Don't use work laptops for personal stuff

“You have 20 Seconds to comply!”

7 Likes

23 Likes

I’m always amazed when I see coworkers doing clearly very personal things on their work machines. I’ve seen a coworker fired because IT went through his browser history one day and, well… something in there was a fireable offense. Nobody knew what exactly, but it must have been something remarkable if simply seeing the URL led to “fire that guy now”. The employee left fuming that IT had looked through “his personal stuff”. Um, dude… of course they’re watching everything on the hardware they pay for.

Modern work 101: Have a strict air gap between all of your personal computing and all of your work computing. Nothing should ever touch the other in any way.

25 Likes

Same. Offered a company phone, with the understanding that they will monitor calls, texts and internet usage. But Free Phone! Thanks, but no. Not interested at all. I am in a place where laying out for my own phone is not a big deal. My privacy is.

14 Likes

I’ve known people who refused to heed this advice because they otherwise had no computer available to them. I have complicated feelings about that situation. I understand your phone can only be so sufficient sometimes.

4 Likes

Notes from a corporate IT guy (true for the large company I work at):

  • Yes, we can see everything
  • We really don’t want to see your stuff because it’ll just add to our workload and we care less than you think
  • HR only sees stuff when there’s weirdness with a termination or disciplinary action
  • Because of Security Audits (SA) we have to monitor all files coming or going through the firewall. We’re looking for things like SSN, CC#, and other stuff that would get us sued for GDPR, CCPA, etc.
  • Our Splunk logs are already insanely massive, we don’t want to monitor keystrokes and neither does the business
  • The real issue is that, to meet our SA requirements, we have to lock down file up and download, so your personal stuff is trapped. As this noose tightens, you won’t be able to get it off your work machine to your home machine and our hands are tied by the SA.
  • Again, because of SA, we have to run automatic doc content tagging so we can show that we’re following all the necessary guidelines for security. God only knows what the system will tag your personal stuff as. No human is looking at your stuff, but the Data Loss Prevention (DLP) software is constantly big brothering.

Honestly, it’s just a big hassle to do personal stuff on work machines. I’m not talking about watching a YouTube video or doom scrolling, I’m talking about stuff that leaves files that you care about on your machine. Of course everyone does it, yes the IT people are doing it too. But less every year and eventually it just won’t be worth the grief.

35 Likes

Did work from home change this calculus?

7 Likes

Ditto. And that’s another reason my work machine is, as @VeronicaConnor put it, air-gapped. When I turned down a company phone both my current and previous employer required an authentication dongle for the work machine. That shit will never have a direct data connection to my LAN.

They don’t trust me to take digital devices into secure work areas. Why on Earth would I let them into my home network?

7 Likes

Work from home changed absolutely nothing for us. We’ve always had home-based employees, we just had more. Any corporate work from home occurs over a VPN or dedicated router, so we can’t see your personal home traffic, just the activity that’s on our network.

13 Likes

As with the power imbalance with LE, the precautions aren’t because employers want to log everything they can, it’s that employers can log most of what they want.

2 Likes

Sure. And we man-in-the-middle all the corporate IT traffic because our auditors require it of us (more power imbalance). There’s a huge power imbalance because the financial hit of being sued falls on the company (take a look at how much a company can be sued for under GDPR.)

I’m not saying that people’s fears about corp. big brother aren’t valid. I’m just saying that the pressures are usually coming from finance and legal, not HR. I’m sure some companies are just mean and ugly, but as an IT guy, my recommendation is to segregate work and personal.

10 Likes

My employer is pretty nice to work for, and I’m sure most and possibly all of the IT, HR, finance and legal folks are decent non-invasive people. But I still protect my privacy. It’s just good data hygiene. :man_shrugging:

(And, given this forum has a somewhat US focus, I should perhaps clarify that I mean the natural power imbalance that comes from surveillance, not the incredibly messed-up state of LE in the States which is its own kettle of fish.)

10 Likes

Never mix work and personal on the same device, ever.

Never trust a work device to not spy on you, ever.

Beyond the typical “IT sees everything” warnings, which are completely valid, is the risk of getting your personal information entangled if your employer ever gets caught up in legal proceedings. Your personal phone could suddenly become ‘evidence’ that has nothing to do with you at all.

When doing work-from-home, I don’t even allow any work device on my home network. I set up a separate guest network for it with only internet access.

10 Likes

I did work at a (small) company where the boss could and did peek in on employees’ systems if & when he felt like.

Also had cameras throughout the office – ostensibly this was for the customer’s (i.e. federal gov’t) security requirements but he’d also watch for things like two developers working on (helping each other with) the same thing (i.e. that he’s only paying 1 of them to do).

And, although it happened rarely, he could dip into anyone’s (company) email if he wanted.

But even a micromanager like him didn’t have that much time on his hands. Usually there was a reason he was looking in on someone.

I figure in any workplace there’s someone capable of doing this (and it’s company equipment, & company data, so it’s pretty much theirs to do as they please). But the bigger the company, I figure, the farther apart the person who is able to do it and the person who needs it done, and someone is even less likely to look unless there’s actually something truly suspicious going on.

My $0.02

8 Likes

In bigger companies that have to deal with security audits or a NIST/ISO standard, the set of folks who can see traffic, remote to other people’s machines, dig into backups, etc. is limited by ‘Segregation of Duties’ requirements. These are the same rules that keep devs from getting root access (or direct access to prod altogether.) So if management or HR wants to dig on someone, they have to make a request to the head of the Ops or Network team of IT.

In companies my size, we can’t even keep root access for most servers, it has to be allocated for a limited amount of time via a Privileged Identity Management (PIM) tool with a note as to why it was allocated and to who.

Smaller companies are way more wild and anything may go. Scary companies use ‘Productivity Management’ software, and the gloves are off at that point since a lot of the personal data may be being piped into a data warehouse.

6 Likes

Apple effectively makes it impossible to not do personal stuff on work computers.

This whole story triggers me.

18 Likes

Long ago, I was one of half a dozen people who did software development on a time-shared PDP-11/60. There was a twenty-something sysadmin who spent his spare time reading users’ files, especially the ones marked readable only by owner. I wrote a memo to my boss “agreeing” that this guy needed to be fired. Didn’t send it, just left it with my files. A day later, great fun ensued.

22 Likes

I’m aware of Fortune 500s who put man-in-the-middle attack certificates on their machines so that they can clear-text log all “secure” SSL traffic. Further, they have “help” instructions for visiting vendors, contractors, etc… to install these attack certificates to solve certificate error messages encountered on their network. SSL is not to be trusted on corporate devices, and do not dare install work certificates on your personal devices.

5 Likes

I just used to swap the hard drive and never connected with my HD from work.

1 Like

This is the notebook I used to take to work.

7 Likes