
I assume that my keystrokes are always being monitored on a company device. Obviously I'd prefer to not be monitored, but I don't really have an expectation of privacy at work on a work device.


Is that warranted by other practices of your employer (locked down laptops, etc.?)

We give full admin rights to laptop owners and don’t install spyware. I would be sad if a coworker acted as if their keystrokes were being recorded; thinking that would surely slow them down and make them more careful about pursuing all promising research paths. So I think it’s important for companies that don’t spy to signal that they don’t; the opportunity cost outweighs the marginal security benefit.


Once a company reaches a certain size and deals with sensitive enough data, it's poor risk management practice to leave device security entirely up to the individual. Mistakes are made, malware-laden software is downloaded, laptops are lost in town or borrowed by kids or S.O.'s at home, etc. Restricting the user's device permissions is not a judgment cast on any individual specifically, it's just a responsible way to deal with something that statistically happens sooner or later even with perfectly well-intentioned employees.


Does your company have network-based IDS? Or local antivirus/endpoint protection? What happens if those detect something?

In a lot of places, in case of a severe signal, like a computer reaching out to known malware C&C servers, the computer is taken by IT and investigated - does it really have malware? How did it get on the PC? Did it propagate?

This sometimes involves digging through browser cache and history.

So even if you are not recorded all the time, you should be prepared that your computer will be taken away from you at any moment and browser history examined. Such is the life in a big company.


Yep, the responses are interesting as they all assume a certain company size (which makes sense given how many faang etc. employees post here.) Eventually a company will hire IT that create their own work and aren’t mindful of the chilling effect monitoring has.

We are much smaller and still larger than the median company size in the US: https://www.naics.com/business-lists/counts-by-company-size/


It’s standard in the finance industry where risk management is the highest priority.


It’s very common to have locked down devices. No admin rights of course, but also a whole suite of surveillance software permanently running (antivirus, local blacklist of websites and executables, SSO authenticator…).


> thinking that would surely slow them down and make them more careful about pursuing all promising research paths.

Huh? I've worked at multiple companies that all do very broad device monitoring (it's fairly standard at all large companies) and I don't think I've ever heard anyone express any concern like this. I've certainly never felt this way myself. What "promising research paths" are you talking about? Do your google searches at work frequently involve porn or something?


Where I work, I will frequently attempt to visit sites, generally the tech blogs of individuals, that are blocked by my company’s filters.

I get big scary corporate “You’re not allowed to go there!” and get the feeling that there’s now somehow some black marks on my invisible permanent record, because I wanted to read something about Zig or something.

I know I’m not going to be fired for something like that. What I don’t know is if some higher up just looks at some roll-up without digging or understanding, the kind of scenario that could come up in something like, for example, layoffs.

Definitely has a chilling effect for me personally.


Well said—exactly this sort of thing.


> Do your google searches at work frequently involve porn or something?

If I want to look up examples of string operations in C I might Google "c strings" or "c strings examples". Incidentally, in similar fashion to G-strings, a C-string is a type of lingerie.

If I'm doing quick graphics adjustments I don't want to bother the art department with I might use the fantastic GNU Image Manipulation Program and do a search for "gimp tricks" or "gimp tutorials". Incidentally, as anyone who's seen "Pulp Fiction" might know, a gimp is a type of BDSM gear. Definitely not savory for work.

This is why, much as I'm concerned about personalized searches, it's kind of non-negotiable for me that to function as a professional software engineer I should be logged-in to my Google account. It's the only way I can be sure not to get results from, say, Victoria's Secret.



If you write in Groovy, you might have to Google "how to concatenate two G-strings."


If you were a true gimp, at least you wouldn't have to suffer open office plans.


In the US, that might be a wise assumption for any individual to make. However, I think you still should push back on these practices as a society. Why should this be legal? What common good comes from this?


That's because you probably don't live in western Europe.

Over here, when a company would do that and use it against me, I would sue them for privacy breach. Employee rights are very well protected in western Europe.


And internet activity. Even if you put a personal device on company WiFi you should assume that the DNS and TLS SNI/IP data is being logged and analysed.

Use a VPN, that way if you goof off on your phone during the day at least they can only see how many bytes you're using and when.


Keystrokes sounds like overkill. It also records passwords in plaintext. No good.

Queries to sensitive DB endpoints are what you want to keep an eye on.


It's my employer's laptop, so I agree. I do make an exception for things benefits-related, as in a medical claim won't necessarily make it back to my boss, even if it's done on a work computer. I don't think it's strictly true, but I can make a case for how HR should shield certain things IT might collect from my boss.

In practice, companies only have humans look at IT use if there's a security problem or a performance problem.



