[quasirandom]

There's more information here as well. Cloudflare was apparently operating network connected facial recognition cameras in their offices.

I'm not someone who's crazy about privacy, but this is a pretty dark indicator for a company housing DNS query records. Maybe its time for someone to build a proxy for tunneling Cloudflare DoH/DoT over tor or some other free mixing network.

[bradlys]

How is that something to be worried about? There are companies out there that try to monitor if employees are in rooms/areas that they're not supposed to be. You can do that with badges/RFID but then people can take a card or slide by in various ways. (Happens all the time at big companies - people just tailgate) If anything, they might be taking privacy more seriously by not letting people without authorized access into secure areas.

I think you give up any sense of privacy as to where you're located in an office or where you've been in an office when you decide to work in an office owned by some employer. I don't know why there'd be any expectation there.

[batty_alex]

I find it fascinating how okay you are with your employer tracking you. We aren’t to the life contract part of the dystopia yet, quit trying to skip ahead and give away your freedom so easily

[neffy]

If you are in a secure area, like a server room for example, it's perfectly normal for there to be badged entry, cameras everywhere etc. There will also be signs everywhere telling you this.

If it's really secure there will be monitoring of all entrances, including corridors. (And there will still occasionally be people successfully tailgating, usually for perfectly innocent reasons like forgetting their badges at their desks etc. Real security is all sorts of fun.)

[Teknoman117]

I've gotten stuck in a datacenter because I forgot the correct badge-out process. Tripped an alarm and got stuck in a man-trap.

For the uninformed - badge in to open the entrance door. The room then locks and you use your badge to open the exit.

[jackson1442]

Interesting. Seems like that would be a fire hazard, or was there a hold-to-escape type crashbar?

[vermilingua]

In fire/hazard conditions, security systems are required (at least in Australia) to permit free handle egress from any point in the building to a fire escape.

Any access control system has the capability to integrate with a fire system and allow this.

[LinuxBender]

Some facilities get exceptions to fire policy and require employees to go through training of sorts. Diablo Canyon Nuclear Power Plant is one place I visited that did not have emergency egress. No badge? Call the guards, that is the only way out.

[datavirtue]

Fire hazard and false imprisonment. Ask walmart. You accidentally lock someone in the store and you are looking at a civil rights law suit. You cannot restrict another humans' movement without due process.

[ravel-bar-foo]

Obviously not the same type of facility, but I have seen buildings where the closing of smoke shutters opens otherwise locked doors, revealing an alternate fire escape from the corridor to the stairwell.

[meowface]

I'm okay with my employer tracking me if I'm on their premises using their property that they've given me. I'm not okay with them knowing anything I do or where I am outside of work, but if I'm at work then I'd be confused if I wasn't being tracked in some way.

Not at all in the paranoid "are you slacking off?!" sense, but just security information like knowing when I've been in a server room, or knowing if my work computer sent traffic to a known botnet C&C. If there's a security or theft incident and they don't know who's been in their building or what their computers are doing, it's pretty much impossible to investigate anything.

I understand that in places like Europe there's a very different culture and workers have a lot of protections from things employers may want to do, but not everyone around the world feels that way. Basic record-keeping of when badge-restricted doors and computers are authenticated to doesn't feel invasive to me in the slightest, even if others may strongly feel it is invasive.

There are many things I would find egregiously invasive, such as a manager inspecting all the websites someone visits to assess how productive they are, or timing people's bathroom breaks, but I just avoid such companies.

[laurent92]

I don’t understand why people think the employer cannot check whether the employee is slacking off.

Maybe what we should prevent is employer keeping months of proof and only bringing it up as inappropriate later, but if the employer uses the camera to tell an employee within 24hrs that he needs to ramp up, it feels ok. Maybe we should impose rules like “24hrs max” and “can’t be used legally, just orally.”

[csharptwdec19]

> I don’t understand why people think the employer cannot check whether the employee is slacking off.

On some level it depends on what 'slacking off' means.

I've had employers where 'slacking off' meant actively doing some %mundane/repetitive/unnecessary% task with every moment of my free time. We were literally pulling the finish off the counters; there was no need to keep dusting them.

I've had software shops where reading integration documentation was 'slacking off'.

An interesting data point; In Germany, MS Office doesn't track how long you have been editing a document. My understanding is this is because the law there more or less says if you pay someone to do a task, you aren't supposed to (i.e. can't) care about how long it took them to actually do it as long as it was done on time.

So I guess that's my problem. There's a very fine line between employers using surveillance to catch 'bad actors' and employers using surveillance as another tool to bully substandard work conditions onto people.

[ocdtrekkie]

My guess is that micromanagement actually decreases quality and productivity as well, just due to the disconnect between management opinions and real-world employee experience. If you are judging performance on the output correctly, the employee will, out of own self-interest, maximize the quality and quantity of the output while minimizing their own effort expended in creating it.

[meowface]

100% of the information an employer needs to determine my productivity can be found by looking at my work output. They don't need to know what I'm doing or looking at at every given moment. The results speak for themselves.

I'm sure they have a legal right to check (in the US), but I really wouldn't want to work for such a company and would immediately start looking for a new job if it happened to me.

[stjohnswarts]

The day one says I'm "slacking off because we noticed inactivity on your laptop" is when I stand up and walk out the door. Hasn't happened yet but I suspect it will at some point.

[the_only_law]

Yeah I’m waiting for it too. It’ll be funny because otherwise people have had nothing but good things to say about my output.

[Shank]

Cloudflare sells security to people. If you don’t want to work at a company that has security requirements like that, don’t work there. Lots of people choose to donate their fingerprints, facial data, life history, and polygraphs to work for the government. That’s their choice to make.

[tartoran]

If that info is well taken care of is one think. If it ends up floating on the internet is another. Rfid badge data floating on the net creates is useless however other personal data could be very toxic in the wrong hands. And usually this info leaks thats why its not a great idea to let it outside the network let alone record it in the first place

[throwawayboise]

> If that info is well taken care of

It isn't. https://en.wikipedia.org/wiki/United_States_Office_of_Person...

[wyqydsyq]

How is being recorded by your employer while on their premises giving away your freedom? It would be a different thing if they were tracking you out of work, but when you enter a premises owned by a business you kind of implicitly agree to be surveilled by them, as it is their right and freedom to protect their assets.

[acomjean]

I worked I the defense sector.

We were tracked by contract (badge into building, badge into area). We couldn’t leave the work area un-attended which was a pain, so there were “processes in place” (last person badge etc..).

Generally we knew they left you alone unless you were cheating. (Having someone badge you in when you weren’t there was a fire able offense).

I don’t miss it, but it wasn’t that bad. Of course having the work network not on the internet what else could we do but work...

[6510]

Its only natural really in this race to the bottom. If your zero hour contract doesn't have room to pay the bills you are not just not worried about tracking, you'd take anything that might show how hard you've tried.

[mc32]

One of the biggest use cases presently is SARS-COV-2 tracing to figure out who needs to be notified they were in proximity for X-time of someone with COVID-19.

[ocdtrekkie]

It really comes down to how it's used. As another commenter pointed out, any company using badges to swipe into doors can track your movements. Most cameras are positioned near entry doors, exteriors, or public areas as it is. The main difference here is the amount of information collected on an unauthorized entrant, and the fact that maybe badge-borrowing doesn't go unnoticed anymore.

I really doubt Cloudflare is the type of company to be tracking where each employee is and whether they are taking too many bathroom breaks. It's definitely an area abuse is possible, but probably not an area it's likely in Cloudflare's case.

[quasirandom]

> It really comes down to how it's used

I absolutely agree. The thing that concerns me is these cameras sitting on the internet. It says something about how overworked the security team is. I trust that they have good faith, but I don't know if they have the resources they need.

[adolph]

What is a specific credible concern about cameras with public API?

[Teknoman117]

People other than the ones you agreed to let monitor you, well, monitoring you. Also, it's a major risk to the company itself, who knows what can be read off of employees screens if they're compromised.

[adolph]

Yeah, it seemed far fetched to me at first but I guess surveillance might be useful to a 3rd party. I read an article a while back on how people make equity trades based on data found through satellite images of refinery tanks and whatnot. I guess unsecured internal surveillance cameras could allow an outsider to find out if a company was really busy or just faking it.

[gostsamo]

Every IOT device is an attack vector against the network.

[adolph]

I wonder if there is a way to dumb down IOT devices so they can’t be an attack vector like that.

[gostsamo]

Lock the memory so that update is physical only and restart regularly to avoid no-memory malware. Not 100% secure and very inconvenient, so people prefer to isolate IOT in its own network and preferably have a good network security like putting the devices behind VPN/firewall/other gatekeeper.

Actually, if you want to have IOT access outside of the network, the best approach is to close all ports and for the device to initiate connection with a control server. The device is dark when scanned while a heartbeat signal will ensure connectivity. This will require a good security on the control server, but that is okay because server security is much better understood and does not suffer from the constraints of the embedded software.

[josefx]

Someone wanting to break in can check if anyone is there or see where easy to steal stuff is kept? Or on a larger scale you might leak when and how security guards make their rounds.

[jgrahamc]

Cloudflare was apparently operating network connected facial recognition cameras in their offices.

We do not use that feature and do not intend to.

[robertlagrant]

But did you ever use it?

[jgrahamc]

No, this was never in active use.

[rattray]

If they did, wouldn't it be a good sign if someone came along and said, hey, this doesn't align with our values, and was able to get it removed?

[robertlagrant]

Yes it would be, but I wasn't after good signs.