506 comments

[ 2.8 ms ] story [ 363 ms ] thread
Glassdoor has posted a notice on ZURU's page regarding this: https://www.glassdoor.com.au/Reviews/ZURU-Reviews-E2286297.h...

It appears a few other companies are doing this too, including Kraken (https://www.kraken.com/) as you can see here: https://www.glassdoor.com.au/Overview/Working-at-Kraken-Digi...

EDIT: If anyone from Glassdoor is reading this, please advise on a way to either unlink my profile from my identity - or remove my profile and contact information altogether. I believe GDPR may provide some assistance here.

> Glassdoor Alert: Employer Legal Action

> This employer has taken legal action against reviewers and/or Glassdoor for the reviews that have appeared on this profile. Please exercise your best judgment when evaluating this employer. Learn more about Glassdoor Alerts.

i.e. "FFS stop writing reviews, but assume the worst is true and stay the hell away from these clowns"

Wow. That statement is the worst kind of review any potential employee could ever read.
Yeah. Definitely Streisand effected themselves. Wonder if they can sue their own legal counsel for causing themselves so much monetary loss (given that's the grounds they're using to de-anonymize the reviewers)?
Yah. The reviews didn't even look that bad.

Nothing like getting lots of press for suing critical employees to improve your rep.

They didn't sue the employees.
Not yet, but they need to know who the employees are, first.

In their filing against Glassdoor, they declared their intent to sue the employees.

The judge's order only permits them to use the information for the purpose of pursuing defamation actions in New Zealand:

> 5. Zuru may use the information disclosed by Glassdoor only for purposes of the anticipated defamation action in New Zealand.

https://casetext.com/case/zuru-inc-v-glassdoor-inc

Agreed. This banner is the new warrant canary [1]

The Legal Action Canary?

[1] https://en.wikipedia.org/wiki/Warrant_canary

A canary is something which is present when everything is fine and removed when the situation changes. It’s a stealthy technique for when you can’t be explicit. Adding a giant red warning at the top of a page is the opposite of a canary.
Ha, like poking more holes in a sinking ship!
That's actually a fantastic response.

- Reminds reviewers to avoid libel, since it may undergo legal review.

- Tells potential employees or customers that this is how the company responds to bad press/negativity (i.e. disproportionately).

- Doesn't subject Glassdoor to potential libel since the statement is objectively true (see court records).

Although I won't get too positive about Glassdoor as I've read negative reviews disappear[0].

[0] https://www.reddit.com/r/sysadmin/comments/8tfhxv/glassdoor_...

If they really wanted to make a statement they would boot them from their platform.
This is both more fair and more informative than censoring the company altogether.
I was hired via a consultancy firm (Ness Technologies) that would have me work in PayPal chennai office back in 2012. A new CEO came and basically reduced work force drastically, the worst mass layoffs I have ever seen. The environment then changed to worse rapidly etc. etc.

I decided to quit the toxic environment. Contractually I was supposed to get 2 months of basic pay, but Ness and Paypal conspired together and concocted a story where I have falsely accused someone of sexual harassasment and since it is false, I can be fired without that 2 months of money. Then they asked my to nicely sign a letter where I forfeit that salary willingly or they will report "this gross misconduct" to future employers.

My review in Glassdoor lasted a year.

PayPal wouldn’t open themselves up to that risk. 100% the type of shit I see consultancies pull, especially smaller ones or regional ones. Any with HQ in US wouldn’t risk it.

Unless the 2 contacts from each company had a personal vendetta against you. Then I can see it.

I think you're violating a couple HN guidelines here: assume good faith and "Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something."
Reminder that libel vs truth is dependent on where you are. In the US you don’t risk libel when speaking the truth but there are places where this isn’t the case.
To add some specifics, I think the common case outside of the US is one where the published elements must both (a) be true, and; (b) have been published for some "legitimate purpose". The phrase "legitimate purpose" is generally understood to mean "whose primary purpose is not to cause harm or nuisance". An example of legitimate purpose would be governmental transparency. An example in which something true could still be considered libelous might be notifying your ex-spouse's employer of his/her public intoxication charge for the purposes of stunting his/her career.

(I'm basing this general comment on my understanding of French law. I believe it works similarly in many, if not most, European countries. I hope some actual legal experts can weigh in!)

My understanding is that a statement can only be found to be libellous if it is false. If it’s true, it’s not libel.

You are saying this isn’t the case in some places outside the US. Which places, and how so?

It would surprise me if it is called libel in those countries. The more likely translation would be defamation.

In Sweden for example there is publisher responsibility which can limit truthful but harmful statement. Anti-doxxing laws has a similar purpose. There are also countries where people have a right to be forgotten, especially once a person has served their time in prison.

Look at the recent reporting around Shinzo Abe's death in Japan for a really good example of different libel laws. In Japan the burden of proof lies with the entity publishing the information.

A lot of the initial headlines were things like "Abe collapses at rally, shots heard" even though the article itself had a video of him getting shot and then falling down. Others just had a headline that equated to "Abe collapses during rally, currently in critical condition" without even mentioning a shooter.

Here's an interesting article about it: https://www.tofugu.com/japan/sued-in-japan/

Zuru's actions here speak volumes. Glassdoor's warning is more of a red flag than any review could ever be. They Streisand Effected themselves.
That may not help former zuru’s employees but obviously is a clear message to prospective ones. A nice FU from Glassdoor.

More interestingly it’s a nice way to forestall future lawsuits as well.

They're going to have a heck of a time hiring. I hope this gets a lot of media attention globally.
Not a good look on the current employees either that their firm sues for bad feedback. Probably good idea to start looking to move on to firms with better practices.
(comment deleted)
That’s really gonna help the Zuru recruitment effort
> It appears a few other companies are doing this too, including Kraken (https://www.kraken.com/)

Kraken is still silly for going after them, IMO, but the Kraken case isn't as cut and dry. The person who had left the review on Kraken had accepted a large severance package that was conditional on signing a NDA.

I think the bad PR Kraken got for going after them wasn't worth it (especially as the review wasn't really even that bad) but the ex-employee was also not really in the right there either, having violated their NDA.

Who cares if they violated an NDA? NDAs are supposed to protect company secrets, not prevent criticism.
It’s a contractual agreement to not air dirty laundry in exchange for money. If you want to bitch about the company publicly, don’t accept a payment not to.
Unfortunately, this is not true. An NDA is not a free pass to being able to censor whatever you want, even if the person signing the NDA took a fee, or received payment.

"NDAs do not prohibit people from reporting suspected corrupt conduct to an appropriate authority. The Crime and Corruption Act 2001 and the Public Interest Disclosure Act 2010 provide safeguards that allow people who have signed an NDA to report suspected wrongdoing, including corrupt conduct, maladministration and the misuse of public resources.

Under no circumstances do they oblige people who have signed them to maintain secrecy about suspected wrongdoing. You can still report suspected wrongdoing despite signing an NDA."

[1] https://www.ccc.qld.gov.au/sites/default/files/Docs/Publicat...

I don't know that I'd consider Glassdoor "an appropriate authority" to be reporting corrupt or illegal conduct to.
(comment deleted)
It can protect whatever the contract says. Usually, severance packages include a nondisparagement clause. I highly recommend requesting that they amend it to say "mutual nondisparagement" and re-word the terms to apply to both the employer and employee. That way you get paid to shut up, but they are also forced to abstain from making potentially disparaging statements about you. It's a good ask.
Being a shitty employer isn't the sort of thing an NDA is made for. It's not a trade secret that they treat their employees poorly.
Idk... a lot of companies "secret sauce" seems to be squeezing the life and passion out of employees to make as much money as they can. Sounds like a trade secret they'd need to protect.

/s

NDAs are sometimes not in the public interest and should be violated in those cases.
NDAs have got nothing to do with public interest whatsoever.

If you disagree with what the NDA covers, don't sign the NDA.

NDAs exist for a reason. If they don’t serve public interest, why allow them to exist?
Contracts between two parties exist to serve the interest of those parties.
Sometimes NDAs purport to cover things that NDAs cannot legally cover.
> At this time, we do not allow members who have created their accounts with Facebook or Google+ to edit their Account Settings. We apologize for any inconvenience as we work to change this.

:)

Opened the Glassdoor page and content was obscured (including part of the warning banner) with a large unskippable overlay to “Sign up for free to continue using Glassdoor”. In light of these news, perhaps they should reconsider that policy.
This is excellent. I'll never work for a company with that warning message.
Web3! For people who can't count up to four but intend to make profit off those who can't count up to two!

Chain!

I think maybe NFTs or blockchain solution. We could additionally try AI(if statements). /s
A decent outcome here would be if Glassdoor revealed all employers that attempt to go after former employees with alerts like the current one on the Zuru page.
Glassdoors business model is selling the ability to take down bad reviews. Why would they out their customers?
You can pay them to remove bad reviews?
How do I pay Glassdoor to take down a review? Is that on their website somewhere?
presumably you simoly wait for someone from the glassdoor sales team to contact you , the owner.

they will present is as a review optimization strategy.

this is how yelp did it back in the day.

i dont know if glassdor does or did it, just pointing out other review sites did do it and never posted it on their "pricing" or "services" page for employers...

> this is how yelp did it back in the day.

Yelp no longer does this?

Yelp now just send oven a couple of large men with baseball bats who say “Nice business you got here. Would be a shame if something happened to it…” to cut out the foreplay.
False and an unhelpful / irrelevant comment. Perhaps parent was trying to be funny but I found it confusing.
The rumor has long been that they contact you about it. Presumably they figure it based on page views and review volume to determine your hiring rate and churn etc and sentiment analysis of your worst reviews so they aren't just shotgunning these offers at every company that has reviews on their site.

Just passing along rumors I have no particularly informed insight here or verifiable reason to believe this is true, though I do believe it's in the plausible-to-likely range.

How else does Glassdoor make money, then? So somehow it's payola.
Every single review site that you don’t pay to access is funded by shady conflicts of interest and perverted incentives. Yelp, BBB, Amazon, Wirecutter. The whole lot. Yeah some are worse than others. But every one of them is entangled in ways that Consumer Reports or the old Angie’s List aren’t. (Angie’s List later became just another marketing channel. Originally it was a subscription service, though I don’t remember if they were double dipping or not.)
I'm surprised no-one has posted the email from Glassdoor suggesting this. You'd think one would get a lot of attention. Maybe they don't contact many companies about it.
Do you have proof or are you just throwing shit to see what sticks?
It's a rumor many years old at this point that I have also heard from many different sources. That doesn't make it true of course but it's not like they made it up on the spot today for this HN thread.
Hmm, that doesn't correlate with what they say[0] on their support site: "No! Employers cannot pay Glassdoor to remove reviews."

That said, it seems like negative reviews can easily end up violating one of the many other terms of use[1] around review content. Specifically that a user will not: "Post Content that is defamatory, libelous, or fraudulent"... and "Act in a manner that is [...] otherwise objectionable (as determined by Glassdoor)". That's really broad, and negative reviews can easily be framed as "defamatory" or "objectionable" even if they are factual...

[0] https://help.glassdoor.com/s/article/Can-employers-pay-Glass...

[1] https://www.glassdoor.com/about/terms.htm

> Hmm, that doesn't correlate with what they say[0] on their support site: "No! Employers cannot pay Glassdoor to remove reviews."

They could easily be telling the truth there, but still be effectively selling a good rating. They'd just have to sell a service to help monitor the reviews in some way for violations of ToS. Suddenly ~all of the bad reviews are "spam", "libel", etc. It's amazing how broadly things can be recognized as abusive if your pocketbook depends on it.

I have _no_ idea if they're actually doing this or not, but it's along the lines of the scam many review sites use.

This is as old as the BBB - you never ever "pay to remove reviews" you just, as a paying member in good standing, have the ability to request review of reviews, and the working ability to make sure things are "accurate and resolved".
This is what I presume is happening too.

I have worked at several companies that received a lot of poor reviews and often what happens if you keep track of those reviews over several months is that they "mysteriously" disappear. Of course by that point the person who left the review has probably moved on to a new job and can't be bothered writing another review that is sufficiently vague as to avoid potential removal. One company I worked at even had its overall rating significantly messed with (over 0.5 change within a month), as those old reviews disappeared and "mysteriously" a bunch of vapid positive reviews appeared.

All that said, I still check Glassdoor before every job I interview for. You just need to be mindful - especially for larger companies who can afford the time to curate their reviews - that the score is perhaps a little inflated, and that the reviews that remain are as tactfully-worded as possible to avoid deletion.

I’ve noticed what I think is a trick to hide the negative reviews with default filters. When you first go to the reviews page it will say something like “Showing 30 of 35 reviews” and the filters are “English” and “Full Time”. Sometimes reviews don’t have those tags and most people don’t notice they are just being subtly filtered.
A factual review cannot be "defamatory, libelous or fraudulent" by definition.
Semi-related scheisty Glassdoor anecdote: I worked at a company Foo which appeared as 2 separate companies on Glassdoor: Foo, and separately Foo Technology.

Foo Technology unambiguously did not exist as a separate company in any form.

Thing is, Foo was the unlikely company where the line workers were more satisfied than the Technology employees - the company overall was very decent but the technology org was toxic.

Accordingly, Foo Technology had lousy ratings and negative reviews, while Foo has largely positive reviews and a strong rating. The difference was on the order of Foo~=4.0 while Foo Technology~=2.0, both derived from a significant number of employees.

You can imagine the pitfall this could create as a prospective technology employee contemplating a stint at Foo.

As a disgruntled Foo “Technology” employee I contacted Glassdoor to notify them that a nonexistent company was distracting many genuine reviews away from a legitimate company.

Glassdoor notified me that they would not provide any corrective action unless the formal owner of the Glassdoor account for Foo agreed to it.

This told me that accuracy of reviews on Glassdoor comes in a few positions shy of their top priority.

Although in full disclosure, a year or two later the 2 separate “companies” did get merged on Glassdoor. I don’t know what the impetus finally was, but they certainly didn’t give a shit when I notified them of the snafu with their system.

A company I used to work for did something almost exactly the same. Makes me wonder how often companies do this to skirt negative reviews.
If that were true, then it would seem their asking price is greater than the cost and risk of de-anonymizing and suing former employees.
Ego+Pride is a helluva drug.
The companies that go the lawsuit route probably didn't pay glassdoor to get the review removed in the first place.

The companies they'd be outing aren't valuable to glassdoor.

A decent outcome would be Glassdoor covering the users' legal fees.
They do, at least in some cases.

Another comment here suggests the following Google query:

  "Glassdoor Alert: Employer Legal Action" site:glassdoor.com
Which does indeed highlight many other companies that have taken legal action against their reviewers.
Glassdoor is in no way taking the side of employees. It's business model is based on selling out to the employers.
It’s amazing that companies with billions of dollars of revenue make such poor moves. All I think when I see a story like this is “well I guess there isn’t much competition in NZ toy companies”.
>Glassdoor’s FAQ goes into a little more detail about how they will defend user anonymity. They know this is vital their success:

If glassdoor cares so much about anonymity, why didn't they engineer their site in such a way that prevents them from being able to deanonymize reviewers? For instance, not keeping identifying user details after they have been verified?

Like most things in the modern world, it's built on bullshit and hopes that no one notices. In this case someone noticed and going to clean house.
Devil's advocate: Spam and abuse are ongoing problems, and are often the answer to "why we cannot have nice things?"
Probably because doing so is hard. You not only have to verify that a review is coming from an actual current or former employee, but then you have to ensure that the same employee cannot write multiple reviews. If you discard all links between a reviewer account and a review, how do you do that?

I imagine there's some sort of zero-knowledge magic cryptographic thing you can do (or maybe something simpler, like a... Bloom filter?), but perhaps Glassdoor didn't want to go for the effort and expense to implement it.

Just goes to show you, unless you can prove anonymity client-side, never assume you're anonymous on the internet, anywhere.

> You not only have to verify that a review is coming from an actual current or former employee, but then you have to ensure that the same employee cannot write multiple reviews. If you discard all links between a reviewer account and a review, how do you do that?

Just FYI, Glassdoor does NOT try to prove that reviewers are current or former employees. Anybody can post claiming to be an employee, and Glassdoor will accept their review.

"The same employee cannot write multiple reviews" - they can create new accounts.

But even if you want one account to not write multiple reviews, you can flag that an account wrote a review for a company without tying it to -what- review.

You can even disassociate that; hash usernames with the company and store that to track who has written a review. Then, you can only confirm that a given user account has written a review for a company, but not which review is theirs, and given a company you can't determine what users wrote those reviews without attempting to hash every username against it.

And that's if you -absolutely- have to try and prevent an account writing more than one review (again, noting that you can just create another account).

> without attempting to hash every username against it

Given even a few million users, this is trivial. Other than that, I agree with you.

Certainly, but it moves it from a "we just have some legally-should-be inactionable data laying around" to "we don't even have that data laying around".

The fact that it's impossible to comply with "who wrote -this- review" is probably sufficient, but "and we don't even readily have access to who wrote -a- review" can help prevent fishing expeditions, since presumably a judge will be less amenable to such fishing expeditions if you can show it will have negative material effect to comply, while still not providing any legal path forward to sue for the prosecution.

But that also makes assumptions both of user counts, and rounds of hashing. 50 million users (seems reasonable with Glassdoor), with a sufficiently slow hash that takes a second to compute (easily done) means you'll have to wait a year and a half for results for a given company, or start to parallelize things, and, oh, look, now you have dev time and CPU resources and, well, this has a materially adverse effect on our business, and we'll be left with usernames we still can't release since this discovery order only is valid for this -one- review, and we have no way of knowing which it is.

> Probably because doing so is hard. You not only have to verify that a review is coming from an actual current or former employee, but then you have to ensure that the same employee cannot write multiple reviews. If you discard all links between a reviewer account and a review, how do you do that?

It doesn't seem hard to me.

1. when making a review, send a verification link to the email on file

2. after the email is verified, post the review, but delink the email from the actual review.

3. to prevent the same email from being used to spam reviews, add a coarse grained timestamp (eg. rounded to the nearest month, depending on how much activity the company gets) of when it was last used.

4. if you want users to be able to update reviews afterwards, display a secret key to them and keep a hashed version on file. The user must present the secret key if he wants to update his review

Glassdoor makes no attempt to verify employment ever took place. In fact, they don't even allow making an account without an employer, so the unemployed have to lie if they want to read reviews.
(comment deleted)
Can’t you hash the email and then store only the hash? If your hashing alghorithm is heavy enough you could easily figure out that a review is already posted, but brute forcing the original value would be impractical.
Email addresses aren’t usually secret though. If an employer happens to know the personal emails of a large fraction of its workers, it isn’t going to be meaningfully slowed down by a hash. 1M addresses * 1 second/address = ~12 days (and in practice a lot less since hashing is nearly trivial to parallelize)
>Zuru hasn't simply alleged that it suffered a loss; Zuru’s cofounders declared, under penalty of perjury, that because of the negative reviews, Zuru had to spend more money to recruit job candidates for a particular position.

Does Zuru have proof it's because of negative reviews and not other causes?

Yeah, this line almost made me laugh out loud. "We promise that this happened and these evil reviewers are why! Believe us!"

Um... no? I don't. At all.

Their proof (or lack thereof) would generally be evaluated at the trial stage. This is a pre-trial procedure, so it's mostly take at face value.

If another party so moves, they could ask the court to stop the plaintiff, and the judge will make a decision. But that's not automatic--somebody has to specifically ask for it.

You're right, but this is still a very funny sentence that only a lawyer could take seriously. "Zuru didn't just allege it, they DECLARED it!"
Sounds very SovCit
I think your inference may be backwards... Sovereign Citizen types sound like this because they're aping "legalese" in an attempt to sound authoritative to ignorant people.

But this weird, kinda archaic, jargony, overly-specific English is just how regular motions are written, by real lawyers in regular courts.

(And yes, it does sound funny, if you're not used to reading/writing it.)

I get why it sounds funny to us, but it's mainly a highly jargon-y form of language used for motions in court. When you're writing this stuff, you're expected to phrase yourself in the appropriate fashion.

There are also certain specific legal terms and phrases that work kind of like reserved words or functions in a programming langauge, because they invoke a specific legal effect in how the court needs to handle them. If you don't phrase your motion properly, your motion could be denied because it. Or maybe the judge let's it slide, but you piss them off and wear down their patience.

Anyway... For us, it sounds funny because we're ignorant of it. Just like how programming languages may sound funny to non-programmers: "If X then Y else Z" is similar enough to English, but it'll make the kids giggle if you ask them to read it aloud.

I mean, they’re gonna have to spend a hell of a lot more on recruiting now that the Streisand effect has kicked in.
I don't think they really thought this through.
I think Glassdoor being member access only limits Streisand effect a lot.
It does, unlike you try to sue people and your company is plastered all over the news
If you search for legal help with bad glassdoor reviews, most legal firms even advise not to go after glassdoor through the courts.
They'll have a hard time arguing that suing their ex-employees doesn't make this moot. Any reputation they were trying to salvage is lost.
Does Glassdoor actually have any business operations or webservers in NZ that would be subject to this order if it was issued from a court in NZ?

Since when does a NZ order apply to a non NZ company. For example, American media regularly publishes the names of persons charged with crimes in Canada where the name may be banned from publication by a Canadian court. It's a first amendment thing.

If US companies start obeying orders like this, how is it any different from getting a court order from a "totally neutral" court in Hong Kong, actually controlled by beijing, to de-anonymize the users of an american-based web service.

Looking at the details, it appears that they were sued in a us court in California, so the order does apply.

> Does Glassdoor actually have any business operations or webservers in NZ that are subject to this order?

The court order itself is from a california court. They can't just tell that court to fuck off.

But why is a US court telling Glassdoor to do something because of a New Zealand law?
It’s a great question. I don’t know the answer, but I have a sneaking suspicion. Something something Kim Dotcom? There must be some treaty…
Congress already passed a law to prevent foreign libel judgements (well, ones which wouldn't pass 1st amendment muster), from being enforceable by US courts.

And now we just have US judges deciding they should apply NZ law without applying the 1st Amendment?

https://en.wikipedia.org/wiki/SPEECH_Act?wprov=sfla1

I think maybe this is because the user who left the review is a New Zealand national residing outside the U.S., so they do not have any first amendment rights. If the user was American, I think they could assert a first-amendment right to anonymous speech to prevent being identified. (Although such a right is not absolute, there is a balancing test involved: https://storage.courtlistener.com/recap/gov.uscourts.cand.36...)
I read the ruling. It is apparently because of this law in the US statutes: https://www.law.cornell.edu/uscode/text/28/1782 which authorizes a judge to "order [some person] to produce a document or other thing for use in a proceeding in a foreign or international tribunal ... The order may be made ... upon the application of any interested person"

It is mostly up to the judge's discretion, but case law establishes 4 discretionary factors to consider: 1) whether the request is from a potential lawsuit participant, 2) nature of the tribunal 3) whether discovery can be obtained by other means, and 4)whether compliance is burdensome.

Interesting. Thanks for the research!
Zuru's entity spans multiple regions, a Californian court can compel a US-based entity to hand over records for data held in another region. It's the reason why some organisations refuse to work with any organisations that can be compelled under the PATRIOT Act (about 98% of tech companies).

Also see: Kim DotCom. Broke no laws in New Zealand, will eventually be extradited for a civil matter. He's delayed it a long time though.

Meh they was extradite him asap now that he supports Russia, is anti vax, and spreads China propaganda.
Please stop with these inane "but can we get away with ignoring the law elsewhere????" comments - it pops up every single time a US corporation is held to account for laws in a country where it violated them and it never stops being tedious.
I'm sorry, no, US corporations and people should not be held accountable to every foreign country's arbitrary laws, unless you want to set a precedent of legal action against the webservers of Human Rights Watch and Amnesty International for publishing information about the state of things in Xinjiang province or Uzbekistan freedom-of-press.
I read through all the reviews. https://www.glassdoor.com.au/Reviews/ZURU-Reviews-E2286297_P...

I don't see anything out of the ordinary, and there are definitely some common threads amongst negative reviews.

Wouldn't they have to prove the allegations are false?

>Wouldn't they have to prove the allegations are false?

That's mostly a US thing. England and many former english colony countries have quite liberal (illiberal?) libel laws that puts the onus of the person making the claim to prove it's true.

>defamatory statement is presumed to be false, unless the defendant can prove its truth

https://en.wikipedia.org/wiki/English_defamation_law

Why you should never leave Glassdoor reviews using;

- Your real name

- Your real email address

- Your real salary and job title

- Your normal vocabulary and idioms

- Any of your devices (as in, go to an internet cafe or something)

They can deanonymize as much as they like all they're going to find is that "dbcooper42069[at]hotmail", using non-region specific language, took a very dim view of company X's management style and pay rates.

> - Your normal vocabulary and idioms

I think that this one is way harder to avoid than you might think, short of having someone else write the review for you (which might not be a bad idea!).

You might be able to get by with something like throwing it through Google Translate to a different language, then back, and then fix only anything that's _unreadably_ awful. Might be too blunt of a tool though.

The other thing I can think to try to do would just be avoid any complete sentences, just give short bulletpoints or something. Resticting the amount of text should make it harder to get anything like a real match.

Yeah it's not easy, having someone else write it like you said is probably the easiest way.

In a few reviews I've left (using different accounts etc for each one to avoid fingerprinting!) I've written the review myself, changed it to a formal register, thesaurus-ed a few words, and also threw in a few red herrings to make which team I was from appear ambiguous (for example, whine about sales tooling/CRM when you're an engineer that has nothing to do with sales).

I've never used glassdoor myself, but don't you need to use your company email while leaving the review to prove you actually work there, so leaving an anonymous review isn't even possible? Why would anybody use glassdoor if that's the case?
I think you have the option of saying that you're a former employee, and in that case you only need to validate an address not one tied to a specific domain.

In any case the idea of a company email is a little hard to define from the perspective of a 3rd party that deals with millions of companies; different TLD's, domains, sub domains etc make it very hard to nail down exactly which pattern is the definition of any given companies real email addresses.

I’ve never used Glassdoor, so it’s a big surprise that they collect and retain identity information in the first place. I would never, ever provide my real name while talking about my previous employers, even if I was told that I would remain “anonymous”
I'm curious does it matter if its a previous employer? what could they possibly do?
I live in the US, where people and corporations are notoriously litigious and I’ve worked at some terrible places.

For example, I once had a coworker that would openly crush up and snort various pills between calls while fundraising for one of the two main political parties. This was not an issue for management.

I would never post [name of that employer] from any account that could possibly be attached to my name anywhere.

That doesn't sound great but was this person actually doing anything to interfere with you other than existing in your presence?

Just curious, and I agree it's unprofessional. I can be quite judgemental, though.

Yes. A guy railing a line of Concerta right next to me while I was on a call loudly enough for the possible donor to hear and ask about it was a problem for me.
Why would a possible donor ask about a noise that sounds extremely similar to someone blowing their nose? This comes off as moralising for the sake of moralising, nothing actually harmful has happened.
Buddy I don’t know what to tell you here other than the noise a person makes after snorting a pill that was explicitly designed and engineered to be unpleasant to snort is not a normal noise.

Edit: This is the funniest exchange I’ve had on this website, thank you. “Preferring people don’t do lines of apparently excruciating substances right next to me, at work, in an office, while I’m literally on the phone” being “moralizing” is hilarious.

It's good to know I made someone happy, even if it was entirely by accident :)
I think they do try to verify that the person posting the review actually worked at the company they're reviewing. Otherwise it would be filled with spam and competitors trying to badmouth each other.
Does Glassdoor even have a legal presence in NZ? If so, why? If not, why are they even bothered by this?

Could they theoretically not just play hardball, ignore the NZ courts entirely on the basis that they have no legal entity within NZ, and see what happens? Are there cross-border legal agreements that give the NZ courts any teeth? Or would it come down to NZ having to mandate that all ISPs block Glassdoor within NZ?

This order is from a California court.
IANAL - you instinct is good generally but you missed a key point.

Zuru is suing in CA to compel glassdoor to produce information.

Zuru is not suing glassdoor for breaking NZ law in CA. That would make this case go away very quickly.

Instead, Zuru is saying they intend to sue NZ individuals in NZ, but in order to sue, they need info from US based glassdoor.

there may be some kind of cross border agreement to facilitate information between NZ and US. Politics aside, i dont know if a US company could be compelled by a US court to produce information to sue chinese or russian citizens, under those respective laws/jurisdictions?

Aha, thanks for that key point, that does change it a lot. I missed that this was in CA and for whatever reason assumed it was all going through the NZ courts.

I am sure there is some form of cross-border agreement between NZ and the US, but I don't know any details about it.

Once had a contract where my client wanted me to do "security work", which was initially meant to be for pentesting their clients, but it turned into me building their wifi auth system.

At some point in the gig, one of their clients went to them asking them if it was possible to de-anonymize someone glassdoor review since someone still-employed worked with them. They then went to me to see if I could do it for them. They didn't clarifywhy they went to me, but I legitimately think they wanted me to "hack" glassdoor. I told them in no uncertain terms that I wouldn't do it and they backed off.

A bit later they fired the employee.. I didn't hear how they found the person, but it really spoke to the lengths that some organizations will go to burn down the lives of those who speak up.

Use this google search to find more companies that do it:

  "Glassdoor Alert: Employer Legal Action" site:glassdoor.com

  https://www.glassdoor.ca/Reviews/Employee-Review-Media-Consulta-RVW23674692.htm
  https://www.glassdoor.ca/Reviews/Canidae-Reviews-E845482.htm
  https://www.glassdoor.com/Overview/Working-at-Echelon-Environmental-EI_IE1069898.11,32.htm
  https://www.glassdoor.ca/Reviews/Canidae-Reviews-E845482.htm
  https://fr.glassdoor.ca/Pr%C3%A9sentation/Travailler-chez-Echelon-Environmental-EI_IE1069898.16,37.htm
  https://www.glassdoor.ca/Reviews/Employee-Review-BW-Legal-RVW58014087.htm
DNS records of your VPN or corporate work station would be pretty easy. You can line then up with when the review was posted. Then investigate their workstation more "thoroughly".
Pretty uncool to give employers ideas on how to force their IT staff to rat out employees who speak out.

Edit: yikes, people.

I'm not for it, I'm just saying - it's trivial. I was in your position, kinda - spent many weeks "searching" but "found nothing". They fired them anyway.
Alternatively, it's a warning to employees on how they might get caught.
Once again for those in the back, never use your employer's equipment or network for anything you don't want them to see!
Insidious problems are things like sync (Google Chrome favourites, Dropbox etc.).
Refer to your work laptop as your “girlfriend”.

(SV reference)

Pretty dumb to talk crap about your employer on said employer's hardware and/or network, regardless of how true it is or not.
Nah that's a pretty obvious way to catch people and any sysadmin knows it. Browser history is a good spot to check too.

Be smart kids. Do your employer bashing at the public library.

Or cool to give employees an understanding that employers aren't their friends and can and will go to extreme lengths to screw them over if it benefits the corporation. Also just general advice to avoid doing things on your company laptop if you don't want your employer to know about them.
That's all fine and dandy and I agree that employees should be informed of these methods. My issue is more with the framing of the post, which clearly doesn't have a cautionary spirit that informs those who'd potentially affected by a vindictive employer. Instead, it's playful curiosity of how to rat out an employee.
Pretty much everyone is carrying around a pocket computer connected to the internet 24/7 with which they can do all their non work related tasks on, including badmouthing their employer.
How many get connected to company WiFi?
They all have the ability to disconnect with a swipe and a tap. Life does not get much easier.
Right, but I'm trying to consider the average user. They likely aren't aware their activity on their phone is being logged on WiFi. My assumption is that once they got it connected to WiFi, it leaves attention and isn't considered
If employees cross streams and use the same device on both the employer's network and off, and they post to Glassdoor off-network with the same device, a subpoena could reveal identifying information to the employer. Glassdoor can also choose to just hand over that information when requested, as well.
This is a good example of why not to do personal stuff on your work machine or work network.

If you care at all if your company would see it, _don't_ do it anywhere near their hardware.

Actually, since Glassdoor's protection can obviously be compromized, anyone posting on their site should do so with Tor Browser, which anonymizes access by routing traffic through a minimum of three relays in the "dark web" of the Tor network. It might also be wise to do this on a public WiFi network (not your own ISP or mobile data provider).

Any email provided to Glassdoor should be a burner on a service that is not one of the majors (no gmail) also set up with Tor browser, specifically for Glassdoor (and used for no other purpose).

Finally, the text that is posted should be somewhat disguised if possible, with altered vocabulary, atypical slang, and distinctly different grammar and sentence structure. Any facts that can reveal identity should be removed.

Under no circumstances should a native Android/iOS app be used to post or access any such review.

It sounds like we will have examples soon of what happens without these precautions.

I imagine that many reviews will be coming off Glassdoor's site rather soon.

Isn't the entire point of glassdoor that people use their work email to prove they actually work for the company?
If it’s a managed corporate laptop that uses Chrome, then they could remotely check the browser history, likely directly to the review itself.
Are you sure this is possible? I thought managed google accounts didn't allow admins to access browsing or any other history.
If they have managed Google accounts they probably have admin on your device as well.
To belay paranoia, this is not always the case.

I manage a company's google workspace, and we don't have managed browsers or devices, and no one has ever asked to have that capability.

Until the first case when an employee sends death threats from your company laptop and you need to provide the data to the police to help in investigation.

Or the first case when some shared credentials get compromised probably from an infected computer and now you need to find which of the 80 laptops is the infected one.

Or the first time employee converts his laptop into a wifi access point for the office girl upstairs and unknowingly lets her inside your companies private network.

Of course, there are workarounds and better practices for every example. You can solve it without admin access to laptops and network request logging. But company property is not anonymous either with or without full admin access - so why jump trough the hoops to not have it?

I am going to guess you don't have any security or compliance folks.
(comment deleted)
If you sign into a personal Google account on a new Chrome profile on a managed laptop, can they get access to your entire Google account (drive, emails, etc.) remotely? Can they use an auth token or something to automate the process of downloading all your data? If so, is this legal?
> If so, is this legal?

If it’s a company provided laptop then it’s a good idea to assume that every keystroke, DNS request, and network packet is fair game.

Laptops are cheap. There’s no reason to mix personal and corporate usage.

> If it’s a company provided laptop then it’s a good idea to assume that every keystroke, DNS request, and network packet is fair game.

From an OPSEC perspective, sure. But the question was whether it's legal for an employer to do it.

You might also get a phone call (on your private phone) about a private medical matter while at work, but I would hope your employer couldn't use the CCTV audio they have in the office to decide to fire you based on that information (though I don't know if US laws actually protect workers in this case -- in Australia and basically all of Eastern Europe this would be insanely illegal on several levels).

> Laptops are cheap.

Not for everyone.

If you live in a civilised country, it is illegal.
>From an OPSEC perspective, sure. But the question was whether it's legal for an employer to do it.

How often did that stop an employer?

I don't know if this is the case in the US, but in Australia it's very easy (and relatively cheap) to take your employer to tribunal over violations of employment laws (if it was very clear-cut or severe violation you could even make a complaint to the relevant regulator which could launch an action on your behalf). Something being illegal means if they did do it, you'd be owed compensation.
> Not for everyone.

Still cheaper then searching for a new job... without a current one.

Disagree, with the money I would be awarded from my employer for their breaking of both employment and privacy laws I think I could easily purchase a new laptop - and also fund a few months of vacation while searching for the next job.

(This probably doesn't work so well in the US.)

From the article: The only thing they did wrong was not more explicitly mention the monitoring. So it wasn't illegal to monitor communications, rather it was illegal to fire someone for using their work account for private communication without sufficiently warning them. All they have to do is make you sign some document on day 1 and they're covered. Also they were not awarded any damages or anything, so it's not like you'd get a payday after being fired.

>Commenting on the ruling, Pam Cowburn, the communications director at in London, said: “The European court’s ruling is welcome. In some workplaces, it may be necessary for emails to be monitored, but if employers are going to do so, they should make staff explicitly aware of it.”

>Despite finding that Bărbulescu’s rights under article 8 of the convention had been violated, the court declined to award him any compensation, saying the ruling was “sufficient just satisfaction”.

It's definitely NOT illegal in EU if the user is appropriately informed, usually in your employment contract you sign a clause about that. Even the government does it to their employees.
No, there have been all kinds cases of enforcement action in EU where the user was informed but the employer could not justify the violation of privacy; in general EU law and especially in privacy law it's quite frequent that some explicit "consent" clause in employment contracts (essentially, if it's a standard clause in all agreements and "take it or leave it") is treated as not representing true consent and void.

The largest example probably is the 2020 GDPR fine of 35 million euro for clothing retailer H&M for violating the privacy of their employees, despite the employees being informed of that.

What you're talking about has absolutely nothing to do with tracking usage of workplace computers and networks - H&M kept "excessive" (sic) records of personal data of people who were not their employees at all (family members of their employees) - and the problem wasn't that they had some data because in EU you're required to keep track of families of your employees due to tax reasons, but that they had too much of it.

In most EU countries, tracking company-owned hardware is explicitly okay, and where it's not mentioned in law there are judicates that make it OK.

As I said, even the government and its wholly/partially owned enterprises are doing it, and working as a contractor for the government here requires you to track usage of your employees' workplace computers too, so I can't see how it could be in any way illegal. Same thing with working for banks and insurance, and I bet there are more cases.

In The Netherlands, employees enjoy a reasonable level (much stronger than this scenario) of privacy even on company equipment [1]. That is: the company cannot randomly access an employee's mailbox. Of course, in case of employer-employee dispute, things become hairy - but even then, the company is not allowed to go on a fishing expedition. Though they can go on a confirmation run, looking for specific evidence, e.g. mail from Glassdoor.

Don't know about other EU countries, but at least NL deviates significantly from the sketched scenario.

[1] https://blog.iusmentis.com/2017/11/22/wanneer-mogen-mailbox-...

This is an interesting question post-pandemic where the network the laptop is using may be an employees home network, especially if there is some kind of active scanning involved.
This is a real problem, especially for InfoSec tools. Many EDR tools, such as MS Defender for Endpoint (or whatever it’s called these days) and Crowdstrike Falcon, include functionality that will scan your local network for devices in order to discover unmanaged devices…

It’s a nightmare from a privacy point, but its also a problem for the InfoSec tools… How do they distinguish between an unmanaged private device on a private network or a unmanaged device on a corporate network?

> its also a problem for the InfoSec tools… How do they distinguish between an unmanaged private device on a private network or a unmanaged device on a corporate network?

Trivially, from the simplistic (check IPs and router MACs / SSID in use) to the marginally more advanced (deploy an agent that is only reachable from the corporate network) to determine if the tool should even be running in the first place.

Every home router should make it easy for people to create separate VLANs for work to protect against this.
VLAN's aren't security. No way to force respecting the protocol.
Tag on the switch port?
Meta data leaks in frames and devices shown not to be reliable on 'respecting' boundaries.
It's really difficult to find solid guidance on how secure that is.

E.g. tag the port on the switch, run a cable to the device so that it doesn't know there's a vlan involved, block routing between vlans. As far as I can tell that's probably good but might not be.

> If it’s a company provided laptop then it’s a good idea to assume that every keystroke, DNS request, and network packet is fair game.

In the USA and other countries with subpar privacy laws.

Which countries don’t allow a company to monitor activity on company equipment and company networks during company time?
IIRC Danish law states that work email may be used for private purposes and that anything clearly labeled as private is to be considered such. For example, by moving email to a folder called “private”.

For the employer to open/read such communication would be highly illegal, akin to opening others private snail mail.

I do believe that this also extends to corporate issued phones and computers. Especially since you’re automatically taxed for “private use” of such equipment when assigned.

That doesn’t apply at all here?
> here

I think you need to specify "here" to get an answer to that question.

The thread we are in about companies monitoring people accessing Glassdoor and penalizing them in various ways for using it to say things the company doesn’t consider flattering.

That has nothing to do with putting private email in a private folder on the company mail server, near as I can tell, and nothing in that statement would address the statement about companies monitoring use of company equipment and network etc.

Since they’d need to know even in the private email case what they folder names were, for instance, to know there even WAS private email.

> Especially since you’re automatically taxed for “private use” of such equipment when assigned.

so you get charged a tax when an employer gives you equipment required for work? What happens if you can't afford that tax then?

This feels very wrong - taxing someone for a potential benefit when it is not proven that such benefit exists.

In Israel, if you are assigned an employer car, you generally have to prove you don’t make personal use of it to avoid taxation - e.g. prove it isn’t in use almost every weekend (usually done by parking in a managed lot and showing the receipts or stuff like that).

The vast majority of people prefer to also use the car privately, and pay the tax (which is reasonable, if taxation is reasonable).

Cars that keep rotating between drivers are not subject to that (but exact record keeping of driver and trip required to avoid tax)

Similarly, employer provided phone subscription is assumed to be partly private use (50% of monthly subscription cost considered a a taxable benefit iirc), not sure what hoops you need to jump through to prove it is not private use at all. (But phone plans are cheap - excellent domestic plans are $10 or so)

It's up to you if you want to use company provided equipment for personal/private use or not. If you declare that it's only used for work purposes, there is no tax. The tax makes sense, because it's effectively extra salary (eg if the company gave you a leased car).
> so you get charged a tax when an employer gives you equipment required for work?

Obviously this only happens when the equipment you get can plausibly be used for personal purposes. Such as a company car.

> What happens if you can't afford that tax then?

That's extremely unlikely.

In Germany, you need to document clear and reasonable suspicion of the employee doing something shady before you can monitor them (especially without their consent). It's not fundamentally illegal, but the rights of the employee also weigh in heavily and need to be outweighed before you can start e.g. recording their screen without their consent.
The idea that 'company time' and 'company equipment' gives the company absolute right to record and ownership of recording is almost feudal.

Imagine I were to die in the office in some embarrasing way, on company time, in full view of company CCTV, do they have the right to upload the video to YouTube to make money from it?

What if they record audio of me at home, can they publish it? Can they show it to anyone at the company?

What if audio is recorded outside of compaby time by a company laptop thats had its lid closed? What if it's recording 24/7?

Are they allowed to snoop on traffic of my home network? If I have a home camera thats not password protected, can they help themselves to that Video?

If my network drive has no password, is it okay if they help themselves to those files?

You seem to be building a straw man here?
I assume he is trying to establish a dividing line between acceptable and not. For example, I'd consider all mentioned uses to be unacceptable and hopefully illegal, but I think others may be fine with it.
I an not actually sure that they are illegal - are they?

I can't think of which law stops a company sharing a video of your death - presymably they own the copyright

Just about every EU-based company allows for network defense and visibility to include things like SSL inspection and egress monitoring. Some may consider this surveillance, but what needs to be stated from a governance standpoint is that this monitoring is reasonable from a risk mitigation standpoint and the expectation needs to be written within acceptable usage policy.

Even more restrictive countries like Germany are fine with this.

Most of developed countries except the US.

People have legitimate expectations of privacy in the office and/or during working time.

Employment means selling your skills and effort, not becoming a servant or a slave in a feudal society.

Additionally, having delicate information in the hands of the company in general or sysadm/security engineers create a ton of liabilities.

There has to be a balance between security needs, corporate surveillance, privacy and worker rights.

Practically, the company needs to administer and secure their equipment for a number of reasons, including a legal need to keep their customers data safe.

That requires them to use tools which can easily let them know, for instance, what websites someone is visiting, and what executables are executing on the machine, what devices are being accessed and when, etc.

It’s pretty fundamental. An individual looking to secure their machine would need to do the same thing.

If a company abuses that to spy on every waking moment of an employee, that is obviously abusive (barring cases of investigating legitimate suspected abuse by the employee I guess?). But you’d need to somehow codify in law the line, and I haven’t see anyone having any success here so far.

I have seen employees steal massive amounts of trade secrets, secretly steal customers from employers, run porn sites from company equipment, etc.

I’ve also seen employees so creepy stuff like stalking customers, stalking other employees, harassing other employees using this tech too.

Personally, I’ve always kept employer laptops and stuff closed and off when not used, and try to segregate personal and work equipment, but that’s been more to avoid something embarrassing coming up during a presentation or the like.

Just because it is easy and achieves a purpose doesn't make it necessary or right.

People could be making backhanded deals on their phones or they could be having an urgent confidential conversation with their doctor or spouse. Should the company record and review phone calls?

People could be stalking customers/coworkers or making deals in the bathroom. Or they could be using it for more personal purposes. Should the bathrooms have CCTV with audio?

People could be selling company data in the company parking lot, in the mall or at home near/using the company laptop/phone that is permitted to be used for personal reasons, or just mandated to be near them, or they could do the same thing without presence or use of any company equipment. Where do you draw the line, and at what point is it even sufficient to prevent losing information etc.?

Do you trust your employees? All trust can be abused, yet how can the company function if they don't trust their employees at all?

Correct me if I'm wrong but if the assumption here is that the EU prevents employers from reading private correspondence of employees then I find nothing to back that up. On the contrary, an employer in the EU explicitly seems to have such rights, given they jump through a few formal hoops first:

https://www.grcworldforums.com/business/can-employers-legall...

It depends on the country in question. In Ireland, for example, any workplace surveillance must be necessary, legitimate, and proportional. The employee also must be informed in advance of who, what, how, and when they may be surveilled.

It is very hard to see the Workplace Relations Commission (WRC - the body which handles workplace disputes) accepting that identifying a user on Glassdoor would meet the test of being necessary, legitimate, or proportional. This is particularly true as the WRC has previously found that monitoring internet usage for example for pornography is not proportionate where the employer has the option instead to block such sites and make a policy against their access.

Of course, an unscrupulous employer could also use surreptitious surveillance and find another reason to let the employee go, although firing an employee in Ireland is notoriously difficult short of gross negligence.

OK thanks interesting, although I would like to add that I did not address trying to identify and punish reviewers on Glassdoor, which may or may not be illegal all over Europe depending on the nature of the review. That point I tried to make was that the GP was exaggerating when painting the US as an outlier regarding the rights of employees of not to be monitored.

The US is more "employer-friendly" if you like, and much less complicated to fire employees (boo!) compared to Europe - yes. But generally not categorically different when it comes to the right of employers to snoop on their employees, which people here might want to be aware of.

> The US is more "employer-friendly" if you like

Understatement of the year.

Surprisingly I was at a party in SF with a bunch of Apple employees. Somehow some topic came up and I was like "I don't do anything personal on my company laptop. I especially don't look at porn". All 6 of them said they used their company laptops and phones to look at porn all the time.

Wow

I've heard some pretty simultaneously funny and Orwellian stories about this, mostly about people being fired for looking at porn using work laptops and the specific porn they were looking at.

Don't use work computers to look at porn, your employers already know about it.

I'm as sex positive as they come but even I think it'd be pretty dumb to have pornhub pop up while you're sharing your screen in a meeting or something
About as dumb as having model train collector site up, or reddit or hn or whatever...

It was actually kinda a joke with my friend when used to help him code. Leave something nasty open just for amusement.

One good reason is that porn sites are notoriously riddles with browser 0 days. To this day I get the odd Safari crash every other month.

We've decided to structure society such that some people starve, and we consider that acceptable. There are even children who are "food insecure".

Apparently nobody cares about anyone else's most basic needs like food (even our most vulnerable), I can't see how they'd care about someone else's need to jerk off.

Lol I nominate the above to the title of most entitled and out of touch comment of the month. How is this "basic human need" if online porn didn't even exist before 1990?
Neither did the internet. Or electricity before that.
And none of those are basic human needs. They're just comforts we've grown accustomed to.
Eh, you can't even apply for a job without internet access these days. I'd say internet access is essential for participation in society.
So you say it’s fine if your office had no electricity and running water?
If it's not required to do the job and they pay well, then why not. I can easily survive 8 hours without running water. Geologists (often with masters or even PhDs titles) working in the field have neither, and they like their jobs.

Moreover, seeing the right to be paid for jerking off while at work as fundamental human right is really unhinged.

You're using a different definition than i am then, and dare I say, an archaic one.

Basic human needs and rights only make sense in the context of the society in which said humans are a part of.

Homeless? Not a problem in nomadic tribes. Cities? Basic need / right.

Access to food services? Not a problem for the Buddhist monk. Cities? Basic need / right.

Electricity? Not a problem for the Amish. Cities? Basic need / right.

Internet? Perhaps not as established as the above, but definitely establishing itself very quickly in most cities.

(comment deleted)
Correct. Rape, theft, murder, and other actions can be performed along the way of people fulfilling their basic human needs, so the reasoning doesn't really justify all activities.

The way I look at it (and not saying it is the best way, just works for me) is that my public/professional person is my brand that the world sees and thinks of when I interact with them. Regardless whether that is big brother junior analyst in IT or a client CEO, I try to keep that consistent and inviting.

If on the weekend I want to only drink Soylent, trade crypto, and otherwise engage in fun but less inviting behaviors, I'll do that off company property.

Apple generally encourages employees to use their devices as they usually would to “dogfood”.
Some cynicism on the part of their engineers would be prudent despite that advice. Lots of places encourage you to use the company phone as your only phone, which is convenient, but still not a great idea.
My prior employer was the same, I wouldn't use it to make tooling or do anything that might be for my own business, or open source for that matter, they had been known to strong arm staff into giving over IP that might have ever been on that laptop or was ever created during your employment.

But they were quite frank about allowing us to do what ever we want on the laptops providing we delivered positive outcomes for the business.

If this meant the laptops were used to browse porn at home or even during business hours (clearly not on the shop floor if you were in the office) or playing video games, it was fair game.

This employer also had _incredibly_ poor standards and culture for removing misogyny and bigotry, in fact it was one of the worst I've ever seen. Not saying causation = correlation or similar but an interesting data point nonetheless.

It's very common. Most IT groups collect this information for HR and don't do anything with it. The truth is the company doesn't care if you look at porn as long as you do your job. Until the day comes that the company wants to fire you. If you claim retaliation/discrimination/etc, company just opens up your file and lists all the violations.
Once when another person in IT was on vacation, I was handed off a manager's laptop to scan for porn. There was no automated tool, so as I recall I did a search for files created or modified since the last check. I found nothing to report.

I think that the periodic checks were set up because a subordinate of the manager's had seen the porn on the machine, and had gone to HR.

None of my employers pay for Spotify.
I don't want to work somewhere where this would ever be an issue. More than happy to leave if they pull this kind of personal invasion (yeah, it's their property, but still- basic human decency dictates: don't do it).

Your advice is still sound.

>There’s no reason to mix personal and corporate usage.

Exactly! I'm always amazed at people who do ANYTHING personal on corporate resources, especially in this day and age. Even when personal computers were rare and cost thousands of dollars I still didn't do jack shit on work computers, no matter how tempting or "acceptable use" it was.

It will depend on your employee handbook, but generally any data you produce on a company laptop belongs to the company. Anything in the browser cache is fair game.
Not specifically through Chrome (managed chrome does not give your employer access to incognito or personal profile data), but if it's a company owned and issued laptop you should assume they have other ways of capturing all activity on the device.
I have actually done exactly that, copy over the sqlite broswer history sqlite database and run a query to generate a browsing history report.
I understand that this is all technically possible, but how do you feel about the morality of it?
Do you mean Chrome has some special support for this, or is this the same as for any other browser (where the adversary could copy the history db file)?
I run a Tor middle relay on one of the 8 IP addresses I have purchased as a block from a certain ISP that allows you to, I have been for around a year. The amount of traffic passing through it is heavy. Obviously, this comes with certain caveats (the middle relay's, or any TOR relay IPs are publicly available and published weekly on GitHub and as you can imagine, some places like to instant ban anything to do with TOR).

Since it is only 1 of the 8 IP addresses; the other 7 remain free from blockages of any kind and the one running the TOR middle relay is setup in a manner in which I can use it normally (for the most part) and my traffic would just "blend in" with the normal tor traffic passing through it.

You might ask, what is the purpose of this? Well, if it is normal for a lot of TOR middle relay traffic to be passing through one of my IP's on a daily basis, plausible deniability becomes a real defense as checking DNS logs becomes a moot point as there are requests being routed 24/7/365.

Edit: https://hacky.solutions/blog/2020/06/06/operating-a-tor-rela...

This is an excellent, detailed, and in-depth guide of the process of going through running a TOR middle relay. The statistics provided and data presented are simply superb, Great read!

Its a nice setup, but you can’t see any DNS data in the TOR middle relay traffic. Middle relays just pass on encrypted data to the next tor node, not “the Internet”. So any DNS requests hitting outside from your 8 IPs are still all attributable to you.
For any activity in which I do not feel safe and threatened for my Identity, I utilize the middle relay as a full on end-to-end Wireguard VPN itself to route all traffic through a VM I've got specifically built for this.

In addition, there is also this for those that do not want to go through the hassle: https://blog.cloudflare.com/welcome-hidden-resolver/

Cloudflare runs their own DNS Tor resolver.

I understand why websites would ban Tor exit nodes, but what's the point of banning middle relays? Wouldn't those only communicate with either other relays or exit nodes?
Sites that don't want Tor users should only block exit relays, but some will lazily block all relays. It's unfortunate but that is the current state of affairs right now.
'should' from whose perspective though? 'Sites that don't want Tor users' have no incentive to care do they? If anything it stands to reason such a site would block anything and everything to do with Tor, using it as a search term, usernames containing it, anything?

(I don't know much about Tor, so am I missing something about 'middle relays' that such a site would want to allow them?)

Edit: oh is the point that you're not accessing the site using Tor, just from an IP addociated with Tor use?

Exit nodes are the interface between Tor and the "clearnet" (regular internet), whereas relays just relay traffic between Tor nodes (to make it harder to trace the route). So there wouldn't be any Tor traffic from this person's IP going to websites.

Presumably most folks neither know or care about this distinction and just block all Tor related infrastructure outright, since some of the traffic coming through is malicious.

Frankly, as the OP stated, one reason to use a tor relay for direct traffic is to hide your traffic. A bit like a guy in a trench coat and fedora trying to look inconspicuous.

It's not illegal, but it's also not surprising when such folks are escorted out.

Why would an employer looking to fire you care about plausible deniability? Even if your setup worked technically, if the traffic traced back to you then you'd probably find yourself fired under these circumstances regardless.
I think this talk about tracing traffic could well be missing a bigger point. The last time I left a Glassdoor review I had to provide a company email address to do it. This means, although publicly my review was anonymous, Glassdoor knew (and very likely still know[0]) exactly who left it. If they have to hand over email addresses to the company taking legal action there's no need to get clever with traffic tracing.

[0] Even with GDPR and similar legislation all they need is a valid business reason and they can keep my PII.

This. One cannot post anything on Glassdoor today without first establishing an account. Nearly all companies that create accounts use services to “enrich” your user data via the IP, email address, etc. so they grab and keep that data. It is certainly no longer anonymous if it ever was.
> I had to provide a company email address

You mean you had to currently be working there, rather than formerly? I thought this lawsuit was about people who had already left Zuru, but I may have misread the article.

You have plausible deniability but just be careful because the cops can still get a warrant based on IP alone. Also most savvy companies wouldn't say that they're firing you for posting unfavorable reviews, but they'd still terminate you.
DNS over HTTPS would solve that, right? It's an options flag on Firefox.
Barely anyone supports it yet.
in any proper corporate IT , the workstation would already have DLP software which you can use to track Glassdoor use or any other activity ,if you wish
That's why you shouldn't use your work computer for anything but work!
Yes, it's important to separate work you do for your employer from your personal life and everything else basically.

I never understood people who use their work/school machines to do stuff that could hurt their employer/school. Or even just to cause them potential problems.

But of course, the other way around is true imo: I won't use my personal devices for work - but that's mostly to prevent me from giving free extra work time to my employer.

why on earth would someone log onto glass door with their corporate work station? are they a fool?
This Google shows all the companies listed within Google’s index with the “Glassdoor Alert: Employer Legal Action” flag; just kept removing the companies for the SERPs using the negative search operator until none were left. No idea why Glassdoor doesn’t just have a list of all the companies doing this.

https://www.google.com/search?q=Glassdoor+Alert:+Employer+Le...

"did not match any documents"
Because they removed all the companies, remove the "-company name" paramters from the search.
Manually curated list from parent process:

-Steidle

-legatum

-Medspira

-Media Consulta

-Keller, Fishback & Jackson

-ABG Accessories

-Echelon Environmental

-Admiral Markets

-canidae

-Discovery Clinical Trials

-kraken

-zuru

-bw legal

-kurland

-SynapseFI

It might be possible to do linguistic analysis (ie. What they did to catch the Unabomber) to compare the language they used in the review vs how someone usually write in things like performance reviews, manager evaluations, emails, etc
Write your review, machine translate it into Mandarin, translate it back to English, and run it through a leet speak text filter
So you have to be a CIA spy to post a workplace review. Nice.
Welcome to The Land of the Free and the Home of the Brave©
Isn't the final law here New Zealand's law?
No, they get the user information now - before any charge is made in New Zealand to justify providing access to the data.
I know it is cool to shit on the US, but:

   “We are deeply disappointed in the Court’s decision, which was effectively decided under New Zealand law.”
Yeah it was odd finding out this was an NZ decision. I was under the impression that they were a bit ahead of the US on privacy.
> What they did to catch the Unabomber

Have everyone's siblings read all the reviews and see if anyone recognized it?

Exactly. Not sure what to do about only children. Buddy system early on I guess.
(comment deleted)
And they fire the wrong person. And the real poster adds another review. It can almost be a skit.

- Oct 12, 2022 "They fired Bobby!!! Bobby's been working with us for 10 years and they fired him overnight?? Told you that place is bonkers!"

- Oct 14, 2022 "Mona's down, I repeat Mona's down!! This is a sinking ship! Do not attempt to join this place!!!"

Meanwhile in the C-suite's office.

"Seriously, who is this guy?"

This could happen even if the culprit does get fired - as far as I know, there's nothing preventing you from posting reviews despite no longer being employed by the company.
Most of the time they won't need to go that far. The review itself will usually indicate which department a person's from and what their main gripes are. Sure, this won't work for FAANG or a factory where everyone hates "long hours, low pay" though the text analysis probably won't help much either, but if it's someone from an SME's dev team (n=10), the dev team manager is going to have their suspicions as soon as they see the bullet point about rescinded work from home policies or lack of attention paid to testing deployments...

(the non-trivial possibility they'll get the wrong person isn't going to stop fingers being pointed)

Also sounds like they had no idea what they were doing, since instead of missing with the Wi-Fi, SOP would have been to MITM SSL/TLS on the office firewall (trusting company root CA on all company equipment) and log everything.
This is why corporate IT tells you they're moving to zScaler because it's "more secure"...
Another query you can use for another kind of alert is "Glassdoor Alert: Inflated Reviews site:glassdoor.com" for companies that were caught trying to fake positive reviews to flood out negative ones.
I had a company do this once after they let me go.

The place was a toxic personality cult around the owner/manager, and I left a Glassdoor review saying as much. Someone at the company found it within a couple months, and then overnight several current employees had posted glowing reviews refuting mine. Certainly we wouldn't expect a personality cult to launch an Internet brigade to protect the boss' ego.

If you experience deliberate techniques* used to erode your sanity inside-outside the company, then no matter the cost, you must make sure it gets public. There is an ongoing epidemic at certain companies where individuals who refuse to become a lapdog on all fours, who reject the brainwashing experiments and who reject the pretend you are stupid and should not excel in your job mantra are forced out.

* psyops: running/scurrying in your periphery

mentioning personal things from your personal/sex life yesterday, but addressed to others

compliment you for bad work, berate for good work

silent treatment

throwing out your performant code and replacing it with trash

employees one after each other, one by one turn against you, trying to give you the impression you are going insane... imagine you talk with someone on a daily basis and then all of a sudden he refuses to interact with you or gives you looks and avoiding you

slamming doors

doing borderline insane things before you, like getting elbow deep in the toilet then smiling at you

pretend face to face that nothing happened

"oldworld" things

etc etc

This oppressive system must be burned down, nuked big time.

> [...] then no matter the cost, you must make sure it gets public.

Is this supposed to be a moral obligation? I'd be careful about putting moral obligations on other people.

Would these companies have a case if an employee left refusing to sign the paper work agreeing to not talk shit? One company I left tied their severance package to a signature on that kind of agreement.
They would have to prove the statement is false in court and that they suffered harm due to it. Otherwise it's protected free speech.
That depends on jurisdiction. Not all countries protect truthful disparaging public remarks.
You are right. I should have added it only applies to countries that have free speech.
They aren't planning on suing for a breach of NDA. They're planning on suing under defamation law, which alone will cost the former employees tens of thousands, if not hundreds, to defend; if they can't defend their case - and as the article says, opinion is not automatically protected under New Zealand law - it appears that they will be suing for "increased recruitment costs", which sounds like it could be construed to run to arbitarily large numbers.

The point is to terrorise anyone out of criticising them, ever.

They have 5000+ employees. I don't think their recruiting efforts have been hindered. The CEO's decision to pursue this has a larger negative effect than the comments on Glassdoor. I'm evidence as I had never heard of this company, do not peruse Glassdoor, but now I know this company's name and that the CEO is a tosser.
Maybe this legal retaliation attempt speaks more than the reviews themselves...
a fatal double-bind for glassdoor’s prospects for continued existence imo.

competitors are surely celebrating this ruling. especially those who physically cannot put anonymous commenters at risk while somehow still turning a profit without being able to traffic in tracking data.

In the past I've been tempted to leave reviews for bad employers I've had. I've always come to the conclusion that the risks of doing so totally outweigh the completely minimal rewards. The risk of being deanonymised, and receiving retaliation from the company is too high. My threat model didn't include the possibility of litigation compelling the company to hand over PII. I was more concerned that I'd inadvertently betray my identity in my review. Not to mention the issues related to Glassdoor as a company, and their lack of objectivity. Why do people use their service in the first place?
I see no reason to leave a review on basically any site for anything; but especially a bad review on something like Glassdoor, except out of some spite or something.

Maybe if they paid for them.

dang, can Nick Mowbray and Anna Mowbray, the founders of ZURU, compel News.YC to hand over my information if I wrote a poor review of their company in a scathing Tell HN?
I would hope so if your review was written in bad faith
Even if the company was Facebook?
Email hn@news.ycombinator.com if you really want to know :p
I wouldn’t be surprised if there is lots of money to be made de-anonymizing Reddit users
I'm not familiar with the law here. Can Glassdoor appeal?
(comment deleted)
I just attempted to look at the reviews.

There's an uncloseable pop-up telling you to log in.

Normally I wouldn't bother, but curiousity got the best of me - I logged in with my Google OAuth.

Not so fast - you haven't contributed to Glassdoor in the last 12 months, here's another annoying pop up and you cannot dismiss it until you do.

Does anyone actually bother to use this dark pattern infused service?

There needs to be a non-profit version of this without all the desperate bullshit.
What chance would said non-profit have of surviving a lawsuit like this?
Where “this” also refers to Facebook, Twitter, Medium, Quora, Uber, Reddit etc.....
Where would you get the funding for that?
Somewhat unfortunately, yes. Those patterns are annoying and dark, but they still have some good data. Which is probably the only reason they get away with it.
First time viewers can see a page freely. So all you have to do is clear your cookies after every page load and you wont be bothered. lol.

But yeah, posting a review also gets rid of the banner permanently.

They’re super useful for demonstrating that closing just the incognito tab doesn’t clear your cookies, but closing the whole incognito window does.
You can use a firefox extension to bypass that popup as well as other paywalls.
Apparently this is the review they sued over - https://old.reddit.com/r/newzealand/comments/sv8yyv/kiwi_toy...
Can't believe they'd try to sue over that. For one, it's pretty much only critical of the Mowbrays themselves and I can't see anything in there that wouldn't be an honest opinion so safeguarded by NZ law.

So it comes across to me like the Mowbrays personally trying to stomp someone into the ground with legal fees knowing they have no case. Hopefully the legal system can protect them from that exploitative use.

Seems on song with that basis of the comment, doesn't it?

Glassdoor has systematically taken down negative reviews for companies for years. I can’t say I love any of the “board” sites who engage in this type of product, and that includes Yelp, Google Places, etc
> Glassdoor has systematically taken down negative reviews for companies for years.

For a fee, of course :)

I have never seen proof of this but that is my belief
Contact us page for Zuru Toys. I just sent them a short message explaining that previously I was not aware of their company but now this issue is the only thing that I know about them and it is not a good look. https://zurutoys.co/contact/
(comment deleted)
Who tells us that these negative reviews are always true and not posted by some disgruntled or mentally ill employee or even someone who never worked there? I know it’s easy to side on the negative reviewer side on glassdoor but it’s an anonymous place and the employer has almost no chance of fighting back.
Because a billion-dollar toy company headquartered in Shenzhen, China that has yacht parties needs the legal justice system to protect its good name by doxxing job reviews is pretty transparent on the face of it.
Yes, we don't know. But we also don't know whether the positive reviews are genuine or organised by employer (I've seen it).