no reasonable expectation of privacy should exist?


It’s a common practice at most companies to allow some minimal use of company equipment to check private email etc while on break. As soon as that’s allowed a reasonable expectation of privacy exists.


You keep saying there is no reasonable expectation of privacy, but there is no basis in law for that position, at least not in the EU or UK.

I've edited my earlier comments to add some sources, including a reference to the official guidance from the UK's national data protection authority that directly states that just because someone is at work it does not mean they have no expectation of privacy. You can also find lots of public commentary from employment lawyers on the Web where they have interpreted the GDPR similarly, similar statements from other national regulators, etc. Some of these highlight tricky situations like the need to respect personal email as well.


What kind of informed? Buried in hundreds of pages of policy documents, that they make you 'acknowledge'? A separate network use agreement when employed giving carte blanche? Or something specific and upfront?


I don't know, at the company I work for (in the EU) you get an email on your first day saying that the company has a private certificate installed on every machine, so they are intercepting and inspecting all of your network traffic including encrypted websites. So while allowed, please refrain from browsing your own email, bank accounts etc, as the company software can and will see the contents of those.

Like, it's pretty explicit. I don't know how different that is from just sending an email saying "hey your screen is being monitored every 30 seconds".


There's an expectation of privacy on company owned hardware?


While I cannot recall the exact legal aspects, years ago while I was the union representative at the engineering company I worked for, the company wanted (for very valid reasons) to go through a number of E-mails sent to/from a couple of specific employees.

The E-mails were eventually read - but in the presence of the employees in question and their (chosen by them, paid by the company) legal counsel.

I can not imagine an employer going to such lengths to accommodate the employees unless required by law to do so. This was in Norway.


In the EU there is. For instance the company can't normally access directories or emails clearly labelled as "private". Monitoring can occur but it's pretty tightly regulated.

See for instance https://gdpr.report/news/2017/11/17/5383/

> * Employers can monitor employees’ emails at work but need to approach this with caution and careful consideration.

> * Follow the ICO Code and 29 WP opinion, including conducting a DPIA prior to undertaking any monitoring, considering whether it is possible to achieve the objective through less instructive means and ensuring policies clearly notify employees that monitoring takes place, why and that the content of emails may be viewed.

> * If emails are identified as or are clearly “personal” do not open unless there is a real risk of serious harm to the business and, where possible, inform the employee in advance that the content may be viewed.

I find that perfectly reasonable IMO. You're not your company's property. Your boss can't put a camera in the corporate bathroom's stall just because he owns it.


Thanks for the answer. TIL.

However, I must say that's just weird to me, because you're not required to use company resources for private matters.

The bathroom analogy doesn't really hold in my mind, since it's reasonable to expect privacy in any bathroom, but I see where you're going with that.


I think it's reasonable that if you're going to be in front of a computer for ~8 hours a day, from time to time you're going to do personal stuff on it. This was especially true a few years ago when smartphones and unlimited data plans weren't quite as common.

I mean sure, if it's the PC controlling some industrial machine you're probably not expected to browse Facebook on it. But if you're some temp working the reception you might have some time to kill even if you do your work properly...

There's also the situation where you're traveling and don't want to carry two laptops, for instance.


You might be required to use company resource for private matters depending on what you do. You can't really choose when some of the private things will happen that need immediate reaction.


What is the legality of this? Is this just an "opinion" that a company covered by GDPR could choose to implement or not implement?


This has been part of labour protection laws all across Europe for decades.


Sorry I'm not very familiar with European labor protection laws. Which ones cover privacy concerns on workplace computers?


You should be able to find them on the Web sites of the relevant social partnership organisations, self-regulatory organisations or public rights corporations. In case of EU members, work backwards in time from directive 95/46/EC.


If you were having a conversation with a colleague in your office kitchen, and then noticed your boss was aiming a high-gain directional microphone at you, how would you feel about that?


Without consent is the key.


The mere fact that the employee is at work or using work resources has been found on several occasions to be insufficient justification for serious privacy infringements. These days it would come under GDPR or, in some member states, their national privacy laws where those are stronger.

As a rule of thumb, an employer can take reasonable steps to protect themselves as far as monitoring is concerned, often with the requirement that the subjects of the surveillance have been told in advance that it might happen. But there is always an implied requirement of necessity and proportionality in the background. Monitoring a specific employee where there is evidence to suggest they are leaking trade secrets is one thing. Routine monitoring of everyone's computers where you end up, say, recording the login details they used to access online banking and check whether their expenses have been paid yet is something very different.

Edit: Some easy-to-read sources:

https://www.peoplemanagement.co.uk/experts/legal/gdpr-implic...

https://gdpr.report/news/2017/11/17/5383/

You can also check the guidance from the various national data protection agencies, such as the ICO's publication "The employment practices code", which address this issue in quite a lot of detail.


You are wrong.


I'm wrong about not being able to think of a single law that applies here? How can you be wrong in that sense?


It’s not illegal under EU law, but illegal in some countries. EU law has lots of restrictions, however: the employer needs to be crystal clear and transparent about the monitoring. The situation OP describes would not be legal.


Same in Iceland.


Norwegian privacy law.


"privacy" is not a crime, you need to be more specific. I would maybe understand if the employer was taking pictures of the employee with a webcam, but they were taking screenshots of the machine owned by the company - how is there any expectation of privacy if you're using company equipment?


The toilet is company equipment, too.


There is an expectation of privacy when using the bathroom though. There isn't when using a company issued computer, your employer controls all the software on it, controls the network traffic - why would anyone have an expectation that what they use it for remains private? It's like there's no expectation of privacy when using an industrial lathe - it's meant for a specific purpose, if you use it for private purposes while at work, you shouldn't be expecting that to remain hidden from your employer.


If I take a personal note using a company-issued pen, must that be disclosed to my employer?

It's not black and white, and many people will have some expectation of privacy when using company-provided equipment.


Whether there is an expectation of privacy in the toilet or on the computer is culture-dependent.


> expectation of privacy

US law is irrelevant outside the US


Who mentioned US law?


You.


I updated comment.


GDPR Europe


GDPR what? If the machine is owned by the employer, why would GDPR apply here? Which specific part of GDPR applies here?


IANAL, but if the purpose of taking a screenshot every 30 minutes is to control the work of the employee you must know that in the EU you have the right to be informed about any measure taken to control you.

If you can convince the judge that taking the screenshot has another purpose then GDPR doesn't apply.

From (2): The WP29 outlines that a DPIA is likely to be required if «a company systematically monitor(s) its employees’ activities, including the monitoring of the employees’ work station, internet activity» since it implies a «systematic monitoring and data concerning vulnerable data subjects» (23), from GDPR and Personal Data Protection in the Employment Context CLAUDIA OGRISEG

In (1) at point 8: the employer has to inform the employee about: (i) whether and when monitoring is applied, (ii) the purpose of data processing, (iii) the means used for data processing.

https://legalict.com/factsheets/privacy-monitoring-work-gdpr...

Point 2) What kind of personal data does an employer process, includes: Remote management of all mobile devices, such as phones and laptops;


Not in 1998 it wasn't.


prob not if you agree to it. You are getting paid to work, the computer is owned by the company so ...


[flagged]


In Dutch law and pretty sure German law an employee has the right to privacy. This extends to the personal use of company supplied equipment.


What does this mean?


I believe he's referencing European privacy laws in an unnecessarily oblique manner.


adwww is implying that this would be illegal in EU (unsure if that is true or not) and is "greeting" the other poster saying "hey, I'm European too"


> this would be illegal in EU

Not quite, but privacy rules that protect employees from overzealous employers are common in most European nations (EU or not), to varying degrees.


It's a snowclone/memetic mutation of the "Laughs in Spanish" meme. https://knowyourmeme.com/memes/laughs-in-spanish


Wow - at one consulting/project shop place I worked, a manager questioned the veracity of my buddy's time-sheet entries. We both quit that evening with zero notice and started our own company.


How'd that company turn out?


It was just your basic job shop, we had 8 C/C++ developers.

Everything was okay for a few years until we hired a "professional" sales guy who wrecked our project pipeline.

We handed sales over to him. He lied about prospects for eight weeks then quit to go somewhere else. We were doing okay before him, but we naively thought hiring a pro would help us grow.

We were bootstrapped so when profit/revenue looked like it was going to dry up we shut down rather than go into deep debt and went back to real jobs.


> The irony was that I was probably the most productive person in that office (in my humble opinion).

It's a cognitive bias. I'm pretty sure I came across such an example in Kahneman's "Thinking, Fast and Slow".


One of the many reasons why I prefer working as a contractor where I have to provide my own gear. Everything I run is by my own choice.


For those in that situation now.

I found that vming into another box stops screenshots unless that box has it on.

If on Windows 10, booting to Linux would work as well.


As a silver lining it sounds like you rapidly improved your company's security practices.



