Get your staff's consent before you monitor them, tech inquiry warns (theregister.com)
152 points by rntn on Aug 10, 2023 | 160 comments



Our system is pretty straightforward. We are 100% WFH. Whatever you do on the virtual/cloud work desktop is considered entirely property of our company. Your incidental Spotify, Youtube and 4chan visits are included in this scope. We actively encourage our employees to minimize their cloud desktop and use their thin client/MacBook/2nd computer/whatever for non-work things.

To go even further - the physical hardware we provide to our employees is no longer enrolled into IT policies. If someone uses the actual work machine to play counterstrike, we literally don't care about this anymore. It wouldn't show up on any report.

We seriously don't give a shit if someone is listening to music, having Netflix playing, etc. The only thing that matters is the work product at the end of the day. Some people are incredibly productive while listening to death metal at reference volume. Others are not. Who are we to judge?

Even though we have access to deep digital forensics on our employees' virtual desktops, we would only ever use them if there were some criminal or civil proceedings brought forth.

If you feel like you have to use the digital panopticon to micromanage your tech/knowledge employees, you are potentially a really shitty manager.


Person who is productive while listening to death metal checking in.

I have two jobs currently - one is regular 40h/wk salaried day job, another is part-time, nights and weekends, hourly pay. I only need to work 15-18 hours a week at the part-time one to exceed my full-time pay, but the part-time one is:

  - Windows
  - internet routed through a hardware appliance that I'm sure logs every bit and packet
  - forced to run an invasive full-system virus/malware scan on start-up and at 5AM every morning (takes 4-4.5 hours) forcing me to leave the thing running for days or weeks at a time and preventing any early morning work
  - random things that were fine for years suddenly blocked, e.g. spotify/youtube
  - I will occasionally get emails from IT asking why I have a random application installed, what it does, and why it's "operationally necessary"
  - Once had trouble working during an active malware scan so did non-sensitive but time critical work on a personal machine and got an email the next day why I was clocked in when the computer was off

Compare to my full-time job

  - Not windows
  - VPN is off by default and IT makes a conscious effort to move things *off* of VPN instead of the opposite
  - No tracking of any sort
  - We literally play Steam games for work events sometimes so it has Steam installed

Now clearly there are some big culture differences between the two as well, but needless to say it's rare the side gig beats my full-time paycheck, precisely because it's such a horrible work environment.


I hate this full-system (anti-)malware crap as much as the next guy. But this:

> - I will occasionally get emails from IT asking why I have a random application installed, what it does, and why it's "operationally necessary"

The issue is that policies have to be fairly general and can't just count on all employees actually knowing what they're doing. And sometimes people actually do shady things, even if it's not intentional. And if IT is understanding, then I think it's OK.

The other day, there was a story on the HN front page [0] about some innocuous looking app that got bought and converted to some kind of shady proxy. If I was responsible for my company's staff machines, I sure as hell wouldn't want that kind of crap running on them.

What's to say that your random app won't be siphoning up ~\Documents\top_secret.doc?

[0] https://news.ycombinator.com/item?id=37052508


Anyone with "software engineer", "developer", or "programmer" in their job title should be given full benefit of the doubt by default and only bothered if the program is proven malware. It's our job to know what we're doing, so we should have admin too. I feel like Ron Swanson in Home Depot every time I have to ask IT to do something.


As someone who’s been responsible for dealing with the consequences of “programmer” output, I’d say that they definitely should not be given the benefit of the doubt. While it may be hard to believe, the average “programmer” knows nothing about IT or networking or hardware, and you’d be lucky if they know where the power button is.

Generally “programmer” type folks are only power users in the context of software, possibly even only the software they wrote or tooling they chose.


> It's our job to know what we're doing, so we should have admin too.

Nope.

Engineers and programmers are the most-likely source of "I know what I'm doing so I can run it this way" and you end up with things like NFS running on systems that haven't been bounced in over 300 days and can't be updated because someone used sudo to break yum.

No one gets admin unless they explicitly need it. Period. Because while you may actually know what you're doing, most programmers haven't the slightest inkling about safe computing practices, based on experience.


Well, I’m glad I don’t work for you. I work for a Fortune 100 company with nearly 100,000 employees and we all have admin/root access to our company provided hardware. I’ve worked here for decades and have never heard anything through the IT grapevine of issues arising from this.


I, too, work for a Fortune 500. They're actually in the top 100. No idea how many employees, though.

Every instance I've encountered with an engineer having root/admin permissions has been a shitshow.

I just now encountered an instance of engineers bypassing policy by modifying sudoers to give a lower priv'd generic/shared account passwordless sudo to shit like /usr/bin/make.

The other project I was on, I had to fight with engineers about why having a firewall on your appliance doesn't negate the need to address code execution exploits behind the firewall. These aren't security-savvy individuals and they shouldn't ever be given administrative access to anything.

I'm glad you don't work for me, too; I can't stand leadership positions. I work in security and all I see are engineers fucking up daily, so I'm pretty jaded/biased at this point.
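
As an added example (not part of the comment above, and not any commenter's own tooling): a minimal audit for the kind of sudoers change described there, a shared account given passwordless sudo to `/usr/bin/make`. The sample sudoers text, the account names and the short list of flagged binaries are constructed for illustration; the parser covers only user specifications and `Cmnd_Alias` lines and ignores include directives.

```python
"""Flag sudoers rules that grant passwordless, root-equivalent access."""
import os
import re

# Constructed sample; account names and rules are illustrative only.
SAMPLE = r"""
Defaults env_reset
Cmnd_Alias BUILD = /usr/bin/make, /usr/bin/strip
root      ALL=(ALL:ALL) ALL
%wheel    ALL=(ALL) ALL
svc_build ALL=(root) NOPASSWD: /usr/bin/make
ci        ALL=(root) NOPASSWD: BUILD, PASSWD: /usr/bin/systemctl restart app
backup    ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ \
          /mnt/backup/
deploy    ALL=(ALL) NOPASSWD: ALL
"""

# Illustrative, not exhaustive: programs whose normal job is to run commands
# the caller supplies (make runs whatever the Makefile recipes say), so a
# passwordless rule for them amounts to unrestricted access as the target user.
RISKY = {"make", "sh", "bash", "env", "find", "vi", "vim", "python3", "perl"}
ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# Optional "(runas)" prefix, then zero or more "TAG:" prefixes, then the command.
ITEM = re.compile(r"^(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")


def logical_lines(text):
    """Join backslash continuations, then drop blank and comment lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def split_list(spec):
    """Split a comma-separated sudoers list (escaped commas are not handled)."""
    return [part.strip() for part in spec.split(",") if part.strip()]


def parse_cmnd_aliases(lines):
    """Map each Cmnd_Alias name to the list of commands it stands for."""
    aliases = {}
    for line in lines:
        if line.startswith("Cmnd_Alias"):
            name, _, members = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = split_list(members)
    return aliases


def audit(text):
    """Return (account, command, reason) for each risky NOPASSWD grant."""
    lines = list(logical_lines(text))
    aliases = parse_cmnd_aliases(lines)
    findings = []
    for line in lines:
        if line.startswith(("Defaults",) + ALIAS_KINDS) or "=" not in line:
            continue
        who_host, _, spec = line.partition("=")
        who = who_host.split()[0]
        nopasswd = False  # a tag stays in force for later commands in the list
        for item in split_list(spec):
            tags, cmd = ITEM.match(item).groups()
            for tag in re.findall(r"[A-Z_]+", tags):
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if not nopasswd:
                continue
            for command in aliases.get(cmd, [cmd]):
                binary = os.path.basename(command.split()[0])
                if command == "ALL":
                    findings.append((who, command, "any command, no password"))
                elif binary in RISKY:
                    findings.append(
                        (who, command, "runs caller-supplied commands, no password"))
    return findings


if __name__ == "__main__":
    for who, command, reason in audit(SAMPLE):
        print(f"{who}: {command} ({reason})")
```

On a real host the input would be the contents of `/etc/sudoers` plus the files under `/etc/sudoers.d/`, read with appropriate privileges.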


I don’t even work for a tech company. Everyone from assistants to designers to managers has admin access on their work machines.


"Anyone with "software engineer", "developer", or "programmer" in their job title should be given full benefit of the doubt"

No one gets the benefit of the doubt, and certainly not programmers. You get more leeway with what we'll allow, but not free rein. Most programmers aren't HN level.


> Most programmers aren't HN level

Oh boy, the self importance here is hilarious


It’s one of the defining cultural cornerstones here.


I'm not a programmer at all, my yearly code output these days can be expressed in double digit hours, and very small ones. I assure you, I do not think of myself as a programmer much less a top tier one.


Ah, yes; because there's a programming skill test we all had to pass to be allowed to post here...


Yeah, I get it, it’s easy to poke at that phrasing.

There’s also a reading of that response where they mean “HN level” like “as confident as the replied-to comment author”. Could even be a bit sarcastic.


I wasn't being sarcastic, but with me it was a good guess. :D


No, but there is a curiosity test, you have to find the place; and then once you're here you have to understand things in order to find value and come back.


If a non-technical user notices something odd (fan running fast, slow boot, lots of network traffic) they’ll go straight to IT.

Someone with the attitude of “it’s my job [to not mess up]” will mess up subtly, try to fix the problem, and not mention it to IT.

As annoying as IT can be, one of those options is a lot better for operational security.


Will normal users really do that? I feel like a normal user's computer could be on fire and as long as it booted they'd continue on as usual.


I actually agree with you, I just brought it up as part of the massive cultural differences between "you managed to download this thing on this very locked down system two years ago, fill out this form to tell us what it is" and "go download steam and here's a steam code for a game, we're playing at 3pm if you want to."


Yes but couldn’t they research the app? If IT understands software, they can ask less often.


They're likely understaffed. They're also going to want to know why you're using it. My colleagues have had a case of someone downloading some program which was doing something that was already provided. Turned out "ours" was missing some features, so they've changed that.

It can also work as a deterrent. If you know you're going to have to fill out a form, maybe you won't download random stuff unless you actually need it.


I understand understaffed although I think that's when siloes should be broken down so technically apt people across the company can reduce the workload (like by advising on a list of safe software that shouldn't be questioned.)

I don't appreciate the deterrent culture because it's hard to get from point A to point B without some exploration if the company isn't used to trying to improve how work is done, or improve its thinking. The opportunity cost of preventing bright people from exploring is enormous. I understand, though, that compliance and uniformity are high priorities in some industries. (My experience with this kind of IT comes from aerospace and finance.)


Oh, I absolutely agree with this. But I think many companies have a hard time with this.

The issue being that, of course, this exploration may end up badly. See all the supply chain issues which have made it to the HN front page. So some guardrails should absolutely be in place.

I don't know how practical that would be, but I keep thinking we (IT people and adjacent) should possibly have two computers. An "untrusted" one, on which we'd be free to tinker, test new things, etc. No issue with nuking it if anything goes wrong. No access to "important" data or networks. And another, "trusted" one, from which you'd do your admin work, deploy to prod, etc.


I would love to see the two computer approach be more widespread. I think "one computer per desk" is a major mental hangup. Computers cost a fraction of what they used to compared to salaries and we still insist on a 1:1 ratio.


> policies have to be fairly general

They don't actually. This is why roles exist.


They won't have a "smeagull" role, and a "john" role, etc. If you're a dev in a dev shop, the "dev role" could cover a sizeable number of people.

In my company's case, they do have roles. The "accountant" role has like 60 people. They're all doing mostly the same thing, so it wouldn't make sense to have 60 accountant1..60 roles.


Roles are cross functional. You can have ApplicationUser, AllowedDebug, Network1User, PythonDeveloper, Database1Developer, etc. etc.


> forced to run an invasive full-system virus/malware scan on start-up and at 5AM every morning (takes 4-4.5 hours) forcing me to leave the thing running for days or weeks at a time and preventing any early morning work

Maybe it's just me, but hasn't Microsoft antivirus thingy gotten really _really_ heavy recently?

Back in the days you would barely notice it, but nowadays it will take over 1-2 cores and make sure the damn fan is always spinning.


What's not clear to me is why MS implemented the "protected folders" feature so half-assedly as to be useless?

To me, the important thing to protect on a computer are the user's files. Instead of regularly scanning everything and comparing to known bad signatures and grinding the machine to a halt, why not limit what the apps can do?

If it's hard to prevent users from downloading totally_not_shady_app.exe, just make sure that it can't access anything anyway. That may still allow it to mine bitcoin, but at least it won't leak sensitive data. Or better yet: most users aren't devs. Just don't execute anything from the users' home folder. This probably won't help with all the attacks on Office by macros and whatnot, but it'd be a start.


This already exists and is called Windows S mode.

I wish it was more popular, but as soon as it was announced blogs like verge and Engadget started a crusade against it and more or less killed it off


Wasn't that much more limited than what I was arguing for? IIRC, it could only run apps from the MS Store, but it could run any app from the store.


It's inter-silo warfare, the Microsoft antivirus regularly detects and reports the operating system spyware?


IMO, the combination of anti-virus and updater got really heavy. But when the updater isn't running, I never noticed the anti-virus.


That's interesting.

I know not everyone is in position to pick and choose between jobs, but frequently you can improve your "it situation" a lot if you raise it during recruitment.

I recently started working for a (large) company that gave me a Linux laptop (I wfh 100%), 99% of their staff uses Windows. It uses Cisco VPN and a simple script to block all traffic if the VPN is off (once VPN is on, local traffic is allowed). The machine runs a RHEL-based distro, all public repos are disabled and "the it" maintains only approved packages. Interestingly, I can use sudo, but I have to write justification for every use. There is full disk encryption, but I'm not aware of any "activity monitoring" other than outgoing internet traffic.

Prior to this, the company I worked for gave me a windows laptop. I had Admin rights on it too.

During my recent search for new work I spoke with a company that seemed a great fit. Until they told me they log hours worked by tracking keyboard/mouse/recording screen use. "for client accounting reasons". To my objection that if a client agrees certain job is worth 4h to them, who cares if I do it in 1h they said they have to use this model. I declined to work with them and I got a different offer. I'd hate to have a job where I'm incentivised to work slower not faster.


>Even though we have access to deep digital forensics on our employee's virtual desktops

Yeah you say that and I believe you just like I believed Sergey, Larry and don't be evil.

Don't collect it at all. Collecting anything private is like having to handle toxic waste. Just don't. You can't control it, you can't guarantee security and you don't know what could happen if you're bought out etc etc. You just can't possibly trust all possible future managers about which you know nothing.

Just say no.


>Whatever you do on the virtual/cloud work desktop is considered entirely property of our company. Your incidental Spotify, Youtube and 4chan visits are included in this scope.

"Not only are you fired, the 400gb of futa hentai you downloaded is our property"


Ok, for these employees, do you also consume audio and video? My biggest concern is that WFH bringing company hardware home is inviting employers the opportunity to monitor employee home-life, recording private conversations, for example. It might be one thing to have that sort of monitoring go on at the work place, but WFH own their office, and pay for it too.

Incidentally, I feel the same way about kids bringing laptops home from school.


The simplest way to treat any employer device at home (and work) is that they should be assumed to be hostile. It could be default settings, best practices of Microsoft for adoption, etc.

How to treat a hostile device in your home network is the same as home automation - isolate it.

- Separate vlaned network that can’t see anything on your home network. Separate SSID.

Don’t like the microphone? Find an adapter that mutes it.

- Create a separate VLAN and SSID that can’t see anything on your network. The ideal way to do this is configure a travel router behind your regular router. The extra NAT hop is worth it.

- Bonus points for a vpn at home that your travel router can connect to, making your work setup a little more mobile.


If you're concerned about this isn't the simple answer just to shut down at the end of the day?

While I'm sure there are exceptions, thinking about the IT departments I've worked with in the past and how cost-conscious they were, the last thing any of them would want to do is waste the time and money to record non-work related employee conversations at their home.


Well, what's to say that the PC is actually off? Many "enterprise" laptops nowadays can't have their battery pulled out easily.

My HP laptop needs to have the back panel removed. If I do that, it'll trip the intrusion sensor and wipe the TPM. IT can know about this and ask you why you're taking apart the laptop. If it's windows, and you don't have the BitLocker key, you won't even be able to turn it back on.


Spoken like a true over-engineer.

> Put it in a drawer. This isn’t rocket science.

Yup


Then close it and wrap it in a couple layers of towels or something, stick it in your refrigerator under the leftover pizza, and/or block its access to wifi through your home router config. Physical controls trump whatever secret monitoring you fear it's doing.


Put it in a drawer. This isn’t rocket science.


Who says family life only starts "at the end of the day"?

And who says that it would be the IT department that would want this capability, instead of, say the employee's manager?


> Ok, for these employees, do you also consume audio and video?

Clearly GP's firm doesn't run a webcam and microphone capture on the thin client. They could potentially monitor audio/video I/O from the cloud workstation that the thin client logs into.


I've taped the webcam on my work laptop. If my employer wants me to use a webcam as part of my job, I'll ask them to buy me one with a physical shutter. Thankfully no one gives half a shit about webcams at our workplace.


I bought a little physical shutter that sticks onto mine.


I think I've seen people report their MacBook displays getting shattered because of those shutters so I've opted for tape instead.


Where do you place the tape to cover the mic? No? Why are you only partially paranoid?


A couple of reasons. First of all, I kinda need the microphone for work whereas I don't need a webcam. I also live alone, so it's not like I am having that many private conversations at home. However, I do for example spend time naked at home, and I'd prefer that to not be visible to any cameras.

There is thankfully a physical cutoff switch for the microphone whenever the laptop lid is closed in case I need to have a private conversation and ensure that there's no employee-provided microphones nearby.


> inviting employers the opportunity to monitor employee home-life, recording private conversations, for example.

Employers have bigger things to worry about than some minor employee’s bickering with their family. I think you can safely worry about bigger things.



I think it is dumb for employers to do this.

However, these examples don’t seem to have anything to do with spying on your private life, i.e. outside typical work hours.


The interface for the virtual desktop in many circumstances is by way of a simple browser tab.

Due to browser security standards, every time you access your work desktop via web, a warning pops up asking if you want to provide camera/audio/location services.

You can decline to consent and there won't be any problems, other than Teams won't be able to use your webcam/audio for a meeting.


As someone who is growing a business and who looks to make the jump from "here is a laptop, GSD*" to "here is a laptop with security, GSD", how does one go about setting up this sort of system of cloud desktop?

* GSD: get shit done (because I literally can't be arsed if you watch Netflix, play TOTK, or whatever so long as clients are happy and you are satisfied with your work)


> how does one go about setting up this sort of system of cloud desktop?

Check out Windows 365 Enterprise. We have it configured for multiple regions in order to minimize latency. One AD security group per US state. Then, we set up an Intune provisioning profile per region to map them through.

You can push custom images or take the default 10/11 builds. It seems to be working out really well for us. I run a heavy VS2022 workload all day and have no issues (4vCPU, 16gb, 128gb). Build times are definitely slower than my 32 core battleship, but that's to be expected.

I just checked my RTT stats in MS endpoint management and I am seeing ~18ms between my desktop and the actual desktop. The worst case we have right now is S Florida to N Virginia (US East) @ ~60ms, but they are adding a new region soon so hopefully we will have every employee well under 50ms over time.


> If you feel like you have to use the digital panopticon to micromanage your tech/knowledge employees, you are potentially a really shitty manager.

The higher up the management chain you go, the lower your visibility into developer productivity. It is natural that executives and owners should want that visibility, it's just that it's too fuzzy -- it can't be had with the kind of resolution that they want. Hence we have all these faddish metrics that get gamed and never end up being useful.

We should have empathy for management's need to know even if we don't think they can really get a clear picture.

What to do? Two things:

- Manage better. Companies need managers who can get a good sense for their direct reports' abilities, skills, and productivity. And those managers need to have good BS detectors too. And managers need these skills up and down the management chain.

- Look for outcomes. Teams and employees that never deliver enough value should be looked at with some care -- maybe they are, but the value they deliver is not very visible, or maybe they're expert bullshitters.

Regarding outcomes, long delivery delays need to be investigated because one of the many problems we have as an industry is in estimating time and effort needed to deliver. This happens for reasons, but mainly that software development is harder than we tend to think.

(Also, investigate your software development lifecycles. Maybe your change management schemes are wasteful and delay-inducing.)

I say software development is hard, but I think management is probably much harder. The business school metrics fads that lead managers astray don't help.


Do you enforce any security for the PC used to connect to the virtual desktop? Thinking of possible keylogging, possible mitm when connecting to the virtual desktop, a RAT on the PC used.


No. We aren't this paranoid. Keylogging could be as far up the stack as the employee's brain.


We are still in the dark ages of no root, all kinds of agents and spyware, multiple layers of TLS intercepting proxies, etc.

I still surf HN and listen to questionable and obscure genres of metal while I code. If they ever complain I'll explain that is what I need to get my work done.


I assume programming related websites are ok which I include HN in that category.


Not enrolling work devices into IT policies actually goes against your encouragement to separate your work/cloud client and a 2nd computer/non-work things.

Having rigid boundaries encourages this separation, and I don't mean overly strict IT policies. I think you can easily allow people to listen to their music apps and watch netflix, without opening the floodgates for games that require kernel level anticheat.

IT policies should be as simple as possible, even an app whitelist coupled with preconfigured browser is plenty. You wouldn't even need to monitor them at all this way.


So how do you manage the risk of a user connecting to a remote desktop with an un-updated machine full of malware? In the end if the client machine is breached the remote virtual one will also fall?


IMO a business/manager cannot get "consent" from an employee because that employee is always under threat of being fired. Any consent given should be considered under duress, e.g. not actually consent.


After speaking with an EU Data Protection Commissioner (IANAL), it is my understanding that in the EU this would not be just your opinion, but also the law. Due to the power imbalance between you and your employer, it is not possible to consent to data collection, unless that data collection is governed by some other law.

A quick search also yielded this:

https://commission.europa.eu/law/law-topic/data-protection/r...


This seems like a fair point. It's often argued when discussing sex that legitimate consent can't be given by someone at a significant power disadvantage. Employee vs. boss, model vs. talent scout, legal-aged student vs. lecturer. Surely the same should apply for any other intrusion?


Really need to see more of this attitude in the workplace.

I'd like to think it's not controversial but I'm surprised at how often it seems to be overlooked for workplace romances as well.


I think it will make a resurgence. In boom times when you could work somewhere for 6 months then go anywhere else and make a 10-15% raise, there was at least some validity in the "if you don't like it, don't work here" argument. But if the employment market tightens, or if a) we actually have a recession and b) it meaningfully affects the tech sector (which seems to be unlikely regardless of the broader economy), you'll see people start to behave as if they can't be guaranteed a job somewhere.


> you'll see people start to behave as if they can't be guaranteed a job somewhere.

I'm trying to follow the thread, are you saying that people who don't want to have every mouse click tracked or their private home network, outside the work VPN searched, are behaving in an entitled manner?


No. It's reasonable to expect some sort of fluidity in what employees are willing to accept from employers, and part of what factors into that is how easy it is to get another job. If it's very difficult to go to another employer, employees will naturally accept more "bad" things from their employers than they might if they could make a phone call and get another job.


>are you saying that people who don't want… are behaving in an entitled manner?

It’s not about entitlement, justice or any of that. This is capitalism.

It is about raw power and pragmatism and what one can get away with. When the employee has the upper hand as in a hot market, they have some wiggle room. When the employer has the upper hand, the landscape shifts accordingly.

Unions are unpopular in our industry, but are typically how employees in most sectors have increased their power.

Employer cartels and the state are how employers increase theirs.

Adam Smith covered it all about 250 years ago in the Wealth of Nations, a fantastic read if you can stomach the archaic writing style.


Not much of "IMO", this is widely acknowledged in a lot of different contexts. Employers cannot get consent from employees.

It may be different if it's gathered during the hiring process. The earlier, the more likely it is to make a difference.

But just to point it out: in many countries employers do not need consent, often they just need acknowledgement. That one they can get, by doing exactly the things that are in the article.


Reminds me of an old boss telling us "this isn't a 40 hour a week job" and I said to him "I'll agree if you put that in the job postings, before salary negotiations."


I'd probably also say "no problem I don't think I ever worked a 40 hour week in my life"...


Work is a bilateral voluntary arrangement. If you don't like anything; you leave. If they don't like something and it's a firable offence; they fire you. No one is under duress.


That totally ignores the power imbalances between employers and employees.

Like how an employee accounts for 1/n of an employer's work capacity (where n can often be large), but an employer typically accounts for 100% of an employee's income.

Or how an employer can often delay completing whatever task a particular employee was doing with minimal consequences, but if an employee skips paying rent or other bills then they can get stuck with late fees that are a non-trivial fraction of the actual bills, which they already have trouble paying. And you can't skip buying food for a month and make it up next month.

Or how the need to pay for food and rent means that even employers that are widely known to be terrible can often find new employees to take up the slack from somewhere no matter what their turnover rate, but employees who have any kind of negative reputation, or are seen to move jobs "too quickly", can find it hard to find employment again.

I find "Work is a bilateral voluntary arrangement" where "No one is under duress" to be an overly-reductive-to-the-point-of-naiveté position.


This misses the context: the claim is that 100% of things your employer wants you to do you must do or you are fired, and therefore we should call these requests "duress". That's not true. There are laws protecting employees, and, more meaningfully, there are other employers.

> Like how an employee accounts for 1/n of an employer's work capacity (where n can often be large), but an employer typically accounts for 100% of an employee's income.

The employer needs 100% of that employee's work, or they wouldn't pay for it. Conversely to your point, the employer may very much struggle to replace an employee, and an employee may have various other employers to choose from.

Of course there are jobs where this is less the case, and there are jobs where this is more the case. I'm not assuming that all jobs are like this, but I don't think we should be assuming zero (or vanishingly few) jobs are like this.


> The employer needs 100% of that employee's work, or they wouldn't pay for it.

If that were the case, employers would go bankrupt, or at least descend into chaos, whenever anyone took a sick day.

> the employer may very much struggle to replace an employee, and an employee may have various other employers to choose from. [...] but I don't think we should be assuming zero (or vanishingly few) jobs are like this.

OK, then; if not vanishingly few, how many? Out of the roughly 130 million full-time jobs in America, do you want to give a ballpark figure for what percentage of those jobs you think an employer will struggle to cover or get by without in the immediate term, and replace within (say) four-to-six weeks, and would suffer significant effects on their business if that employee disappeared tomorrow?


I think this would hold up better if refusing to give consent didn't end with you being fired on the spot. All of a sudden with no warning you're now not getting your next paycheck. That sounds like duress to me.

I would be much more likely to agree with you if the employer came out and said "here's the new policy, it's being implemented in 6 months. On this date 6 months in the future, you need to sign this form or you're out." That gives you time to make other arrangements, get independent review of the policy, whatever you want.


At the very least, it should factor into a salary negotiation like it would if represented by a union.


Sure, but the contents of what that proposed agreement can be - and are - limited by law.

You can't offer a salary below minimum wage even if both parties agree. You can't have people work hours above a certain limit even if both parties agree. And (at least in EU) in the exact same manner you can't have take-it-or-leave monitoring of all employees even if both parties agree.

Such monitoring may be permissible with genuine 'freely given consent' if it was given without any expectation of terminating the relation or any other adverse consequences or differential treatment. If you say "I'll give you $100 if you consent", the employee can agree, but that doesn't count as valid consent or binding contract and doesn't permit you to do the thing with that employee's data, privacy rights aren't for sale even if people would want to sell them. And you might get consent from some of the employees, but IMHO there isn't (and shouldn't) be any EU-legal way to ensure that you get consent from everyone, because if you do, that's a good sign that's not "valid consent" as defined by EU law, that it wasn't freely given but conditional or coerced.

A good analogy for how consent and privacy is handled in Europe (not in USA though) IMHO is like consent to sexual acts; if in an otherwise identical situation consent given in that manner wouldn't be appropriate to violate someone's asshole, chances are that consent wouldn't be valid also for violating their privacy; If part of employment contract or company policies says "I consent to my manager arbitrarily monitoring me" it is about as legally binding as it saying "I consent to my manager arbitrarily fucking me", i.e. just empty words.


> If you say "I'll give you $100 if you consent", the employee can agree, but that doesn't count as valid consent or binding contract and doesn't permit you to do the thing with that employee's data

Yes - illegal things are illegal, of course. I can pay someone $1 to kill someone as a freely arrived at agreement, but that's illegal. What I was saying is orthogonal to legality. It's about whether or not the employer-employee relationship is 100% coercive.


It might not be 100% coercive, however, at least in the EU the general legal principle seems to be that by default it should be assumed that it is coercive, due to the inherent power imbalance in employment contracts.

E.g. PriceWaterhouseCoopers was fined for unlawful handling of employee data despite having the employees "agree" to it (https://www.lexology.com/library/detail.aspx?g=9a315cca-bc71...), and the "consent" being in the employee handbook effectively was an additional violation "PwC had processed the personal data in an unfair and transparent manner, by giving the false impression that it was relying on consent".

For resolving such issues, quoting that article, "the EDPB/ICO guidelines stipulate that in an employment context, consent cannot be given freely as there is most likely an imbalance of power between the employer and the employee".

It could be that in some particular scenario the relationship wasn't coercive at all and the consent is valid, but it would be up to the employer to demonstrate that, and if somehow 100% of employees consented to monitoring, it could be very, very difficult for the employer to demonstrate that no "motivation" (positive or negative) was involved and everyone really just loves being monitored as a pure coincidence.


There's a significant difference between there being an unequal power dynamic, and an actual threat.

True equality in any relationship between different humans is almost impossible. There are always differences where one person has more privilege or advantages than the other, and that includes hierarchy, but it also may be caste, religion, race, gender, sexual orientation, etc. It cannot be avoided that sometimes two people need to engage in a consent agreement and both of them are not considered "equals". Yet it's still important, perhaps more so, to seek that consent, and respect the denial of it. We shouldn't discount that consent agreement just because the two have an uneven power dynamic, because that will always be there.

If on the other hand, an employee has a specific case and evidence for why they are being intimidated, a judge and jury could decide if the extenuating circumstances warrant nullifying a consent agreement. That's basically how things like sexual assault cases are handled. The same logic would apply to business consent agreements.

The real difficulty is evidence. Always keep evidence of your treatment at work. Tell other people, send emails, confirm details after calls that you can't legally record.


At my first job about 15 years ago, my coworker in the cubicle next to me showed me this strange program running on his computer. We saw that it was running on a weird port, so I tried to telnet into it (and the software crashed).

The next day, he was fired and I was brought into a room and basically interrogated. They asked me if I intentionally crashed their monitoring software (which I didn't, I just was curious about what was running on his computer).

Come to find out, they were monitoring all of us all the time. I suspected this was the case a few months earlier because one of my managers started randomly bringing up topics I had in a private AIM (aol instant messenger) conversation.

That day, they told our entire team we were being monitored and we had to sign a consent form or be fired. I signed it and promptly started looking for work during my lunch hour the next day (I would drive a few miles away and use my laptop in my car).

I left two months later. This was all about 6 months before the 2008 downturn and the company I left was in the loan business. I would have most likely gotten laid off in the cuts.


Hearing the British government care about "the risks of excessive surveillance" is a new one.

Although I guess it's because they're talking about companies, not the government itself.


"The British government" is not a monolith. We have an incredibly dysfunctional cabinet for various dull political reasons, but there are a lot of smart and sensible people in committees and the civil service.


That's an important point that's not always visible from the outside. I worked on implementing payroll system for a federal government and it was eye-opening in my ignorance - I always thought of "The Government" as a monolith with unified voice. Nothing could be further from the truth. And different parts have explicitly different goals and prerogatives so it's not even necessarily contradictory if e.g. Environmental Agency and ministry for interior development have completely opposite points of view.


Trying to ban encryption while they gaslight you about privacy being important and what companies can do but, as you say, they're one of the most abusive and potentially one of the most careless in relation to the sensitive nature of the data as well (see voter leak).


Presumably consent is an obligatory contract amendment and easily introduced to new contracts too.

And British people will accept it like they accept every kick to the balls by government or big business.


  Employer: Employee, you must consent to monitoring.
  Employee: What if I don't?
  Employer: We will fire you.


It's more like "Read this 50-page employee handbook and send us your signature acknowledging it. You must do this every year." (It is mostly identical to last year's version but with the employee monitoring added to a clause, and we aren't mentioning what's changed)


At least in EU that clause is not binding, if you sign the handbook (or a contract) agreeing to it, that doesn't give the employer permission to do it - there are multiple precedents with GDPR fines for employee monitoring despite doing what you proposed.

Putting it in your employee handbook means acknowledging (in writing) that you have an illegal, prohibited policy, and getting employees to agree to it doesn't make it permitted.


I hope so, even though I don't think I'll ever feel the need to perish on that hill, just to check if it's actually true.

Here's my signature.


There's no need to perish on that hill or confront anyone, a report to the local data protection agency should suffice to get it investigated and corrected, although it may take quite some time.


We've been hearing authoritarian minded people for years saying things like "actions have consequences" and "you had a choice, no one forced you to" but coercion (pushing someone to an unwanted choice using an imbalance of power/threat) is simply an illusion of freedom and fairness.


My personal 'favorite' replies in that vein include thinly veiled threats to RTO.

'You come back or we find someone else to do the job.'

What is interesting is that those same people no longer add 'your job will be outsourced'.


    Employee: But what about my health insurance?
    Employer: Better not make us fire you


Consent is a two way street!


The beatings will continue until morale improves


There is no consent when it comes to the employer/employee power imbalance. Agree or be fired is coercion.


That might fly in an at-will state, but in the UK it's going to end up at an employment tribunal. "Agree or be fired" falls down if the law strictly regulates how, when and why someone can be fired and those laws are readily enforced. An employee asserting their statutory rights is absolutely not a legitimate grounds for dismissal.

The Data Protection Act does allow for monitoring without consent, but only where that monitoring is specific and limited to an absolutely necessary purpose that overrides the rights of the data subject: for example, the detection and prevention of crime, the protection of life or limb, or the fulfilment of a legal obligation. For any other purpose, consent must be given; for that consent to be valid, it must be fully informed, freely given and freely revocable. Where consent is relied upon as the basis for data processing, the burden of proof is upon the data processor to demonstrate that the consent was legitimately given.


It won't in most cases. People either don't know or don't want to risk their job for the possibility of a payout at tribunal.

That's assuming the employee is even aware that they're being monitored in the first place.


Mostly it will be rolled out over time. Not "agree or be fired" but rather "agree or don't get hired".

It will become a standard clause in employment contracts that people will be "free" to negotiate, just like everyone "negotiates" their employment contracts now.


Yes, a voice of commonwealth reason. Not everywhere is an at-will employment type of place, and it’s refreshing to see people be reminded that employee rights exist in parts of the world and that employment isn’t a one-way street.


All of the USA except sort of Montana is an “at will” state and even Montana is basically “at will”.


May I counter with a different idea?

I have no responsibility outside my job duties. The company folds? Goes into massive debt? I do not lose sleep or stress in the slightest.

There is no power imbalance in my mind. There is no whip or debt to the company to pay off.

Acquiring this mindset took one bad boss when they altered our agreement and I quit that moment without looking back. I had no job lined up yet knew my skills were valuable.


> I have no responsibility outside my job duties. The company folds? Goes into massive debt? I do not lose sleep or stress in the slightest.

I mean, that's great for you. But for millions of people, their health and wellness is directly tied into making money this very month (and possibly getting health insurance for them and/or their family), and losing their employer because they fuck up directly interfere with that, and will make their life a living hell until they can find a new job, which isn't always easy with the various constraints people have in their life.


One of the best things you can do to make your life significantly better is to figure out how long it would take you to get a job that you could survive with, then save enough money in the bank to be able to live that long without trouble.


"One of the best things you can do for yourself is having enough money" yeah, no shit. Except many (or even most) people can't.


Sure, which is easy for us (here on HN) as we possess skills that are sought after. But even you have to realize that most people aren't in the same situation, nor in situations where they can just sit down and learn stuff like that. In addition, being poor tends to make you more poor, as everything is working against you. But it might be hard to sympathize with that reality unless you've experienced it yourself at one point in your life.

Life is wide, really really wide, and it's a shitty experience for large swaths of the population.


While I don't disagree with you, I also hope you don't live in the US and find yourself in a situation where you or a family member depend on your health insurance for survival.


Also there’s no consent about equipment that someone else owns.

It’s like expecting the phone company not to log every key press on the pay telephone boxes they have set up.

I assume everything my work computer can monitor is being monitored. If I want privacy, I use a personal device.


Would you be okay with your boss putting a CCTV camera in their bathroom and watching you do your business? After all, it’s their toilet.


Fortunately in the US there are laws against surveillance where there’s an expectation of privacy and bathrooms are explicitly called out.

There have been numerous tests and offices and computers have been noted to not have an expectation of privacy, even keyloggers.

I'd like to see a case where people take their work laptop into the toilet and employers record business and see how the courts decide that.


To paraphrase the apocryphal Churchill somewhat, now we’ve established that people have a right to privacy at work, we’re just haggling over what those rights should be.

Laws are reflections of attitudes. People in the US believe that they have limited right to privacy at work and so laws are written to reflect that belief. People in the UK don’t buy into that theory and so laws are written that are more nuanced. The first step to gain rights is to believe in them.


And it's worth noting that this "expectation of privacy" depends on the jurisdiction, and in EU there have been numerous legal tests asserting that employees do have an expectation of privacy even when e.g. checking personal email on their company computers in company offices during work hours; so if you have a multinational company you need to acknowledge that you might be prohibited to apply the same IT policies for all your physical locations.


Precisely. There need to be carve outs. I need to be able to check my bank balance to see if I can afford lunch with my coworkers. I need to be able to receive messages about my family’s health and well-being. I need to do this without my employer then having unfettered access to sexy wife pics and my full banking history.


As an employer, I don’t want you checking your bank balance on my equipment. I don’t want to know that about you. I don’t want to worry about accidentally storing your confidential bank info on my servers and then if I have a breach it’s way worse because now your bank info is breached.

And mainly, as an employer I need all the info on your computer, it’s valuable. And there’s not a way to filter out what’s weard_beard’s family messaging them vs work stuff. So I just keep it all.

Of course I don’t do that because I don’t employ people, but that seems rational if I did.

So what I do, individually, is I have a phone. It belongs to me. If I want to check my bank balance, I use my phone. If I want to receive messages about my family’s health, I get them on my phone.

Even if my employer promised never to monitor my work computer, and they kept their promise, I wouldn’t want my kids’ school messaging me on my work email or my work phone.


As an employer you don’t want to give bathroom breaks or pay a living wage either. I’m saying these are part of employing humans. Let’s find a way to make it work


I definitely want to give bathroom breaks and pay great wages. That’s how I get happy and productive humans.

No one needs to check their bank balance on their work computer to be happy and productive. Nor do they need to get texts from friends and family on their work phone.

But everyone needs money. And everyone needs bathroom breaks.

For me, it’s about reasonable vs unreasonable.

I think it would be odd if an employer actually banned bank web sites. But it would also be odd if an employee didn’t want their computer logged in the off chance they checked their bank balance. Or wanted the employer to buy some method of not storing personal data while storing business data.

I mean, my employer is regulated and must store all documents, email, and web traffic I send or receive. I wouldn’t expect them to try to distinguish what’s personal and not store it. Is that even possible?


Is the employer hiring you to use the toilet to produce input for the company’s economic product? like human based manure maybe, then yes.

The outrage seems to mostly be about computer system monitoring but it’s bizarre to me as I’ve also always assumed all my computer activity at an employer device is 100% monitored. Why would it not be? especially this has always been done for security reasons.


> that someone else owns.

No one tell this guy about the shit home owners have to deal with. Once you decide to give other people access to anything you own you are held to a completely different set of standards than for things you keep locked in your closet at home.


This is all related to a “reasonable expectation of privacy” [0].

People who rent a home are legally entitled to privacy and the home owner can’t put cameras up and monitor them unless the resident permits it.

But if I own a home and live there I can put cameras up wherever I want. And if you come into my home, you don’t have a reasonable expectation of privacy standing on my front porch. But it’s different if you’re in the bathroom of my home because you expect privacy there.

Of course “reasonable” varies and states vary. But, in the US, the courts have ruled that at work you should have pretty much zero expectation of privacy except in a few exceptions like bathrooms and lactation rooms and clinics and stuff.

[0] https://www.findlaw.com/injury/torts-and-personal-injuries/w...


Can you expand on this a bit more? I'm not sure I follow you.


when you rent an apartment generally the owner of the apartment does not have any rights to the apartment and anything inside it, other than it not be damaged, and they have the obligation to keep things working if the damage was not caused intentionally.

in countries that have strong protection for renters, the owner does not even have the right to enter the property without express permission from the persons living there and any kind of surveillance is out of the question.


Probably referring to things like easements and adverse possession.


The UK still follows the GDPR, and the GDPR doesn't care who owns the device.

Device ownership can change what's considered a legitimate interest. For example if you set up a pay telephone box you can implement monitoring of keypresses to prevent fraud. But you can't just record whatever you want without justification, and you can only store the data as long as your justification requires and use it only for that purpose. Everything above that requires consent.


At a certain point there is always going to be a power imbalance between two parties.

So if the existence of an imbalance implies non-consent/coercion, can there ever be consent?


Employers will just put it in the employee handbook and, as they already do, require accepting and signing the employee handbook as a condition for employment.

A lot of companies have some really nutty stuff in their employee handbooks. One of my previous employers had a "professional appearance in public at all times" provision. Even when you weren't on the clock, you were expected to dress in a suit, not drink alcohol (even in restaurants), and several other things I don't remember, because "a client could see you".

Places like that are likely chomping at the bit to get tracking software installed on your personal computer.


I know the UK adopted GDPR, but I'm not sure about any changes which might have happened since Brexit.

However, in the EU, where the GDPR was written, consent must be freely given (which means that it must also be possible not to consent without negative consequences). Especially for employees, the prevailing opinion is that employees cannot give consent freely in most circumstances (https://commission.europa.eu/law/law-topic/data-protection/r...)

I'm surprised to see a recommendation to gather consent in this context.

(BTW: the report itself is hidden behind a link fairly far down in the article: https://committees.parliament.uk/publications/41099/document...)


Note that GDPR does have some carveouts for workplaces (meaning, it doesn't always apply in full as you'd expect).

As always, it really leans heavily on why people are recorded and how that data is used.


I'm not sure what would people expect for GDPR to apply in "full" in the workplace. (TBH I'm not even sure what would most people expect from GDPR, apart from being annoyed with cookie questions while browsing the web, but let's concentrate on people who know their rights and would potentially want to exercise them.) And even then, GDPR applies, and in a good amount of cases requires even more strict measures than "baseline" GDPR. E.g. employees are considered "vulnerable" because of the employee / employer relationship, and that often implies that Privacy Impact Assessments are required (fulfil one criteria and as soon as 2 are present, PIAs are needed).

That you can't use GDPR to e.g. delete random company data just because you are somehow associated to it is only logical, but I would not really count that as "GDPR not applying in full". That was understandably never the intent of the law, and it is detailed enough to avoid silly scenarios.


> GDPR does have some carveouts for workplaces

Can you point me to any? IMHO it does not have any explicit clauses mentioning more lax conditions for consent in case of employment relationships, and there have been multiple cases of GDPR enforcement re-asserting that anything that you require from all employees doesn't count as consent. An employer might assert a "legitimate need" basis for processing (in which case you need to only inform the employee, not their consent), but that is inherently limited and there have been large fines assessed for employees trying to push constant monitoring with this justification; the employer has a duty to minimize the invasiveness of achieving that legitimate need (e.g. surveillance for theft prevention can monitor only places relevant for that, and doesn't permit using the same videos for any other purpose e.g. measuring employee activity).


We had a situation where we had to use monitoring software to try to catch a very random issue that we suspected was user error, but the user was very obstinate it was a system error.

The software we found, the "features" are abhorrent in my opinion - the screen recording was what we purchased for, and we disabled everything else.

Thing is, we've discussed this with the specific employee involved and shown them exactly what we can see, and exactly what we can't see. Informed them that only I can see the data and will only use it when that specific problem is reported.

Watching seems to have reduced the incidence of the error, it was happening once or twice every 3 weeks, but it's not happened within the past 7 weeks at all.

It's "saved" us about 5k so far, so I can see why it's attractive.


An employee was making a mistake that was costing the company thousands of dollars, and was insistent it was a system error not their fault?

I'm really curious about what they were doing now, and why they would blame it on system error.


It's possible they do believe it's a system error, but now that there's new monitoring in place, they're being very careful about that part of their job. Or perhaps it was a conflict with some personal software that they uninstalled after hearing about the new debugging/monitoring.


We have a print job "triplicator" that I wrote about 12 years back to replicate three part dot matrix paper on a laser/mfp.

The employee works at a branch office that used to have a really good connection but now has an awful 50/12 adsl link.

They connect to our remote desktop server to our accounting software - create a proof of delivery that is printed via the triplicator to their local mfp machine which can take a moment to actually print.

When we moved from the 100mbps mpls link to the crap adsl there were some issues with printing the delivery notes, which we had to work around, but this is now recorded in people's memories as an ongoing issue - which it's not.

So, the issue is they believe they've processed the delivery notes and printed them, but they never appear. We can prove they've not been processed or printed due to database entries and logs, but the employee is adamant she's done them, and she's a great employee bar this one thing so hr and her manager don't push back.


For those in the UK, you should join the United Tech and Allied Workers - see https://utaw.tech

Aside from normal union activities, they have a very active interest in employee surveillance and are looking at how to fight it. Go and join, before you end up wishing you had done it sooner.


If you're in Canada, you can't even get consent, you cannot monitor your staff. Supreme court ruling is what it is.

I had a colleague recently tell me how he was monitoring employees and 1 of the staff was working from home, but in reality watching porn all day.

Despite an HR department, for some reason they required him to be the one who fired the person. Bizarre... infosec people should never be firing people. They did it because he ought to have known what he was doing was illegal.


I don’t understand why a manager wants to waste their time monitoring this. Workers are measured by their outputs. You should be able to clearly identify a contributor’s outputs. There’s many ways and popular tools to track this.

So long as you make your meetings during “regular business hours” and produce agreed upon outputs then who cares if the contributor is fishing half the day. Their ambitious peers will take on more work if they are being underutilized and when it comes time to distribute merit increases and promotions it is obvious who earned it.

Manage outputs and distribution of labor and build your metrics around this instead of trying to determine if someone looks busy.


Whenever I'm asked to help look at a specific person it's because they suspect cause or are looking for cause to get rid of them. TBH I usually find it.


What in particular are they doing?

This seems different than watching day to day work. I understand that if the company is suspicious an employee is doing something that’s a fireable offense then they need tools to take action.


I have to fight my own team to keep them from turning on "screenshot everything" tools for everyone we suspect might be doing something.

The concept of probable cause as a requisite for more-invasive monitoring is foreign to most people.


Running a side business with company resources, sending leads out to their friends or possible future employers instead of pursuing them, watching TV all day, sending mass company data / PII to their personal gmail, just straight up not doing any work... Porn hasn't come up that often surprisingly but spending time on other work inappropriate time sinks does. Etc Etc


Just not monitoring staff might be an option too.


Hypothetically, but that would be outrageous, wouldn't it?


It's important to eat breakfast at your computer to simulate activity. If you're not remote, you should be in the office 9 hours, browsing Facebook on your phone (as to not get logged.)


Morally the equipment and services belong to the employer so to assume you can use them for personal reasons is a big assume. Whenever I'm asked to look at someone I always tell the owner to consult with a HR professional before using anything directly.

Nobody cares about your personal business. Just don't do dumb stuff like watching porn at work, email company data to your personal account. Or sit watching Netflix all day.


Just because someone owns the hardware doesn't remove your right to privacy (neither morally nor legally in the UK/EU).


> Or sit watching Netflix all day.

Meh. I know a bunch of people who like having the TV or the radio on in the background. They're not actually listening to it, but they say they like the feeling of not being alone.

My mom does that when working around the kitchen. She'll have some news channel or similar on. She'll hear the same bulletins 10 times a day. And when in the evening something comes up at the dinner table, she'll have no recollection of ever having heard about it.


OK, but if someone's looking at you because of performance or whatever then having Netflix or YouTube open all day is not a good look.


That's precisely the point of their comment though. There's more context than just how long Netflix was open. It's not a "bad look" if it's literally how you do your job and are productive.


A good chunk of monitoring of work computers is to detect malware/evil actors.

Your work antivirus probably keeps records of every file opened and saved for example, every URL visited, every password entered, etc. That's pretty invasive monitoring.

Yet that information is only used to determine if you have accidentally fallen for a phishing attack or accidentally installed malware on your machine. It isn't the employee who is the target of the monitoring, but the possible evildoer they might be letting into the corporate network acting under the employee's credentials.


Even before I got my security clearance, it was always in my employment agreement that my employer may monitor my communications while at work. Is notification the same as consent under these circumstances?


Well, if it's in the employment contract, which you agreed to and signed, it's not 'notification', you agreed to that term.


Going back to the mid-90s every company I worked for had a computer use policy which I had to sign as part of onboarding. These always included a section regarding monitoring and that signing the policy was agreeing to the monitoring. This included small businesses up to large global enterprises.


"Consent"


Consent meaning "sign here or we fire you"...



