by angdis 3808 days ago
I hear this as "blanket advice" all the time, but very rarely is there a discussion about what is reasonable to expect from a "normal" employer who isn't draconian or looking to find an excuse to fire someone.

Actually, the chill employer is the most dangerous.

Even if your employer is fine with personal use, courts will rule that it's all in scope during a discovery phase. I've been involved in litigation scenarios where people's personal email ended up being sifted through by the other litigant because opposing counsel convinced the judge that business was being conducted there, and there was evidence of frequent access on a corporate device.

All of your protections from a legal point of view are really defined by custody and scope of control. Data stored on your device in your home is the most protected. Data stored on your employer's PC or file server on your employer premises is the least protected.

OK, but what about email read/composed on my personal gmail account using a work computer? When you say "personal email" do you mean @company.com email-- or do you mean _any_ personal email as long as it is read/composed on a company machine?

Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

> Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

No, plenty of corporate firewalls provide HTTPS MITM by installing their own root certificate and making client machines trust it. HTTPS certificate pinning as it's implemented in most browsers specifically allows this behavior by not checking pinned certificates if the root certificate is in the computer's private keystore (vs. system keystore) because it's assumed the private keystore is full of only certificates the user or machine owner wants to always trust.

Personal == Yours.

Any forensic analysis of a PC/Laptop or look at proxy logs will show your connectivity to a personal email account. In a discovery scenario, all that needs to be done is to present a pattern where personal mail was used for business in the company. (I guarantee that is happening somewhere.)

It's one of these scenarios where it isn't a problem, until it is.

Thanks guys, that helps me to understand. This stuff is usually explained either as utterly vague blanket advice or in technical shorthand terms. I think it is really important for people who might barely even know what https is to understand how and why the security of it is limited.

It's one of those pieces of advice that is hard to say it's wrong exactly. However, for many professional employees at a great many companies, it's pretty extreme as practical advice. There are some sensible practices like keeping work email and personal email separate and, for both your own and work devices, following whatever infosec policies there are around encryption, VPNs, and so forth.

But, in general, "never do X" advice can be actively harmful because it advises people against doing things that very many do without repercussions and causes people to ignore advice that it's important to follow.

It's not really a question of what is reasonable to expect. Even if a company chooses now not to do things like what the article describes, it always can.

They can read your emails, and chat logs and whatever else is sitting on your work machine. The only way of dealing with that is never have personal information on them in the first place.

If you work at a big company, that is any time, without your knowledge, or even any reason for your suspicion.

OK, that is what is "legally possible" in a worst-case scenario.

But IN PRACTICE, what is normal?

Your statement seems to indicate that IT staff can just browse personal communications, desktop displays, keypresses. I am sure that they can if necessary, but what kinds of scale and automation are we talking about? Doing such surveillance ad-hoc or without a very small number of targets seems like it would easily become intractable for any org with thousands of people.

I am not in an IT department, so I have no idea what goes on.

It seems the standard advice is always to take the most extreme precautions and to follow the corporate rules to the letter... but here I am typing this into a work computer on a Chrome browser without a care in the world.

So I work in information security and I'll tell you I haven't seen good standards around this. In some places IT people regularly look at emails or web traffic, which I think is wrong.

When I go into a company I make sure we put a policy in place that to review an employee's emails / web traffic / devices we need to have Legal and HR sign off on it, unless the person being investigated is part of one of those groups, in which case it is one group and an executive.

This covers me from legal/HR fallout and it covers the employees because they know we aren't just sneaking around looking at their stuff; it creates trust.

Normal and possible are not the same thing, and you have to plan for possible.

http://www.huffingtonpost.com/2010/02/26/dan-ackerman-school...

So here is an example of a school administrator spying on students via their provided laptops. It's not the only one. This was 'normal' for the school system until they got called on it.

Blanket collection and searching of data by a company is very possible, in just the same way as you search through a mass of logs from applications. They aren't going to have someone watching these logs all the time though, so you don't have to have a huge staff to handle it. They may spot check, they may only go through the data when something suspicious occurs. They may automatically troll through the data looking for keywords which escalate to a real person for further analysis.
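As an added illustration (not code from any commenter), here is what the "pattern" in proxy logs mentioned earlier in the thread looks like when the automated, threshold-based scanning described in this comment is applied to it. The log lines, the webmail host list and the escalation threshold are all constructed for the example; the point is that no human has to watch anything until a user crosses the threshold.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not from any real system):
# timestamp, user, method, host:port, action
SAMPLE_PROXY_LOG = """\
2014-03-03T09:02:11 jdoe CONNECT mail.google.com:443 ALLOW
2014-03-03T09:05:40 jdoe CONNECT outlook.office.example:443 ALLOW
2014-03-03T09:17:03 jdoe CONNECT mail.google.com:443 ALLOW
2014-03-03T10:41:55 asmith CONNECT news.ycombinator.com:443 ALLOW
2014-03-03T11:02:19 jdoe CONNECT mail.google.com:443 ALLOW
2014-03-03T12:30:00 asmith CONNECT mail.yahoo.com:443 ALLOW
"""

# Hosts treated as personal webmail for this example (constructed list).
WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com"}

# One line of the constructed proxy format; HTTPS only reveals host:port,
# which is exactly why the connection pattern is visible even though the
# content of the session is encrypted.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<action>\S+)$"
)


def parse_proxy_log(text):
    """Parse each line into a dict; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def webmail_access_counts(records):
    """Count, per user, how often a known personal webmail host was reached."""
    counts = Counter()
    for r in records:
        if r["host"] in WEBMAIL_HOSTS:
            counts[r["user"]] += 1
    return counts


def users_to_escalate(records, threshold=3):
    """Users whose repeated webmail access meets the threshold; these are the
    ones an automated scan would hand to a real person for further review."""
    counts = webmail_access_counts(records)
    return sorted(u for u, n in counts.items() if n >= threshold)
```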