The court cases, statutes, and academic scholarship that shaped Momentum's design. Workplace monitoring is one of the most legally fraught categories of software — most tools either dodge the question or pretend it doesn't exist. We did the homework, and we built around it. This page shows our work.
Most workplace-monitoring vendors talk about features. Almost none talk about the legal regime they operate in. That asymmetry means customers get talked into deployments that look productive on a demo and turn into wage-and-hour lawsuits, ECHR Article 8 complaints, or state-AG penalty letters two years later.
We don't think this is fixable with a longer Privacy Policy. It's fixable by designing the product around the case law in the first place — picking what to collect, how to disclose it, and what to refuse to build, against the boundaries that decades of court decisions have already drawn. That's what Momentum is. This page is the audit trail.
ECPA is the closest the United States has to a federal employee-monitoring statute. It does two things relevant to Momentum:
CFAA penalizes "unauthorized access" to a computer. Increasingly invoked against employers who exceeded authorized monitoring scope (e.g., installing keyloggers, accessing personal accounts on work devices without acknowledgment). Momentum runs strictly inside Revit's published API surface — it has no general-purpose access to the modeler's machine.
US workplace-monitoring law turns on whether the employee had a "reasonable expectation of privacy" in what was monitored. Four cases — spanning 14 years and three jurisdictions — define the modern shape of that test.
Facts. Michael Smyth was a Pillsbury regional operations manager. The company assured employees that internal email was "private and confidential" and that messages would not be intercepted or used for discipline. Smyth, relying on those assurances, sent emails from home critical of management ("kill the back-stabbing bastards" and references to a "Christmas party"). Pillsbury intercepted the emails and fired him.
Facts. Sgt. Quon was a member of the Ontario Police Department's SWAT team. The City issued him a pager. After Quon repeatedly exceeded the monthly text-message character allowance, his chief audited the messages to determine whether the contractual character limit was set too low. The audit revealed personal (and sexually explicit) messages. Quon sued, alleging a Fourth Amendment violation.
Facts. Marina Stengart used her employer-issued laptop to access her personal, password-protected Yahoo account, through which she emailed her attorney about a discrimination claim. After she resigned, her former employer's expert reconstructed the emails from the laptop's browser cache and used them in litigation.
Facts. Holmes used her work computer to email an attorney via the company's email account (not a personal webmail) about her pregnancy-discrimination claim. The company's handbook clearly stated that company email was for company business, that the company would monitor, and that employees had "no right of privacy" in messages sent through the company system. She had signed an acknowledgment.
Facts. Bogdan Bărbulescu, a Romanian engineer, used a Yahoo Messenger account at his employer's request to handle client inquiries. He also used it to communicate with his fiancée and brother. His employer monitored the account, recovered the personal communications, and dismissed him. The Romanian courts upheld the dismissal. Bărbulescu sought review at the European Court of Human Rights, citing Article 8 (right to respect for private and family life and correspondence).
The Grand Chamber set out a six-factor test that has become the de facto European standard for assessing the proportionality of any workplace monitoring scheme. Domestic courts must consider all of the following:
| Bărbulescu factor | How Momentum addresses it |
|---|---|
| 1. Has the employee been notified of the possibility of monitoring AND its nature? | Modeler sees a one-time WPF window on first Revit launch listing exactly what is and is not captured. Acknowledgment required to dismiss. |
| 2. Extent and degree of intrusion (content vs. flow; subset vs. all communications; time/space limits). | Metadata only — timestamps, document/view names, edit/save counts. No content. Idle detection uses Win32 GetLastInputInfo, which returns one number (ms since last input), not what was typed or which app received it. |
| 3. Justification for the monitoring (content access requires "weightier justification"). | Project-time tracking and task routing — operational, not investigatory. We never access content. |
| 4. Was a less intrusive alternative available? | This is the prong Momentum is built around. Every category we collect is the smallest signal that delivers the project-management outcome. Foreground-app categorization, screenshots, and keystroke logging would all "work" — and we don't do any of them. |
| 5. Consequences of monitoring for the employee. | Member-tier dashboards hide team-wide visibility cards (Live Now, full session tables, lost-idle columns); only admins see full team data. Modelers see their own work and tasks. |
| 6. Adequate safeguards — particularly: was the content accessed only after the employee was notified? | Multi-tenant isolation enforced at the Firestore database layer (not just in application code). Per-tenant API keys, revocable without touching the addin. No backdoor to other tenants' data, even for our own staff. |
Three US states have specific statutes requiring written notice before electronic monitoring. Customer firms in these states bear the notification obligation; Momentum's transparency surfaces (the addin notice, the public How Momentum works page, the email template we publish) make it easy to comply.
Connecticut (§ 31-48d) requires: prior written notice to all employees who may be affected, identifying the types of monitoring that may occur. Notice must be posted in a conspicuous place readily accessible to employees.
Penalties: civil penalty up to $500 first offense, $1,000 second, $3,000 third and subsequent. Levied by the state Labor Commissioner after a hearing.
Important nuance: Connecticut courts have held there is no private cause of action under § 31-48d. Enforcement is exclusively administrative. (This makes the statute easier to comply with than to be sued under, but the reputational risk if AG enforcement happens is real.)
Delaware (§ 705) requires employers to either (a) provide an electronic notice each day the employee accesses the employer-provided email/internet, or (b) give a one-time written notice acknowledged by the employee in writing or electronically.
Penalties: civil penalty of $100 per violation. May be brought in any court of competent jurisdiction.
Exception: the statute does not apply to processes that "manage the type or volume" of incoming/outgoing email or internet usage (i.e., spam filters, network monitoring) and that are not "targeted to monitor or intercept" a particular individual.
Requires: any employer in New York that monitors or intercepts telephone, email, or internet activity must give prior written notice upon hiring, the employee must acknowledge it in writing or electronically, AND notice must be posted in a conspicuous place readily available for viewing by affected employees.
Penalties: civil penalty up to $500 first violation, $1,000 second, $3,000 third and each subsequent violation. Enforced by the NY Attorney General.
Heads-up for customers: the requirement is per-employee for the written notice and per-workplace for the conspicuous posting. We've seen customers handle the posting requirement by including the How Momentum works page printout in their employee handbook plus a poster in the office.
Single comparison table for legal review. Each row references the case or statute that imposes the requirement and what Momentum actually does to satisfy it.
| Legal requirement | Source | What Momentum does |
|---|---|---|
| Prior written notice to monitored employees | CT § 31-48d · DE § 705 · NY Civil Rights § 52-c · Bărbulescu factor 1 | First-launch in-addin notice (modeler must click Acknowledge); public transparency page; email template for customers to send their teams |
| Acknowledged in writing or electronically | NY § 52-c · DE § 705 (one-time option) | Acknowledgment writes %LocalAppData%\Momentum\monitoring-ack.json AND emits a Note event on the session — both server-visible audit trail |
| Identify scope of what's monitored | CT § 31-48d · Stengart · Bărbulescu factor 1 | Plain-English event-by-event list at /how-it-works + side-by-side "what's NOT collected" panel |
| Legitimate, work-related (non-investigatory) purpose | Quon · ECPA "ordinary course" · Bărbulescu factor 3 | Project-time tracking, task routing, project-budget alerts. Operational. Not investigatory. |
| Proportional — no more intrusive than necessary | Quon · Bărbulescu factor 4 | Metadata only. No screenshots, no keystrokes, no foreground app capture, no window titles. Idle detection returns one number. |
| Less-intrusive alternative considered + chosen | Bărbulescu factor 4 | Win32 GetLastInputInfo for idle (one number, no content) is the least-intrusive idle signal that exists on Windows. We use it. |
| Data minimization | GDPR Article 5(1)(c) | Approximately 10% of typical workplace-monitoring tool data footprint. Concrete: 7 event types vs. dozens. |
| Storage limitation + access controls | GDPR Article 5(1)(e), Article 32 · Bărbulescu factor 6 | Per-tenant Firestore security rules. Tokens scoped to one tenant. Encryption at rest (AES-256) + in transit (TLS 1.2+). |
| Personal-account / attorney-client / off-system protection | Stengart · ECPA Title II · CFAA | Addin runs strictly inside Revit; reads only Revit's published events. Never touches browser, email, clipboard, or any other application's data. |
| Right of access / erasure / portability | GDPR Articles 15, 17, 20 · CCPA / CPRA | Customer is data controller — modelers direct DSARs to their employer; admins direct DSARs to Info@getmomentum.studio. Privacy Policy §7 for the full flow. |
| Tiered visibility (modeler vs. admin) | Bărbulescu factor 5 · best practice | Roles & permissions matrix. Members see their own work; team-wide visibility cards are admin-only. |
| No covert monitoring | Bărbulescu factor 6 · Stengart | First-launch notice is a blocking modal-style window. Cannot be hidden. The Revit ribbon shows a top-level Momentum tab — visible at all times. |
Marketing copy is one thing. Real assessment is another. This is our internal grading of Momentum against each test in the framework above — published intact instead of buried. If you're an attorney evaluating Momentum, scan this table; the gaps are the gaps. We'd rather you see them here than discover them in deposition.
| Test | Grade | Honest read |
|---|---|---|
| Smyth v. Pillsbury — employer-system floor | A | We don't even play in this space — no email reading, no system-content access. Trivially clears the lowest bar. |
| Quon — legitimate purpose + proportional | A− | Purpose is operational and clear. Proportionality is mostly excellent — but a strict reading would ask "could you do project tracking with even less?" Yes, technically (pure self-reported time), so the automatic-capture choice has to be defended on accuracy grounds. We can defend it. |
| Stengart — personal accounts protected | A | Strongest mapping. The addin runs strictly inside Revit's API surface. It is structurally impossible for us to read browsers, email, clipboard, or any other app. Architectural enforcement, not policy. |
| Holmes — clear acknowledged policy = lawful | A− | v1.6.0 closes the prior gaps: per-modeler ack with workspace-wide rollup, deferral cap (3 deferrals OR 7 days), and Firestore writes deferred until acknowledgement. Customer admin can now see exactly who has and hasn't acked. |
| Bărbulescu factor 1 — notice + nature | A− | Notice happens at first Revit launch. Server-side capture is now deferred until acknowledgement — we don't write a single session document to the cloud until the modeler clicks Acknowledge. Strictest interpretation of "notice precedes processing." |
| Bărbulescu factor 2 — extent + intrusion | A | Metadata only, no content. Solid. |
| Bărbulescu factor 3 — justification | A− | Operational, not investigatory. Fine as long as the customer uses it operationally. We surface a one-time admin-guidance banner reminding admins that using Momentum data as the sole basis for adverse employment actions shifts the framing toward investigatory and weakens this prong. |
| Bărbulescu factor 4 — less intrusive alternative | A− | Strong. Defensible. The "could you not capture at all?" argument exists but accuracy + auditability defends it. |
| Bărbulescu factor 5 — consequences for employee | B+ | Member-tier dashboards hide team-wide visibility from modelers, and modelers now have a self-serve "Download my data" + "Request deletion" surface so the data feels less one-sided. The factor-5 analysis ultimately turns on actual use, which we can't enforce — but we no longer leave modelers without recourse. |
| Bărbulescu factor 6 — safeguards | A | Tenant isolation + encryption + per-tenant API keys. Plus the v1.6.0 admin audit log tracks every admin action (role changes, key rotations, member removals, settings changes, DSAR resolutions) — closes the prior gap and aligns with SOC 2 readiness. |
| CT § 31-48d / DE § 705 / NY § 52-c — state notice | A− | Customer must still do the workplace posting (NY) and obtain the individual written acknowledgments (NY). The first-launch addin notice + the workspace-wide ack rollup card give customers the records they need; we can't do the workplace posting for them, but everything else is wired. |
| GDPR Article 88 — EU employee monitoring | B | v1.6.0 ships a Data Processing Addendum template available on request, plus the self-serve DSAR + deletion-request endpoint covers Article 15/17 mechanics. Still gaps for EU customers: no data-residency option (everything in US central), no Article 27 EU representative. Acceptable for early EU customers under SCCs; revisit if EU ARR exceeds ~10% of revenue. |
| CCPA/CPRA — California employee data | A− | v1.6.0 closes the prior gap: members can self-serve a JSON export of their own data, and request deletion via the dashboard. Admin approves; deletion is logged; webhook fires. Service-provider role + DPA template covers the contract side. |
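The acknowledgement gate described in the rows above (local ack record plus a Note event, server-side capture deferred until acknowledgement, deferral cap of 3 deferrals or 7 days, workspace-wide ack rollup) as an added Python example; this is not Momentum's code, which is a .NET Revit addin. The Note text and record fields are constructed, and it assumes pre-acknowledgement events are discarded rather than buffered, which the page does not state.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
MAX_DEFERRALS = 3                    # page: "3 deferrals OR 7 days"
MAX_DEFER_WINDOW = timedelta(days=7)
ACK_NOTE = "monitoring notice acknowledged"   # constructed Note text

class AckGate:
    """Consent gate for one modeler: no server-side writes until acknowledged."""
    def __init__(self, ack_path: Path, modeler_id: str, clock=None):
        self.ack_path = ack_path         # e.g. %LocalAppData%\Momentum\monitoring-ack.json
        self.modeler_id = modeler_id
        self.clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for tests
        self.first_shown = self.clock()  # when the notice was first displayed
        self.deferrals = 0
        self.server_writes = []          # stand-in for cloud session documents
        self.acked = ack_path.exists()   # a prior ack record survives restarts

    def defer(self) -> bool:
        """'Later' pressed: allowed under 3 deferrals and under 7 days, after which
        the notice blocks. Capture stays off either way until acknowledgement."""
        in_window = self.clock() - self.first_shown < MAX_DEFER_WINDOW
        if self.acked or self.deferrals >= MAX_DEFERRALS or not in_window:
            return False
        self.deferrals += 1
        return True

    def acknowledge(self) -> dict:
        """Write the local ack record, then emit the audit Note on the session."""
        record = {"modeler": self.modeler_id, "deferrals_before_ack": self.deferrals,
                  "acknowledged_at": self.clock().isoformat()}
        self.ack_path.write_text(json.dumps(record))
        self.acked = True
        self.record({"type": "Note", "modeler": self.modeler_id, "text": ACK_NOTE})
        return record

    def record(self, event: dict) -> bool:
        """Session event from the addin. Dropped (not buffered) before ack, so
        nothing captured pre-notice is uploaded retroactively (our assumption)."""
        if not self.acked:
            return False
        self.server_writes.append(event)
        return True

def ack_rollup(members: list, server_events: list) -> dict:
    """Admin-side rollup of who has and hasn't acknowledged, from the Note events."""
    acked = {e.get("modeler") for e in server_events
             if e.get("type") == "Note" and e.get("text") == ACK_NOTE}
    return {"acked": sorted(m for m in members if m in acked),
            "pending": sorted(m for m in members if m not in acked)}
```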
Five gaps from the prior grading were closed in this release:
Items remaining for future releases: SOC 2 Type 1 attestation (~3 months external process), data-residency options for EU customers, Article 27 EU representative.
Things that were technically possible but legally fraught. We checked the case law before writing the code; for each item below, we have a specific reason — not just an abstract privacy preference — for not building it.
"Modeler spent 2 hours in the browser today" is a common feature in workplace-monitoring tools. We didn't build it. Reasons:
Keystroke logging: explicitly illegal in many states without consent (California Penal Code § 632 likely applies; common-law intrusion-upon-seclusion is a private cause of action with damages). Captures whatever the modeler types — including passwords, attorney communications, personal medical research. There's no legal context where this is the proportional minimum.
Screenshots: capture everything visible, including open documents from other apps, personal browser tabs, IDE secrets, anything. Same Bărbulescu factor 4 problem — vastly more intrusive than necessary for project-time tracking. Class-action target across the workplace-monitoring industry.
Never. Would require express opt-in even in employment contexts, would invite biometric-privacy claims (BIPA in Illinois has $5,000-per-violation statutory damages), and is irreconcilable with the "operational, non-investigatory" Quon prong.
Foreground window titles: even without screenshots, capturing the title of the foreground window leaks tab URLs and document names from every other application. Same problem as foreground-app categorization, plus the practical risk of incidentally capturing sensitive third-party information.
The addin is structurally incapable of seeing it. Revit's API surfaces only Revit events. We rely on Revit's process boundary as the technical enforcement mechanism for "we monitor Revit, period."