angdis | 10 years ago

I hear this as "blanket advice" all the time, but very rarely is there a discussion about what is reasonable to expect from a "normal" employer who isn't draconian or looking to find an excuse to fire someone.

Spooky23|10 years ago

Actually, the chill employer is the most dangerous.

Even if your employer is fine with personal use, courts will rule that it's all in scope during a discovery phase. I've been involved in litigation scenarios where people's personal email ended up being sifted through by the other litigant because opposing counsel convinced the judge that business was being conducted there, and there was evidence of frequent access on a corporate device.

All of your protections from a legal point of view are really defined by custody and scope of control. Data stored on your device in your home is the most protected. Data stored on your employer's PC or file server on your employer premises is the least protected.

angdis|10 years ago

OK, but what about email read/composed on my personal Gmail account using a work computer? When you say "personal email" do you mean @company.com email -- or do you mean _any_ personal email as long as it is read/composed on a company machine?

Is it safe to assume that the only way that that (or any HTTPS content) can be captured is by keylogging or some kind of desktop capture?

ghaff|10 years ago

It's one of those pieces of advice that is hard to say it's wrong exactly. However, for many professional employees at a great many companies, it's pretty extreme as practical advice. There are some sensible practices like keeping work email and personal email separate and, for both your own and work devices, following whatever infosec policies there are around encryption, VPNs, and so forth.

But, in general, "never do X" advice can be actively harmful because it advises people against doing things that very many do without repercussions and causes people to ignore advice that it's important to follow.

mhurron|10 years ago

It's not really a question of what is reasonable to expect. Even if a company chooses now not to do things like what the article describes, they always can.

They can read your emails and chat logs and whatever else is sitting on your work machine. The only way of dealing with that is to never have personal information on them in the first place.

marcosdumay|10 years ago

If you work at a big company, that is any time, without your knowledge, or even any reason for your suspicion.

angdis|10 years ago

OK, that is what is "legally possible" in a worst-case scenario.

But IN PRACTICE, what is normal?

Your statement seems to indicate that IT staff can just browse personal communications, desktop displays, keypresses. I am sure that they can if necessary, but what kinds of scale and automation are we talking about? Doing such surveillance ad-hoc or without a very small number of targets seems like it would easily become intractable for any org with thousands of people.

I am not in an IT department, so I have no idea what goes on.

It seems the standard advice is always to take the most extreme precautions and to follow the corporate rules to the letter... but here I am typing this into a work computer on a Chrome browser without a care in the world.