User Activity Monitoring Explained: Examples, Legality, and Tips

User activity monitoring sounds straightforward – until you begin digging into its many uses.

Let’s do just that, making things as easy to follow as we can, with a specific focus on how to improve it in the context of risk management.

What Is User Activity Monitoring?

User activity monitoring (UAM), also known as user access monitoring, is a form of surveillance designed to log and track user actions on devices, networks, or websites. Note that the term user may refer to customers, visitors, or even company employees. 

The goal of UAM is generally to reduce risk in the context of cybersecurity, fraud prevention, and IT security. However, user activity monitoring has many other uses, from tracking employee engagement to targeted marketing. 

In information security, user activity monitoring is specifically deployed to reduce the risk of data breaches originating from internal company users, contractors, or partners. 

Why Monitor User Activity? 5 Good Reasons

Wherever there are people, there is risk.

In the digital world, these people are users. Monitoring how they interact with your website, app, or infrastructure can help reduce risk or improve your business operations. Let’s look at five concrete examples.

1. IT Security and Cybersecurity

One of the key reasons to monitor users is to secure a company’s data, both physically (IT security) and digitally (cybersecurity). In 2022, the average cost of a data breach reached a record $3.86 million, according to IBM.

As data breaches continue to wreak havoc with companies’ online reputations (and bottom lines), it’s more important than ever to ensure that you can flag suspicious user actions.

These suspicious actions may look very different from one company to the next, but IT security teams will generally look at the security of their SQL databases, OS, and administrative commands. 

More importantly, these protection measures tend not to discriminate between customers, employees, or executives. Any kind of unwanted change will be logged – and potentially blocked depending on its severity. 

2. Legal and Compliance

Ensuring compliance is a growing reason to deploy user activity monitoring software.

Compliance monitoring, for instance, is a regulatory requirement for companies in the context of KYC and AML. It also involves looking at user data and behavior. In this example, the relevant data must also be logged when submitting a suspicious activity report, aka SAR. 

Here, again, the goal is to reduce risk. Namely, the risk of having to pay a heavy compliance fine by allowing identity thieves and money launderers to interact with your business. 

3. Marketing and Sales

Web analytics is probably the form of monitoring people will be the most familiar with.

Tools such as Google Analytics and Search Console do indeed fall under the umbrella of user monitoring since you capture user data (geolocation, session length, click-through rate, etc.) in order to create reports or analyze your traffic’s performance. 

The data is useful for a number of cases, from targeted marketing to upselling, A/B testing and even customer segmentation.

4. Fraud Prevention

User monitoring is a core feature of fraud prevention. You want to be able to separate legitimate customers from fraudsters. This involves collecting data relating to the following:

• The user’s identity, either through document verification steps or digital footprint analysis, which looks at alternative data such as their device setup and social media activity.
  
• The user’s behavior: By monitoring and comparing user actions (for instance, a signup or money deposit), we can identify suspicious behavior that may point to fraud or high-risk customers.
  
• The user’s connections: The user may be part of a fraud ring or multi-accounting. To stop them, we will be looking at similarities in data points to catch as many members and related accounts as possible. 

The kind of user activity monitoring features you need for fraud prevention varies depending on your business model – which is why we strongly recommend going through our risk assessment checklist to get started.

5. Employee Engagement

With the rise of remote and hybrid work setups, many companies have been deploying employee monitoring programs. These may look at internet access, professional emails, or computer activities. 

Some tools are more controversial, such as keylogging and attention trackers. In 2021, for instance, the video conferencing company Zoom came under public scrutiny for a feature called attendee attention tracking, which they eventually removed. 

Still, there is no denying that employee monitoring is a form of user activity monitoring. The kind of data it collects and how it collects it is similar to how it is done in IT security, even if one focuses on productivity while the other aims to reduce risk.

What Data Is Collected for User Activity Monitoring?

When it comes to user activity monitoring, there is no shortage of tools and features designed to capture as much data as possible. This may include:

• video recordings 
• log collection
• network packet inspection
• keylogging
• kernel monitoring
• screen captures
• and more

However, collecting every data point isn’t always efficient. Depending on your user activity monitoring strategy, it’s much more effective to focus on specific data points rather than taking a one-size-fits-all approach or getting lost in endless data. 

These days, most software comes with user logging, so you have full visibility of which user has done what and can both monitor suspicious activity and dig into what happened if something went wrong. That is a start – but for many use cases, you would want to capture even more.

User Activity Monitoring and the Law

With the increase in data-protection policies, such as the GDPR, you may think that user monitoring and compliance are at odds with one another.

Not so. In fact, the GDPR specifically states that user monitoring is legal when necessary for the purpose of preventing fraud and for targeted marketing. 

“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Recital 47

In fact, most user activity monitoring can be legally covered with a transparent and honest company policy. 

In the US, employers are allowed to monitor employees under the Electronics Communications Privacy Act (ECPA). Whether the monitoring program has to be made public to employees varies from one state to the next. In California, for instance, the California Consumer Privacy Act has several guidelines that need to be followed.

In Europe and the UK, employee privacy must be protected. Employers have to give notice of the monitoring program and must receive a written agreement to proceed. 

Before deploying UAM elsewhere in the world, it is important to consult the local legislation. To make matters even more confusing, the laws may be different based on the user’s location rather than the company’s. Therefore, professional legal advice is essential.

How Can SEON Help?

SEON’s captures the data of users of a website, platform or app and enriches it to find even more via a process known as data enrichment.

This data can then be fed through risk rules, which allow you to:

• automatically flag suspicious user behavior
• block suspicious logins and signups with stolen or made-up data
• run more effective KYC and AML checks
• segment users into low, medium, or high-risk categories
• segment users into high-value or low-value customers
• and, of course, reduce all kinds of fraud, from payment fraud to bonus abuse and chargebacks

Whether you need the risk in the context of compliance, fraud attacks, or even stolen user accounts, SEON has got you covered.

Frequently Asked Questions

Sources

• IBM: How much does a data breach cost in 2022?
• Zoom: Attendee attention tracking
• BJA: Electronic Communications Privacy Act of 1986 (ECPA)