If you sign into a personal Google account on a new Chrome profile on a managed laptop, can they get access to your entire Google account (drive, emails, etc.) remotely? Can they use an auth token or something to automate the process of downloading all your data? If so, is this legal?
> If it’s a company provided laptop then it’s a good idea to assume that every keystroke, DNS request, and network packet is fair game.
From an OPSEC perspective, sure. But the question was whether it's legal for an employer to do it.
You might also get a phone call (on your private phone) about a private medical matter while at work, but I would hope your employer couldn't use the CCTV audio they have in the office to decide to fire you based on that information (though I don't know if US laws actually protect workers in this case -- in Australia and basically all of Eastern Europe this would be insanely illegal on several levels).
I don't know if this is the case in the US, but in Australia it's very easy (and relatively cheap) to take your employer to tribunal over violations of employment laws (if it was very clear-cut or severe violation you could even make a complaint to the relevant regulator which could launch an action on your behalf). Something being illegal means if they did do it, you'd be owed compensation.
From the article: The only thing they did wrong was not more explicitly mention the monitoring. So it wasn't illegal to monitor communications, rather it was illegal to fire someone for using their work account for private communication without sufficiently warning them. All they have to do is make you sign some document on day 1 and they're covered. Also they were not awarded any damages or anything, so it's not like you'd get a payday after being fired.
>Commenting on the ruling, Pam Cowburn, the communications director at in London, said: “The European court’s ruling is welcome. In some workplaces, it may be necessary for emails to be monitored, but if employers are going to do so, they should make staff explicitly aware of it.”
>Despite finding that Bărbulescu’s rights under article 8 of the convention had been violated, the court declined to award him any compensation, saying the ruling was “sufficient just satisfaction”.
It's definitely NOT illegal in EU if the user is appropriately informed, usually in your employment contract you sign a clause about that. Even the government does it to their employees.
No, there have been all kinds of cases of enforcement action in the EU where the user was informed but the employer could not justify the violation of privacy; in general EU law and especially in privacy law it's quite frequent that some explicit "consent" clause in employment contracts (essentially, if it's a standard clause in all agreements and "take it or leave it") is treated as not representing true consent and void.
The largest example probably is the 2020 GDPR fine of 35 million euro for clothing retailer H&M for violating the privacy of their employees, despite the employees being informed of that.
What you're talking about has absolutely nothing to do with tracking usage of workplace computers and networks - H&M kept "excessive" (sic) records of personal data of people who were not their employees at all (family members of their employees) - and the problem wasn't that they had some data because in EU you're required to keep track of families of your employees due to tax reasons, but that they had too much of it.
In most EU countries, tracking company-owned hardware is explicitly okay, and where it's not mentioned in law there are judicates that make it OK.
As I said, even the government and its wholly/partially owned enterprises are doing it, and working as a contractor for the government here requires you to track usage of your employees' workplace computers too, so I can't see how it could be in any way illegal. Same thing with working for banks and insurance, and I bet there are more cases.
In The Netherlands, employees enjoy a reasonable level (much stronger than this scenario) of privacy even on company equipment [1]. That is: the company cannot randomly access an employee's mailbox. Of course, in case of employer-employee dispute, things become hairy - but even then, the company is not allowed to go on a fishing expedition. Though they can go on a confirmation run, looking for specific evidence, e.g. mail from Glassdoor.
Don't know about other EU countries, but at least NL deviates significantly from the sketched scenario.
Disagree, with the money I would be awarded from my employer for their breaking of both employment and privacy laws I think I could easily purchase a new laptop - and also fund a few months of vacation while searching for the next job.
Surprisingly I was at a party in SF with a bunch of Apple employees. Somehow some topic came up and I was like "I don't do anything personal on my company laptop. I especially don't look at porn". All 6 of them said they used their company laptops and phones to look at porn all the time.
I've heard some pretty simultaneously funny and Orwellian stories about this, mostly about people being fired for looking at porn using work laptops and the specific porn they were looking at.
Don't use work computers to look at porn, your employers already know about it.
Lol I nominate the above to the title of most entitled and out of touch comment of the month. How is this "basic human need" if online porn didn't even exist before 1990?
If it's not required to do the job and they pay well, then why not. I can easily survive 8 hours without running water. Geologists (often with master's or even PhD titles) working in the field have neither, and they like their jobs.
Moreover, seeing the right to be paid for jerking off while at work as fundamental human right is really unhinged.
Correct. Rape, theft, murder, and other actions can be performed along the way of people fulfilling their basic human needs, so the reasoning doesn't really justify all activities.
The way I look at it (and not saying it is the best way, just works for me) is that my public/professional person is my brand that the world sees and thinks of when I interact with them. Regardless whether that is big brother junior analyst in IT or a client CEO, I try to keep that consistent and inviting.
If on the weekend I want to only drink Soylent, trade crypto, and otherwise engage in fun but less inviting behaviors, I'll do that off company property.
I'm as sex positive as they come but even I think it'd be pretty dumb to have pornhub pop up while you're sharing your screen in a meeting or something
We've decided to structure society such that some people starve, and we consider that acceptable. There are even children who are "food insecure".
Apparently nobody cares about anyone else's most basic needs like food (even our most vulnerable), I can't see how they'd care about someone else's need to jerk off.
It's very common. Most IT groups collect this information for HR and don't do anything with it. The truth is the company doesn't care if you look at porn as long as you do your job. Until the day comes that the company wants to fire you. If you claim retaliation/discrimination/etc, company just opens up your file and lists all the violations.
My prior employer was the same, I wouldn't use it to make tooling or do anything that might be for my own business, or open source for that matter, they had been known to strong arm staff into giving over IP that might have ever been on that laptop or was ever created during your employment.
But they were quite frank about allowing us to do what ever we want on the laptops providing we delivered positive outcomes for the business.
If this meant the laptops were used to browse porn at home or even during business hours (clearly not on the shop floor if you were in the office) or playing video games, it was fair game.
This employer also had _incredibly_ poor standards and culture for removing misogyny and bigotry, in fact it was one of the worst I've ever seen. Not saying causation = correlation or similar but an interesting data point nonetheless.
Some cynicism on the part of their engineers would be prudent despite that advice. Lots of places encourage you to use the company phone as your only phone, which is convenient, but still not a great idea.
Once when another person in IT was on vacation, I was handed off a manager's laptop to scan for porn. There was no automated tool, so as I recall I did a search for files created or modified since the last check. I found nothing to report.
I think that the periodic checks were set up because a subordinate of the manager's had seen the porn on the machine, and had gone to HR.
Correct me if I'm wrong but if the assumption here is that the EU prevents employers from reading private correspondence of employees then I find nothing to back that up. On the contrary, an employer in the EU explicitly seems to have such rights, given they jump through a few formal hoops first:
It depends on the country in question. In Ireland, for example, any workplace surveillance must be necessary, legitimate, and proportional. The employee also must be informed in advance of who, what, how, and when they may be surveilled.
It is very hard to see the Workplace Relations Commission (WRC - the body which handles workplace disputes) accepting that identifying a user on Glassdoor would meet the test of being necessary, legitimate, or proportional. This is particularly true as the WRC has previously found that monitoring internet usage for example for pornography is not proportionate where the employer has the option instead to block such sites and make a policy against their access.
Of course, an unscrupulous employer could also use surreptitious surveillance and find another reason to let the employee go, although firing an employee in Ireland is notoriously difficult short of gross negligence.
OK thanks, interesting, although I would like to add that I did not address trying to identify and punish reviewers on Glassdoor, which may or may not be illegal all over Europe depending on the nature of the review. The point I tried to make was that the GP was exaggerating when painting the US as an outlier regarding the rights of employees not to be monitored.
The US is more "employer-friendly" if you like, and much less complicated to fire employees (boo!) compared to Europe - yes. But generally not categorically different when it comes to the right of employers to snoop on their employees, which people here might want to be aware of.
IIRC Danish law states that work email may be used for private purposes and that anything clearly labeled as private is to be considered such. For example, by moving email to a folder called “private”.
For the employer to open/read such communication would be highly illegal, akin to opening others private snail mail.
I do believe that this also extends to corporate issued phones and computers. Especially since you’re automatically taxed for “private use” of such equipment when assigned.
In Israel, if you are assigned an employer car, you generally have to prove you don’t make personal use of it to avoid taxation - e.g. prove it isn’t in use almost every weekend (usually done by parking in a managed lot and showing the receipts or stuff like that).
The vast majority of people prefer to also use the car privately, and pay the tax (which is reasonable, if taxation is reasonable).
Cars that keep rotating between drivers are not subject to that (but exact record keeping of driver and trip is required to avoid tax).
Similarly, an employer-provided phone subscription is assumed to be partly private use (50% of the monthly subscription cost is considered a taxable benefit, iirc); not sure what hoops you need to jump through to prove it is not private use at all. (But phone plans are cheap - excellent domestic plans are $10 or so.)
It's up to you if you want to use company provided equipment for personal/private use or not. If you declare that it's only used for work purposes, there is no tax. The tax makes sense, because it's effectively extra salary (eg if the company gave you a leased car).
The thread we are in is about companies monitoring people accessing Glassdoor and penalizing them in various ways for using it to say things the company doesn't consider flattering.
That has nothing to do with putting private email in a private folder on the company mail server, near as I can tell, and nothing in that statement would address the statement about companies monitoring use of company equipment and network etc.
Since they'd need to know, even in the private email case, what the folder names were, for instance, to know there even WAS private email.
In Germany, you need to document clear and reasonable suspicion of the employee doing something shady before you can monitor them (especially without their consent). It's not fundamentally illegal, but the rights of the employee also weigh in heavily and need to be outweighed before you can start e.g. recording their screen without their consent.
Practically, the company needs to administer and secure their equipment for a number of reasons, including a legal need to keep their customers data safe.
That requires them to use tools which can easily let them know, for instance, what websites someone is visiting, and what executables are executing on the machine, what devices are being accessed and when, etc.
It’s pretty fundamental. An individual looking to secure their machine would need to do the same thing.
If a company abuses that to spy on every waking moment of an employee, that is obviously abusive (barring cases of investigating legitimate suspected abuse by the employee, I guess?). But you'd need to somehow codify the line in law, and I haven't seen anyone having any success here so far.
I have seen employees steal massive amounts of trade secrets, secretly steal customers from employers, run porn sites from company equipment, etc.
I've also seen employees do creepy stuff like stalking customers, stalking other employees, and harassing other employees using this tech too.
Personally, I’ve always kept employer laptops and stuff closed and off when not used, and try to segregate personal and work equipment, but that’s been more to avoid something embarrassing coming up during a presentation or the like.
Just because it is easy and achieves a purpose doesn't make it necessary or right.
People could be making backhanded deals on their phones or they could be having an urgent confidential conversation with their doctor or spouse. Should the company record and review phone calls?
People could be stalking customers/coworkers or making deals in the bathroom. Or they could be using it for more personal purposes. Should the bathrooms have CCTV with audio?
People could be selling company data in the company parking lot, in the mall or at home near/using the company laptop/phone that is permitted to be used for personal reasons, or just mandated to be near them, or they could do the same thing without presence or use of any company equipment. Where do you draw the line, and at what point is it even sufficient to prevent losing information etc.?
Do you trust your employees? All trust can be abused, yet how can the company function if they don't trust their employees at all?
The idea that 'company time' and 'company equipment' gives the company absolute right to record and ownership of recording is almost feudal.
Imagine I were to die in the office in some embarrassing way, on company time, in full view of company CCTV; do they have the right to upload the video to YouTube to make money from it?
What if they record audio of me at home, can they publish it? Can they show it to anyone at the company?
What if audio is recorded outside of company time by a company laptop that's had its lid closed? What if it's recording 24/7?
Are they allowed to snoop on traffic of my home network? If I have a home camera that's not password protected, can they help themselves to that video?
If my network drive has no password, is it okay if they help themselves to those files?
I assume he is trying to establish a dividing line between acceptable and not. For example, I'd consider all mentioned uses to be unacceptable and hopefully illegal, but I think others may be fine with it.
Just about every EU-based company allows for network defense and visibility to include things like SSL inspection and egress monitoring. Some may consider this surveillance, but what needs to be stated from a governance standpoint is that this monitoring is reasonable from a risk mitigation standpoint and the expectation needs to be written within acceptable usage policy.
Even more restrictive countries like Germany are fine with this.
I don't want to work somewhere where this would ever be an issue. More than happy to leave if they pull this kind of personal invasion (yeah, it's their property, but still- basic human decency dictates: don't do it).
>There’s no reason to mix personal and corporate usage.
Exactly! I'm always amazed at people who do ANYTHING personal on corporate resources, especially in this day and age. Even when personal computers were rare and cost thousands of dollars I still didn't do jack shit on work computers, no matter how tempting or "acceptable use" it was.
This is an interesting question post-pandemic where the network the laptop is using may be an employees home network, especially if there is some kind of active scanning involved.
This is a real problem, especially for InfoSec tools. Many EDR tools, such as MS Defender for Endpoint (or whatever it’s called these days) and Crowdstrike Falcon, include functionality that will scan your local network for devices in order to discover unmanaged devices…
It's a nightmare from a privacy point of view, but it's also a problem for the InfoSec tools... How do they distinguish between an unmanaged private device on a private network and an unmanaged device on a corporate network?
> it's also a problem for the InfoSec tools... How do they distinguish between an unmanaged private device on a private network and an unmanaged device on a corporate network?
Trivially, from the simplistic (check IPs and router MACs / SSID in use) to the marginally more advanced (deploy an agent that is only reachable from the corporate network) to determine if the tool should even be running in the first place.
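The gating check described in the comment above, written out as an added example (not code from this thread, nor from any EDR vendor): before an agent runs network discovery, it combines the simplistic signals (local subnet, gateway MAC OUI, SSID) with the stronger one (a host or agent that is only reachable from the corporate network). All corporate identifiers below are constructed placeholders, and `beacon_reachable` stands in for a probe the caller performs against that internal-only host; the point is that each weak signal alone is easy to get wrong (RFC 1918 ranges overlap with home LANs), so discovery only runs when every signal agrees.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed corporate network profile. These values are illustrative
# placeholders, not any real organisation's addressing or hardware.
CORPORATE_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("172.16.40.0/22"),
]
CORPORATE_GATEWAY_OUIS = {"00:1A:2B"}      # hypothetical vendor OUI of corporate routers
CORPORATE_SSIDS = {"CorpNet-Secure"}       # hypothetical corporate wireless SSID


@dataclass
class NetworkContext:
    local_ip: str           # address assigned to the endpoint's active interface
    gateway_mac: str        # MAC of the default gateway as seen in the ARP/neighbour table
    ssid: Optional[str]     # SSID if on Wi-Fi, None on a wired link


def normalize_mac(mac: str) -> str:
    """Upper-case, colon-separated form so OUI comparison is format-independent."""
    return mac.strip().upper().replace("-", ":")


def oui(mac: str) -> str:
    """First three octets of a MAC identify the hardware vendor (the OUI)."""
    return normalize_mac(mac)[:8]


def looks_like_corporate_network(ctx: NetworkContext) -> bool:
    """Weak, passive signals: subnet membership, gateway vendor, and SSID.

    Each is spoofable or coincidental on its own, so all must agree.
    """
    ip = ipaddress.ip_address(ctx.local_ip)
    on_corp_subnet = any(ip in net for net in CORPORATE_SUBNETS)
    corp_gateway = oui(ctx.gateway_mac) in CORPORATE_GATEWAY_OUIS
    # A wired link has no SSID to check; on Wi-Fi the SSID must be a corporate one.
    corp_ssid = ctx.ssid is None or ctx.ssid in CORPORATE_SSIDS
    return on_corp_subnet and corp_gateway and corp_ssid


def should_run_discovery(ctx: NetworkContext, beacon_reachable: bool) -> bool:
    """Decide whether the agent may scan the local network for unmanaged devices.

    beacon_reachable: result of the caller's probe of a host that exists only
    inside the corporate network (the "marginally more advanced" check).
    Discovery is allowed only when the passive signals and the active probe
    both indicate a corporate network; anything else is treated as a private
    LAN and left alone.
    """
    return looks_like_corporate_network(ctx) and beacon_reachable


if __name__ == "__main__":
    office = NetworkContext("10.20.5.17", "00-1a-2b-44-55-66", None)
    home = NetworkContext("192.168.1.23", "dc:a6:32:10:20:30", "HomeWifi")
    print("office:", should_run_discovery(office, beacon_reachable=True))
    print("home:", should_run_discovery(home, beacon_reachable=False))
```

In practice the passive signals are cheap to evaluate before any packet is sent, while the beacon probe is the decisive one; a home LAN that happens to use a 10.20.x.x range, or a consumer router from the same vendor as the corporate gateways, still fails the combined check and no discovery traffic reaches the employee's private network.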
It's really difficult to find solid guidance on how secure that is.
E.g. tag the port on the switch, run a cable to the device so that it doesn't know there's a vlan involved, block routing between vlans. As far as I can tell that's probably good but might not be.
Not specifically through Chrome (managed chrome does not give your employer access to incognito or personal profile data), but if it's a company owned and issued laptop you should assume they have other ways of capturing all activity on the device.
It will depend on your employee handbook, but generally any data you produce on a company laptop belongs to the company. Anything in the browser cache is fair game.