
It appears to be standard practice everywhere in corporate America.


Screenshots are not standard practice; in fact, since they're a great way to leak secrets being displayed on screen (passwords, confidential information), that's probably the opposite of standard practice.

Standard practice is monitoring emails, chat, web traffic and so on.


You call it screenshots, I call it VNC/RDP etc. See the rest of the discussion for how companies get away with it.


It is? I guess I'm in a special boat being a developer and being able to run Linux at work since 2012, but even on the corporate Windows/Mac workstations, I don't think I've been at a company that's installed any type of spyware (other than standard remoting tools used by help desk and controlled with Group Policies).


They don't disclose what they do, and typically it's a function of company size. Once you get past a certain point and there is budget for an IT department, they start installing things like 'endpoint management' and redirect your DNS to something that logs all DNS records, etc.


That is entirely different from taking screenshots.

It seems blatantly obvious for security and audit reasons that a company should log internet usage on their secure network.


Things like DNS tracing apply outside their network too, like WFH situations with no VPN.

Overall in practice, there is nothing stopping creepy sysadmin, boundary overstepping lawyer or creepy manager from secretly stalking specific employees by pushing IT departments to install extra monitoring software or just plain spying on specific employees.


I've only been a professional for 8 years but I've never had this experience as a developer.


How can you be sure?


Because every place I've worked (including corporations) I've had local admin on my box and could see the entire process tree. Usually you have to be running all the antivirus and monitoring stuff to connect to the employee network/VPN, but when you're off VPN you can kill those processes off.


>Because every place I've worked (including corporations) I've had local admin on my box and could see the entire process tree.

That's assuming that the spyware isn't some sort of rootkit that tries to hide its presence. If you're on Windows, it's also very easy to hide behind some generic-looking executables like svchost.exe.
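One way to do the kind of check the two comments above are talking about (walking the process tree from a listing and catching a binary that merely calls itself svchost.exe), as an added example that is not part of the original thread. The process listing, the allowlist of directories a system binary may live in and the expected-parent table are all constructed assumptions for illustration; on a real host you would feed in `tasklist /v` or `Get-CimInstance Win32_Process` output and also verify the image's Authenticode signature, which this script does not do.

```python
"""Triage a process listing for a masquerading system binary and a hidden
parent.  Constructed example: the listing below is made up, and the
EXPECTED_DIRS / EXPECTED_PARENT tables are illustrative assumptions."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str   # image name, lower-cased
    path: str   # full image path as reported by the listing


# Assumed allowlist of where these Windows binaries legitimately live.  A real
# check would additionally verify the Authenticode signature of the image.
EXPECTED_DIRS = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe": {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows"},
}

# Assumed parent relationships: svchost.exe is normally started by services.exe,
# lsass.exe by wininit.exe.  A copy launched from explorer.exe is suspicious.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}

# Constructed listing in the shape "pid ppid name path" (paths may contain
# spaces, so the path is the remainder of the line).
CONSTRUCTED_LISTING = r"""
4     0    System        System
652   4    wininit.exe   C:\Windows\System32\wininit.exe
740   652  services.exe  C:\Windows\System32\services.exe
760   652  lsass.exe     C:\Windows\System32\lsass.exe
912   740  svchost.exe   C:\Windows\System32\svchost.exe
1440  740  svchost.exe   C:\Windows\SysWOW64\svchost.exe
3200  652  explorer.exe  C:\Windows\explorer.exe
4872  3200 svchost.exe   C:\Users\bob\AppData\Roaming\svchost.exe
5104  9999 monitor.exe   C:\Program Files\Agent\monitor.exe
"""


def parse_listing(text):
    """Turn the whitespace-separated listing into Proc records."""
    procs = []
    for line in text.strip().splitlines():
        pid, ppid, name, path = line.split(None, 3)
        procs.append(Proc(int(pid), int(ppid), name.lower(), path))
    return procs


def find_masquerades(procs):
    """Well-known image names running from a directory they should not."""
    findings = []
    for p in procs:
        allowed = EXPECTED_DIRS.get(p.name)
        if allowed is None:
            continue
        image_dir = str(PureWindowsPath(p.path).parent)
        if image_dir.lower() not in {d.lower() for d in allowed}:
            findings.append((p.pid, f"{p.name} loaded from {image_dir}"))
    return findings


def find_bad_parents(procs):
    """Processes whose parent is not the one the OS would normally use."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        want = EXPECTED_PARENT.get(p.name)
        if want is None:
            continue
        parent = by_pid.get(p.ppid)
        have = parent.name if parent else "<missing>"
        if have != want:
            findings.append((p.pid, f"{p.name} parent is {have}, expected {want}"))
    return findings


def find_orphans(procs):
    """Processes whose parent pid is absent from the listing (the parent may
    simply have exited, or it may be hidden from the enumeration)."""
    pids = {p.pid for p in procs}
    return [(p.pid, f"{p.name} parent pid {p.ppid} not in listing")
            for p in procs if p.ppid != 0 and p.ppid not in pids]


def triage(text):
    """All findings for a listing, sorted by pid."""
    procs = parse_listing(text)
    findings = find_masquerades(procs) + find_bad_parents(procs) + find_orphans(procs)
    return sorted(findings)


if __name__ == "__main__":
    for pid, why in triage(CONSTRUCTED_LISTING):
        print(pid, why)
```

On the constructed listing this flags pid 4872 twice (svchost.exe under a user profile directory, and started by explorer.exe rather than services.exe) and pid 5104 once, because its parent pid is not in the listing at all. The orphan check is deliberately weak evidence on its own: a parent that has simply exited produces the same signal as one hidden by a rootkit, so it is a prompt to look closer, not a verdict.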


You are certainly correct, but a bit of light digging + reflection on your company can give you a lot of confidence. For example, I work at a startup and I can say with great certainty that my boss has way too much going on for him to have installed any sort of rootkit after wiping the previous data and before I set up my admin account.


You’re not the average employee-computer user!


I've been driven to the store and told to pick out my own computer and accessories and nobody ever had it in their hands for any length of time other than the employee who carried it to me. This has happened in two of my seven or so jobs. As a counterpoint, however, at another position the boss was indeed spying on us, which wasn't surprising if you worked there for any appreciable time since he was a complete control freak.


That’s far from average practice. I couldn’t care less for the obviously non-abusive cases. They’ll never number significantly.


I've had the same happen to me (and all my colleagues) at my first work place as a developer.


But not criminal (assuming it’s their equipment).


It's standard practice if you agree to it in your employment contract.


In some jurisdictions (mostly EU countries, I think?) your employer would be at fault if they gathered personal information (for instance a sexual orientation you didn't disclose) from a personal account you used on a work computer. Or from anything you explicitly marked as personal, even if it's on your computer. They might still delete the data indiscriminately, just shouldn't access it.

Being at work, on the company's hardware, isn't enough to completely void your expectation of privacy.


And if you don't, you generally don't get employed.


That's not true.

I've been working in software for almost 20 years and have never had spyware like this installed on my PCs. I've worked for companies with over 70k employees, down to startups with fewer than 100. Both in office and remote.

I'm not saying it doesn't happen, but it's definitely not normal, and I would personally never work under those conditions.


It's not normal to do screen capture, but internet logging and email/chat discovery are almost universal in a large company. Most financial companies will have forensic agents and inspect random emails.

Also, security tools are getting more sophisticated. As legacy AV gets replaced by next-gen stuff, there will be more creepy shit. If you have a tool like CrowdStrike, most developers will do stuff that will get them flagged as high-risk.


You don't need to go to third parties to obtain such surveillance software; Microsoft has several solutions for this as well. Actually many large companies that are running Windows are also using Windows Defender Advanced Threat Protection (ATP), not just b/c it's easy to deploy, but also b/c it isn't very noticeable by users.

It's questionable how much such tools actually improve security; most of it appears to be a power grab by someone in charge of security, usually there's no transparency, and even C*Os aren't aware of how much they are snooped on. For example (as ATP does), recording of all commands including arguments, stored in a searchable database. Who does this benefit the most?


> It's questionable how much such tools actually improve security; most of it appears to be a power grab by someone in charge of security, usually there's no transparency, and even C*Os aren't aware of how much they are snooped on. For example (as ATP does), recording of all commands including arguments, stored in a searchable database.

I would agree it's often a power play for would-be corporate cyber-warriors.

But the tools are very effective for certain threat categories. The downside is that they require skilled operational security people to be used effectively, and many security organizations are mostly compliance focused and don't have the talent or framework to pivot the organization. It's similar to how underperforming IT organizations were/are aligned with the CFO -- many security orgs are aligned with counsel/risk.


As a contractor or a full time employee at the 70k people companies? Was it in the past 10 years? If you used a company provided computer, did you investigate what was running? Did you go beyond the typical process manager and look into the kernel modules list?

They often don't disclose explicitly that this stuff is running, because it rightfully creeps people out and the 'security' types don't want people to know.


Contractor here, I mainly work on mega-big corporations. I always check what runs on my PC. I never use the work machines for anything personal. FFS I don't even use their guest wifi. I stick to my data plan. I have noticed the last few years that BlueCoat is on the rise. From some article a couple of months back I read that the company/fund that owned BC also bought Sophos.


Speaking of wifi, I have seen it used to check when people come to work, go on break, etc... (tracking mobile phones).


I think the parent means that if you don't agree/sign the "you can spy on me" policies, they just don't hire you.


Yes but would it always hold up in court? You can give your soul away by installing a piece of software without reading the agreement but it wouldn't hold water, of course. Curious how this would work with federal or state level wiretap laws.


Holding up in court is one facet. Needing to litigate in and of itself is typically a deterrent, especially for complex issues where there's a time/cost deterrent for pursuing combined with perception of success in court.

There's a lot you can get away with by making a process complex, arduous, and potentially expensive. Faced with that option vs letting some employer take photos of you in your pajamas without shaving while watching your every move, people tend to forego privacy.

When the working population at large starts to follow suit, you've artificially introduced a new trend with artificial social acceptance. Now, it makes a single employee battle concerned about privacy even more daunting and introduces perception of increased risk of failure if legally pursued for the employee thinking of litigating.

The end result is: privacy is eroded. Rinse repeat, for just about anything you want to change. Just make change gradual and give it time. It then takes someone with the financial and time resources to take a hit and pursue as well as eagerness to bother.


This is a really well-worded comment, thanks!


Ehhhh, the supreme court has found that you can sign away rights in a shrink wrap agreement.

https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...


Generally at work you have far fewer expectations of privacy, particularly on non-personal devices.


It's your employer's hardware. It's legal for companies to oversee the work their employees are doing.


Activating the camera and/or the microphone remotely without notification, on non-corporate owned premises may be illegal. There are wiretapping laws, etc.

Just because I own a microphone and camera doesn't mean I can use it unknowingly in your home. Even if you were to borrow it and willfully bring that camera and microphone into your home, there are reasonable expectations of privacy that can't be violated.

If I explicitly said I'll be using that microphone and camera to record you, made that very clear, and had you sign off on it without duress, then there may be grounds. The problem is, as a condition of employment, at least for me, would be a form of duress. If it becomes widespread and everyone caves into signing off on that sort of recording, then it'll start to lose strength as being a form of pressure.


Camera/microphone isn't what was being discussed in this conversation thread. The topic at hand was taking screenshots of the desktop.


It's pretty common just to include it as a disclaimer in GPO:

https://docs.microsoft.com/en-us/windows/security/threat-pro...

Like this:

https://i.stack.imgur.com/NUipb.png


Many people agree to a lot more than they realize in order to get the job. And since some practices are very common, rejecting them simply locks you out of your target segment of the job market. The balance of power in most cases is heavily tilted towards the employer, things like this aren't negotiable unless you are at or close to the top.


Except that no contract can override the law, at least not where I live.


But it's not illegal to watch a video of someone with their consent. Whether an employment contract counts as consent or not is an exercise that I'll leave to the reader, but it's definitely a gray area.


You can't consent to things that are not allowed by law. If the law states that you cannot murder people, and someone consents to being murdered, you're still not allowed to murder them and it's still murder.

Murder is an example here, but there are similar laws regarding spying on people, using private information in business and reading someone else's mail. Consent does not override the law.

But to get more specific to your point and the grey area: there is a case where the law permits video surveillance (e.g. in an office) and as a side-effect some footage of a display might be captured. If the display happens to show private content, that is not actionable/admissible anymore. Some countries and laws go as far as to make dashcam recordings inadmissible and even illegal. While impractical in some cases (e.g. if your car gets bumped into by another car while parked) it's also to prevent a government from "getting all recordings of all cars in a street to find a person that might have walked by".

Some laws have exemptions like high security areas where the law explicitly states that if you are not allowed to be there except for specific purposes, and not allowed to conduct anything there except specific tasks, and you are allowed to record the area to be able to verify it (e.g. a nuclear energy plant), then that specific area is off-limits to your private activities/data. But it's not broad enough to allow any company to spy on anyone doing work for them. I suppose that might be different in the US or some US states.


It does seem that way. Maybe not screenshots, but very often screen monitoring. And network MitM and logging, of course.

However, many firms provide WiFi APs for visitors and consultants, and employees can use them for their personal devices. So there's no need for anything personal to touch a business device.

