Why (and how) bosses set up devices to ‘supervise’
If you’ve ever thought about driving your company car to a strip club during your lunch hour, don’t. Your employer may be watching you.
A California construction worker found this out the hard way in 2014, when he parked a truck emblazoned with his company’s logo and equipped with a GPS tracker at a local nude-dancing establishment, only to lose his job and throw his marriage into turmoil. His employer was monitoring his movements, and then told his wife of her husband’s indiscretion.
This scenario isn’t unique to company-issued vehicles, says Todd Wulffson, a managing partner at California-based employment law firm Carothers DiSante and Freudenberger. Wulffson, who represented the construction company when the fired worker threatened to sue, says he has seen employers track work-issued smartphone GPS signals, hack data to determine whether workers are having affairs while away at conferences, and even use drones to spy on unsuspecting employees.
It may seem easier to use your school- or company-issued device to make personal calls, post on social media, shop online, or look up driving directions than it is to lug around multiple laptops or smartphones. But at least you can equip your separate personal devices with software—from virtual private networks to encrypted-messaging software—that can help keep your private communications and movements private.
“Generally speaking, you should assume if you have been issued a corporate device, absolutely everything you do on your corporate device is logged and analyzed,” says Dan Tentler, founder of the security testing company Phobos Group.
Even if your boss isn’t actively surveilling you—or you think you have nothing to hide—you should know how blurring the line between personal and professional puts your privacy at risk.
Emory Roane, policy counsel for the nonprofit consumer advocate Privacy Rights Clearinghouse, says there are several standard—and obvious—ways organizations moderate how employees use their company-issued devices to protect their own networks against security breaches.
Administrators of company-issued Apple iOS devices like iPhones and iPads, for example, can enable parent-like “supervision” of the devices they issue, which lets them restrict access to certain apps, filter Internet usage, and track user locations. They must enable supervision during device setup, and they cannot turn on a supervision feature after issuing a device without notifying the user. If the administrator turns on location monitoring after issuance, for example, the device will lock and notify the user on the lock screen.
Android devices have a similar feature called a work profile that allows the device administrator to remotely wipe data, monitor network usage, track locations, and silently add or delete apps. According to Google’s guidelines, admins cannot access data or apps on your device outside of your work profile—but only the administrator can delete a work profile, or do a factory reset to remove data.
In either case, it’s easy to figure out whether an administrator has access to your device. For devices running iOS 10 or later versions, the supervision message is found on the main Settings page. Users of Android devices can go to Settings, then Accounts to see whether a work profile is listed.
Things get tricky when organizations move past official supervisory capabilities and mobile-device management, installing more invasive spyware on the devices they issue. According to Roane, keyloggers, as well as remote access to device microphones and cameras, are relatively easy for an organization to set up. And they are nearly impossible for the user to detect.
“The devices we’re carrying in our pockets have dozens and dozens of sensors, and look into our personal lives,” Roane says. “There is a lot of potential for abuse. You should always operate under the assumption that anything you do on a workplace device could be seen by your supervisor.”
Roane also says there isn’t a strong legal framework to protect worker privacy, or to prevent employers or educators from monitoring what you do with your company-issued phone or laptop.
“If you are an employee, and your employer has given you a device to use for work, you can rest assured that they are legally allowed to do a lot of surveillance on that device,” Roane says.
All that said, experts agree that your employer or school likely isn’t actively tracking your day-to-day movements or recording private conversations you have at home.
“There is a reasonable expectation of privacy with employees, and if [employers] want to transcend that reasonable expectation of privacy, [they] need to do it with notice to the employee,” Wulffson says.
In most cases, Tentler says, organizations are simply using monitoring as a preventive measure against rogue or careless user actions that put sensitive data—and large sums of money—at risk.
“Is your device logging things? Absolutely, no question,” says Tentler. “Does your employer actually care about what you’re doing enough to record audio of what you’re doing on a road trip? Highly unlikely.”