web privacy at work?
April 11, 2008 5:02 PM   Subscribe

Theoretically, your employer might have access to every single keystroke you type. Depending on how you connect to the internet at work, they could also be reading every single unencrypted message you send or receive (including handles and passwords sent "in the clear"). If they want to do this, using gmail won't help you. In my opinion, it is highly unlikely that they will bother to do this unless they already suspect that something is a problem, but you can't really know that. They could also be sampling message streams looking for "problem" words, and decide to look then. Basically, when you are using someone else's computers and resources, you have no guarantee of privacy.
posted by ubiquity at 5:14 PM on April 11, 2008

Best to assume you have no privacy whatsoever, other than SLL (https connection) traffic; the only way to browse safely from work otherwise is to set up a heavily-encrypted tunnel outbound, and they will be able to tell you're doing that even though they don't know what you're doing there.

Also, you have no idea if your company installs keyloggers on your machines, or if a rogue IT person has done so, or perhaps they're running a remote desktop solution that enables them to watch what you're doing without you knowing (ostensibly for tech support purposes) and under those conditions even your SSL connections and encrypted tunnels aren't completely safe.

This is why you shouldn't do anything from work, or with a work machine, that you wouldn't want your employer or fellow employees to know about. Period.
posted by davejay at 5:16 PM on April 11, 2008

If your IT people were totally paranoid, they could install a keystroke logger on your keyboard and know all of your passwords. They don't have to tell you because the equipment belongs to them.

I know at my last job, the IT people could create reports for users, like, "On January 15th, User X spent 4 minutes on gmail.com." But I don't think that the reports were any more specific than that. If it helps, they were using Novell.

But anyway, I would assume they can see anything they want to see. But, many companies make IT people sign a code of ethics, which means that IT people agree not to abuse their power.
posted by waywardgirl at 5:20 PM on April 11, 2008

As an ex IT worker:

NONE. ZERO. ZILCH.

It's even romanticizing it somewhat to think you have "privacy" from anywhere you might use the internet.
posted by rachelpapers at 5:23 PM on April 11, 2008

If you are in the United States, you have no right to privacy at work that is not granted by your employer. If they have some type of acceptable use or computer policy, it should outline any rights that they grant you.
posted by procrastination at 5:28 PM on April 11, 2008

Assume you have none. Last place I worked had keyloggers installed - at least we knew about it. Where I am now doesn't, and isn't interested in doing so, so I go where I like on the Web, but with the assumption that if they want to know what I'm doing, they can find out.
posted by rtha at 5:30 PM on April 11, 2008

Don't worry, it's a total myth that supervisors can see everything you are doing on the internet at work.

(Bwwwahahahaha!)
posted by jayder at 5:37 PM on April 11, 2008

Everything you send out over the internet, from work, goes through their network. This "network" means their computers and their network software - computer programs that receive what you type and relay it out to the rest of the world. These computer programs, running on computers at your work, are handling your text anyway; it's a simple and common matter to have them also save a copy of the text so that anyone at work -- your boss, the IT guys, whoever -- can read through it at their leisure, or search through it for keywords like "dating" or "female" or "phone number" or "gmail", to see what employees are spending time on.

It's hard to say that this is even unethical, although I make no judgment myself. I mean, the network programs are processing the text anyway; it's no extra work on the part of IT to just turn on logging. And if the information is sitting there, maybe you can see why a manager would feel a responsibility, even, to scan it for problems. I hate the idea myself, but the truth is: if you want privacy, you probably should use your own computer on your own piece of the network that you pay for. And even then, everything you do goes through the network computers and software at your internet service provider. Your gmail messages are stored on Google's computers, so people working at Google can read them. It's all just text copied among various computers; whoever has access to the computers can read the text.

Yes, you can encrypt your messages, and then people who "read" the encrypted messages won't necessarily be able to understand them. But almost no one does that, for some reason.
posted by amtho at 5:50 PM on April 11, 2008

At my place of business, I can see every screen in the building from a monitor sitting on my desktop. If I wanted I could read other's e/mails, I know every site they are on.... etc, etc...

so, no...you have no privacy....
posted by HuronBob at 6:18 PM on April 11, 2008

It's pretty damn simple for an IT person to just observe your screen whenever he wants. I used to own a business, and I had access to all the Macs through Apple Remote Desktop. Now that I work for someone else, I assume the same of them. I surf a few innocuous sites in the morning while having a cup of coffee and going through email, and I might check back in at lunch, or at the end of the day. I do all my NSFW stuff, you know, not at work.

When you're on the clock, on their computer, they have the right to observe/restrict you in whatever way they see fit, I think.
posted by Devils Rancher at 6:23 PM on April 11, 2008

I think the most important thing to keep in mind with regard to this issue is that regardless of what your employer EVER TELLS YOU, they are legally entitled to observe anything you do on a computer at work. So even if they say "There's nothing to worry about, we'd never spy on your internet usage." the truth is that they can, and even though one company might not, they have no legal reason not to.
posted by TimeDoctor at 6:28 PM on April 11, 2008

Agreeing with everyone else. Good time to get into the habit of working when you're at work, and reading blogs when you are not.
posted by gjc at 6:38 PM on April 11, 2008

nothing I necessarily want my boss to know about, because well, it's private.

As many have said, your actions are not matching your goals here. Why are you doing "private" things at work, anyway?
posted by rokusan at 7:07 PM on April 11, 2008

To nth the above posters, you have no privacy, and no reasonable expectation of privacy, while you're using your employer's hardware and/or network. I'd repeat that, except that I'm repeating a dozen people already.

There are a bunch of things that you can do that might provide greater degrees of privacy, though. Running Portable Firefox off a flash drive is incrementally more secure than running IE from your desktop hard drive. If you empty the cache, then people will be somewhat less able to check the cache. As noted above, you could set up an SSL tunnel, run Putty from a flash drive, all kinds of geeky privacy-nut stuff. You get the drift.

The problem with all of that versus just browsing the regular way is that most of these kinds of efforts can easily be interpreted as blatant insubordination, a security risk, 'hacking,' etc. The other problem is that, depending on the tools the IT folks might be using, you could be wasting your effort and operating with a false sense of security. Since most managers/supervisors (as opposed to IT department folks) only seem to pay attention to employee Internet use when there's another problem, these kinds of activities have a real potential to make a bad situation worse.
posted by box at 8:09 PM on April 11, 2008

I use Remote Desktop to connect to my personal computer. This is simple, encrypted, and has the additional benefit of keeping any data separated where it belongs.

Some of the responses here seem paranoid. Some network monitoring is normal; installing programs specifically to spy is not. Of course, they could theoretically install keyloggers and screen monitors, just as they could easily install hidden cameras in the ceiling, or in the bathroom. At the places I have worked they would not do this - though, I realize it is not the same for all jobs.
posted by teki at 10:01 PM on April 11, 2008

Some businesses are required to track all e-mail and electronic communication and be able to reproduce it on demand. GMail and other external communication services are banned by the company's acceptable use policy. So not only do you not have privacy, your company may be legally required to deny you the opportunity for privacy.
posted by SPrintF at 10:10 PM on April 11, 2008

My workplace even has a disclaimer visible when first starting up the PC that mentions something to the effect of "users should have no expectation of privacy." We have filters in place that prevent access to many categories of sites. Generally, we aren't prohibited from doing a little non-work-related surfing every now and then to pay bills online or check the news or e-mail, but that's about it.

Browsing dating sites while at work is not "private." It's using the computer and internet connection provided by your employer to do stuff that's not related to your job.
posted by emelenjr at 10:28 PM on April 11, 2008

As others have said: Technically you have no expectation of privacy, and your employer might be using any number of means to monitor the data that goes over their network.

Having said that though, what you have decide for yourself is: Does my employer have the time, money, resources or energy to invest in a monitoring solution that monitors everything all the time ?

On top of that: Monitoring everything all the time generates an enormous amount of data (logfiles,etc) and searching through that to hypothetically catch anyone misbehaving takes a certain amount of time as well. (yes, I realize there are automated ways to filter through bulk logfiles,etc, but still it takes focused effort)

I've been a consultant to a variety of small and medium business's over the past 10 years and almost none of them took the time to (daily) monitor employee's surfing habits. If there was a complaint, or obvious infraction, then they would. But there had to be a reason to investigate. In the one school district where we did check the filters every day, it took me 1 to 2 hours a day (network of approx 600 computers) to parse through all the logfiles. Even then (after 1 to 2 hours) I was only catching the top 10% or so of people misbehaving. I simply didnt have the time (it wasnt worth the time) to "bust" every infraction.

So while you potentially COULD be monitored every moment of every day, does your employer have the resources to dedicate an employee's time to specifically watching everyone else?.. probably not. If all you're doing is reading an occasional email or blog, then you probably dont have much to worry about. If you're spending half your workday tracking your ebay business, then you might have reason to be concerned.
posted by jmnugent at 11:16 PM on April 11, 2008

You can get privacy at work if you want it. But you will be doing so at the cost of starting fights with your IT people when (not if) they notice what you're up to.

Don't start fights with IT. We know where the bodies are buried.
posted by flabdablet at 1:38 AM on April 12, 2008

Boy, starting to be an echo chamber here. I'm the guy that runs the systems that management would use to monitor you.

First, assume we're monitoring everything. Here's the different levels of logging.

1) website proxy logging. It's safe to assume there's a visible or invisible proxy server between you and websites. It's nearly certain that logging is turned on on that proxy. This will record every unencrypted webpage you visit, as a request, and it's pretty trivial to also record the contents of the page as well, so a complete record is kept. This WILL include login names and password if they're sent in the clear.

Note, I said unencrypted. Any webpage starting with httpS://, with a valid SSL certificate (i.e. the browser doesn't complain about a problem with it), the only information that can be stored is the domain name. Everything else is encrypted, and non-recordable by the proxy. To an outside observer, i.e. me and my systems, when you're visiting your bank website, all we get is gibberish. So a secure site like a credit-card processor, or a bank website is safe from interception at this level. However, gmail secures the login part, i.e. your password - but your emails are read on a non-encrypted page by default. Your gmail emails are quite likely being logging automatically, or certainly could be.

Note - anything sent in the clear, unencrypted, is readable by anyone between you and the destination. This includes the IT guys, the work ISP, and every ISP after that. Anything sent in the clear, like email, is equivalent of putting a postcard into the work mail system, and worrying that some of the postmen along the way will read it.

2) The above system is fully automated, and information is only pulled out on demand. The next stages are manual and required fulltime personal intervention of the IT department. This means they are only usually used in limited quantity for spot inspection or investigation once suspicion is already raised. At least where I work, we only do this under management order, and in combination with management due to the extra invasion of privacy.

stage 2 is screen watching. We use a remote viewing utility, of which there are many, and watch your screen silently without you knowing. Everything you see, we can see in real time. We can even record it for later playback.

3) This is most intrusive method. We install a keylogger software on your machine that records everything you type. There is software out there for IT departments that combines with a screen-watcher, so that it watches for certain keywords typed, and then activates a screen recording session for future viewing. Encyption won't help you in the slightest against a system like this, though you're likely to be under serious investigation for something like this to be used.

4) Bear in mind, that the IT department aren't the only ones who can use these tools. The biggest security threats in a business these days are on the inside of the network. Maybe your co-worker is pissed at you, and decides to snoop on your email. There are all sorts of tools they can use, even without access to your PC. ARP spoofing allows them to insert themselves between your computer and the rest of the network, and do a stage 1 attack on you completely silently. With access to your computer, they can do a stage 2 or 3 attack too.

Encryption, such as encrypted web pages, or going further and using your own VPN tunnel out to someone like relakks or securix to encrypt everything will stop a stage 1 attack. Nothing will stop a stage 2 or stage 3 attack, unless you've very very paranoid and prepared.

Bear in mind though, IT sysadmins generally have to have very strong ethics. I have the access and ability to know everything about everyone that works at my place of business. I am very careful not to do so though. I can fix someone's email system without reading a single word of their email, because it's something you train yourself to do. Generally, it's management who are reading your email, not us. We've better things to be doing.
posted by ArkhanJG at 8:00 AM on April 12, 2008 [2 favorites]

jmnugent: I've been a consultant to a variety of small and medium business's over the past 10 years and almost none of them took the time to (daily) monitor employee's surfing habits. If there was a complaint, or obvious infraction, then they would.

This.

Employers can easily monitor everything you do, if they have the time, resources and inclination. It offers an easy way to find an excuse to be rid of someone, if the real reason they want rid of that someone is messier. I've seen both a blind eye turned to valuable employees' surfing habits and unproductive employees let go for the same.
posted by normy at 8:02 AM on April 12, 2008

None.
posted by CautionToTheWind at 8:28 AM on April 12, 2008

This question has been asked before, multiple times.

In a nutshell (I work in technology, and have worked in big, corporate IT)- Yes, IT logs everything, as people have said. But...

- It's a ton of log data, and it's typically purged regularly both to save space and reduce liability for the company (e.g. you've been looking at kiddie porn for years, no one noticed, but there it is in those logs from 3 years ago).

- No one cares. Really. If you worked for a company that was actively monitoring what all its employees did, you'd know, as they'd be up-front about it.

- The only time anyone ever cares is if you're being disciplined. Companies will sometimes turn to this data for an excuse to fire someone, as it's trivial to dig up.

- All of your co-workers are using Gmail, Facebook, eBay, Match.com, etc.

Basically, unless you're doing something really bad online (which in the corporate world is usually limited to porn or giving away company info) or are spending so much time surfing that your work is suffering, you have nothing to worry about.
posted by mkultra at 9:15 AM on April 12, 2008

The only time anyone ever cares is if you're being disciplined. Companies will sometimes turn to this data for an excuse to fire someone, as it's trivial to dig up.

If an employee's performance is sub-par, and you've tried to help them do their jobs, but they are constantly making excuses for not performing up to standards, you might want to look at their computer activity. If you look at their internet browsing history and realize that they spent five out of eight hours of the work day looking at used car listings, then you let them go. Watching their internet activities is not really an "excuse" to fire them; it's a window into their minds, and if you discover their minds are not on their job, it only makes sense to cut the dead weight out of the company. You're wasting money on them. If, on the other hand, you discovered that an underperforming employee was really trying to do the job, you'd look for a way to salvage them.

Everyone looks at the web at work. But employees fall into two broad categories:

(1) Some employees occasionally look at CNN.com or nytimes.com to take a mental breather for a few minutes, then they get back to work.

(2) Other employees log into MSN Messenger and talk about what assholes their bosses are, spend hours fiddling with eBay or browsing Craigslist, and peruse job listing sites.

I can't imagine an employer who cares about the first type of employee. The second type of employee is the type that monitoring software was designed to ferret out.

Basically, when evaluating your own workplace web habits, ask yourself, "If my boss saw what I am doing on the web every day, would she think I am dead weight? Would she think I am not being productive?" If the answer is yes to either of those questions, then you need to cut it out.
posted by jayder at 10:23 AM on April 12, 2008

I think it depends on the size of the company. I know the CIO of a small company and though he could see everything everyone was doing, it'd be pretty obvious if someone wasn't doing their job even without knowing what they were doing online. So he doesn't need to bother with a lot of logging software, and frankly he doesn't have time.

I work for a big company, and I'm sure they're logging every pageview, because it's a lot easier to hide a poor work ethic when you're an expendable cog in a machine. However, they KNOW some employees are going to visit YouTube, etc., so they filter those sites out at our desks, and provide "unfiltered" (though not unmonitored) access in computer labs. I think this is a good compromise as it lets people get their Facebook fix while they're on their break and removes the temptation to check it at their desk.
posted by desjardins at 11:46 AM on April 12, 2008

I use Remote Desktop to connect to my personal computer. This is simple, encrypted, and has the additional benefit of keeping any data separated where it belongs.

Remote Desktop is secure, IF you secure it. A better option would be to tunnel it over SSH, then it's very very secure.

But, as many have mentioned, as long as you're working on your employers computer, they can monitor every input into the computer, and everything on the screen, meaning you're not secure.

Your best option is to bring in your own laptop, using a cellphone as a modem to get on the internet, then tunnel remote desktop over SSH using strong passwords. If that is not an option, then you should have NO EXPECTATION OF PRIVACY.

Enjoy!
posted by blue_beetle at 1:22 PM on April 12, 2008

blue_beetle: Your best option is to bring in your own laptop, using a cellphone as a modem to get on the internet, then tunnel remote desktop over SSH using strong passwords.

... because that's not suspicious at all.
posted by mkultra at 2:30 PM on April 12, 2008

gmail secures the login part, i.e. your password - but your emails are read on a non-encrypted page by default

This depends how you got to Gmail in the first place. If you get there via https://mail.google.com/ then not only is your entire Gmail session encrypted, but file attachment uploads won't randomly break.
posted by flabdablet at 7:34 PM on April 12, 2008

This thread is closed to new comments.