Keystroke Logging Software for Employers: What It Captures, Legal Rules & Alternatives

Trackpilots Team
27 May 2026, 7 min read, updated June 2026
Quick Answer

Keystroke logging records every key an employee presses on a company device. It is legal in most jurisdictions on company-owned devices with prior disclosure, but it captures far more sensitive data than most employers need — including passwords, personal messages, and confidential client communications. For most productivity monitoring use cases, activity-based monitoring is a more proportionate and legally safer alternative.

What Is Keystroke Logging Software?

Keystroke logging software — also called a keylogger — is an application that records every key pressed on a computer keyboard and logs them to a file or remote server. Originally developed as a security tool for investigating insider threats and data exfiltration, keyloggers have been adopted in some workplace monitoring contexts as a way to verify that employees are actively working and to capture evidence of policy violations.

Unlike activity monitoring software, which records what applications are open and how long they are in use, a keylogger records the actual content typed — every character, in sequence, with timestamps. The resulting log file contains a verbatim record of everything the employee has typed: emails, documents, chat messages, search queries, and passwords.

This distinction — capturing metadata and patterns vs capturing content — is the central issue with keylogger use in employment contexts. Most employers who deploy keyloggers are trying to answer the question "is this employee working?" Activity monitoring answers that question with proportionate data. Keyloggers answer it with a surveillance record far more invasive than the question requires.

What Keystroke Logging Actually Captures

Employers considering keystroke logging should understand the full scope of what will be recorded before deploying it:

  • Work product: Emails drafted, documents written, code typed, messages sent in Slack or Teams
  • Passwords: Unless the keylogger is configured to suppress password field input (many are not), employee passwords — including personal account passwords typed on a company device — are captured in plain text
  • Personal messages: Personal texts sent via web-based messaging apps, personal emails opened in a browser, private notes
  • Confidential communications: Client names, deal terms, legal advice, financial data typed into any application
  • Search queries: Everything typed into search bars, including medical searches, personal research, and anything else the employee searches for during the day
  • Banking and financial data: Account numbers, card details, or financial information typed into any field on the device

Most employers do not want or need access to this data. They want to know whether employees are working, not what they are typing. The mismatch between the monitoring goal (productivity visibility) and the data captured (verbatim content of all typed communications) is why keystroke logging creates legal and cultural problems that activity monitoring does not.

Is Keystroke Logging Legal for Employers?

The short answer: it is legal on company-owned devices in most jurisdictions with prior disclosure, but it sits at the edge of proportionality requirements that govern data protection law in many countries. Whether it is legal and whether it is wise are separate questions.

India

The Information Technology Act (2000) and the Digital Personal Data Protection Act (2023) permit employer monitoring of company-owned devices for legitimate business purposes. However, the DPDP Act requires data minimisation — collecting only the data necessary for the stated purpose. Keystroke logging's capture of passwords, personal messages, and sensitive personal data is difficult to justify under a data minimisation principle when activity monitoring achieves the same productivity oversight goal with far less invasive data collection. Disclosure is mandatory; legal exposure increases with data sensitivity.

United States

Under the Electronic Communications Privacy Act (ECPA), employer monitoring of communications on company-owned systems is generally lawful with employee notice. However, keystroke logging that captures personal communications, even on company devices, enters more contested territory in states with strong privacy protections (California, Illinois). The capture of passwords creates a separate negligence liability: if a data breach occurs and an employer's keylogger logs are compromised, the employer may be liable for the resulting account takeovers. Several US employment attorneys recommend against keystroke logging precisely because of the breach liability exposure.

United Kingdom & EU

Under UK GDPR and EU GDPR, the data minimisation principle is explicit and enforceable. Employers must collect only the personal data necessary for the specified purpose. The ICO's Employment Practices Code and the European Data Protection Board's guidelines on employee monitoring both indicate that content-capturing surveillance (including keyloggers) requires a stronger justification than metadata-level monitoring. Keystroke logging for general productivity monitoring is likely to fail a proportionality assessment. It may be justifiable for specific security investigations with documented grounds, but not as a routine monitoring tool.

UAE

Federal Law No. 5 of 2012 (Cybercrime Law) broadly prohibits interception of communications without authorisation. Keyloggers that capture personal message content — even on company devices — may constitute interception under this law if not properly disclosed and scoped. Employment contract disclosure is necessary but may not be sufficient if the keylogger captures personal communications on the device.

The Trust Cost of Keystroke Logging

Beyond the legal analysis, keystroke logging carries a trust cost that most employers underestimate. When employees discover — through word of mouth, an IT audit, or a departing colleague's disclosure — that everything they have typed on a company device has been recorded verbatim, the reaction is almost universally negative. This is true even for employees who have nothing to hide.

The reason is intuitive: keystroke logging feels categorically different from productivity monitoring. Knowing that your manager can see you spent 45 minutes on YouTube is uncomfortable. Knowing that your manager has a verbatim transcript of every message you have ever sent on your work computer — including messages to your doctor, your partner, and your bank — feels like a fundamental violation of privacy, regardless of the legal basis for it.

Research on employee monitoring consistently shows that perceived surveillance intensity — how invasive employees feel the monitoring is — correlates negatively with job satisfaction, trust in management, and voluntary retention. Keystroke logging sits at the far end of the surveillance intensity scale. Activity monitoring sits at the moderate end. Both answer the productivity question. Only one carries the cultural cost.

When Keystroke Logging Is Appropriate

There are legitimate use cases for employer keystroke logging, but they are narrower than the general productivity monitoring case:

  • Active security investigations: When there is documented evidence that a specific employee may be exfiltrating data, leaking confidential information, or communicating with competitors, keystroke logging as part of a formal investigation (with HR and legal oversight) may be justified and proportionate.
  • Regulated industries with content capture requirements: Certain financial services regulations (MiFID II in the EU, FINRA requirements in the US) require that electronic communications be captured and retained. In these contexts, content capture has a specific regulatory basis. This is distinct from productivity monitoring.
  • High-security government or defence environments: Contexts where national security requirements mandate content-level monitoring and where employees have been explicitly informed and have consented as a condition of employment.

If your use case does not fall into one of these categories, keystroke logging is almost certainly more than you need.

Why Activity Monitoring Is the Better Choice for Most Employers

Activity-based monitoring captures what applications are in use, how long, which websites are visited, when employees log in and out, and what their screen shows at periodic intervals. It answers every question a productivity-focused employer needs to ask:

  • Is this employee working during their scheduled hours? → Attendance and active time data
  • Are they spending time on non-work activities? → App and website categorisation
  • What does their work actually look like? → Periodic screenshots
  • Are they meeting their output targets? → Productivity score and active time trends

None of these questions require knowing what the employee typed. Activity monitoring provides proportionate answers without capturing passwords, personal messages, or confidential content. It is legally safer, culturally less damaging, and technically sufficient for the vast majority of employer monitoring use cases.

Trackpilots' stealth monitoring mode captures all of this data — activity time, screenshots, attendance, app usage — without logging keystrokes. See how it compares to keystroke-based approaches in our employee monitoring legal guide.

Conclusion

Keystroke logging is a legitimate tool with specific, narrow use cases in security and compliance contexts. For general employee productivity monitoring, it is disproportionate — it captures far more sensitive data than the productivity question requires, creates legal exposure under data minimisation principles in the UK, EU, and increasingly the US, and carries a trust cost that undermines the workplace culture most employers are trying to build.

Before deploying a keylogger, ask: what question are you trying to answer? If the answer is "are my employees working and being productive?", activity monitoring with screenshots, attendance data, and app usage reports answers that question with a fraction of the legal risk and none of the trust damage. Start with Trackpilots — free for unlimited users, no credit card required.
