Comment by macNchz
4 hours ago
This is something that genuinely runs the gamut across different companies—plenty don't even know the serial numbers of company-owned machines, never mind which devices individuals have, while others do effectively have live feeds of every employee's screen available to managers at all times. In between you have many businesses that manage their devices but only insofar as to enforce some basic protection and reserve the right to investigate it in the case that something does go wrong. In having conversations about this kind of stuff with company leaders, many will strongly reject any of the most invasive tracking stuff, believe it or not.
I do agree, though, that for any type of surveillance, the rise of AI presents a really problematic opportunity to allow more targeted observation, since nobody has to spend their own time looking for what people are doing, they can ask an AI to keep tabs and look out for the things they care about.
On that note, I think one of the more realistic risks for an everyday person doing personal things on a work machine is probably insider threat from a rogue IT admin, whose access allows them insight into company devices without enough oversight.
I think IT departments also tend to underestimate the risk they pose when they manage machines. Look at Stryker, where intruders used Intune to wipe all the company's devices. The ability to do that shouldn't exist, but the IT department happily rolled out the means of their own destruction in the name of compliance and making their lives easier.
Device management is definitely a big hole to punch into each machine, but, once you're above a handful of staff, managing devices manually is not really tenable, and I do think the restrictions provided by device management have tangible benefits (it's amazing what people will download and run without a thought).
Arguably the risks of the MDM should be assessed and mitigated with some kind of defense in depth approach—highly sensitive things like bulk wipe disabled with multi-person approval required to re-enable, hardware MFA requirements, anomaly detection + alerting for weird behavior, etc etc. I'd argue the risks stem more from badly configured MDM where a compromise of one sysadmin's browser has a company-wide blast radius, rather than the fundamental presence of device management itself.
I think I'm probably coming at this from a different perspective than IT people.
I've worked on IoT products where we've deployed fleets of thousands of devices without user interfaces placed all over the world in random, inaccessible places, hanging off cellular radios. We're definitely not managing those manually. Architecting management systems for that is always interesting. Sometimes the question would come up, "why don't we do X?" where X necessarily included the ability to brick the entire fleet (and probably kill the company) in 5 minutes. My philosophy was that certain things are too dangerous to exist, no matter how useful they might be.
1 reply →
There are also individual-level risks. If you capture everything, you might capture bank account numbers when setting up direct deposit or credit card numbers from corporate purchases (these are clearly valid uses of company equipment). In a only slightly less valid use, you might submit a medical claim (using a company benefit), and surveillance software gets part of your medical record.
There are underappreciated liabilities companies take on with this monitoring.
Yeah, many companies don't want the liability issues. Like what happens if I open my bank account on my work computer? You could argue I can expect someone to be watching but I have no warning that someone is? Here in the EU that would probably be an easy lawsuit.
Why would you ever login to a sensitive account on a device you don't own and have root on? Like I trust my employer not to do anything shifty with my banking info, if I were to use it, but I'm not going to take that chance for a dozen reasons.
> Why would you ever login to a sensitive account on a device you don't own and have root on?
You mean like the phones that everyone uses with banking apps?
3 replies →
You probably use direct deposit in which case your employer already has your banking info
4 replies →
What are the reasons?
Can’t speak for the EU, but the companies I’ve worked for in the US explicitly state what they do not track in their privacy/use policy when giving out laptops/phones/tablets.
E.g. their anti-virus or firewall system may ignore URLs related to banking, medical, or political affiliation and chose not to log or decrypt that traffic
Once I was trying to find a scene from a TV show at work for a joke with colleagues, and the quote I used ended up triggering a very NSFW search. Did not get fired, not even talked to. Thank goodness!
A lot is tolerated, until they want to get rid of you. But in the EU i'm pretty sure they can't use regular non-compliance stuff (general browsing, etc) in evidence. In DE you can't even identify an individual.
Moreover: what is the upside?
Spying on employees is not free. If you want to spend serious resources doing it, there has to be an upside.
How do you expect an employee to prove their banking actions on the company computer were spied on? I imagine this impossible to prove.
If the employer is spying on everything, it's quite easy.
In discovery you can ask for the records. Of course you would need some initial evidence to show it’s likely it exists.
By having it in a small window that's always on the screen.
Isn't Facebook training their AIs on their finest engineer's computer use so the AIs can become better computer users?
In this case, the more insidious yet subtle risk and attack vector for humans using these Facebook computers, is that Facebook begins to use this data to discriminate (legally) on performance metrics. They can then use these to automatically disseminate performance improvement plans, lead to higher productivity (perceived, as whats measured no longer ends up being a useful metric) and control and urge people to do more of what they desire.
And my curiosity is: does what Facebook desire align with what the humans who work for Facebook desire? I think with AI, that's a no. The company desires as low a labor/workforce/compensation cost as possible, while the humans desire as much compensation as possible.