How to enable End-to-End Encryption (E2EE)

Visit the profile section and click the Security link. Click the Manage button.

Click “Enable Encryption”. Please note: this option does not affect existing devices or data in your account.

Download the new StaffCounter agent

For an update, simply reinstall StaffCounter over the existing version. For a fresh install, install it and open StaffCounter to connect it to your account. Learn more about how to connect it.

When the device is added, it uploads only anonymous data about employee productivity in plain form until you confirm encryption for it in the account profile, as described in the next chapter.

After a successful update or installation of the new StaffCounter Agent application, visit the Dashboard again. You should see a notice asking you to confirm new devices with encryption support. Within 1-2 seconds this message disappears and encryption is confirmed for the device.

Done. Within an hour the StaffCounter agent app on the computer receives the confirmation and starts collecting and encrypting all productivity data according to the settings.

Visit the profile section and click the Security link. Click the Manage button.
Open the Tools tab.
Click Backup Keys to download the backup file for your Master Encryption Key. This allows you to access your data in offline mode and to restore access to your account in case you forget the password.

You will notice few changes in your Dashboard and reports even though all information is encrypted. This is possible thanks to on-the-fly decryption directly in the web browser, using the Web Crypto API standard available in most browsers such as Chrome, Firefox, Opera, Safari, and others. Purpose-built JavaScript code runs in the web browser and continuously decrypts all encrypted strings within the page content returned by the StaffCounter service.

How does E2EE affect time tracking, productivity categorization, and productivity alerts functionality? 

Time tracking and productivity reports work in the same way, but productivity rules need to be re-assigned.

In fact, the encrypted opaque data has the same structure as the clear-text data. For example, before encryption StaffCounter uses the string “winword.exe” or “gmail.com” to calculate the total time spent in the application and to assign the productivity category.
After encryption is enabled, StaffCounter uses tokenized strings that look like “w6Wd4SSxgK9EqmHuR4EAWw==” or “UssM8UxGazi4kDxn5JDO4g==” to calculate the same total time or assign the productivity category. This is possible because a single encryption key is used to encrypt all data uploaded by the computers of a given account/organization to the StaffCounter Server. A specific application name, window title, or URL address therefore keeps the same tokenized form across all data of a single account. This allows encrypted data to be processed in the same way, but with the highest level of anonymization and privacy.

All reports sent to the account email contain encrypted data. This protects confidentiality even after the data retention period in your organization. We are working on publishing a web browser plugin that will allow decrypting StaffCounter reports in any web-based email such as Gmail or Outlook.

StaffCounter allows you to download all data for a specific computer or department. This data includes a raw log of user activity in chronological order and screenshots. If encryption is enabled, this backup is encrypted as well. To view the data, unpack the archive into a new folder and use the Open Encrypted file command on the Report files and alerts page (menu Reports -> Files and alerts).

Select the desired file and it will be decrypted in the browser. Use the Save decrypted file button to save it in decrypted form.


The E2EE functionality is open source and lives in the jsec.js file available online at data.staffcounte.net. Encryption is based on the Web Crypto API available in most web browsers and is executed only in web browser memory. The StaffCounter service only stores and exchanges public keys and opaque encrypted data between the user account owner and the computers running the StaffCounter Agent application.

StaffCounter End-2-End Encryption specification in brief:

  • Each user account and each StaffCounter Agent installed on a computer generates its own 2048-bit RSA key pair (private and public key).
  • The user account owner generates a random 256-bit AES encryption key, referred to as the MasterKey.
  • The MasterKey is protected with the user account password using a PBKDF-derived AES-256 intermediate key and is stored in the StaffCounter service as an encrypted blob.
  • The user account encrypts the MasterKey with RSA-SHA1 and sends it to the computers through the StaffCounter service as an encrypted blob.
  • The StaffCounter Agent encrypts the sensitive parts of productivity data with the AES-256 MasterKey: application name, window title, URL address, keystrokes, clipboard, chat text, document name, screenshots, camera shots, voice data. Metadata such as the type of action, time, and duration is stored in clear form.
  • PBKDF key derivation is used to protect the user account password and to generate the intermediate encryption keys.
  • The user account password is never transferred to the StaffCounter server in clear form.
  • Once enabled, data encryption cannot be disabled in the StaffCounter account or the Agent applications.

The StaffCounter service performs no cryptographic operations and stores only public keys and opaque encrypted data. We are continuing to improve the design so that user account owners can keep the MasterKey and the corresponding RSA secret keys only in the browser memory of a trusted computer. Currently we are working on the SafeJKA plugin for web browsers, which will implement strong authentication and the encryption ownership principle.