Exactly how closely is Big Brother watching me at work?
August 26, 2014 4:16 PM

If I'm on my workstation at the office, using Pages through iCloud.com on a web browser, how likely is it that my IT department can see what I'm typing? I'm fairly sure they can see that I'm on iCloud.com using Pages if they look. But can they see the text I'm typing into a Pages document?

To be absolutely clear, I'm not planning on doing anything nefarious or unethical or against company policy. There will be no lawbreaking and no pr0n. I will not be getting fired. It's not that kind of question. Our company guidelines allow personal use of workstations during our downtime. Most people use this freedom for online shopping or checking their home email, etc.

Related to the main question above the fold...

If I'm on my iPad, logged into our company wifi, typing into a document in Pages or Byword or whatever, can IT see what I'm typing into a document?

And, if I'm on my iPad web surfing, logged into our company wifi, can they see what pages I'm surfing to?

Again, I'm not trying to do anything wrong. I don't mind if the IT department can see that I'm typing something into Pages. Even if they saw what I was typing, I would get teased about it - not fired. I'd just prefer to let any IT watchers think I'm writing to my congressman or my elderly father in my downtime -- and not, say, writing Teen Wolf fan fiction.

(Not that I would ever. And even if I did, I'd keep it PG at work.)

Assume a Windows 7 machine with no keylogger software. User privileges extend to going wherever we want online, but we're not allowed to install anything without admin rights. My desk is positioned so no one can creep up and read over my shoulder without me noticing. I don't know what else would be helpful to share, but I can answer questions if you have them.

If the answer is "it depends..." that's cool; I'm looking for odds, not guarantees.
posted by kythuen to Computers & Internet (10 answers total) 3 users marked this as a favorite

If you are on your iPad and on an HTTPS connection they can only see the URL.
posted by exois at 4:19 PM on August 26, 2014 [1 favorite]

If iCloud is all HTTPS then they can't see what you're doing. "Assume no keylogger" is a somewhat big assumption, but most of what IT does they do with locally installed monitoring software and not MITM attacks on your HTTP traffic. If it's your own iPad there's basically zero chance of them monitoring at the level of individual keystrokes. They may see what you're surfing as a side-effect of queries to your company's DNS server if nothing else. They can see anything that's non-encrypted HTTP traffic in general.
posted by GuyZero at 4:24 PM on August 26, 2014

If we want to, we can see it (well, we can see batches of keystrokes as they get sync'd up to the cloud). It's a hell of a lot of effort to go through, though. In my org, I don't do anything even remotely close to this without signoff from our HR VP.

This is not in the toolbox of most shops, though. Successfully attacking HTTPS connections is not rocket science, but there are a lot of little details to get right if you don't want the client to catch on. It's not something that most folks get right on their first try.

I'd also like to note that if this is a personal iPad, I wouldn't even attempt this. That's some serious legal gray area, and all of the lawyers I've seen present on this topic say that interception of a personal device's encrypted traffic is something you don't want to attempt without a lawyer involved and an imminent threat to your network.

Also, a minor point of correction: with HTTPS, you can see what _domain_ the client is connecting to, but you cannot see the full URL. HTTPS does encrypt the headers, as it is a tunneling protocol.
posted by bfranklin at 4:38 PM on August 26, 2014 [7 favorites]

If you don't even want your IT to know the domain you're connecting to, you can use a VPN on your iPad.
posted by applesurf at 5:34 PM on August 26, 2014

They can't see what you type generally. However, if it isn't encrypted they may be able to see things you transfer over the network to it. But then somebody would have to want to read your block of text for some reason. Then read it. And then tell somebody else, which is ethically a big no-no if it's not a durable offense and could get them fired.

Just be warned that some companies claim to own the rights to anything created on their workstations. Generally you see problems in IT where some programmer programs something in their downtime and then the company claims to own it when they try and monetize.
posted by AlexiaSky at 6:58 PM on August 26, 2014

bfranklin is right on the money: Technically, your IT department could see every keystroke if they have the motivation and resources to do it. Products like BlueCoat's SSL Proxy are made exactly to do this kind of intercept. But even then, it would probably only be automated scanning for keywords, known patterns like credit cards or social security numbers and anti-virus scanning. They would need a specific request from HR or IT Security to start capturing your traffic down to the individual keystrokes.

Since your workplace seems pretty relaxed (Personal use of company equipment, wifi that allows personal devices, etc), my best guess is they can only see the domain.
posted by TinTitan at 7:29 PM on August 26, 2014

As an IT guy, yes, we could probably see what you're doing (unless you're using some kind of encryption via https or VPN). But honestly? It's a LOT of effort, and unless someone is making us do it, we have plenty of better things to do.
posted by Wild_Eep at 7:32 PM on August 26, 2014

iCloud is encrypted with https, so it is relatively safe from most IT staffs (although almost certainly insecure from government actors). In order for your company to know more than "connected to iCloud/Word" two things would have to be true, one of which is fairly unlikely and the other is extremely unlikely.

1) They have to have installed a device that acts as a man-in-the-middle attack on https traffic. The most common one is the Bluecoat device described above. Essentially, when you connect to iCloud through the Bluecoat proxy, Bluecoat gives you one certificate (which is really its own) and then passes your request on to the real site. It has access to all traffic in between, including your fanfic scribblings. This device is still pretty uncommon outside of military and financial IT shops, but I'm sure many big Fortune 500 type places have them too. If you work for a relatively small place that has trouble distributing virus check updates, they aren't going to be buttoned up that well. The lax IT policies you describe make it sound very unlikely to me. If you want to be certain, there is a tell-tale way to find out. Go to Steve Gibson's Fingerprints service. He will tell you what the Fingerprint of a set of well-known SSH certificates SHOULD be. Pick one and compare it to the one you are served on your browser. The page has instructions to view them on all the major browsers. If Steve's SHA fingerprint pulled on his site matches the one delivered to your browser, your traffic is not being intercepted and they can not read the contents of your traffic without access to your client machine. I would assume that they could easily read anything you type on a machine that they supply. On your own iPad, accessing their WiFi, if the fingerprints match, all they can tell is that you are using SSH and to what site.

2) Even if they did have Bluecoat installed, they are vanishingly unlikely to actually be extracting the kind of information you are concerned about. By default, they would only have very high level logging data. In order to see the individual bytes of your traffic, someone would have to be taking an active interest in your activities. However, if the fingerprints didn't match in Step 1, I wouldn't rely on the safety of Step 2. Places that deploy these kinds of tools are usually worried about corporate espionage and the like and your writings might accidentally include some keyword that they would alert on and then the tool would vacuum up everything else you typed and present it to someone to review.

Assuming that they pass the test in Step 1, the answers to your questions and my degree of confidence are as follows:
On own iPad typing into document -- almost 100% certainly not what you type
On iPad using their wifi -- probably 95% sure they see every website you go to. Once in a while a company doesn't bother to log outbound web traffic, but that is pretty rare. You have to assume they can see the URL for everything you do. There are many ways to get around this, which they could tell you were doing but no longer tell where you were going (again assuming they haven't defeated SSH as described in (1) above). If you use your proxy or VPN to bypass their monitoring, this often causes alerts in their proxy software.
On a Windows machine, it is really easy for them to be able to see everything you type if they want to do so and pretty difficult to determine if they are doing that. You could assign a percentage based on how paranoid they are, but this is by far the least trustworthy one of the three.
posted by Lame_username at 8:50 PM on August 26, 2014 [2 favorites]
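
The fingerprint comparison described in the answer above, sketched as an added example that is not part of the original thread: hash the certificate your network path serves and compare it with a reference fingerprint obtained out of band. The function names are hypothetical, and the sample byte strings are constructed stand-ins for DER certificates so the comparison logic runs offline.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> hash algorithm, so a SHA-1 or SHA-256 reference both work.
ALGO_BY_LENGTH = {40: "sha1", 64: "sha256"}

def normalize(fp: str) -> str:
    """Drop the separators browsers and web pages display, and lowercase."""
    cleaned = "".join(c for c in fp if c not in ": \t-").lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return cleaned

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """A certificate fingerprint is a hash over the whole DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()

def matches_reference(der: bytes, reference: str) -> bool:
    """True when the served certificate hashes to the out-of-band reference."""
    ref = normalize(reference)
    algo = ALGO_BY_LENGTH.get(len(ref))
    if algo is None:
        raise ValueError("reference is neither a SHA-1 nor a SHA-256 fingerprint")
    return hmac.compare_digest(fingerprint(der, algo), ref)

def served_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate without validating it, so a substitute
    certificate issued by an interception proxy is still retrieved."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

def display_form(hex_digest: str) -> str:
    """Colon-separated uppercase form, as browsers usually show fingerprints."""
    pairs = [hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)]
    return ":".join(pairs).upper()

# Constructed stand-ins (not real certificates): what the real site serves
# versus what a TLS-intercepting proxy would re-issue for the same hostname.
GENUINE_DER = b"constructed stand-in: certificate from the real site"
PROXY_DER = b"constructed stand-in: certificate re-issued by a proxy"
REFERENCE = display_form(fingerprint(GENUINE_DER, "sha1"))

if __name__ == "__main__":
    print("direct path matches:  ", matches_reference(GENUINE_DER, REFERENCE))
    print("proxied path matches: ", matches_reference(PROXY_DER, REFERENCE))
```

For a live check, pass `served_certificate(host)` together with a reference obtained over a different network. Sites that rotate or load-balance several certificates can produce a mismatch without any interception.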

kythuen: "Assume a Windows 7 machine with no keylogger software."

If your Windows machine is part of a domain you should assume they have remote monitoring software installed and can watch what you are doing at any time within the limits of corporate policy. It is dead simple to set this up at either initial roll out or as a software installation push whenever they want.

If it isn't part of a domain you should still assume that but it is slightly harder from the IT end.
posted by Mitheral at 9:18 PM on August 26, 2014

Setting up an https proxy to intercept web traffic in flight is tricky, but doable. Installing keylogger/screen grabber on office PCs? Trivial.

Worth doing without a REALLY good reason? No. Unlike the NSA, we still need legal justification to go invading privacy on personal devices (iPad) and when it comes to work devices, you need a good strong code of ethics around user data, or you don't stay in IT for long. We don't go on fishing expeditions, or watch people because we can. If for no other reason than that that is time-intensive work, and we have plenty of other stuff to be doing. We're a support service, not the secret police, despite what management would have you think.

Any such monitoring at most would be automated, and there to look for certain keywords in aggregate; to either block dodgy websites to protect the network and/or users from unexpected porn, and to potentially look for information leaks if the company deals in particularly sensitive data.

That they allow you to freely connect your own devices, and even have a policy that allows for internet use in downtime? Definitely not that kind of workplace. 99.99% odds IT is not watching you. At MOST I would expect a log somewhere that nobody reads that you went to iCloud that day.

(0.01% in case you've been fingered as a serious criminal, and IT are co-operating with close surveillance from the heavy boots squad)
posted by ArkhanJG at 11:44 PM on August 26, 2014
