Everyone replying with "what's the big deal?" is showing their tech privilege. You may not have to deal with intrusive monitoring, but warehouse workers are increasingly being made to wear ankle bracelets so every movement of theirs can be monitored and stack ranked. Workers in WFH "gig" jobs are made to install always-on keyloggers and other monitoring software on their personal computers and phones (which are required for the job). Companies take photos/videos of them in their homes every few minutes throughout the day. Plenty of jobs require you to hand your social media passwords to your employer. There is an entire class of companies that specialize in all of this.
Not everyone is able to say "no" to all this and still make rent next month. I'm happy the government is finally stepping in.
Last year when I started looking for jobs I landed a job at a company that did consulting services. All looked fine from the outside, but when I joined I found out they were doing software for this kind of stalking, and even using AI to classify employees as "productive", "not productive", and other criteria based on their computer's activity.
I noped the hell out of there without even having spent a week working for them. The fact that they even accepted those kinds of jobs told me our sense of ethics was way too different, and I didn't want to contribute to that. If it were "just" web tracking, then I would be able to (barely) accept it, if a bit reluctantly. But that's more or less where I draw the line.
I still haven't found a job since then, and I'm currently barely surviving through freelance gigs. Professionally speaking, leaving that job might have been a mistake; but I still think it was the correct decision.
Thanks to the article I now have the proper word for it: Bossware.
I'm reminded of Ploito. It got advertised on HN. 6 months later I'm sure: it was an ad to gain attention. Idk what happened, but it seems that the poster and their business owner became very silent 2 months after their pitch.
It's still worth quoting the BO:
> "weed out the lazy and deceitful, thereby forming a healthy and efficient team."
It's bossware disguised as a "cool" product to connect teams. You could say it's a Trojan horse. Sure the monitoring is all "optional" but the mentality is baked into the product.
For me it's just right to reject every potential company installing bossware, if only for your personal health. People burn out under constant monitoring, forced to be 100% productive all day. Have a bad day? Sad for you, it lowers your numbers. Sick leave instead? "Oh what a weak person, how unreliable".
People using computers to effectively slave-drive people should be held responsible for the damage they cause. They should pay for the treatment if they drive people into depression and burnout, not health insurers or society.
I'd have done the same, and have done before when I've found myself on client projects related to online gambling (the business model is to milk addicts for everything they have and more, don't listen to anyone who says otherwise).
I know if I don't do it someone else will so it doesn't really make a difference - but at least I can retain some sense that I'm not the kind of person who does bad things, and that's worth something.
With web tracking you can at least be 'careless' in your implementation and 'accidentally' make it not work very well because most of the time nobody will ever test it properly. No way to get away with that with this "Bossware" stuff, it'll be in active use all the time.
> With web tracking you can at least be 'careless' in your implementation and 'accidentally' make it not work very well because most of the time nobody will ever test it properly.
And users can normally install tracking blockers, either in the browser or DNS-based (in your home's router), to at least prevent some third-party stuff from loading, so that's some defense against it.
Of course it's not always possible. But the chances that a user can do something against a web service tracking them are still better when compared to an employer's in-device tracking.
Pi-hole + Brave + uBlock Origin + Privacy Badger ... I'll deal with the occasional web app not working. More app/site developers should really test to make sure their app works with the ads blocked. When I've worked on public sites, I always tried to make the app degrade gracefully (depending on hidden/reserved element spaces).
I also block this stuff, personally - but I'm not sure I completely buy the argument that it's OK to work on something because technically competent people can circumvent it. For example I wouldn't work on China's Great Firewall (not that they'd ask me to) - even though those with sufficient skill and bravery can penetrate it.
I didn't suggest, or mean to suggest as much... I mean that when I worked on a public site with ads, I made sure that the site continued to look right and operate when analytics and ads were blocked. Unless you're asserting that every website with ads or any kind of analytics/tracking is evil?
Oh, absolutely - sorry if I implied that, I sensed the suggestion of it in the parent comment and clumsily followed on from your response to that part.
I completely agree with making sure things work as much as possible and look OK when stuff like that is blocked and even when JS is disabled.
Analytics can be useful and ads are a necessary evil for the prevalent web business model. Tracking is, ugh, I guess in theory acceptable with informed consent - though I've tested a couple of those "consent frameworks" that popped up after GDPR etc and even ignoring the dark UI patterns let's just say they didn't stand up well to scrutiny regarding doing what they say they do.
> I sensed the suggestion of it in the parent comment and clumsily followed on from your response to that part.
Nah, it wasn't my intention to give that kind of impression[0]. I was just trying to add to the part I quoted from your comment (also the keywords from my first comment (not the one with the quote) were "barely" and "reluctantly").
It's not that I think it's okay, but I probably should have used the word "tolerate"[1] instead of "accept".
So basically I agree with you. I wouldn't work on something like GFW[2], or ad[3]/gambling/porn/blockchain/dating companies, or "VPN" services (in the diluted sense of the word), or Discord, or smart TVs, or software for IoT, stuff like that.
But I also know that if I want to get a remote job, I'll have to compromise somewhere.
---
[0]: Mic and cam recordings can be trivially circumvented by anyone who knows how to turn on a computer, for example, but even if I have permission/access to them, I won't touch those things unless it's to do something the end user wants to do.
[1]: There's probably a word that better captures the nuance tho. English is not my first language.
[2]: Or anything from countries who don't even try to appear like they follow the GDPR.
[3]: Where the ads are the product/service being sold. Or in other words, if a company uses adsense it's a maybe-work-for-them-but-try-to-find-something-else; if the company is adsense, it's a straight no.
Yeah... I'm in the US, mostly having worked on local sites, so I hadn't had to deal with that. At most, the tracking I've added is Google Analytics, but I have also used other types of tracking in bursts to get usage flows, or UI heat maps on what is moused over/to, etc.
> With web tracking you can at least be 'careless' in your implementation and 'accidentally' make it not work very well because most of the time nobody will ever test it properly.
I recently struggled with this. My situation was likely different given the outcome. I was able to prevail on both the sense of decency in the client and their marketing firm by explaining the PII ramifications of what they asked for, and was also able to prevail on how their customers would perceive it.
Not everyone has the luxury of clients and marketing agencies like that. I wasn’t sure whether or not I did until I tried it. I can’t know for sure until it’s needed whether I would have simply refused. I really wrestled with the idea of not doing my level best work as a technical implementer.
I found Kevin Burke’s “Ethics” to be a really great way of working [1]. He based it on an earlier piece by Kyle Kingsbury [2].
I worked through a couple onboarding/marketing projects for a large financial institution several years ago... I finished up my 6 month contract, but felt icky and didn't want to continue beyond that.
I also outright refused to work on a project for the RIAA at one time as well.
This is crazy to read. I live in what you consider a highly authoritarian and non-free society and can't imagine something like this happening here. Lower paid jobs are even more privileged in some ways: for example, in many companies you can just not show up for work for a couple of days if you feel like it, and the worst thing you can expect is a small pay cut at the end of the month.
It will really vary. Most places I've worked, even in lower-paid jobs in my later teens, were pretty lenient and understanding with personal/sick time.
I have found, between the span of $8/hour and $88,000/year, that the amount of tracking (and also the amount of "if you have time to lean you have time to clean"-type busywork) is very close to inversely proportional to income in the US.
Well-positioned workers have little recognition of what lower-paid or lower-prestige labor has to deal with, even a few years out of such work. And when they know, they rarely understand. Seemingly small or innocuous things can make a massive difference in your experience at an employer. It was surprisingly frustrating having to throw my phone into a locker at my $16/hr warehouse job like I was entering a SCIF when, really, they just wanted to cut down on people taking photos of OSHA violations. The joke is that it was easy to use their disposition system to sneak photos to my email. Which is to say, this class of policy/tech just encourages people to find undocumented (read: insecure) ways to retain their at-work QoL.
Not arguing against your points, but I'm wondering if this is more of a US-related issue? I never heard of this being a thing here in the EU, but maybe it's just me being unaware of all the various situations. I don't know anyone who works from home (whether in tech or in other sectors) that has to deal with all that nonsense.
Germany reporting in, couldn't see that becoming a thing here. I have about 99% WFH currently, and if my employer tried to implement something like that, the union would probably not even have time to get involved because the works council ("Betriebsrat", not sure if that's a good translation) would swat it down instantly.
It sounds insane, but believable for the US (but that might be my bias showing, I've always heard bad things about worker's rights in the US).
The fact that you have a Betriebsrat along with strong unions is why that sort of thing doesn't happen. Many European countries have works councils with a similar union-adjacent role. I'm not aware of an equivalent in the USA.
I have a friend in the UK (and this was a few years ago when it was still part of the EU) who worked for a company that had always-on screen monitoring installed on company computers and their boss would randomly remotely view people's screens to check on what they were doing throughout the day.
That may not have been legal, but it was certainly happening.
The US has significantly less privacy in general than most of the EU. The way the whole freedom thing is implemented tends to skew heavily towards "businesses can do whatever they think makes the most profit".
I can't find a single source for your claim that warehouse workers are being made to wear ankle bracelets. The closest I see is an Amazon patent from 2018. This kind of hyperbole is not helpful to conversations like this.
I've worked in factories and seen the degree to which productivity is an issue. I actually lobbied for us to use the time tracking that was already available to us via our ERP, and management declined. Humans are lazy by default. We seek the highest return on our effort. Building great things (i.e. making life better) requires us to fight this instinct.
Additionally, I have seen absurd abuse of WFH/remote since COVID among co-workers. There have been instances where I truly cannot wrap my head around someone seeing it as anything but theft. I don't particularly like being monitored either, but I definitely understand the motivation for monitoring or RTO initiatives.
Your company isn’t using remote workers correctly. If there’s no way to measure work output besides physically seeing someone work, then there are fatal flaws in how you measure work output in the first place.
> For example, employers ... track [workers'] movements using wearable devices
2nd paragraph of GP's link.
> Abruzzo’s memo cites things like wearable devices for warehouse workers
6th paragraph of OP article.
I don't think the commenter meant literal ankle bracelets. But I think that's a bit pointless. I don't think it's okay whether it is a literal ankle bracelet, or some BLE tag in their badge. Do you think some option is okay?
Yes, definitely. The distinction between a supervisor watching their employee vs. cameras + CV vs. using wearables to automate the watching seems completely arbitrary to me. Are you OK with a cab company monitoring its cars via GPS? Or a trucking company monitoring its loads via tracker? I am, and again, I find the distinction arbitrary. With one caveat–the employee is informed prior to employment that these tools will be used and they are a requirement of employment.
> The distinction between a supervisor watching their employee vs. cameras + CV vs. using wearables to automate the watching seems completely arbitrary to me.
I'd be pretty weirded out by constant camera and CV monitoring too
> Are you OK with a cab company monitoring its cars via GPS? Or a trucking company monitoring its loads via tracker?
Those are (a) not monitoring a person and (b) much more coarse than "what shelf is this person standing in front of". They tell the company that the cab driver parked, not that the cab driver took exactly 3 minutes and 33 seconds in the restroom.
I suppose my biggest concern with it is that it's measuring the wrong thing. If someone's doing as much as their coworkers even though they leaned on a shelf for 5 minutes yesterday, is that really a problem?
By comparison monitoring a car with GPS has legitimate purposes that actually advance the interests of the business.
The fascination with ankle bracelets notwithstanding (does a badge worn at the ankle count? How about an ankle bracelet obscured in the pocket?), I hope the safety aspects dominate anything like that. How many people are in the mine? How many minutes was each employee exposed to over 90 dB?
As pointed out elsewhere in the thread, the distinction of where a wearable device is worn on the body is not the most important point to most people.
I don’t see how someone can read the various articles about how closely workers are monitored in warehouses these days and be this defensive about the surveillance practices. Do you work for a tech company that uses a lot of warehouses? ;)
“Kochland” includes a chapter on warehouse operations that tracked workers’ activity down to the minute (each conversation and bathroom trip had to be accounted for) and posted their performance rankings on a bulletin board.
> Not everyone is able to say "no" to all this and still make rent next month. I'm happy the government is finally stepping in.
More good news is that since workplace surveillance is already heavily-limited by law in some other highly-productive developed-economy states, this shit’s all probably pointless anyway. Just one of many cases of execs going full “seeing like a state” and wanting everything down to the finest detail to be “legible” and able to sort-by on a spreadsheet, even when it’s actually just noise.
Plus workers in tech are absolutely not immune to this stuff and nobody should be complacent.
"They can't monitor me because I spent my morning mentoring Alan the Junior at his desk" - that may be so, but it won't stop them from trying, and the lag from deploying bad business initiatives to realising they're bad can be months or years in the making.
-> I'm happy the government is finally stepping in.
Why are you happy about taking the learning process and responsibility away from individuals? By regulating a sick mindset you potentially keep an edited form of it alive.
Instead, employees should really refuse to be part of those illegal activities and let the company die naturally. This teaches both sides.
>install always-on keyloggers and other monitoring software on their personal computers and phones
1. WTF is anyone doing using their personal belongings for their work? Cleanly and clearly demarcating personal and professional is CYA 101, for both employee and employer.
2. WTF is the employer doing if they don't provide all necessary tooling for the job prescribed?
3. WTF are you doing working for above employer? I sympathize not everyone can do so, but the only way such bullshit will change is if enough of the workforce says "nope" and quits for greener pastures.
Regarding 1: Not everyone wants to buy a burner phone to do 2 factor authentication. And many (most?) employers won't provide one just for this.
The real evil are companies that require you to use a phone for 2 factor authentication and assert that they have the right to examine your phone because you use it for work purposes.
Don't use 2-factor if they're not going to provide the hardware for it. Demand a U2F (e.g. https://www.yubico.com/) if they don't hand out phones. It's not your account and you're only responsible for the security inasmuch as they provide the means to make it secure.
(Not necessarily directed at parent, but anyone who is unsure or worried about this.)
1 and 2 are how all the gig companies like Uber, DoorDash, Amazon delivery etc. work. The line between personal and professional has been blurred intentionally by the big employers. This helps them CYA, as you phrase it.
> 3. WTF are you doing working for above employer? I sympathize not everyone can do so, but the only way such bullshit will change is if enough of the workforce says "nope" and quits for greener pastures.
...this is exactly what the parent comment is talking about. People take these jobs because you need money to live and not everyone has the luxury of being able to turn down jobs with shitty conditions. Employers take advantage of this and do things like require their employees to use their personal belongings.
> 1. WTF is anyone doing using their personal belongings for their work? Cleanly and clearly demarcating personal and professional is CYA 101, for both employee and employer.
> 2. WTF is the employer doing if they don't provide all necessary tooling for the job prescribed?
Because then they don't have to spend any company money.
I had to make a point of getting a company phone. If I didn't, it would've meant allowing my employer's IT department access to my phone, including the ability to read arbitrary data and to be able to wipe it. That's a big no, but thankfully they saw sense.
I was surprised (perhaps I shouldn't have been) to encounter bossware-like surveillance in an interview process.
About 6 months ago I was interviewing with InterSystems, a company that does healthcare software. Only when I signed in for the online coding interview did I learn that they required I have a webcam on myself the whole time.
I don't like using coarse language. But it was the first time I struggled to not use the phrase "fuck you" in my email to the recruiter.
IMO there's a huge difference between "we do this because we had too many fraudulent applicants and this is a compromise compared to having you interview in-person" versus "this is representative of how the entire employment relationship will go."
If the former, their fears are not unfounded: Sometimes the person who impressed you in the interview is not actually the same person who arrives for their first day of work. There are also less-audacious forms of interview cheating, where an off-screen cyber-Cyrano is supplying them with answers and/or keyboard-input.
That said, I agree that any workplace with a "webcam on at all times for monitoring" policy for employees is one I would leave ASAP. Not just because it's hostile and offensive, but also because it's indicative of the company doing badly while management is busy "rearranging deck-chairs on the Titanic."
> "this is representative of how the entire employment relationship will go."
Seems like it's great signal of how the company thinks, and will behave.
Not necessarily that they'll put all employees under video surveillance, but if they think that interview thing is a good idea, I'd guess probably they'll do numerous other things along the same line of thinking.
Occam's Razor possibilities:
1. The company is normally very enlightened and thoughtful and fair, and has a very subtle and nuanced rationale for why they're coming across as invasive and overbearing in this one narrow instance, and their reasons in this bad first-impressions instance (when they should be thinking about first impressions) were simply somehow not explained.
I think the former might strongly imply the latter.
If a company can't think of a single way to ensure the person who interviews is actually the person who comes to work the first day (hint, there was a time when webcams did not exist), then that company is probably also inclined to inflict lazy, intrusive surveillance-based schemes on employees after they're hired.
That's what I was getting at. If you want to be sure that the human body who will be present in the office is the one doing the work, then you need to have at least one on-site interview.
If the work is fully remote, then does it really even matter? If you hire Person A to provide certain business results, but he actually contracts it out to Person B who does all the work, yet the expected business results are provided, then do you actually care?
1- You don't want an incompetent, non-trustworthy person to work for you. They ruin the culture and affect the entire company.
2- Once they are in, it's not likely that they care as much as the interview time to delegate the job to a person.
3- You might have other non-technical requirements, like a background check, culture fit, personal skills, etc. The person they might delegate the job has not gone through this filter.
> I will not install spyware on my personal computer.
Agreed, if they want to lend me a computer for the exercise, that's another matter. :p
It's been a while since I last interviewed in earnest, but my recollection is that those situations (fortunately) correspond with companies that I probably wouldn't want to work for anyway.
If you expect to be doing take-home assignments, you need to know how to use virtual machines and restrictive outgoing whitelist-only firewalls (or at least OpenSnitch), and wipe everything except the source code you create, between companies / every single use.
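As an added example of the "outgoing whitelist-only firewall" part of that advice (this is not code from the thread or from any product mentioned in it), the following POSIX shell script generates an nftables ruleset for a throwaway Linux VM used for a take-home assignment: the output chain is default-drop, only the resolver and an explicit list of destination:port pairs are allowed, and everything else is logged and dropped. It assumes nftables is installed in the VM; the resolver and destination addresses shown in the usage line are constructed placeholders from the RFC 5737 test ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not part of the original thread: build an nftables egress
# allowlist for a disposable take-home-assignment VM.
#
# Design: default-deny on the output hook, so anything the assignment's
# tooling (or a proctoring add-on) tries to reach that you did not list
# is dropped and logged. "flush ruleset" wipes any existing tables, which
# is what you want on a single-purpose VM but NOT on a shared host.

# gen_egress_allowlist RESOLVER_IP "IP:PORT IP:PORT ..."
# Prints the ruleset to stdout. Load it with:  ... | nft -f -
gen_egress_allowlist() {
    resolver="$1"
    allowed="$2"
    cat <<EOF
flush ruleset
table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept
EOF
    # One accept rule per explicit destination:port pair (TCP only;
    # add a udp line yourself if an assignment genuinely needs it).
    for pair in $allowed; do
        host="${pair%:*}"
        port="${pair#*:}"
        printf '        ip daddr %s tcp dport %s accept\n' "$host" "$port"
    done
    cat <<EOF
        log prefix "egress-drop " drop
    }
}
EOF
}

# Count the accept rules in a generated ruleset; handy for eyeballing
# that only what you listed got through.
count_accepts() {
    gen_egress_allowlist "$1" "$2" | grep -c ' accept$'
}

# Usage (placeholder addresses, RFC 5737 TEST-NET):
#   sh egress.sh 192.0.2.53 "198.51.100.10:443 198.51.100.20:22" | sudo nft -f -
if [ "$#" -ge 2 ]; then
    gen_egress_allowlist "$1" "$2"
fi
```

Review `journalctl -k | grep egress-drop` (or wherever the kernel log lands) after the first run of the assignment's tooling; every dropped destination is something that wanted to phone home that you did not approve. OpenSnitch gives you the same decision per application with a prompt, but a kernel-level default-deny does not depend on a userspace daemon being up.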
If a prospective employer refused to conduct my interview because their anti-cheating software could detect I was using a virtual machine, then I would tell them to go fuck themselves.
I would rather clean toilets with dignity than be bitch-whipped into programming for such psychopathic entities.
So you are okay with giving random companies an hour of footage of your face and part of your house just for the privilege of going through their automated screening round?
Emm, yes? What do you think they are going to do with it. They are also considering giving you access to potentially a vast amount of their IP and maybe even customer data.
I just don't understand this at all. Perhaps if they said they intended to record the interview I'd be a little uncomfortable. Otherwise, did you hide your identity in face to face interviews? Do you refuse to enter buildings with CCTV?
I've interviewed hundreds of people since COVID / interviews going online. I'm not aware that it's been a problem for a single candidate, I don't even think we say it explicitly.
Wouldn't you need to sign over your name, image and likeness (along with an affidavit that it isn't already exclusively owned) in order for them to legally reuse it?
Granted, I've seen tech employee contracts that do include that wording, but it hasn't been in any of the pre-employment paperwork like NDA, etc., in my experience.
> Wouldn't you need to sign over your name, image and likeness (along with an affidavit that it isn't already exclusively owned) in order for them to legally reuse it
Cybersecurity nerd here, have talked to many platform and financial company CISO’s, security teams and recruiters over the past few years.
Fake interviewees are pretty rampant. We're getting to the point where presenting yourself in person to a government representative, agency or a private attestation company will be part of the onboarding process. At this point it looks like it'll be iris scans.
In the US it's even an issue in person with H-1Bs, where they get interviewed and hired online, then someone else shows up.
Also the fact that insider threats are almost never budgeted for, and so many companies blanket-approve access to systems like logging systems, customer support systems, source code, etc - means attackers don’t even need to get hired into a very important role to get the data they want.
That argument works for fingerprints because it’s possible to replicate them (kind of) but how do you replicate someone’s eyeballs assuming supervised setup ?
If we assume "supervised setup", then doesn't that negate the fingerprint issue too because a supervisor can tug off fake-fingers and wash tips with alcohol etc?
Either way, I think this is one of those "if it was used properly, people won't like the limitations, so they'll use it improperly" situations. Kind of like with social security numbers.
No, because nobody trusts full-names or addresses the same dumb way that they wish they could trust iris-data or fingerprint-data.
"Welcome to Acme Bank. To prove you are the owner of this bank-account, please supply your full name and street address. *ding* Authentication successful! Please choose an amount to transfer."
At best, biometrics can only replace usernames. In other words, information that is quasi-public and not expected to be easily changeable... With the additional problem that sometimes it changes all on its own.
We've seen that also. You interview someone online, help file the paperwork to get into the country and get a work visa, and then someone else, a technically much weaker guy, shows up on the first day. We had that twice in the last two years.
Wild. So the paperwork and the visa etc. was all actually filled out with the details of the weaker guy? Including the photo and suchlike? Crazy that gets past the company's immigration lawyers.
Also, doesn't he just get fired straight away and lose his visa? Seems like very high effort and low chance of success, I must be missing something.
This is in EU. You have three months to find a new job, which I found here after your comment made me think [1].
This may be a reasonable gamble, as many companies probably do not expect such a swap, and do not have detective measures in place. And if that doesn't work, you still have 3 months to find another job in an environment that favored job seekers at this time.
In light of interview fraud, it seems reasonable for the interviewer to request that you are live on camera so they can see that you are who you say you are and that you are working alone.
The part that would have made me walk away would have been if the video was being recorded and retained, as opposed to merely being watched live.
Unfortunately this is a requirement nowadays. Scammers learned how to generate realistic CVs and they organize people to pass online interviews for them. After getting the job, they do nothing, get their salary for the first billing period, and leave.
> Scammers learned how to generate realistic CVs and they organize people to pass online interviews for them.
Can they help me out? Apparently, those scammers have figured out a way to convince companies they are real applicants, yet somehow I, a real applicant, apparently cannot do the same.
Use a short take-home test for coding stuff, and then do a live interview where you do roleplay and situational questions that make it really easy to tell if someone has actually done this stuff as a job, or is just reciting answers they memorized.
I was asked to be recorded answering three stupid questions like "what motivates you?", "why do you want to work here?" etc. before attending a multi-stage interview. I never got invited to that interview, and I did wonder if I could take them to court, because my CV showed me as a good fit for the job (literally ticked all the boxes), but they clearly rejected me based on the video. (In case you wonder why I thought I was a good fit, I can tell you that I built the tech they were implementing.)
The amount of cheating and deception in tech interviews is off the charts. There have been many, many examples commented about on HN over the years. So the webcam requirement seems pretty reasonable. Probably best that you and that company went separate ways.
How can you vet a candidate remotely without having them on the cam? Especially today with all the LLMs, it's pretty much a hiring requirement if you can't bring the candidate in for an interview.
We're probably at the point where it's cost effective to pay for traveling-to-interview again, especially for the later-round interviews.
That is, unless companies are lying about how much damage bad hiring does. I don't suspect they are, but they apparently can't also do the math to go back to that option.
Using a coworking space sounds viable. Past that maybe a cafe if it's not gonna be a heavily technical interview where you need peace, quiet and a whiteboard.
Edit: Maybe a library? Most around me have rooms for working in groups.
I was flown out from the east coast to the company's HQ in Portland, OR to do the last technical round of interviewing back in 2006. All expenses paid (flight, meal, 1 night of hotel).
I genuinely don't have a webcam. I mean my work laptop does, but I wouldn't be using my work laptop to interview with people. My home desktop doesn't have one though because I'd literally never use it, and no way I am buying one to take an interview test.
Do these companies support Linux or do these recruiters only go after Windows users? There are of course lots of perfectly fine technical folks who are windows-centric, but it still seems like a pretty bad filter to apply to their candidate pool.
I've started preemptively stipulating to recruiters that I will not accept spyware (including browser extensions and phone apps) or autoproctoring as part of the application process, nor will I subject myself to interviews with or evaluation by a large language model after encountering this nonsense once.
Having run this kind of thing for customers over the years, my takeaway is that every place that wanted this was a completely toxic and paranoid work environment.
Except for one. This place that seemed to have a reasonable use case. They dealt with very sensitive legal cases involving children, and they wanted an audit trail to ensure sensitive media was handled according to their policy.
Yep. The need signals a lack of trust within an org, and perhaps a management attitude of infantilism and/or a lack of professionalism amongst workers. There is no quick-fix technology solution to business culture dysfunction.
Yeah, I would not have a problem with intrusive monitoring related to any sensitive data. Just limit the monitoring to dealing with the sensitive data.
Never seen anything like this IRL despite working at various major companies. Hell, the other day I explained to my rather senior boss that the yellow Teams icon means away from desk.
Work is me trading my time for money, and I can begrudgingly accept some level of monitoring. That's after all what a boss is - they supervise aka monitor.
However, the blurring of boundaries really irks me. This is part of the reason why I carry two phones, refuse to use remote desktops from personal devices and definitely don't connect personal devices to corporate wifi. Similarly, that aggressive, invasive student exam monitoring software in use makes me thankful I studied in more classic times.
Yep, my policy is to never "cross the streams." Work stays on work-provided (and controlled) devices and personal stays on personal devices, and never the twain shall meet. I work remotely, so I even go so far as to ensure all my work-provided devices are on their own VLAN which is isolated from the rest of my network and only have limited Internet connectivity. I don't really understand people who use work devices for personal (sometimes VERY personal) tasks, or even worse vice-versa: Bring Your Own Device for work tasks.
In many jobs, you're not provided a separate device to use for work. It's just expected that you will have a personal device that you can use. And if you have a problem with that, you can just go work somewhere else.
I have been told in at least two interviews that a condition of my employment is that I have a relatively recent Android phone.
I know I'm (heavily) privileged but man is it nice to just say no to such shenanigans knowing that the company I work for does not want to lose me. In my eyes this is the healthy relationship: I like the job, they like me doing it. I can make requests, they can do so. I can say no, they can say no. I can walk away, they can walk away (ok, technically laws in my country prevent them from being able to walk away, but I consider it a matter of pride to leave as soon as they don't appreciate me anymore). All these are just signs of mutual respect.
This is going to be impossible to police, and we haven't seen anything yet:
All knowledge workers (at least) are going to end up with real Bossware, in the form of an AI chatbot boss.
Of course they will be called AI assistants, co-workers, collaborators, secretaries, etc, but while they will most likely be able to help complete complex tasks in a variety of industries, it's absolutely certain that they will be able to 'help' with todo lists and scheduling.
So, after conversing with your personalized AI to create a new sales report or whatever, the AI is going to helpfully remind you that you have a meeting in 20 minutes, and that's just enough time to squeeze in the product inventory report, if we go for it.
And then at the end of the day/week/month, the AI will 'helpfully' assess your performance and recommend corrective measures.
And make recommendations about you to your human bosses too, of course.
That's a big reason that I purchased my own, personal computer, many years ago. I was paid well enough, that it was quite possible.
Back then, they hadn't really gotten going with all the monitoring stuff, but I did it from a sense of personal integrity.
I was writing open-source stuff, and there was no way that I was going to allow my company to try to claim it. I didn't use company time, and I didn't use company equipment.
I did not have a "shower clause" in my employment contract, so I was free to work on my own stuff, on my own time.
However, I worked at a company that employed a ton of photographers, and there is no way that they would be able to get photographers to sign over that kind of authority to the company.
That said, I was there for almost 27 years, and a lot could change, in that time.
By the time I left, their HR was starting to get downright rapacious, so newer employees might have had to sign over those kinds of rights.
As many others said, assume that it does, by default.
Do you have admin rights, including to the firmware? Can you, and did you, set up from scratch the device that you received from the employer? If not, then it is almost 100% certain there is surveillance. If they let you do all the setup, then maybe 50%.
Just isolate any box your employer touches, both physically and in the network sense: separate visual and sound space as much as possible, separate WiFi network, etc.
Generally you won't, but some vendors' documentation lists folder paths you can check, like if this folder exists on your computer it's running Teramind [1]:
There's a (_relatively_ benign) bossware-like software on my work provided laptop. It forces updates of browsers and common software like the company VPN. When it updates and restarts my browser, it helpfully mentions that if the browser itself was unable to restore my tabs, I can always ask IT to look up what tabs I had open before the update. Maybe ask your IT services if they can help you remember what you had open a few days ago.
We have some ridiculous timeout on our work machines that triggers the screensaver after 2 minutes of idle time (we can’t change this).
After it’s triggered, you need to enter your password to unlock (company mandated, 10 chars minimum, no repeating chars, at least 1 upper and 1 lower case char, at least 1 special symbol, change every 90 days, can't be too similar to last 10(!) passwords).
Okay, this is annoying. So, for the longest time, I used an open source mouse jiggler app (basically simulated cursor movement).
This worked fine until a recent software update. I wondered why my screen saver was being triggered again. Oh, the mouse jiggler isn’t running! Let’s open it up.
A big dialog box appears on the screen: “THIS APPLICATION VIOLATES COMPANY POLICY AND ITS USAGE HAS BEEN REPORTED.”
Oh… cool.
I went on Amazon and ordered some $5 hardware mouse jiggler dongle. That worked for about a month or so.
Then suddenly, I started getting CrowdStrike notifications: “Functions of a USB device were restricted according to company policy.”
Fun times!
It’s only a matter of time until Zoom starts sending reports of whether I had the window in focus or not during meetings with management.
This... sounds like their security is doing their job, tbh? Like, yes, if you have access to sensitive data your computer _should_ lock when you are away from it, and you shouldn't be able to circumvent this.
I am, generally, very sceptical of corporate surveillance stuff, and think that it should be largely banned. But this particular case isn't surveillance, it's security.
You are the user I fear most; clever enough to be dangerous and aware of the bullshit.
If you were really smart you would lobby your IT department to change the ridiculously short timeout, and protest by not working when it locks on you during normal pauses.
The dangerous ones are these misguided IT departments.
Of course it's a balance, but think of the wasted productivity from a 2 minute timeout with stupid password requirements like that. That incurs a cost.
I bet they also have many other wonderful ideas and overly-bureaucratic processes that are strangling efficiency and preventing innovation.
Hah. I'd like to think there's nothing to fear from me as a user.
Look, I get why some of these policies are in place -- a bunch of it stems from locking down our systems and protecting critical data due to various Sarbanes-Oxley requirements. Plus, sometimes smart people do dumb things, and it leads to bad things (e.g., see the LinkedIn incident) [1].
But man, oh man, is it annoying! Especially if I'm in my own home, with no one around, and I otherwise get my work done.
I thoroughly agree - Two minutes is an insane timeout, and exactly the kind of security stupidity that makes users like yourself build ways to circumvent it, making it worse than useless because now you're plugging in sketchy dongles into your corporate PC.
Ah, that's an interesting point. I haven't tried to correlate that, but it must be true. For example, the screensaver never seems to appear during Zoom calls!
That might also be implemented as "don't start the screensaver if the camera is in use". Easy to detect in either /proc/ or /sys/, I forget which one I was fiddling with.
The trick that I heard is to just place the mouse on a clock. The second hand jiggles the mouse every minute. Can be stashed away in a drawer or something. Never tried this though.
If you're on macOS or Windows, start a WebEx or Zoom call; the timeout for screen locks is reset while a meeting is running. Also, it means that your boss sees "in a meeting" if they look at your status, which makes you look busy, which bosses think means productive.
I mean, you can just make a copy and name it whatever? You can even have it generate a new name every time you run it if you'd like. Imo this is a rather pointless cat and mouse game with developers, because either they can't do their work properly or there will be ways to work around stuff like this.
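The rename problem raised above is why flagging a jiggler by executable name is a losing game. As an added example (not code from the thread or from any monitoring vendor), here is the kind of behavioural heuristic an endpoint agent could use instead, run over constructed pointer-event traces; the event format, window and thresholds are assumptions.

```python
"""Behavioural check for synthetic 'jiggler' input (added example, not from the
thread or any vendor). Events are constructed (timestamp_s, dx, dy, kind)
tuples with kind in {"move", "click", "key"}; format and thresholds assumed."""
import random
from statistics import mean, pstdev


def _cv(values):
    """Coefficient of variation; 0.0 for constant, single or empty series."""
    if len(values) < 2:
        return 0.0
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def input_features(events, window_s=600.0):
    """Summarise the last window_s seconds: metronomic gaps and identical tiny
    displacements with no clicks or keys are a jiggler's signature; a person
    is noisy on all three counts."""
    if not events:
        return {"moves": 0, "gap_cv": 0.0, "mag_cv": 0.0, "mean_mag": 0.0, "other": 0}
    end = events[-1][0]
    recent = [e for e in events if e[0] >= end - window_s]
    moves = [e for e in recent if e[3] == "move"]
    gaps = [b[0] - a[0] for a, b in zip(moves, moves[1:])]
    mags = [abs(dx) + abs(dy) for _, dx, dy, _ in moves]
    return {
        "moves": len(moves),
        "gap_cv": _cv(gaps),
        "mag_cv": _cv(mags),
        "mean_mag": mean(mags) if mags else 0.0,
        "other": sum(1 for e in recent if e[3] in ("click", "key")),
    }


def looks_synthetic(events, min_moves=5):
    """True when the recent stream is periodic, uniform and otherwise silent.
    A short or empty stream is never flagged: silence is not evidence, and
    punishing it only rewards fake activity."""
    f = input_features(events)
    if f["moves"] < min_moves:
        return False
    periodic = f["gap_cv"] < 0.05
    uniform = f["mag_cv"] < 0.05 and f["mean_mag"] <= 3
    return periodic and uniform and f["other"] == 0


def jiggler_trace(n=10, period_s=60.0):
    """Constructed trace: one 1-pixel nudge every period_s, nothing else."""
    return [(i * period_s, 1 if i % 2 == 0 else -1, 0, "move") for i in range(n)]


def human_trace(n=40, seed=7):
    """Constructed trace: irregular gaps, varied moves, occasional clicks."""
    rng = random.Random(seed)
    t, events = 0.0, []
    for i in range(n):
        t += rng.uniform(0.01, 2.0)
        events.append((t, rng.randint(-40, 40), rng.randint(-40, 40), "move"))
        if i % 8 == 0:
            events.append((t + 0.05, 0, 0, "click"))
    return events
```

The point for a defender is that the signal lives in the input stream, not in a process name, and that an idle stream is deliberately not treated as evidence of anything.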
If you're on a work VPN, presumably you wouldn't want this in the DNS logs. Best to make a local clone! Simply "Save" from the browser, assuming the whole trick is within a client-side script that doesn't phone home, which appears to be the case.
I solved this by putting an optical mouse on a 12 inch wall clock (laid flat under my desk). The second hand moves the mouse a little bit once a minute.
One aspect not covered here: if such a device was around a person with classified status, at any hour of the day, shouldn’t we need to label it as a probable eavesdropper? I imagine a chunky yellow label saying that we technically cannot tell if this phone has spyware, because bossware activity is blended in.
This reminds me of what my cousin was doing last year, during our Christmas lunch. (In a southern hemisphere country, we tend to party hard that summer night and meet with family the next day.) She had some macro software moving her mouse and throwing keypresses at some notepad app or whatever. And she would get a random video call to check on her at some point. I am sure that if they were to add an always-on video feed she would find a way to send some video loopback device like any Linux power user would do xD
Is there any networking hardware that can intercept and obfuscate payloads that are collected by bossware tools? Also, is there a database of known bossware? I’ve used MITM proxy to intercept web analytics payloads, but I’m curious to know if there is anything available at the hardware level.
It's generally a good idea to separate work and personal devices. It reduces convenience and can take up more space, but definitely the way to go more often than not.
You're on work devices ~35% of your waking hours. There's still a need for dignity and privacy within that time. Working doesn't mean you become completely subject to your employer's whims those hours.
I'm not saying there isn't... It's a matter of trust, and I tend to be a bit paranoid in general. I don't trust work devices, even if working on highly sensitive or secure applications.
I limit what types of work apps I'll install on my personal phone, and try to limit personal usage of work devices.
The reasons given are pretty much a nothingburger and standard compliance items you should be doing anyway!
I am trying to figure out what exactly is the problem people have though: you're literally on a company asset, being paid by the company, you've signed copyright away, you're aware there is no expectation of privacy. Use your cell phone or your home computer for home business, work during company hours, doesn't seem like that big of a deal.
=== EDIT:
Re: comments about webcams: nowhere in my comments did I say anything about cameras. Read both the article and my comments before attacking straw men.
Why should employers be allowed to take pictures and videos of me without my permission or knowledge? If I work from home, how much of my home is now the company's business? Should my employer be allowed to see my home office at will? What if my home office is a bedroom and have private things around that I don't want them to see? Or a living room and I have family moving around in the background? Does my employer actually have a right to film my spouse or children?
There are also issues beyond those. What about employers that require you to install software on your personal phone so you can access MFA or work email? Some of that software requires you to sign all rights away for your personal phone, and there's a risk you may have all your data deleted from your personal phone when you leave the company.
You want to know how the Overton window shifted from workers as humans, to workers as property? Look at laws around the telephone.
If you have a telephone on your desk, it is illegal for your employer to secretly listen in on those calls. However, if you send an email, your employer has every right to secretly read it.
The only difference is, emails didn't exist in the '30s, but telephones did.
I always ponder from this perspective as well, think about the strength of laws regarding physical mail as well. Most of those privacy/tampering laws should have been applied to email from the get go.
Objective snapshot-in-time comparisons like this are fantastic. It's all too easy for the novelty of tech churn to serve as justification for the age-old authoritarian desire.
Different person here, but: literally anything. I don't have "anything to hide," but I don't trust the company's judgment (or, more specifically, that of every possible "company representative." It only takes one to make something a federal fucking issue.)
If I do a google search for "cake toppers for lesbian wedding" while my code's compiling, that's morally fine. But if a bored "company representative" decides to take offense to that, now it's a whole goddamn situation that I have to deal with.
Or if I'm on Stack Overflow to copy&paste, and one of the "Hot Network Questions" in the sidebar has an "offensive" phrase in it, is it going to trip their automated flagging criteria?
Going even further: what if it's for your upcoming lesbian wedding, and the company didn't know that? Maybe the CEO hates lesbians and this information somehow trickles up and you get fired later for a "bad culture fit"? Maybe you have a disability, a serious medical condition requiring FMLA leave, or something else.
Maybe you'll sue for it. Maybe all those activity logs become part of the evidence. Maybe there are other people who got fired under similar circumstances, and you form a class action... After all, who can say that the company isn't engaging in illegal discriminatory behavior based on those logs, simply because the logs were conveniently available and detailed?
My concern is that workers who produce the desired output for their company, ie perform the labor they are paid to perform, will not be able to use excess time to be with their family, take care of chores, rest, or otherwise live life, and will instead need to pretend to be busy as though they’re still in an office under the watchful eye of an overpaid manager. Monitoring should be reserved exclusively for cases where an employee’s output is not measurable in any other way, and should then be kept to a minimum. If we exclude the possibility of webcam or audio monitoring, then my primary concern is that a worker will be made to waste their time satisfying the arbitrary metric by which present-ness on their company computer is measured, and so the thing I am worried about being seen is the absence of activity.
Him not replying to you is the funniest tacit admission of being wrong I've ever seen, unless he angrily replies to me. It's surreal that people defend being recorded in your own house. This is figuratively 1984, y'know.
How can this be a serious question? Much of my company is in an earlier time zone and I frequently log into meetings and start work while my wife is still ambling about, showering and walking around naked. My naked wife is something I don't want my employer seeing. A house is a shared space. No one in it except me accepted any sort of consent to monitor agreement.
I would not accept employment under any terms that allowed my employer to look at me without my knowledge, or snoop around on my computer without my acquiescence.
Due to security restrictions, any device you bring to work to use for Company purposes is subject to the IT Acceptable Use Policy and you consent to allow Company to take whatever measures it deems necessary to protect its data including, but not limited to, network monitoring and mandatory installation of endpoint security software.
I haven't seen this implemented for developer workstations; generally BYOD is forbidden for computers. I have seen this implemented for cellphones. If you want to use a personal cellphone for work, you have to install their MDM app and the device becomes, in effect, the company's cellphone.
From the article: "Abruzzo’s memo cites things like wearable devices for warehouse workers and GPS cameras on truck drivers, but she pays particular attention to computer-based surveillance, calling out “keyloggers and software that takes screenshots, webcam photos, or audio recordings throughout the day.” The memo goes on to mention tools that keep watching when employees are off the clock, such as those that 'track employees’ whereabouts and communications using employer-issued phones or wearable devices, or apps installed on workers’ own devices.' "
So, according to the article, we are not only talking about screenshots and access to the computer's contents. I will accept a charitable interpretation that you are comfortable with a subset of bossware, but the article was talking about a wider swath.
First time I've looked at Kolide in a couple of years, and two things jumped out at me:
- They got acquired by 1Password
- They've pivoted away from a managed osquery product.
A few years ago, I wanted to throw money at Kolide to manage compliance in a large enterprise using osquery, but their product/sales team was quite underwhelming. Whilst we were testing it, they switched to requiring Slack integration as their control and management plane and wouldn't support the existing workflow... So I had to reluctantly drop them.