[slg]

A practical joke, especially in a work environment, should be good-natured and harmless. I think the screen recording aspect of this joke crosses that line. Every other aspect would make for a good prank, but there is just too much potential downside to watching their screen without them knowing. Even if OP didn't see anything but the Minesweeper games and the coworker has no legal expectation of privacy on a work computer, it still violates that person's trust and their likely assumed level of privacy.

[arethuza]

"coworker has no legal expectation of privacy on a work computer"

That does rather vary by country - Germany has some strict rules about what employers can and can't monitor.

Also, some organisations explicitly choose not to monitor computer usage too closely (e.g. by using proxies that intercept HTTPS traffic) out of the fear that this would expose the organisation to greater liabilities in the case that someone was doing personal banking from their work PC.

[tialaramex]

One of the fun things that happens with HTTPS proxies is people desire a policy that only spies on some things people do, and the people making these middleboxes (who are concerned first and foremost with selling a product not with whether that product works or even if such a product could in principle work) are eager to offer that.

This can't work, but, having sold it/ bought it then there's a lot of pressure to make it work.

The best case scenario with such products is that some fraction of traffic is unmolested but the product owner policies do not actually control what that traffic is (which might surprise them and make their overall security policies ineffective but otherwise is no big deal)

The worst case is that in the attempt to do this "selective proxying" some or all traffic security is compromised. Non-participants aren't affected (except it might introduce denial of service) but active participants give up potentially all security. e.g. the company laptop that's configured to the trust the MITM proxy, might not only be uploading your bank password to some screen accessible by an entry level IT guy it might also just inadvertently remove the security of the bank connection altogether so that now random bad guys on the Internet can see everything, whoops.