• ech0@lemmy.world
      link
      fedilink
      arrow-up
      118
      ·
      edit-2
      1 year ago

      Sr. Systems Admin here. IT does not give 2 shits about what you browse UNLESS something is reported or something trips our Alerts (has to be something major like Child Porn).

      We don’t sit there and actively monitor and watch what you are browsing. We investigate when something is reported by a worker or an Alert/Filter gets tripped

      HR also doesn’t know unless we tell them.

      • Ensign Rick@startrek.website
        link
        fedilink
        English
        arrow-up
        31
        ·
        1 year ago

        Second. I once had a staff member come to me all embarrassed because someone sent a dick pick via some dating app while they was on our corporate wifi. I was like, “I promise we don’t care”.

              • ech0@lemmy.world
                link
                fedilink
                arrow-up
                2
                arrow-down
                4
                ·
                edit-2
                1 year ago

                Uh no? Most organizations use preinstaed certs. They are usually baked into the Windows image for deployment… They are what allow a corporate device to connect to WiFi networks without a password.

                • jasondj@ttrpg.network
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  All of the “privacy experts” in this sub wouldn’t know a certificate if it bit them in the ass. Most don’t even know of VPNs outside of the “privacy” services hawked by YouTubers.

                  Certificates can be used to authenticate machines to wired or wireless. This is true. They are much easier to maintain at scale than pre-shared key, especially when you run an internal CA and can issue or revoke them easily/automatically, and when you run a domain and can push out additional trusted root CAs to endpoints.

                  And if you have either an internal CA or a domain (ideally both), it’s very simple to have your firewall or web filter perform man-in-the-middle “attacks”. Most everything nowadays can handle TLS1.2 and many are starting to support TLS1.3. They essentially break open the traffic for inspection and re-sign it with a certificate that your system trusts so there is no error to the user. Some sites and apps have a hard time with this because of HSTS and pinning, but that’s a bit of a tangent.

                  I say “attacks” in quotes because they own the hardware and they own the time of the person using it.

                  Anyways, don’t do anything on a work computer you wouldn’t want your boss to know about. We usually aren’t actively watching the traffic, but some things are hard to ignore, and sometimes the CEO just wants to know who else has a diaper fetish for “official reasons”.

                • Lyricism6055@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  1 year ago

                  I’m not sure what you’re saying? Those certs log to somewhere and in my experience HR is nowhere near technically literate enough to monitor and track that stuff.

                  Usually a manager asks a sysadmin to watch someone’s stuff, then the sysadmin and manager tell HR what they find.

                  We had a contractor spending 90% of his day on reddit who got fired. Hr wouldn’t have been able to pull this info since they don’t have access to the system that tracks it

            • DM_ME_SQUIRRELS@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              That only applies to work devices. If you’re using your personal device, they would be able to see traffic to/from a dating website but not the actual content.

      • JokeDeity@lemm.ee
        link
        fedilink
        arrow-up
        21
        arrow-down
        2
        ·
        1 year ago

        Depends on the company size and the people above IT. Sometimes the boss is a chode and demands everyone be supervised like children constantly.

      • ryeonwheat@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Yeah, but the it’s a good rule anyway, for some of the same reasons as the “Don’t put it in an email if you wouldn’t want it read aloud in a deposition” rule.

        • winterayars@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Probably for audit/investigation reasons.

          IT generally doesn’t care (doesn’t want to care) but you still shouldn’t do personal stuff on work machines/profiles.

    • teft@startrek.website
      link
      fedilink
      arrow-up
      36
      ·
      1 year ago

      Also do some really weird things that are innocuous so the HR lady looks at you weird from now on.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    95
    arrow-down
    1
    ·
    1 year ago

    Everybody has a cell phone nowadays. There’s no excuse not to use your cell phone for private stuff. In fact don’t use the company Wi-Fi. You must use the company Wi-Fi then you must use a VPN

    But no excuse anymore not to use your phone, you don’t need to use the word computer to browse, send emails, flirt, whatever

  • Zeth0s@lemmy.world
    link
    fedilink
    arrow-up
    64
    arrow-down
    1
    ·
    1 year ago

    They see and scan all traffic, even what doesn’t go through the browser.

    No one should use work laptops other than for work

    • Honytawk@lemmy.zip
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Most just monitor your browsing through the Antivirus.

      Since they don’t want you visiting porn or malware websites on the corporate network, for good reasons.

  • Raiderkev@lemmy.world
    link
    fedilink
    arrow-up
    53
    ·
    1 year ago

    I never browse personal stuff on a company device. That’s what phones are for. I also don’t connect to company Wi-Fi on any personal device, because my company makes me sign in with my company’s credentials. This should be common sense.

  • PeachMan@lemmy.one
    link
    fedilink
    arrow-up
    51
    arrow-down
    5
    ·
    1 year ago

    Of course they can, they literally own the machine. You don’t own it, so don’t treat it like it’s your own private job hunting platform or porn viewer.

  • Shiki@lemmy.world
    link
    fedilink
    arrow-up
    52
    arrow-down
    9
    ·
    1 year ago

    Anyone that uses work equipment for personal stuff deserves to be found out

      • linoor@beehaw.org
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        If I remember correctly you have to pay extra to be able to access private messages. Maybe you didn’t have this option enabled?

      • SokathHisEyesOpen@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        They can see it. I know because someone had an HR investigation happening and they showed me screenshots of his Slack conversations.

        • library_napper@monyet.cc
          link
          fedilink
          arrow-up
          5
          ·
          1 year ago

          If it was a screenshot then they didn’t get it from slack. They have spyware that takes screenshots.

          Obviously if they install malware that records keystrokes or the screen then they can see what you type and what’s on your screen.

          But slack doesn’t let admins export private chats

          • SokathHisEyesOpen@lemmy.ml
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Then they must have been able to capture his whole screen. Idk how they’d do that days later, but they had a screenshot of a private conversation in slack. Maybe he had already set off some flags before then and they were watching him or something.

    • KazuyaDarklight@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      It actually depends on what tier of Slack license the company uses. Private is a black hole for anything short of Enterprise Grid, unless they reset your password and login as you, obviously doable but not at all subtle.

  • stevedidwhat_infosec@infosec.pub
    link
    fedilink
    arrow-up
    33
    arrow-down
    1
    ·
    1 year ago

    I work in cybersec - I’m not going to speak for all businesses or individuals but I will give you my perspective.

    Sometimes we need to see browser history to help with timeline correlation, it’s mainly to see “how did this file get here, was it downloaded etc.

    Sometimes the investigators need to check out the things they need to check out, BUT

    BUT

    It needs to be done precisely and sparingly where needed only. This means instead of going through the entire history file, or doing unrelated correlation work (spying on you without cause) you are going to only grab specific timeframes from things you suspect explicitly to prevent any overreach. It’s a tricky balance to hold but also why it’s so important for people in tech to be privacy advocates as well.

    There’s a difference between searching for answers to a problem that arose and looking for/predicting problems (thought crime detected!)

    • The Bard in Green@lemmy.starlightkel.xyz
      link
      fedilink
      arrow-up
      12
      ·
      edit-2
      1 year ago

      I also work in cybersecurity. Second everything this person said.

      This thread is a good reminder, because at many organizations HR / management can and will look at your browser history (and computer activity in general) as a method of monitoring performance and staying in control.

      But at my organization, we have never once looked at anyone’s browser history (and I know that HR hasn’t because they would have to go through us). We certainly could if we were asked to and we would if there was an incident (what we would care about is sensitive / confidential information getting leaked or suspicious activity on the network using a specific person’s credentials, suggesting those credentials may be compromised). But in almost 2 years (we’re a startup in the aerospace electronics sector) we have never once had cause to do that and we have a philosophy that happy relaxed employees who feel trusted by their employer are the kinds of employees that we want, so we wouldn’t intrude that way without cause ever.

      • edric@lemm.ee
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        I third(?) this. Security and IT teams are too busy to be monitoring your everyday habits. Sure, they can see your history if they wanted to, but they won’t unless there is an appropriate justification to do so, and it’s usually triggered by an incident or HR. There also stricit rules with doing so because employees still have the right to their own privacy. It’s not like HR can just go over to the security guy and ask them to pull someone’s browsing history.

    • sylver_dragon@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      Another Cybersec worker here, and I’ll broadly agree with all this. That said, I’d also point out that, depending on your site setup, the browser history may be nothing more than another place to correlate information we have from elsewhere.

      Several sites I have been at have used Data Loss Prevention (DLP) software which automagically records (and possibly blocks) data moving into and out of the environment. This can be very detailed, to the point of knowing when someone copy/pastes data to a web form. I’ve also been at sites which sniff web traffic at the firewall and record full pcaps and extract metadata for quick analysis. So yes, for those not aware, deleting browser history or using “in private” browsing or other steps to avoid us seeing your porn browsing, may not be as effective as you think.

      All that said, I’ve never been on a Cybersec team which has had enough time to really care about porn browsing, so long as you are not putting the network at risk. And, so long as HR/Management doesn’t tell us to care. We have better things to spend our time on.

      Lastly, if you don’t want us seeing it, don’t so it on a work computer. Look, we have lots of ways to see what you are doing. Just, do that stuff at home, on your own hardware. And leave the work computer for work. Writing up misuse reports is something I really hate doing.

    • _MusicJunkie@beehaw.org
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      1 year ago

      Same for our company, and all companies whose security folks I’ve had a chat with. We don’t give a fuck what you do on your computer. Almost all security folks are into privacy themselves, additionally to simply not having the time to look at people’s browser history or traffic or whatever.

      Yes, we have the option to collect data. No, we don’t look at it unless there is a very good reason to do so. And we protect that data, HR or whoever can’t just have it if they feel like taking a look. There is a process to protect the data, because that means protecting the company.

      Your security team is not the enemy.

  • regalia@literature.cafe
    link
    fedilink
    arrow-up
    34
    arrow-down
    2
    ·
    1 year ago

    Until you get asked by HR why you’re breaking their policies by clearing history and why you’re doing it. If it’s a work device that’s not yours, don’t expect privacy. It’s their property.

    • skookumasfrig@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 year ago

      They don’t need the computer to see everywhere you’ve gone. I’ve never heard of anyone getting in trouble for clearing their history, but lots of people who have had problems visiting questionable sites.

    • shalva97@lemmy.sdfeu.org
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      When I turn on my pc I get a prompt saying “this computer is managed by your organization, expect no privacy”

      • regalia@literature.cafe
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        I have a very hard time believing that lol. Doesn’t matter what country, it’s still the companies property, and the work you’re doing in it is still considered their property. It’s not a personal device. What a pretentious statement.

        • CrazedLumberjack@lemmy.z0r.co
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          In Canada employees may have a limited expectation of privacy on work computers.

          Quoting from this article, which references the same supreme court case as the above article:

          Mr. Justice Fish, writing for the majority of the Supreme Court, delineated the following instructive principles:

          • Whether at home or in the workplace, computers are reasonably used for personal purpose and contain information that is meaningful, intimate and touching on the user’s biographical core;
          • The user may reasonably expect privacy in the information contained on their computer particularly where personal use is permitted or reasonably expected;
          • While ownership of the computer and workplace policies are relevant considerations, neither is determinative of a person’s reasonable expectation of privacy;
          • The totality of all the circumstances will need to be considered to determine whether privacy is a reasonable expectation in any particular case;
          • Workplace policies and practices may diminish an individual’s expectation of privacy in a work computer; however they may not in themselves remove the expectation entirely;
          • A reasonable, though diminished expectation of privacy, is nonetheless a reasonable expectation of privacy, protected by s. 8 of the Charter and subject only to state intrusion under the authority of a reasonable law.
          • regalia@literature.cafe
            link
            fedilink
            arrow-up
            4
            ·
            edit-2
            1 year ago

            Accidentally deleted my post lol, but the court case ultimately ruled for the company, and that these laws aren’t very strong to begin with.

            It is recommended that employers should implement clear policies that define, in unequivocal terms, the employer’s expectations surrounding workplace computer use, including smartphone use, if employers provide such equipment to employees in an employment context. Although Fish J., in R. v. Cole, stated that workplace policies are not determinative of a person’s reasonable expectation of privacy, if properly drafted a workplace policy combined with consistent employer actions in the workplace, may diminish, objectively, the employee’s reasonable expectation of privacy. For example, where both the employer’s workplace policy and the employer’s actions in the workplace are consistent in prohibiting any personal use by employees of employer-issued computers or smartphones and where the employee has acknowledge receipt of employer’s policy that provides that any data sent, stored or received using the employer’s computer or smartphone is the property of the employer and the employer reserves the right to perform random checks or audits of the employee’s computer or smartphone use, the employee may be hard pressed to argue that he or she has a reasonable expectation of privacy.

            And the article you linked still suggests it’s a bad idea to assume privacy.

            While it may be tempting to use an instant chat application for workplace gossip, it is best to follow the golden rule: if you wouldn’t share it with your boss voluntarily, it’s probably best saved for a face-to-face conversation.

            This is more so to protect employees who are browsing facebook or something on a personal computer, that the employeer isn’t then allowed to snoop on their private social media accounts. For work related stuff, the rule still applies that it’s work property.

      • VolunTerry@monero.town
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Unfortunately, words on paper frequently fail to prevent organizations, public of private, from doing things they are technically not allowed to do. See the security state apparatus of any of the nations around the world including the 5, 9 and 14 eyes, or any number of tech companies that claim and market privacy respective policies only for people to uncover later that what they pitch publicly diverges in spirit from what they do or what is in the actual terms of service.

        Hopefully if people find their employer going outside the bounds of the contract they can catch it, catalog it and hold them to account. Accountability can often be tricky and costly though.

    • Case@unilem.org
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Sadly this.

      Any personal matters I may have attended to during work hours were done on a personal device, through a VPN, preferably borrowing some other WiFi signal than one run by any company I work for.

      If its even more personal, just drop WiFi I don’t control all together. Either use the phones data plan for 10 minutes, or tether it to a computer and do the same.

    • VolunTerry@monero.town
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      This, but it won’t matter if you delete history. They know anyway if the want, and can enable logging it if they choose.

  • rah@feddit.uk
    link
    fedilink
    arrow-up
    34
    arrow-down
    3
    ·
    1 year ago

    your work sees all your browser history

    Possibly, if they’ve bothered to configure their machines that way. And only on the browsers they’ve configured that way and only on their machines.

    Also, please don’t assume that your work operates the same way as everyone else’s work.

    • Ecology8622@lemmy.ml
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      1 year ago

      We have that capability but dont really have the time or need for it. having said that, it only takes one rouge employee to mess it up for everyone else.

    • Potatos_are_not_friends@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      I’m not on the IT team but have elevated permissions. I can dial into any of my subordinates computers “invisibility” I might add, and watch their screen. I can copy data remotely. It’ll take me a few minutes to grab an image of their computer “for backup” reasons, restore it on another computer, and then safely view their history.

      By invisibility, I still leave log traces on their computer.

      I’m not going to, because wtf. But I totally do have that power.

  • UsernameLost@lemmy.ml
    link
    fedilink
    English
    arrow-up
    23
    ·
    1 year ago

    Oh no, my employer might find out I’m looking for other jobs after being overloaded for a year and a half and constantly having my concerns/feedback/process improvement initiatives brushed aside.

    • Chaotic Entropy@feddit.uk
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      I have been hinting to my manager for 6-9 months that he needs to move part of my workload elsewhere so that I can focus and actually achieve something. To think, all it took was for me to tell him straight that I was unhappy and unfulfilled to the point that I was considering resigning. Suddenly he’s all apologies and let’s make changes because you’re kind of vital and we don’t want to lose you.

      • PopularUsername@lemmy.sdf.org
        link
        fedilink
        arrow-up
        8
        ·
        1 year ago

        And I was fired for it. Depends on the market demand I suppose, some industries there is no denying your worth, in others you’re disposable.

        • maynarkh@feddit.nl
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          I love the fact that firing me what the person you’re answering mentioned is illegal here.

          Peace of mind.

          • PopularUsername@lemmy.sdf.org
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Yeah pretty outrageous, I soon found out employment rights in Ontario Canada are practically useless. I had no idea, I thought I had some basic protections, it’s almost nothing.

    • Agent641@lemmy.world
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      Shot, i regularly browse jobs websites even though Im not looking to change jobs again soon. Just to keep them guessing.

  • angelsomething@lemmy.one
    link
    fedilink
    arrow-up
    18
    ·
    1 year ago

    I’m an infrastructure analyst and at my workplace I implement such rules for specific reasons: 1) we need to be able to have evidence should an employee act maliciously with a company device. We do also monitor all queries but it’s passive. We can drill into your browsing history in great detail but won’t unless we have to (speaking personally here as I follow the code). 2) people will do dumb shit. And will lie to get support. Now, having been on the other end of a support ticket, I get it. Unless you lie a little, you may not get support promptly. Therefore, it’s part of my job to check what’s the lie and what’s the actual issue, which includes being able to see the download history. I would not be surprised if malware is accidentally downloaded and then it autonomously removes itself from the download history as It has happened before. Strictly speaking, this is done for both your safety as well as that of the company. And generally speaking, you should NEVER use your work laptop/phone/iPad for personal use because of all of the above.

    • 1984@lemmy.today
      link
      fedilink
      arrow-up
      4
      arrow-down
      8
      ·
      edit-2
      1 year ago

      I use my personal laptop at work, no issues. Employer can’t see what I’m doing which is the way it should be.

      If they don’t trust me, don’t hire me then.

      I would never work anywhere where people like you can watch what I’m doing. Luckily I’m in IT so I choose where I work.

      I despise companies who don’t give employees privacy. The reasons you gave means nothing. You can always argue for anything to protect the company. Who protects the employees?

      Safest for the company would be if you have employees in small cells being watched by guards around the clock. That would be really good for the company.

      • Darkassassin07@lemmy.ca
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        1 year ago

        If you’ve connected your personal laptop to your work wifi, they 100% can see all your browsing history (specifically whats passed through their network).

        Hell, I only run a simple homelab and I can see the exact traffic/browsing history of every device on my home network. I’m only tracking via dns traffic, but your https traffic can even be intercepted and decrypted pretty easily. So don’t even trust that.

        This doesn’t require installing anything on your device to fully monitor you.

        • angelsomething@lemmy.one
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          1 year ago

          You’re not wrong. It really comes down to how ethical the IT/company is. And we are, purposely so. Also we have dns-over-https and No other identifier is parsed through. So we can see and block someone browsing porn on the guest Wi-Fi, but we’d never know who it was. Look, I’m not saying things are perfect, but there are people like me who look out for both the user and the company. The goal is ensure that users privacy is respected and that the company is protected agains misuse, malicious intent or just plain bad-luck. This is the “code” I was referring to. As IT people we have to behave ethically for business we operate in. It’s not perfect but nobody is trying to be. This is all best effort from all parties.

          • 1984@lemmy.today
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            edit-2
            1 year ago

            Your ethics goes out the window when being told to do something by your employer.

            Maybe you try to look out for the user, but it’s completely wrong that employees should have to trust you to do that.

            “Company being protected from misuse” is a blanket term for survellience, same as “fighting terrorism”.

            I still stand by my opinion. Companies need to trust employees and not run survellience programs against them. It’s just wrong.

        • 1984@lemmy.today
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          Sure but I work from home. Don’t use their wifi except when I’m in the office. I could connect to a VPN and they would also see a connection to a VPN, but I don’t care enough to do that.

          But when I’m at home, working on my computer, they don’t see anything.

      • angelsomething@lemmy.one
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        I hear you, and fully get where you’re coming from. I work in the finance industry and we have auditors to answer to as well as a ridiculous number of compliance regulations we have to abide by. Not every business is the same. I’m personally on the no-trust policy when you have more than 50 users to manage but it also depend on company policy. No one is saying you can’t use your personal device at work. We don’t monitor the guest Wi-Fi in any way specifically because that would be an invasion of privacy. I was referring specifically to using a work device, managed by the business, for personal use. The employee is protected by being briefed during first day induction of he does and don’t with regards to the equipment that is provided to them to do their job. Their personal privacy is not infringed upon as there is a clear agreement about what is expected from them. By the way, I’m in the uk (not sure if relevant).

      • Aux@lemmy.world
        link
        fedilink
        arrow-up
        1
        arrow-down
        4
        ·
        1 year ago

        Your time during work hours belongs to the company. If you spend it on private stuff, you’re breaking your contract.

        • Bytemeister@lemmy.world
          link
          fedilink
          Ελληνικά
          arrow-up
          1
          ·
          1 year ago

          Eh, not really, at least in the US. You are paid to do your job. The company doesn’t own you during work hours. You can refuse to do work that was not in your job description, or ask for additional compensation. The company may fire you for this, but you would have a very compelling wrongful termination lawsuit.

  • seiryth@lemmy.world
    link
    fedilink
    arrow-up
    16
    arrow-down
    1
    ·
    1 year ago

    Forget chrome management. Any IT shop worth their salt is protecting their egress with a proxy, explicitly or transparently set.

    Don’t browse the net on your employer’s network or devices. Use your phone. Get on 4G/5G.