[illud_tempus]

> The poster says "Their business model (in my case) seems to be to take money from companies to spy on their employees/contractors, and then they sell the employees/contractors private information to "targeted advertising". Do you have any evidence for this??

I read their Privacy Policy. They are quite explicit about what they plan to do to you. I raised the issue with them in an email (among 5 other issues). Their reply is in the header. Another issue I raised is that they expect me to accept undisclosed terms and conditions.

That said. I have worked with computer security at an advanced level, including consulting, training, penetration testing, design/implementation of x-platform server agents for monitoring and alerting, design/implementation of firewall. Once I designed an implemented a system to deal with NATO secrets (not very sensitive secrets, but still secrets) for a military subcontractor in EU. My computer is relatively secure. I follow best practices - and more. A hostile agent would decrease the security on my network. That was my first thought when I got that awful email.

Also, I don't get it why that need such a thing on my PC. I don't have credentials to production systems or production data. I am a software developer. I work with code and documentation. That's it. Anything I produce is reviewed by other developers and then tested independently by QA.

I am careful to be a freelancer, and not an employee, for several reasons. It means that legally I'm my own boss. That feels good (I have a great boss!) It also make it unproblematic to work on open source projects, without getting into discussions about who owns the intellectual rights to that work.

[lucraft]

> I read their Privacy Policy. They are quite explicit about what they plan to do to you.

OK, well, I've skimmed it and I can't see anything that suggests they are going to spy on our employees and sell the data to advertisers. I hate to drop it back on you but which passages make you think they do that?

These things do often sound terrifying because things like "I'm going to use Google Analytics to see which parts of the product people aren't using so we can email them reminders" get turned into passages like "We will upload all your activity to a third-party advertising company for marketing purposes".

> I have worked with computer security at an advanced level ... A hostile agent would decrease the security on my network. That was my first thought when I got that awful email.

I believe you! 100%!

But you are unusual, and without verification a control such as "All laptops should have screens that lock after 5 minutes" won't be followed by everyone. NOT EVEN CLOSE to everyone.

> Also, I don't get it why that need such a thing on my PC. I don't have credentials to production systems or production data. I am a software developer. I work with code and documentation. That's it.

Sure. Another commenter in the thread has said that because of that this isn't strictly required for SOC2. I'm sure they're right.. but I'm not sure I want anyone working on our codebase at all who doesn't have basic security settings set on on their laptop (Again, I know YOU do :) )

Back to the using your own computer thing again - this is why I think lots of companies say "You use our hardware for all company work but IF you really really want to do BYOD then you have to accept some of these agents". Not sure if that's the attitude at your firm, but that seems reasonable.

[illud_tempus]

> OK, well, I've skimmed it and I can't see anything that suggests they are going to spy on our employees and sell the data to advertisers

"We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes: ... Interest-based advertising. ... We may also share information about our users with these companies to facilitate interest-based advertising ... We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect ... and share it with third parties for our lawful business purposes"

Such "de-identified data" is often trivial to re-identify. There are research papers about that. It's well known in the security and privacy community.

Also, they use dark anti-patterns for opting out from them even using your personal data for their own advertising. "You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us at ..."

If Drata intended to be a nice, trustworthy security partner, use of any personal data for targeted marketing, or sale of any personal information would be opt in, not "out out if you can figure out how ...".

I have not read their terms of conditions or even their glossy information about the agent. I never got that far, as I declined to accept the terms and conditions for using their website. Already at that point, I saw red flags the size of Australia.

I don't believe for one second that Drata has any intention of showing any decency or that they act in good faith towards their customers or anyone else. If they did, they would have developed reasonable terms and conditions. What they have don't even distinguish clearly between the roles of a customer and an employee or contractor for their customers. Hell, they don't even define the term "Customer".

[jwithington]

I think the OP is talking about the "How We Use Your Personal Information" on https://drata.com/privacy

That would seem to only pertain to their website. Yes, they're going to want to market it to you, so that makes sense.

The actual privacy policy for the product the OP is using is likely found in the contract Drata signed with the client company.

[neonnomad]

You are 100% correct.

Source: I am the Drata CISO

[illud_tempus]

> You are 100% correct. > Source: I am the Drata CISO

May be you should go over your user agreement documents and:

1) Make sure that all relevant information is available, so a user can make an informed decision.

2) Distinguish between the user roles, and have different agreements for the different roles. One role is your customer. A second role is the employee of your customer. A third role is the contractor for your customer. A potential fourth role is the person(s) working for the customer that is responsible for dealing with personal and confidential information related to you, employees and contractors.

As of today, your user agreement is a mess, appearing as something you have copied and pasted together without much thought, except for how to cover your own asses. Including the ridiculed clause Microsoft is infamous for, warning that your software is unfit and unusable for any purpose.

[jwithington]

it sounds like you’re trolling tbh

[gwbas1c]

FWIW: I never do personal stuff on company hardware. I always assume that anything I do on company hardware can be tracked, even if no one is deliberately trying to track me.

I think you have 4 options:

- If you use a company-provided computer, install it on their computer. It's their computer, not yours.

- If you use your own computer, set up a VM for this client and install the agent in the VM. Then do your day-to-day work inside of the VM.

- If you use your own computer, buy / expense a dedicated computer for the job

- Politely refuse to install it and accept the consequences. (IE, you might be out of a job.)

Remember that you are paid to do a job. If you don't like the conditions of the job, you can always walk away. As an earlier poster mentioned, this tool appears rather benign.

Regarding company hardware and tracking: Many companies set up things like automatic backups, snapshotting, ect. These aren't meant to track you, but if you're doing personal stuff on your computer, it's very easy to accidentally leak things into the company backup that you might not want there.

[allo37]

Unfortunately, "I know a lot about security, trust me bro" doesn't satisfy the compliance box-tickers, for better or worse.

Maybe run it inside a VM?

[Fiahil]

>> The poster says "Their business model (in my case) seems to be to take money from companies to spy on their employees/contractors, and then they sell the employees/contractors private information to "targeted advertising". Do you have any evidence for this??

> I read their Privacy Policy. They are quite explicit about what they plan to do to you.

That's not evidence, only your interpretation.