(By Kashmir Hill)
Earlier this year, the CEO of a Christian publishing company gathered his troops for a meeting where he went ballistic over rumors being spread about the company by internal sources — and then punished the unidentified culprits by firing 25 employees. During the meeting — which garnered press coverage thanks to one of the employees secretly taping it — Ryan Tate revealed that he had been monitoring his employees’ computer activity to try to figure out who was responsible.
“I’ve looked the other way… I’ve trusted you. Good God. Want to watch Netflix? Let them watch Netflix. Let them throw it up on a projector if they want. They want to be on Facebook all day long? Be on Facebook all day long. Sure I’m paying you to do that. That’s all okay,” he said.
He was okay with employees goofing off, but not with their badmouthing the company. “I got to read some of your Facebook pages. My favorite is when you post something and then take it down and don’t think we archive it all.”
I reached out to the company at the time to see how they were doing their monitoring, but never heard back. Tate may have had a company policy of monitoring employees’ social network activity, or it may have been capturing their Facebook sessions on their work computers (or maybe it was just a bluff). Either way, Tate is far from the only employer to be snooping on employees’ digital activity. The FDA is currently fighting off a lawsuit by scientists who claim they were fired for whistleblowing, something the federal agency realized they were doing thanks to a spyware program from SpectorSoft that captured their emails and computer activity. Thanks to a mess-up by a contractor maintaining the files, the 80,000 (!) pages in the spying dossier were temporarily leaked online, making it clear just how extensive the monitoring was.
It’s not unusual for employers to monitor employees’ computers and even their smartphones, but many employees don’t think about this in the course of their work day, spending breaks looking at potentially sensitive personal email, having sexy chats, scrolling through (hopefully not too scandalous) Facebook photo albums, or maybe even checking out job listings elsewhere. Before you do anything too outrageous on your work computer, you might want to think about whether it’s monitored. I talked to computer forensics expert Michael Robinson and security researcher Ashkan Soltani about some tells that would reveal you’re potentially being watched.
First off, you should check your employee handbook or computer usage agreement. If your employer says there that your computer activity could be monitored — which is pretty standard — then they’ve got the right to peek. But then there’s the question of whether they’re actually taking advantage of that right.
“Whether you’ll be able to tell depends on where the monitoring is being done,” says Robinson. “If it’s upstream, at the Firewall, it’s hard for the user to know. That’ll just tell the employers which websites employees are going to, so they could check, for example, how many employees went to Monster.com that month. But if they want to actually see more granular activity, they have to put monitoring software on the computer itself.”
Security researcher Ashkan Soltani says a tool like netalyzr.icsi.berkeley.edu may tell you if you’re being monitored at the Firewall. “It will demonstrate there’s something ‘in the way’ of your secure communications,” he says. “It’s not 100% reliable but often there are ‘tells.’”
If you’re on a corporate network, all non-HTTPS communication is visible to whoever controls the network. Some employees mistakenly think that because Gmail or Facebook offer HTTPS, their communications are encrypted and no one can read them. That may be true if monitoring is happening upstream, though there are methods for a company to see through the encryption, since it controls the network and often the device you’re accessing your personal information through. For example, see this BlueCoat guide for gaining control of encrypted sessions. And if the monitoring software is on your computer itself, HTTPS/SSL offers no protection at all.
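One of the “tells” Soltani alludes to is the certificate your browser is shown: an upstream device that opens up HTTPS sessions has to present its own certificate, signed by a CA your employer installed, instead of the one the site’s public CA issued. The script below is an added example (not from the article, and not how netalyzr works internally) that checks for that from the user’s side. It assumes you recorded the expected issuer and certificate fingerprint for the site once from a trusted network; the hostnames, issuer names and DER bytes in the samples are constructed placeholders.

```python
"""Check whether an HTTPS session is being opened up by an upstream proxy.

Added example, not the article's or netalyzr's code. Compares the issuer and
fingerprint of the certificate actually presented with the ones you expect.
"""
import hashlib
import socket
import ssl
from typing import Dict, List, Optional, Set, Tuple


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[dict, bytes]:
    """Connect for real and return (parsed peer certificate, DER bytes).

    Verification stays on: an interception proxy whose CA your machine does NOT
    trust fails here (itself a tell); one whose CA IT pushed into the system
    store passes, which is why the issuer check below is still needed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def issuer_fields(cert: dict) -> Dict[str, str]:
    """Flatten getpeercert()'s nested issuer tuples into {field: value}."""
    fields: Dict[str, str] = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded leaf certificate."""
    return hashlib.sha256(der).hexdigest()


def interception_tells(cert: dict, der: bytes, expected_orgs: Set[str],
                       expected_fp: Optional[str] = None) -> List[str]:
    """Return human-readable reasons to suspect something is 'in the way'.

    An empty list means the certificate matches what you recorded elsewhere.
    """
    tells: List[str] = []
    org = issuer_fields(cert).get("organizationName", "")
    if org not in expected_orgs:
        tells.append(f"issuer organization {org!r} is not one of {sorted(expected_orgs)}")
    if expected_fp and fingerprint(der) != expected_fp:
        tells.append("leaf certificate fingerprint differs from the one seen on a trusted network")
    return tells


# Constructed samples in the shape getpeercert() returns (placeholder names,
# not real certificates). PUBLIC_* is what the site's own CA issued;
# PROXY_* is what an inspecting firewall would hand you instead.
PUBLIC_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
PUBLIC_DER = b"constructed-der-bytes-public"

PROXY_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example Corp Internal CA"),),
               (("commonName", "Example Corp SSL Inspection CA"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
PROXY_DER = b"constructed-der-bytes-proxy"


if __name__ == "__main__":
    expected = {"Example Public CA"}
    baseline_fp = fingerprint(PUBLIC_DER)   # recorded once from a trusted network
    for label, cert, der in (("trusted network", PUBLIC_CERT, PUBLIC_DER),
                             ("corporate network", PROXY_CERT, PROXY_DER)):
        print(label, "->", interception_tells(cert, der, expected, baseline_fp) or "no tells")
```

Run `fetch_leaf("mail.example.com")` on the office network and pass the result to `interception_tells` with the issuer and fingerprint you saved at home; two tells (unexpected issuer and a different fingerprint) are the classic signature of an inspecting proxy. Like the article says, none of this helps if the monitoring software is on the computer itself: it sees the page after the browser has decrypted it.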
Monitoring software on a computer captures keystrokes and screenshots. That means it can reconstruct your Gmail or Facebook session (which may be how Tate Publishing had records of what its employees had put up on Facebook, and later took down). These kinds of programs won’t show up as applications, but they will show up as running processes.
If you’re on a PC, you can see a running process by hitting “Alt-Ctrl-Del” and pulling up your “Task Manager.” Switch to the “Processes” tab.
On a Mac, go to your “Launchpad,” bring up “Gadgets and Gizmos,” then go to “Utilities” and click on “Activity Monitor.”
The process probably has an innocuous name, but will be pretty busy as it has a lot of activity to capture. So how do you know if one of these processes is spyware? One option is to compare your processes with those running on a colleague’s computer. If one of you is being monitored and the other is not, you’ll likely notice some different processes running. If you’re both being monitored, though, that’s not very helpful (“and you should probably get a new job,” says Robinson). Luckily, there’s another option to run a check.
Funnily enough, many of these “spyware” programs are flagged by anti-virus and malware programs as malicious. Fancy that. As a result, some of the companies that offer this software have made “white lists” so that the IT departments running them can make sure that Symantec, McAfee and others recognize their processes as not-evil. And in many cases, those white lists are public, so you can see exactly what the file names are. Had the FDA’s consultants checked their running processes against SpectorSoft’s public whitelist, they likely would have spotted some of those executables on their computers.
Thanks to this, if you Google a strange process you’re seeing and it’s spyware, it will likely lead you back to the spyware vendor’s website.
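The two checks above (diff your process list against a colleague’s, then look up the odd ones against a vendor’s published whitelist) are mechanical enough to script. The following is an added example, not from the article or any vendor; it parses two constructed `tasklist`-style listings, ranks by CPU time because the article notes a capture agent is “pretty busy,” and matches names against a placeholder whitelist. The process names `svcmon.exe` and `svcmonhelper.exe` are invented for the sample and are not real products.

```python
"""Diff two process listings and flag the outliers worth Googling.

Added example, not from the article. Sample listings and the whitelist are
constructed; the 'svcmon' names are placeholders, not real executables.
"""
import re
from typing import Dict, List, Set, Tuple

# One line of `tasklist`-style output, reduced to: image name, PID, CPU time.
_LINE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)\s*$")

# Always present and always "busy", so it tells you nothing.
IGNORE = {"System Idle Process"}

# Constructed sample listings (image name, PID, CPU time). Not real captures.
MY_MACHINE = """\
System Idle Process     0   3:12:45
explorer.exe          1320   0:01:10
outlook.exe           2210   0:04:02
chrome.exe            2410   0:09:55
svchost.exe            804   0:00:12
svcmon.exe            1980   1:47:30
"""

COLLEAGUE_MACHINE = """\
System Idle Process     0   2:58:01
explorer.exe          1308   0:00:58
outlook.exe           2144   0:03:41
chrome.exe            2390   0:11:02
svchost.exe            812   0:00:09
"""

# Placeholder standing in for a vendor's published AV whitelist.
EXAMPLE_WHITELIST = {"SVCMON.EXE", "svcmonhelper.exe"}


def parse_tasklist(text: str) -> Dict[str, int]:
    """Map each image name to its total CPU time in seconds.

    Several instances of the same image (e.g. many chrome.exe) are summed;
    lines that do not fit the expected columns are skipped.
    """
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        totals[m["name"]] = totals.get(m["name"], 0) + secs
    return totals


def unique_processes(mine: Dict[str, int], theirs: Dict[str, int]) -> Tuple[Set[str], Set[str]]:
    """Names running on only one of the two machines (Robinson's colleague check)."""
    return (set(mine) - set(theirs) - IGNORE, set(theirs) - set(mine) - IGNORE)


def busiest(procs: Dict[str, int], n: int = 5) -> List[Tuple[str, int]]:
    """Top-n processes by accumulated CPU time, ties broken by name."""
    ranked = sorted(((name, t) for name, t in procs.items() if name not in IGNORE),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:n]


def match_vendor_whitelist(procs: Dict[str, int], whitelist: Set[str]) -> Set[str]:
    """Running names that appear on a vendor whitelist (Windows names are case-insensitive)."""
    wanted = {w.lower() for w in whitelist}
    return {name for name in procs if name.lower() in wanted}


if __name__ == "__main__":
    mine = parse_tasklist(MY_MACHINE)
    theirs = parse_tasklist(COLLEAGUE_MACHINE)
    only_mine, only_theirs = unique_processes(mine, theirs)
    print("only on my machine:", sorted(only_mine))
    print("only on colleague's:", sorted(only_theirs))
    print("busiest on mine:", busiest(mine, 3))
    print("on the vendor whitelist:", sorted(match_vendor_whitelist(mine, EXAMPLE_WHITELIST)))
```

On a real machine, paste the output of `tasklist /v` (Windows) or a `ps` listing with a compatible column order in place of the sample strings. A name that is both unique to your machine and near the top of the CPU ranking is the one to look up; if both machines show the same extra process, you are in Robinson’s “you should probably get a new job” case.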
Unfortunately, some spyware programs are savvier than others. “The more sophisticated ones behave more like rootkits in that they hide themselves from view,” says Soltani.
“I used to work for a company that when you gave notice, HR would tell IT to monitor you to make sure no intellectual property was stolen,” says Robinson. “The day I gave notice, a Windows update popped up. They thought they were being sneaky. I typed on the screen, ‘I see you watching me watching you watching me.’”
“If your boss is actually opening up your email and reading it, you might be able to embed tracking beacons into mail messages and then monitor when they’re opened,” says Soltani. You can use a program like emailprivacytester.com or ReadNotify — the program a crazy fan used to check to see if Jay-Z was reading the emails he sent to him.
Bosses who are doing full scale captures of everything their employees are doing are probably a rarity, says Robinson. “They’d be spending more time monitoring than managing,” he says.
It’s more likely to happen if a boss is actually worried about a particular employee, or if they’re worried about sensitive information leaving the company. In the case of the FDA, the federal agency was concerned that the consultants were leaking information critical of the agency to Congressional members (and they were right).
Given the many ways that your employer could spy on you — and the fact that they’re not all detectable — it’s probably wisest just to save anything too sensitive for your personal device or home computer.
In his closing remarks to his employees at that revealing all-hands meeting, publisher Ryan Tate said, “Be smart especially in this digital age. I get it if you’re at home and complaining to a loved one, but who goes online to do that, or sends an email?”
Um. Everyone, I’d say. But do be smart about which computer you’re doing it from. And of course, if you do choose the safer option of your home computer, keep your fingers crossed that a loved one isn’t snooping on you there.
“Opinion pieces of this sort published on RISE Networks are those of the original authors and do not in any way represent the thoughts, beliefs and ideas of RISE Networks.”