198 comments

[ 2.5 ms ] story [ 230 ms ] thread
tl;dr - European Court of Human Rights (ECHR) says employers can read private messages/mail sent (via non-corporate providers) on company time.

While I understand the employer's desire to ensure employees are working, does this open up personal cell phone conversations to monitoring as well?

The Yahoo IM account used was a work related account, so it's not clear whether the ruling would apply to a personal IM account.
He had both a personal and professional account and they made the case that they accidentally read the personal one.
My answer to your question is "No, it doesn't open up the personal cell phone conversations to monitoring". Because a personal cell phone is a personal device and there is an expectation of privacy once you start using the word "personal", regardless of who owns the device.

I would actually add a bit more as the judges were trying to differentiate between work accounts and personal accounts:

"He argued that his right to a private life had been breached when his employer had read a log of messages on a Yahoo Messenger account he had set up for work, as well as that from a second personal one."

"Despite claims about the second, personal account, the judges only discussed the work account in their ruling."

"The device used to send the messages was owned by the employer, and the judges did not elaborate on whether it would have made any difference if he had used a personal device."

The missing piece of this article is what does the company policy say? In addition, it's clear the judges are saying that if you are using the work (corporate) network, you should not have any expectation of privacy, regardless of who owns the device.

What is unclear thing is who defined/authorized the personal account he created while using the work network? If the company authorized it, then they cannot log it and there is indeed an expectation to privacy. If they didn't, and he is simply personal making accounts using the corporate network, then he would not have an expectation of privacy in my opinion.

I'm also surprised only 1 judge said "One of the eight judges disagreed with the decision, saying that a blanket ban on personal internet use was unacceptable."

There should always be some room for personal use e.g. calling your doctor, kids at school, etc. A blanket ban is not practical at all and can never be fully enforced.

> If they didn't, and he is simply personal making accounts using the corporate network, then he would not have an expectation of privacy in my opinion.

Not quite right - this is one of the grey areas where the law defines something in between "has an expectation of privacy" and "doesn't have an expectation of privacy". Basically, the employer generally can't access personal information on work computers, even connected to work networks, unless they have a reasonable belief that e.g. there's evidence of the employee breaking policy in that personal information.

Even then, they must access as little as possible - for example, if you believe that the employee has personal information on their computer and having personal information is against policy in itself, and that's the only thing you believe, all you can do is ascertain that it actually exists - you can't go digging through people's family photos or private communications unless you reasonably believe that there's further policy violation in there.

I fully agree with you with the grey area sentiment. I eluded it it by saying "my opinion" as I'm not sure we have all the facts given that all policies are different.

The policy the employee accepts, and to be honest not enough employers explain these policies, should be the starting point of determining what is allowed and what isn't to a certain extent.

This is definitely a difficult problem.

> The policy the employee accepts, and to be honest not enough employers explain these policies, should be the starting point of determining what is allowed and what isn't to a certain extent.

While true, we also have a "right to a private life" under Article 8 of the ECHR (where many rights protect you from employers as well as the State, including this one). When your spouse, or your doctor, calls you with an emergency on your company phone because they can't reach you on your mobile for whatever reason, should your employer have the right to know intimate details of your private life or health?

The answer we came to is "no", whereas the US might come to "yes" as its constitution only covers a very narrow definition of privacy which doesn't take into account many modernities.

So widespread, aimless listening on work communications, in the majority of cases, is probably against the law across the EU due to the above argument. Proportionate and limited listening is allowed - for example, if you wanted an alert every time someone accessed Facebook as using it for personal use is against policy, you could do that, but you couldn't go and read all their private chat messages and posts whatever your policy says (unless you have a reasonable belief the account was supposed to be work-specific - for example, you specifically authorized this specific account - and you accidentally stumble across something personal, or that the employee is e.g. sharing trade secrets through Facebook).

> Because it believed it was accessing a work account, the judges said, the firm had not erred.

I think this is relevant, at my workplace which is in EU, sysadmins are allowed to access anything that is not explicitly marked as personal.

I've always assumed that this is some kind of EU regulation, but I don't know. Does anybody here knows?

This is the case in France, and you're even allowed to use work equipment for personal things as long as it is done in a reasonable amount.

For instance, reading news articles on your work computer browser, browsing your personal facebook account, either during a break or for a few minutes a day, will be seen as reasonable. On the other hand, if you spend 6hrs out of 8 doing personal stuffs, the employer can use this against you.

I also assumed this kind of usage would be protected by a court like the European Court of Human Rights, but I was wrong.

It is my understanding that in Germany, an employer cannot listen into an employee's phone conversation, even on employer equipment.
Or your personal GMail, IM or other private communication. They can fire you for doing it, but not read the contents.
What kind of awful company would be expending resources doing this?
Companies like Sony, who want everyone's conversations in one place, so when they inevitably get hacked we can all read those conversations in public.
Every company with a competent information security department.

Protip: Never, ever, use company resources (laptops and workstations, potentially even cell phones) for your personal communications. They likely are MITM with their own root CA and can see what you're doing.

Reason: It's their device on their network, and it has access to company data. Get a cell phone with a good data plan.

If I get an email at work hours and see it on my smartphone, I'd probably rather go to gmail on my work computer to reply, than type in a reply on the phone.
That's fine, but don't get all surprised when your work sees it.
Of course they can, doesn't mean they should. For instance, if they're trying to attract talented employees that's a great way to put them off.
Depends on the industry. If a bank doesn't do this, then it's much easier for an employee to send out PII dumps. If your "Github for farmers" startup isn't worried about code commits to the cloud, then no biggie.
You're right. I had blinders on there about the populace of HN.
Likely?? No, this is paranoid. Sorry, but this isn't happening everywhere.
You don't have to be paranoid about it, it's not like they sneak around when they do it. From my experience it's very common.
And if word gets out and employees make it known their company does this, they are liable to face a backlash.
The employer thought they were reading the professional work account's messages.
"His employer had discovered that he was using Yahoo Messenger for personal contacts, as well as professional ones.

Because it believed it was accessing a work account, the judges said, the firm had not erred.

The man, named Bogdan Barbulescu, ...argued that his right to a private life had been breached when his employer had read a log of messages on a Yahoo Messenger account he had set up for work, as well as that from a second personal one.

Mr Barbulescu's employer had banned its staff from sending personal messages at work.

To check his account, the judges said, it had been necessary for his employer to access his records."

It sounds like a stupid policy, but all the company did was access a Yahoo account that he had set up as a work account and saw that he had also been using it for personal communications.

It's possible the usernames were similar but the profile and log directories have a very clear separation between accounts that any IT person would be able to see. This sounds more like a justification after the fact.
If the file is on your work PC it belongs to your employer. It's a sticky situation but that's how it is.
Which is why I use an external thumb drive with portable software and save any personal files to the thumb drive. It may hit their network but nothing is stored on their computers. Which gives plausible deniability - and I do not think they can legally search the thumb drive.

Not that I'm paranoid about my current employer (extremely relaxed culture) but it is something I do out of habit.

They may have the right to search your thumb drive if they believe you are downloading company data that may help the competition or cost revenue.
They have the same right to search your thumb drive as they have to search your house, which is none.
Keep your personal information off your work devices.
Or if you absolutely MUST then treat work like public WiFi.

No doubt they will have an internal CA installed, but if you keep an eye on who authored the certificates on your favorite websites, you can reasonably be assured of some privacy. Additionally install HTTPS everywhere.

Then all you need to be paranoid about is remote monitoring software.

I hear this as "blanket advice" all the time, but very rarely is there a discussion about what is reasonable to expect from a "normal" employer who isn't draconian or looking to find an excuse to fire someone.
If you work on a big company, that is any time, without your knowledge, or even any reason for your suspicion.
OK, that is what is "legally possible" in a worst-case scenario.

But IN PRACTICE, what is normal?

Your statement seems to indicate that IT staff can just browse personal communications, desktop displays, keypresses. I am sure that they can if necessary, but what kinds of scale and automation are we talking about? Doing such surveillance ad-hoc or without a very small number of targets seems like it would easily become intractable for any org with thousands of people.

I am not in an IT department, so I have no idea what goes on.

It seems the standard advice is always to take the most extreme precautions and to follow the corporate rules to the letter... but here I am typing this into a work computer on a chrome browser without a care in the world.

Normal and possible are not the same thing, and you have to plan for possible.

http://www.huffingtonpost.com/2010/02/26/dan-ackerman-school...

So here is an example of a school administrator spying on students via their provided laptops. It's not the only one. This was 'normal' for the school system until they got called on it.

Blanket collection and searching of data by a company is very possible, in just the same way as you search through mass of logs from applications. They aren't going to have someone watching these logs all the time though, so you don't have to have a huge staff to handle it. They may spot check, they may only go thought the data when something suspicious occurs. They may automatically troll through the data looking for keywords which escalate to a real person for further analysis.

So I work in information security and I'll tell you i haven't seen good standards around this. In some places IT people regularly look at emails or web traffic, which i think is wrong.

When I go into a company I make sure we put a policy in place that to review an employees emails / web traffic / devices we need to have Legal and HR sign off on it unless the person being investigated is part of one of those groups then it is one group and an executive.

This covers me from legal/HR fallout and it covers the employees because they know we aren't just sneaking around looking at their stuff, it creates trust.

It's one of those pieces of advice that is hard to say it's wrong exactly. However, for many professional employees at a great many companies, it's pretty extreme as practical advice. There are some sensible practices like keeping work email and personal email separate and, for both your own and work devices, following whatever infosec policies there are around encryption, VPNs, and so forth.

But, in general, never do X advice can be actively harmful because it advises people against doing things that very many do without repercussions and causes people to ignore advice that it's important to follow.

It's not really a question of what is reasonable to expect. Even a company that chooses now not to do things like what the article describes, they always can.

They can read your emails, and chat logs and whatever else is sitting on your work machine. The only way of dealing with that is never have personal information on them in the first place.

Actually, the chill employer is the most dangerous.

Even if your employer is fine with personal use, courts will rule that it's all in scope during a discovery phase. I've been involved in litigation scenarios where people's personal email ended up being sifted through by the other litigant because opposing counsel convinced the judge that business was being conducted there, and there was evidence of frequent access on a corporate device.

All of your protections from a legal point of view are really defined by custody and scope of control. Data stored on your device in your home is the most protected. Data stored on your employer's PC or file server on your employer premises is the least protected.

OK, but what about email read/composed on my personal gmail account using a work computer? When you say "personal email" do you mean @company.com email-- or do you mean _any_ personal email as long as it is read/composed on a company machine?

Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

Personal == Yours.

Any forensic analysis of a PC/Laptop or look at proxy logs will show your connectivity to an personal email account. In a discovery scenario, all that needs to be done is to present a pattern where personal mail was used for business in the company. (I guarantee that is happening somewhere)

It's one of these scenarios where it isn't a problem, until it is

> Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

No, plenty of corporate firewalls provide HTTPS MITM by installing their own root certificate and making client machines trust it. HTTPS certificate pinning as it's implemented in most browsers specifically allows this behavior by not checking pinned certificates if the root certificate is in the computer's private keystore (vs. system keystore) because it's assumed the private keystore is full of only certificates the user or machine owner wants to always trust.

Thanks guys, that helps me to understand. This stuff is usually explained either as utterly vague blanket advice or in technical shorthand terms. I think it is really important for people who might barely even know what https is to understand how and why the security of it is limited.
How does this apply in BYOD scenarios?
Don't. BYOD policies tend to basically say "we own you". Have your own personal device with its own network connection, and never let it anywhere near your work network.
BYOD means you bought a device that the company now controls. It's not really yours anymore, company policy covers it.
I'm with you 100% of the way when the employer hands me a device for work use.

I'm a lot more confused about 'Bring Your Own Device' (BYOD) companies. BYOD has proliferated because employees are generally happier to pick their own devices and not have to carry two devices. Employers are happy because it's cheaper, even if there is some stipend involved. It makes IT a bit more complicated but thats about it.

But can they look at my messages then? What if they pay my service bill but I own the device?

think about it in the legal context.. if you BYOD, and conduct work on a personal device. Maybe exchanging mails, IMs, text, whatever with a client.

Client gets upset about some deal, they sue your employer. They claim you leaked some information to a competitor. Client and employer both want access to your device, to look for evidence of the information leak. You conducted work, on behalf of the employer, on your own personal device. They have to have the legal right to search that device for evidence..

Now.. if you had two devices. One for work, one for personal. You never used your personal device for work.. then to me, personal device is off limits, unless they found compelling evidence ELSEWHERE that you had disclosed information via your personal device. However, that would need to come out and be backed by evidence. They can't just look at your device without being compelled. I am no lawyer though, and my knowledge of civil/criminal evidence handling is shallow..

Do they really have to have the right to search your personal device? I'm sure they would like to have that right, and perhaps they have managed to obtain it, but it's in conflict with the right to privacy and one could just as easily decide that privacy is more important.

What if you had just memorized the information – does the company have to have the right to waterboard its employees just because they would like to search for evidence?

Most corpofacists would say yes. Anything that work might touch, even if they didn't pay for it, is under their purview. If in doubt, the worker has no rights while employed at the company. Hell, non-competes can tell you who you can and can't work for years after employment has been severed by either party.
> Anything that work might touch, even if they didn't pay for it, is under their purview.

And the law, especially in the US, agrees.

Generally the law in the US agrees with the corporate fascists' view because it's written by them.
Wait, he was using a work account on a company-owned device? I don't see how that can be called a "private message" at all.
Judging from what many Romanian people I know do, he was probably using Yahoo Messenger to talk to his colleagues and his friends at the same time (some of which might have been friends and colleagues at the same time).

Most likely from his personal YM! account.

The real problem was using YM! for work conversations. But if the company involved did not have its own internal messaging setup... it's an easy mistake to make.

This was a work account, set up at the request of the employer, and managed by such. Using a work account for private stuff should set some expectations regarding privacy rights.
The trick here, as my understanding of the law goes, is that (a) the company had a policy that work computers are to be used for work only, AND (b) that the account in question was being used for both personal and professional contacts.

In general, your workplace can (assuming that you have agreed to this in policy) ensure that you're using your computer for approved uses, and it can access all work-related information on the computer. You do have (limited) privacy over anything personal on the computer, but they're welcome to discipline or fire you just for its existence, and in some cases they may access it if they have reasonable belief that they have to.

This ruling clarifies that if your personal information is mixed in with professional information, the company may access it, as little as necessary (the word you'll come across lots is "proportionate"), as part of an internal investigation or similar. This has been spelled out by at least the British Government for a while now, nothing has changed.

EDIT: On a side note, anyone else notice how the article names the ex-employee and not the employer?

Better not to work for such companies.
> Better not to work for such companies.

Don't work for a company that monitors it's own IT equipment?

Monitoring the equipment is to ensure it's working properly, as well as to guard against employees misusing company equipment by installing toolbars and apps that have no business purpose (which ultimately leads to mis-performing equipment, and lost productivity).

I don't think I'd want to work for a company like that - the IT equipment would be in shambles, borderline unusable.

Why? Do you only work for companies that employ children?
Having worked in corporate IT for a long while, I can assure you that users will click "OK" on any popup, and install any program they think they need/want. This includes music player apps, torrent programs, toolbars, etc. None of which is allowed on a company computer (by most policies).

It's not your property, don't abuse it. It's really, really simple.

It's not your property, don't abuse it. It's really, really simple.

No, it is not. Where is the line between use and abuse?

If I install Notepad++ because it allows me to work faster, am I using or abusing the computer?

What if I install Firefox because some suppliers' site doesn't work in the company-provided IE8 anymore?

What if I install Dell's ActiveX control to download their drivers?

What if I disable the company-installed Flash Player because I feel safer without it?

What if I install NoScript or Flashblock using a company-provided Firefox install?

What if I look up my GP's phone number using a work computer because I need a consult for my back issues? Should I take sick leave just so I can call my GP?

I've worked in IT support, and the general rule among those companies was this: if employees have local administrator rights, they are expected to manage their system themselves. So all of the above would fall under "use" where I've worked. If your employees cannot be trusted to manage their machine, why do they have administrator rights in the first place?

> If I install Notepad++ because it allows me to work faster, am I using or abusing the computer?

This, and all of your examples, would be considered abuse if your corporate policy stated you were not allowed to install any software without IT's permission. It is that simple, really.

> if employees have local administrator rights, they are expected to manage their system themselves

This sort of thing really only occurs at small businesses with little-to-no internal IT support, or with very special cases (such as a developer, which would have special approvals by the company to do so).

> If your employees cannot be trusted to manage their machine, why do they have administrator rights in the first place

Well, they shouldn't, and they don't at most companies.

In the end, you signed a usage agreement. If you deliberately break that agreement, don't be surprised by the consequences.

This, and all of your examples, would be considered abuse if your corporate policy stated you were not allowed to install any software without IT's permission. It is that simple, really.

Except that two of my examples did not involve installing anything.

> This, and all of your examples, would be considered abuse if your corporate policy stated you were not allowed to install any software without IT's permission. It is that simple, really.

Well in that case any sane person would try to avoid working for a company with such draconian and controlling policies.

What a ridiculous strawman.

I should not need to explain that you can monitor installed applications without reading the contents of someone's gmail tab.

> you can monitor installed applications without reading the contents of someone's gmail tab

You should not be using gmail while being paid to do work on someone's equipment.

A parallel would be if your company used GMail for business purposes. You log into your personal Gmail account instead, and stay logged in. The company needs to gain access to an email from a customer, so they open Gmail on your computer - but discover you are logged into your personal account and can clearly see you have spent your afternoon sending personal emails... not working.

Another parallel would be if you were hired to drive a bus route, but decided to use the company owned bus to go shopping instead. You are misusing company equipment, and if they discover that via a typical investigation (such as checking your bus' GPS location), then they have done nothing wrong.

I don't see how any reasonable person could argue that this man's case was a clear violation of his privacy. This is a typical case of a person misusing equipment/breaking the rules, then getting upset that he was caught.

Good luck finding one. The clauses that enable this kind of monitoring are boilerplate employee contract and company manual stuff.
Maybe big corporations, there are tons of small companies, which constitutes half the economy that don't do this.
The issue isn't whether they do it routinely, but whether they're entitled to do it. Most small companies hire people using boilerplate employment contracts and employee handbooks, too.

My point is that they don't have to intend to make monitoring possible for it to be possible; it's practically the default.

Also: pay close attention to what 'Spook23 is saying downthread about discovery. Your employer doesn't even have to want to monitor your stuff; all that needs to happen is they get sued, and if you've been mixing business and personal comms, it can all end up in scope.

Might be boilerplate in the US but it'll vary from country to country in the EU. Certainly Germany had very tight rules on this kind of stuff.

Also at a previous employer (multinational, 30+ countries) the CIO took an explicit decision not to employee any kind of technology that could "spy" within SSL traffic to avoid potential liabilities around company IT staff having visibility of personal banking details etc.

Also, just because something is in an employment contract or handbook doesn't mean it's enforceable.

I have researched the situation for Germany and the usual recommendation for the employer is to put something like the following in the contract:

1. Private use is forbidden.

2. Employer can't be held responsible for storing or processing private data if employee didn't follow 1.

Not exactly but quite similar to the ruling described in the original post.

It is not that hard. Just avoid being drone in big corporate. Which is a good job advice anyway.
I think this is the judgement: http://www.clujust.ro/wp-content/uploads/2016/01/CASE-OF-BAR...

> EDIT: On a side note, anyone else notice how the article names the ex-employee and not the employer?

That's weird. This particular court case is him vs Romania, not him vs his employer. The earlier cases, in Romania, would have been him vs the employer.

There are many reports of this case, and most of them do the same thing:

http://www.bloomberg.com/news/articles/2016-01-12/companies-...

https://www.rt.com/news/328755-echr-employee-messages-snoopi...

http://sputniknews.com/europe/20160113/1033075519/eu-court-p...

> The case dates back to 2007 when Bărbulescu was informed by his employer that his Yahoo Messenger communications had been monitored from 5 to 13 July 2007 and that the records showed he had used the Internet for personal purposes.

> Barbulescu replied in writing that he had only used the service for professional purposes. He was presented with a transcript of his communication including transcripts of messages he had exchanged with his brother and his fiancee relating to personal matters such as his health and sex life.

http://www.express.co.uk/life-style/science-technology/63426...

>That's weird. This particular court case is him vs Romania, not him vs his employer. The earlier cases, in Romania, would have been him vs the employer.

The suit is in the European Court of Human Rights. He was claiming that Romania violated his right to confidential correspondence by having civil law that allowed his company to read private messages. He lost, therefore Romania's laws are fine, and thus the employer is still in the right.

> EDIT: On a side note, anyone else notice how the article names the ex-employee and not the employer?

Eh, yeah, that is weird, now that you mention it. It's like they were interested in protecting the reputation of the company, but they wanted to throw the ex-employee to the wolves.

Perhaps the name of the company was not revealed because it was not a party to the case, as strange as it appears. The lawsuit did not include the company, so it might not be in the public record (while the guy's name, being a party to the suit, is)
Do they even need a policy? If someone is on my computer and my network I assume I have the right to access any of the stuff on it.
The law might require it.

I don't know UK law but in several eu countries a employer can't monitor their own computers unless they have in writing informed the employees about it.

You're likely right, but if I was hiring someone, I'd make sure to have a strong rule (ie - work devices/networks are for work purposes only) and a strong disclosure (ie - we reserve the right to monitor, read or otherwise use any and all information on work devices or networks).

Of course, I'm Canadian and our privacy law is fairly strict. Violations are also a tort, even without proof of damage, so my case may be unique.

But regardless, firm, written guidelines applied equally across the organization are always a good defense.

The EU has said several times that any monitoring has to be proportionate and limited, and that you need to tell employees i) that you are monitoring, and ii) what you're monitoring.

Note that in this case he lost because his employer had the policy clearly in place. He might have won if they didn't have that.

The 'limited' aspect seems rather toothless if a clear policy of "we monitor everything" is valid.
The limited aspect is important so that the employee knows what's monitored. Employees are not forced to store private data on work devices or engage in private conversations.

All my employees are regularly reminded that work equipment is work equipment and that we have access to it and will in certain cases use that access. I'll try not to go through their private stuff, but if there's something I urgently need from their device (or account) and they're not able to provide it (1) I'll have to. If you send private conversation via a company account you know what you sign up for.

(1) for any reason, ranging from extended holidays away from the internet to "this person is no longer among us".

But "we monitor everything" is not valid. "We will monitor our work accounts on our equipment" is valid, and "we found some personal messages on this work account" becomes valid because it's not everything (which would violate his privacy) but because it's only the work account.
This doesn't sound proportionate though does it.
"We checked the work account on your work computer"? That sounds pretty proportionate.
The offence ie chatting to a some one - that's a verbal warning offence not gross misconduct aka instant dismissal.
Do you apply this to everything? If someone is using your bathroom do you believe you have a ethical and legal right to surreptitiously observe everything they do in there?
I believe what they meant was if someone were using your laptop on your network then you have the right to know what they're doing. Granted, if you're doing banking then I wouldn't expect that I'd have a right to know your bank account info but I'd expect to at least know if you're using my computer and my network to buy illegal drugs or something like that. This seems reasonable as far as "limited" means. I'd like to know what they found that made them terminate his employment though.
In the computer case, the reason surveillance is a good idea is so the owner can prevent misuse. Misuse is likely, as any computer with an internet browser may temp a user with a wide variety of possibilities for misuse.

In the restroom case, an owner often can safely assume that the user's activities will be restricted to a quite limited range of behaviors. However, if I had reason to believe that the user might be performing some illicit activity in the restroom (e.g. arson), I might feel surveillance is warranted.

The difference comes down to the disparate levels of suspicion.

The employer presumably didn't think he was using their computer for arson. Would you be more comfortable letting a stranger into to your premises to use your bathroom or letting them use your internet connection?
The bathroom.

I haven't put NEARLY enough effort into securing the accessible services on my LAN against unauthorized access. There's a practical upper limit on how much undetected damage someone could do in my bathroom (without a crowbar or a wrench) that is significantly exceeded by how much undetected damage they could do on my network.

Let's not conflate the ideas of a legal right and an ethical right. Especially where privacy is concerned, they are often in tension or even direct conflict.
That's an extremely poor assumption. Any home user's computers would be on their ISP's network. Should they have the right to access any of the stuff on it?
The person is your employee; you entered into a contract with that employee and the computer and your network is not just your property anymore, but tools provided to the employee to be used by said employee according to the contract. At this point, contract law, labor law, etc. can constrain what you can do pertaining to your employee's use of the computer and the network, especially when the constraints exist to safeguard fundamental rights.
So I have a personal device (dual sim) with a personal sim and work sim inserted. I have subscribed to my IT security policies. Any idea what my exposure is? My gut says they'll treat my device like their own
Where I have worked, if you're under investigation or subject to retention we'll seize your device. If you refuse, you'll get canned or sued.
The owner of a computing device has ultimate rights to the device. If your employer owns your computer, he has every right to inspect his device and ensure that you are not misusing it. He has every right not to permit you to connect a personal computing device to his network, and he has every right to inspect the packets you send on his network. This ought to be uncontroversial.

It should be taught in school: Don't use your work accounts for personal stuff, and don't use your personal accounts for work stuff (I'd go even further and say don't have just one personal account for everything).

What load of BS. I don't see how my agreement to their policy should provide them with immunity to what would otherwise be criminal. e.g. That it's criminal to steal from my employer should not mean that if they suspect an employee is stealing from them they can without repercussion steal-back.

Likewise they may have certain legal rights if an employee violates their computer-usage policy -- but that shouldn't give them the right to violate the CFAA.

Checking whether an employee "completing their professional tasks" and reading their private correspondence are very different things. How is this any different (aside from prefixing the word computer) then if you had personal letters on your desk and a manager confiscated them from you (and read them) - in order to "confirm" that you were using "completing their professional tasks".

The employee was using the same messenger session for both professional and personal actions. Part of the ruling was that it was reasonable for the employer to check the logs of the session, because it was ostensibly being used for professional actions.

> His employer had discovered that he was using Yahoo Messenger for personal contacts, as well as professional ones.

> Because it believed it was accessing a work account, the judges said, the firm had not erred.

EDIT: Removed unnecessary remark.

I've worked at places where they set any pcs on the domain to accept their ssl cert. Then they mitm all your https traffic and scan everything. That would include banking, gmail, etc.

Best not to do that stuff at work. You also have to wonder about the internal wifi people put their phones on.

> that shouldn't give them the right to violate the CFAA

The key issue here is the definition of authorized access. If you create a contract with your employer whereby they give you money and you authorize them to access your digital communications (via an explicit policy) then their access is not unauthorized.

> The key issue here is the definition of authorized access. If you create a contract with your employer whereby they give you money and you authorize them to access your digital communications (via an explicit policy) then their access is not unauthorized.

Yes, for example the corporate gmail terms of use explicitly states that your employer has rights to any communications contained therein.

But I would be extremely surprised if someone logging into their personal Gmail account at work would constitutes a 'right' for an employer to access that account (and potentially look through years of personal correspondence) to verify that they were "completing their professional task" - essentially access without authorization (at least in the pre-internet days where these would have been physical letters) would have equated to theft of personal property.

> I don't see how my agreement to their policy should provide them with immunity to what would otherwise be criminal.

But it wouldn't be. It's their computer. If I use your computer, you have every right to examine every file I created while using it; you have every right to install a keylogger; it's your computer (whether it would be decent to do those things is a different subject).

It's not private correspondence if you conduct it in public; it's not private computing if you do it on someone else's computer. If you want privacy, use your own device.

>And they added that Mr Barbulescu had had prior warning that the company could check his messages.

...and there's the part where I'm not surprised this fellow lost his lawsuit.

Honestly, if I come to a railroad crossing and the gate/arm is down and red lights are blinking, and I go onto the tracks anyway, I think I kind of sort of lose the ability to win a lawsuit against the railroad company for hitting my car.

What if the company said that they were going to assault him if he was to use private messaging? Does that make it alright because they warned him?
No, because assault is obviously wrong, whereas his employer having access to his private messaging on his work machine in work time was more of a grey area.
If it's a grey area why should he have expected to lose the lawsuit?
If it wasn't a grey area, why would the European Court of Human Rights be hearing it instead of a local employment tribunal? Lots of law is a grey area, with both sides putting their argument and a judge adjudicating.

On the other hand, an employer physically assaulting an employee (with or without warning) wouldn't need to be heard by the ECHR because there is so much law and precedent to say that employers can't do that.

This is a straw man argument, and it's really not worth debating.

Right. What the company did was bad, regardless of the warning.

But I think his argument would have been stronger if he had raised the issue after his initial warning. Why did they have to invade his privacy twice for it to become an issue for him? The answer: because he was sacked. This seems to change it from a privacy issue to a retaliation.

Not that I'm okay at all with employers being able to violate his privacy, regardless of his motives for claiming his civil rights.

(comment deleted)
This isn't a contract dispute - this is a human rights dispute.

Assault is probably against Romania's laws. As such, any policy or contract specifying assault is illegal.

Invasion of privacy in the workplace is allowed under law; this law was challenged in the ECHR - and the challenged failed, so the law stays. So it is legal to put this in any contracts in EU, since the judgement sets precedence across EU.

>So it is legal to put this in any contracts in EU, since the judgement sets precedence across EU.

Nitpicky, but I believe it says that any European country can have laws which allow this but they are not required to allow it. E.g. the Belgium Gov't might still pass a law which says companies are not allowed to do this.

Just a nitpick - the contract is not illegal. It is not legally enforceable or valid.
Yeah, like 15 years ago I was on a legal seminary about how to deal with private messages at work. It's difficult. If you allow your employees to use certain means of communication for private messages, you bar yourself from reading them. If you prohibit private messages on that channel though, you have to enforce that.

As an example you could give employees 2 accounts on the company's email servers: John@company.com and John-private@company.com. If now John-private@company.com sent to you-private@company.com "lets grab a beer after work. Also check this link below. I guess it fixes the problem we had all week with our servers", as an employer you would have to warn and ultimately fire him over such transgressions of the rule to split private from work. The problem is that you are not allowed to read his private correspondence (grepping the backup for business problems like "where was that link again?") but you are allowed to do all this with his business mail. Not enforcing a split leads to the company legally loosing all access to all the correspondence.

Very worthwhile deliniations you've put forward - matters of policy and employment agreements, to me, aren't able to address every single instance of good or bad judgment by an employee.

I've worked with several highly regulated industries, and while data preservation is a big deal, very frequently compliance officers have said "Just don't store personal-type or non-material information like calendar meeting requests for off-site dinners" because they're simply outside the purview of what's needed to satsify the rules.

On the other hand, it was quite clearly stated that if doing filing/archiving one comes across correspondence that reflects an error of judgment (intentional or not), say relating to giving a "personal" gift to somebody above/beyond the accepted corporate policy or legal mandates (ex: local government officials), then by all means, that's in the company's interest to review and address.

There's a perfectly fine reason some sensitive conversations should take place over the phone instead of in writing (most notably "OUR IT SAYS WE'VE HAD A BREACH OMG OMG OMG"), just like there's ample reason talking about something sketchy is frequently performed over the phone. Funny creatures, us humans.

> If you allow your employees to use certain means of communication for private messages, you bar yourself from reading them. If you prohibit private messages on that channel though, you have to enforce that.

Just curious, are you in the US? My employer's policy is essentially "Your work-provided laptop is for work. However, we recognize that you'll access personal websites and content from time to time. Don't miss deadlines because you're on Facebook or the NY Times all day." However, they explicitly retain their right (but not responsibility!) to monitor, log, and retain all traffic and activity on not only the work machines, but the work wifi (including guest wifi).

I asked about the US because I know privacy protections are much strong in the EU and I had never heard that allowing private messages bars an employer from reading them.

Here in Austria, you can tell employees what you want, but never ever are you allowed to read their internet traffic.
Honest question: What about in issues of court cases? As in, if an Austrian employee is comitting an international crime of bribery and is under investigation, does that forbid the courts or employer from ever reading the internet traffic? Granted, I'm setting up a 'higher bar' to clear than an internal, company-exclusive issue, but if we're talking scope and priorties of laws, I'm curious how they might be reconciled in the situation you present.
There's a rather important difference between a random employer and the court system warrants.

The employer isn't the police.

That cannot be true or you could never do proper security or investigations. How would you know if an employee machine was compromised if you absolutely cannot read their internet traffic? Sometimes you actually have to dump traffic an analyze it with wireshark to figure out something is wrong.
That's a grey area, and you should not do that here because judges mostly rule in favor of employees.
Citation needed. Pretty sure onnoffice equipment you are bound by the rules of the company. it's valid for a company to prevent the personal use of office equipment.
You are correct, employers are allowed to block e.g. Facebook (most have given up on that though). But never read or act upon their email/connection data/... in a semantic way. I have no english source for this, sorry.
If the employer disallows private communication at work and the employee disregards that rule, the employer does not have to special case private data on the company device. This is the same in Austria as the court case here just found.
Warning someone that you're going to violate their right to privacy doesn't magically make it legal for you to violate their right to privacy.

That's why this is a concerning decision. It indicates this european court believes there is no right to privacy at work.

> It indicates this european court believes there is no right to privacy at work

When you're on the employer's dime, using the employer's equipment, and using the employer's internet connection, you don't get to send personal messages. This guy did, and then found out the consequences. It's pretty simple.

The company used MSN Messenger for business purposes. This guy took it upon himself to setup a separate account from which he privately messaged people during business hours.

This guy would not have been able to send those private messages had the employer not fully paid for all the equipment and necessary components to facilitate messaging for business purposes.

Imagine the parallel. I hire you to telemarket for me (make sales phone calls). I tell you all calls are recorded. Sometime later, I'm digging through the recordings to find a customer's call, and discover you have been making many personal non-business-related phone calls. Instead of using my equipment to conduct business, you have decided to make personal calls to your friends. Of course you would be terminated, and of course I listened to the calls, because I own them.

> Of course you would be terminated, and of course I listened to the calls, because I own them.

And of course in several EU countries you'd be staring down a possible severe consequences for breach of privacy. Some countries do not consider employment a right to total ownership of an employee.

Several EU countries recognise that employee has a right to privacy even when working (which includes phone calls and other communication with their families while working and sometimes - like France - even on computer equipment).

> Some countries do not consider employment a right to total ownership of an employee

This isn't about "owning" an employee, this is about owning the equipment which an employee uses against it's explicit purpose (to conduct business).

I don't think many would have an issue with an employee stepping out for a few minutes to handle a personal call. But many would have an issue with an employee phoning friends and chatting during regular business hours instead of doing their work.

The guy in the original story was chatting with friends while at work over MSN Messenger... instead of working.

> And of course in several EU countries you'd be staring down a possible severe consequences for breach of privacy

That's not true in this case. If you have a policy that prohibits personal use of company equipment, and another policy which states clearly all communications are recorded for business purposes, and it's signed by the employee, then it's really cut and dry.

You can't have both a "right to privacy" at work, and high degrees of oversight of companies. The way you have oversight of companies is by monitoring and controlling employee actions while at work. There's no separate "company" that can somehow be monitored without its employees. If you want to create more privacy for employees at work, you also must be willing to subject companies to less scrutiny, because all such private channels are also places to hide malfeasance. Given the meager volume of complaints about workplace privacy (basically, we only hear about it when it directly comes up, like in this article) vs. the near-continual torrent of complaints about companies that comes up all the time, I suspect people are generally going to choose corporate oversight.
> It indicates this european court believes there is no right to privacy at work.

The court has been clear (in this case, and cases in the past) that employees do have a right to privacy at work, and that an employer cannot just trawl everything all the time, even if there are policies in place.

How is it clear exactly? Obviously they won't be trawling literally everything literally all the time, but being able to access anything they choose at any time they choose seems indistinguishable from the employee's perspective, and that is apparently allowed?
They can't access anything. They accessed his work work account because they thought it was the work account, and they had already asked him not to send personal stuff through the work account.

They didn't make any judgement about his personal account (which also got read) because as I understand it they've already ruled that you can't read personal accounts without very good reason.

> It indicates this european court believes there is no right to privacy at work.

That's not true and I guess you haven't really read what the ruling is about. It's about this one exact case where the court ruled that the employer reasonably expected that the account they were looking at wasn't personal.

If the employer would knowingly look into employees personal correspondence the ruling would be different.

Work is not were you want to send private messages that are not work-related from.

Keep that simple rule in mind and you'll save yourself a lot of heartache.

Work is a sweatshop, where you slave away, dont ever forget that.
That's a very specific case and it seems the main problem was that he sent private messages from a monitored work account.

If you send private messages over your company's Twitter account, you can expect to be fired, too.

"Not if you're doing it correctly", say mathematicians.
All real personal stuff is done on my smartphone. I use 4G only at work, no work wifi. I do not open personal mail at the work computer. No Facebook, except sometimes on the phone. The only thing I do is reading and posting here and at several other websites.

I have no idea if my employer knows about this, but I haven't had any remarks about it and I do this for years now. Reading articles on this website and elsewhere (like Slashdot) is a distraction I need on a regular basis. And we don't have a policy like this, so I guess this doesn't apply to me.

Honestly a 4G-only, no-guest-wifi policy is the safest from a privacy perspective.

The downside being that it's possible someone sees you three times in one day and you happen to be on your phone two or three of those times.

"Not if you do it correctly", say mathematicians.
At this point, if you don't understand that company equipment is to be used for company business only, then you're clearly not using your best judgement. Whether or not there's a policy, it should be implied that the equipment a company gives you belongs to them. You wouldn't take a company vehicle to a party or to the bar? Ok, maybe you would, but SMH. The point is that company equipment should be used to that purpose. If you use it for any other purpose you should expect that it's going to be scrutinized. If you don't want someone reading your emails or messages on a company computer, then use something else like a tablet or your phone to conduct personal business. I find the amount of conversation here about this so confusing.
Exactly. My tendency is to try to keep my personal use of company computers to a reasonable level and conservative scope, because while I know my company is going to be reasonable about it and most likely leave me alone, I fully recognize that it's their computer and me using it for personal things exposes those things to their scrutiny if they have reason, or even if they suspect they have reason. Frankly, I'd be a little surprised if none of my employers have ever perused my browsing habits while investigating something (example: I once had an officemate get fired for sucking up all the office bandwidth by running a public porn server from his desktop -- that was a super dumb move, and I really wouldn't hold it against anyone investigating the problem to take a general survey of our web traffic habits in the course of chasing that down).
Definitely. This is especially important for companies that are public or are planning to go public. Knuckleheads exist everywhere and they can be a liability if not kept in check.
Encryption.
Yep. Very first thing I do when setting up a work machine is enable full-disk encryption, both to protect company assets from theft, and protect any sensitive material from prying coworkers/management.
Same here. It amazes me that this is not more common.
I wonder if doing this, just the action of choosing to encrypt, would be held up as sufficient grounds for the company to investigate your activity, or even possibly regarded immediately as criminal or potentially criminal. I can see a lot of companies coming up with extremely irrational policies that say that any attempt to encrypt anything is inherently not allowed.
What? I don’t just encrypt my desktop, I encrypt all the servers too, for the same reason.
Question is Slack falls under this..., if people use Slack at the office on multiple channels than you could consider it a private message on a work computer.
Hasn't the safe advice been that whatever you do on company resources (except time) can be monitored/investigated by the company? Isn't it generally bad practice to handle personal business on a work phone/work laptop/work desktop anyway due to the assumption that your activities can be legally monitored by your company?

Understandably, if you make a send a message/make a personal phone call on company time to your doctor or spouse regarding some issue then that shouldn't be grounds for the company to investigate just because you were on their time and my reasoning for this is that even when you're off the clock, you can still be disciplined for activities that may portray the company in a bad light (getting into a bar fight after work, for example) so its assumed that you're never really off work.

Either way, if I were him I wouldn't have assumed I could have used company hardware to send personal messages yet still have an expectation of privacy.

The key in this case was the guy was using a Yahoo account that was designated for work purposes to message his brother.

What the ruling DOESN'T mean is employers cannot say, demand access to your personal gmail account. However they can reprimand you for visiting gmail.com or whatever for periods of time more than what they deem acceptable.

I know everyone is going to shoot this idea down with a million reasons why, but even so:

why are these laws never symmetric?

Why can't employees also access things possessed and used by the employer, like, say, HR personnel files, or executive emails, so that employees can verify the company is not committing fraud, engaging in discriminatory practices, etc.?

There's such an emphasis on what the company has a right to do to protect itself that we almost don't even think about how company actions, which could be damaging to and unapproved by the employee, go on unchecked all the time.

I assume the answer is just "might makes right" and the employer is the one with capital available for legal and political manipulation. But what's so surprising to me is that we rarely even talk about it even in an era with so much overt and publicly hated corporate corruption.

This is actually an interesting question, IMO. But, I think you can quickly see the situation is not inherently symmetric, so the answer can't be either.

Just one example - giving employees open access to company materials affects the privacy rights of other people, not just the company. So in order to protect the privacy rights you do have vs the company, they will have to restrict other people's access to your information.

The title of this article is misleading in the sense that the decision was that companies may inspect employees' PMs that originate from company computers. They did not make a blanket decision that the company may monitor personal phones or personal computers.

That highlights how the situation is not symmetric in the sense that you haven't loaned your computers to the company in order to produce their personnel files.

I agree with you that it wouldn't be perfectly symmetric and a number of difficult follow-on issues would arise.

But, I see a lot of emphasis being placed on the fact that it was a company-owned machine and that it was ostensibly being used for company purposes. These two facts seem to underpin a lot of what everyone says.

But ownership and mode of use are not the only kinds of resources or properties to think of. For example, at least in the US we have the concept of "company time" which covers the time periods during which you are performing an action sanctioned by a company. Could this be used to demand the ability to monitor employees during time periods when they are on company time?

Likewise, there are a lot of gray areas going in the reverse direction -- from employee to employer. For example, it is true that HR records (say, for example, performance reviews written by my boss about solely me) are electronic files that are the property of the company, just like a computer workstation is property of the company.

But, just as a computer workstation could be misused for personal use, and thus needs to be inspectable for compliance, so also the HR files could be misused for personal use (making jokes, talking about non-professional aspects of me, conspiring to deny a promotion simply due to personal preference, etc.) -- so why aren't such files open for inspection?

Yet another interesting aspect of all of this is why we believe that not only must the workstation be made available for inspection, but further that it is the employer who gets to perform the inspection.

Why isn't such inspection required to be handled by a third-party arbiter, much the way that tax and official records are required to be kept by a certified firm specializing in it. We don't trust companies to say, "Yep, these are my taxes and records, I swear I didn't lie or hide any money." We at least require some third-party to attest to that and stake a reputation on it (subverted though it may be).

Yet with issues of inspection, we just sort of capitulate to this idea that the employer not only gets to raise the issue of suspicion about misuse, but also gets to be the authority on the investigation of whether or not misuse occurred, and to what extent employee privacy must be invaded to get all the relevant info.

For better or worse, companies do generally have the right to monitor you when you're on company time. All companies that I have personal experience with, large and small, recognize that doing so aggressively may lead to lower morale, employee mistrust, or lower productivity. So, they choose how they monitor carefully.

Your primary agreement with the company is a trade of your time and skills in return for money, and the symmetric right you have is that you definitely do have the right to monitor and verify that you've been given the proper amount of money.

> HR files could be misused [...] so why aren't such files open for inspection?

In some places, they are open for inspection. There are laws in at least some US states that the company must show you your own personnel file, if you request it.

> Your primary agreement with the company is a trade of your time and skills in return for money

Not really. The tradeoff is not just for money but for a spectrum of compensation, which could be equity (which could confer voting or board rights to you to monitor certain things about the company financial health), vacation time, conference attendance, foosball table access, etc.

Often these things are negotiable, at least if the employer values talent. So why couldn't we negotiate that part of compensation is some sort of verifiable transparency and mutual respect in terms of monitoring the appropriateness of company activities (whether on behalf of the employer or employee)?

I don't see any fundamental reason why these couldn't be negotiated as part of an employment agreement. Instead, what I see is that most employees either don't know or don't care about these items, and, more importantly, that employers actively collude and engage in e.g. regulatory capture specifically to deny workers the opportunity to be able to negotiate these things.

> The tradeoff [...] could be equity (which could confer voting or board rights to you to monitor certain things about the company financial health)

If you have that, then you have significantly elevated access to the information you were talking about, and you're already landing on the side of protecting the company. The issues you raised don't really apply here.

> [...] vacation time, conference attendance, foosball table access, etc.

If you value those on par with your salary, then I have a job for you! ;)

> I don't see any fundamental reason why these couldn't be negotiated as part of an employment agreement.

You're right, there is no reason. You can and should negotiate these things. Negotiate away!

Just recognize that you may have multiple conflicting interests within yourself. If you want access to confidential company information about others, you're implicitly requesting that they have access to confidential information about you. Most of us wouldn't mind knowing everyone else's salary, and most of us don't want others to know ours. Most of us would love access to the personnel reviews of our co-workers, and most of us would be mortified to let them read ours.

> If you value those on par with your salary, then I have a job for you! ;)

Those things are worth some fraction of salary, at least.

I think there is some valid discusion to be had re: Who gave them the right and should we continue to recognize that right?

The issue of symmetries of power brings into call the granting and enforcing of rights at a very basic level. If rights are not endowed in a symmetric fashion, shouldn't we step the conversation back and talk about that instead of throwing our collective hands up and agreeing to participate in perpetuating institutionaled inequality?

Allow me to be devils advocate here. I'm the all powerful Admin. Whether or not you're on company time isn't the boundary here, it's the network. If you're on my network, I have the right to inspect your traffic and/or restrict access. Not just the right, it's part of my job responsibilities.

While I don't agree with these policies on a personal level, I've seen enough to understand it's usefulness in certain environments.

To avoid these kinds of things, always use your own device on your own internet for all things outside of work. Then you only have to worry about the upstream snooping your data.

Notice that I never challenged the result of the ruling -- I actually think it's totally fine to give employers the right to inspect equipment they own and I pedantically follow the advice you suggest by absolutely never logging into any personal account or generating any non-work-related web traffic on any work-owned devices. I want to personally ensure that if an employer ever does see fit to inspect my workstation, it will just be super boring for them. I try my best to extend this to my work emailing habits too, by trying to write the shortest possible emails, and trying to respond to people with in-person responses when possible, to avoid proliferating paper trails of my own conversations.

The only thing I am saying is that this is a two-way street. If employers are allowed to investigate networks because of some socially constructed and arbitrary property (e.g. it is "work-related") then why aren't employees allowed to do the same thing, or to ensure that a certified third-party arbiter can do so on their behalf.

My issue is not that employers can see what employees do on employer-owned property. My issue is that employees should also be able to see what employers do, to verify that they are acting in the best interest of the employee in situations where an employee has a right to expect that. If it is "the company" that owns these things, machines, HR files, etc., then why does only one 'class' of corporate citizen get to have the access (the executive class, generally administered through a layer of HR/legal/compliance officers) while huge other classes of corporate citizens, regular workers, who are just as much "the company" as anyone else is, are never allowed symmetric access to make sure of the issues that could affect them.

Saying that "the company" owns things is not helpful, because if we're all equally "the company" then we all have our professional lives riding on adherence to company policy, verifiably not committing fraud, and so forth. Yet courts consistently side with the ruling classes within a company and clearly support the idea that employees do not get to have such access.

The other point I raised is that, even granting the company has the right to investigate what transpired on its owned equipment, why does that mean that the company itself gets to be the entity that performs the inspection? If we wanted to (a) determine whether or not a worker inappropriately used company property and also (b) protect that workers privacy, at least as far as it is related to the employer, then we should be willing to let a neutral third-party arbiter perform the investigation and agree in advance to be bound by its decision.

I guess what I'm saying is that it's much more complicated than "Company owns the machine. Company can do what they want." No. They can do what we determine it is right for them to do. Maybe that is doing X but not Y if we value protecting Y. We can make these laws or make them part of negotiated employment agreements, but rather than doing so, we allow ourselves to be asymmetrically treated as a lower class within the organization, and we rationalize reasons post facto for why this should be so.

'Just one example - giving employees open access to company materials affects the privacy rights of other people, not just the company. So in order to protect the privacy rights you do have vs the company, they will have to restrict other people's access to your information."

I'm not sure this is a good example. Bear in mind that 'the company' is just other employees. I am not aware of any particular set of 'rights' limiting which employees have access to your information - just policy which is entirely decided by the power hierarchy.

I truly believe we've had a paradigm shift in how workers are viewed in this country. Even Paul Graham thinks if a labor union exists, there's opportunity for disruption in that industry.

People are commoditized and anything but a race to the bottom with employee wages and rights is an inefficiency.

(comment deleted)
As an employer, I understand that a labour union rises my costs and makes my business less flexible. As a humanist, I understand that a labour union is just about the only way workers can have their voice heard, and progress from wage slavery to somewhat bearable working conditions can be effected, and the corresponding backwards slide resisted. Those viewpoints are not contradictory.
The entire employment system veers towards these biases. It's shown even in simple things like "you'll need to give us 10 minutes after you're supposed to be finished working this evening, but don't you dare consider taking 10 minutes off tomorrow".
Behavior like this (from the employer/manager) is only acceptable because we let it be acceptable.

I hear examples like this a lot but it simply hasn't been my experience, and I haven't always worked in developer-run (or even developer-friendly) industries or companies.

I 100% accept that I might just have been lucky in my previous and current employment, but any time I've had a doctor's appointment or had to run to the vet or anything like that, I've either made the time up that evening or the next day (one time for a long Wednesday AM appointment, over the next two days).

I say this not to discredit the very real fact that employers like this exist, but only to suggest that this is on the same level as poverty wages and forcing someone to buy their own office supplies. If you work in an environment like this, moving on (either simply by employment or geographically) should be among your top priorities.

> which could be damaging to and unapproved by the employee

Because unless you work for some sort of co-op or a very specific subset of unionized labor, employees by definition do not have the right to approve anything

It's a question of ownership. Property rights and such.

If the company owns the infrastructure, the subscription, the accounts, whatever, they can decide what to do with it.

In contrast, an employer can't, say, search your car without your consent.

Is that the case even if you are using your vehicle for a delivery service and they suspect you of stealing stuff?
Yes, if it is your car, they cannot search it. (Unless, as others said, it is a secured area, and by entering you give permission to search your person and property.)

But if you deliver for Papa John's, and they think you swiped some stuff, they can't search your cat.

Of course, law enforcement may acquire a search warrant, but that applies to everything, employer and employee.

> But if you deliver for Papa John's, and they think you swiped some stuff, they can't search your cat.

I think that this discussion is old enough now that it is safe for me to say how much I enjoyed the mental image conjured up by this typo.

In the Defence industry, they can and will search vehicles and property. Accepting a job is assumed (sometimes explicitly contractually stated as) giving consent. You must generally assume that company machines and comms means are monitored at all times.
Plenty of employers can and will search your belongings/vehicles you bring on their premises. Think the NSA or prison workers for example. Or even bank employees. Anyone who works in a secure facility (Think civilian employees who work on a military base) are subject to search as well.
Again, property rights. If you choose to park on their property, they can search, just as the TSA searches people who enter airports.

(There's some more rules, since this is a case where property rights conflict, so generally they have to notify about the situation upfront.)

In Europe, you do have the right to request any files that HR/personnel hold on you. (In the UK, it's called a data subject request). I've certainly seen it used multiple times as part of the recruitment process, where an unsuccessful candidate has requested the notes made on them.
This is really interesting as well, and I'm of the opinion at least a shred of 'corporate information' should be more widely shared among employees, specifically as it relates to company health, longevity and compensation programs.

There's only so much that can be learned from publicly available statements. So, when somebody might want to point out "Hey look our company has been profitable and growing at 3% for the past XX quarters so why are you not even giving small-fry employees a COLA raise?" it could be a reasonable discussion. I don't see that happening, as you say, based on the "might makes right" platform of ranking.

It's a pretty bad situation for employees in my opinion, and yet I don't think there's any established 'format' or 'platform' where such information is more widely shared or discussed in US workplaces.

> established 'format' or 'platform' where such information is more widely shared or discussed

That's the very definition of union meetings that happen in preparation to collective bargaining. Commonplace where the workplace is unionized.

Yeah I'm all for that labor arrangement but unfortunately it has not been even a remote possibility in my professional career in the US thus far. Maybe that will change in time. I hope so.
Because companies are considered people, but not the employees...
"why are these laws never symmetric?"

They are, in a cooperative company, that is, in a company owned by their workers, it is symmetric and transparent.

In a company that is owned by someone else, obviously this someone else decide what is done in the company.

"Why can't employees also access things possessed and used by the employer, like, say, HR personnel files, or executive emails, so that employees can verify the company is not committing fraud, engaging in discriminatory practices, etc.?"

Some employees have access to such information on any company, but those employees are trusted by the owner.

Employees are not saints. If a design of a prototype is valued in millions of euros and they have access to it, they could have the temptation to sell it to the competition and become rich, or just compete with the original company with the info without having done the investments.

This is valid to anything that could be considered "trade secret" that if competition knows, could simply destroy your company. Information like geomineral prospective studies that took millions of dollars to make in the end is so simple like "here there are so many tons of gold or platinum". With this info in a phrase a competitor could save millions.

You can extract all the info you want about a company if you have access to their private communications.

Maybe it's legal, but after learning all this would you still apply for a job there?
If finding work is tough and you needed to pay rent and eat, like in the real world, then all this "you agree to their policy" stuff is frankly sinister. Basically unless you're lucky enough to be desirable enough to the diminishing amount of companies that don't treat their employees like cattle, you have to basically suck up having your privacy shat on.
absolutely, but we don't talk about unskilled workforce, this guy is an engineer. And even if work is hard to find and you have to take it, you probably will be actively looking for a better job very quickly. So ultimately company that is enforcing such strict and hostile rules is going to loose all the best people very quickly (because they will be first to get a better job)... and that's bad for business and at the same time I doubt that it improves performance significantly, so it's pretty stupid strategy IMHO...
> in a completely benign way that you might expect of a real human being, not a slave or serf.

No reasonable person can advocate in good faith that employees should actively ignore workplace policies and rules, because they're "real human beings"... and further, that there should be no consequences for these deliberate actions.

Sure they can... If those policies and rules are arbitrary, illogical, and backwards. Nobody follows all the rules all the time, and those that do are generally seen by the rest of society as stodgy and inflexible.

Also less effective. Example: Shadow IT exists for a reason, and that reason is not some variation of sticking it to the man.

> Sure they can... If those policies and rules are arbitrary, illogical, and backwards

Don't abuse company owned equipment, and don't use company owned equipment for personal reasons (especially during work hours) is certainly not an "arbitrary, illogical and backwards" policy.

> Also less effective

If you truly believe an IT department ensuring their systems are maintained properly and function as they should is "less effective" than just allowing chaos... I'm not sure what to say really.

> Shadow IT exists for a reason

Have you worked at a company which had different departments all using whatever they wanted? It's a nightmare, and not just from an IT perspective. Nothing is compatible with each other... transferring from one department to another results in a slew of new applications and practices to learn (and which are not necessarily better)... and when IT does need to step in and fix this new system a bunch of non-IT department staff cobbled together... it gets even worse. Soon these departments complain to the IT department when their "shadow IT" system breaks down and demand it be fixed promptly. It's not a net good for any company.

> Nobody follows all the rules all the time, and those that do are generally seen by the rest of society as stodgy and inflexible

Don't be ridiculous. It's not your property - you don't get to do whatever you want with it. It's really, really simple.

You have an unnecessarily strict and unreasonable point of view that benefits no one, and I'm quite happy I don't work anywhere near you.
A company who blames the uses of a private gmail is dysfunctioning, and a country should rather get rid of such companies rather than the employees. Economic excellence, by keeping companies who know how to manage the motivation of employees.

OTOH there are problems with salespeople communicating with customers on their private emails, like, ugh, the director of the CIA who was recently caught by a teenager.

If it is upon employer equipment and time, then it is reasonable for the employer to expect it to be work related. In this case the chap blurred those lines and even using a personal account for work related stuff is going to violate and respectable data policies a company may have and indeed many a work contract alone.

The headline does make it sound a bit oft when you read the article and not the best choice when you read it is not as clear cut as the headline portrays.

Still never mix business with pleasure being the moral on this one and not a mass panic my private emails can be demanded by HR.