Some places have laws that require employers to disclose to their employees what kind of monitoring they do. I expect we'll see those become more common.
I've seen employment contracts that just include a general catch-all for any kind of surveillance, even if they "don't do it right now". This in California.
I take your point though that you're saying some laws require explicitly enumerating them (from how I understood your comment).
Presumably these companies would like to follow up with finding out __why__ work is not getting done. Not that I agree, but these companies seem to think that coming to the office increases productivity.
// Actual productivity is not something they want to measure here, what they want is control
This doesn't seem to be a logical conclusion. When you hire someone, do you care more about what they are delivering for you or do you just get some weird kicks?
If that were the case they would be measuring productivity, which we know they are not.
Similarly if you actually cared about productivity you would never consider any kind of open or semi-open plan office, yet these are exactly the companies that do just that.
They way I see it is that execs have no idea how to measure productivity meaningfully but they believe as long as people are coming into the office more things will get done compared to employees working from home.
They think, “oh if you have 10 mins for doing the laundry during a work day, if you come into the office you won’t be doing that in office and perhaps use that 10 mins everyday to produce some additional non-zero value to the company”.
In their minds those 10-15 mins from everyone add up. I am not agreeing but that is what it seems to me.
3. That being said, the only places where I've seen it actually used is where an employee is fired for a cause, fights it, and then company retrieves logs and hammers them with proof.
4. But still I agree - it's a nasty sleezy slippery path. I am a manager of people and managers and have zero desire for anything like that.
Does anyone know if on company-provided macOS/macbook, can these kinds of tracking programs turn the microphone or webcam on without it being indicated in the system?
Obviously, it is a device that's not yours and the company can do all kinds of things such as installing rootkits and other things to do whatever, but putting that aside, short of that level of commitment, is anyone familiar with these kinds of programs and whether or not they indicate in some way (e.g. macOS-level indicators that some app is using the microphone/webcam).
I'm just curious if I have my work laptop in clamshell mode and it goes to sleep, to what extent is it not a 24/7 active bug? Maybe I should be shutting it down every single moment that I don't want to risk being spied on?
Is "sleeping" the macbook and closing it shut, enough? Is it low-level enough of a block, or can apps circumvent even that?
I'm specifically putting aside Pegasus-level circumventions here, since then all bets are off. I'm just thinking about 'off-the-shelf' level apps that companies can license and use.
MDM software only allows to do so much. We use it my company. We can remotely wipe a Mac or reboot it but that pretty much it. I’m not aware of any 3rd party software that can turn on the camera (remember the green light) or capture the screen without the user knowing it’s happening. Checkout Jamf it’s a pretty standard 3rd party tool, whatever they say they can do is what’s possible from a corporate “non-hostile” perspective.
Unless Apple specifically prevents it - and maybe they do - it's not hard to do. I remember an old story of a school district in the US that gave the high school kids laptops, though I don't recall the brand, and used the camera to watch and take remote photos 24/7 without notifying anyone or getting permission; I think it might have taken photos automatically on a schedule too, but I'm not sure. I think the excuse was to prevent illicit use of the laptop.
IT pros, stop and think for a moment about the risks. How long did that take you? Apparently the school administration and IT personnel completely overlooked them.
They were watching and photographing underage kids in their bedrooms, not that spying on anyone anywhere is ok. They thought they caught one with drugs (it was candy) in their bedroom and showed the images to the parents. The parents sued the school district and it was in national news (maybe on HN). Somehow I never saw child pornography charges, even though I don't know that they could have prevented it - just turn on the camera at the wrong time.
I blame the IT personnel too, especially the CIO / IT director who failed to point out the risk and stop it, and even the low-level people should have stopped when they first saw the inside of a teenager's bedroom.
Unless they use MDM to push a profile that authorizes a specific application/developer to access system resources without prompting the user. This is a common practice for deploying security applications - e.g. crowdstrike requires full-disc access and there’s a policy thats deployable via MDM to enable it automatically during the next beacon from a host.
>Michael and Holly Robbins of Penn Valley, Pa., said they first found out about the alleged spying last November after their son Blake was accused by a Harriton High School official of "improper behavior in his home" and shown a photograph taken by his laptop.
...which is pointless, because in the last two major MacOS releases (well, now three) an Apple Silicon system will not only remain connected to any bluetooth audio devices and wifi (even if "wake for network access" is set to "never"), it will actively seek connections with bluetooth audio devices that are turned on or come into range.
Not only is this a huge potential privacy issue, it's extremely annoying, because on many bluetooth headphones, it makes it impossible to, say, connect your phone to the headphones.
The issue with remaining on wifi is also extremely annoying if you're connected to a hotspot device. I discovered well into a vacation that my macbook was remaining connected to a hotspot and using up data - despite both "low data mode" (which has a penchant for magically turning itself off) and "wake for network access" set to never.
There was an option to disable allowing a bluetooth device to "wake" the system, which stops the mac from keeping bluetooth connections active during sleep, but that was removed in Catalina.
There's no excuse for removal of such an option, nor is there any excuse for not setting some logic such that only keyboards and mice retain active bluetooth connections.
The dumbification of MacOS marches on, as some anonymous mid-tier executive at Apple continues his or her mission to turn MacOS into iOS. We also lost wifi network priority a couple releases ago as well - a move that is so unfathomably stupid it defies belief. You used to be able to set a hotspot as high priority and then, say, a cafe's free (and far less secure) wifi network as a lower priority, and when you wanted to do something on the hotspot, you could just turn it on, and your mac would prefer that network. Now it's a roll of the dice at best.
Companies doing this have to be extremely careful. California is a two-party consent state. If an employer is found recording a personal conversation in the employee's home, they could find themselves in court with an unsympathetic jury.
Almost every state is one or two party consent. That means you have to be a party to the conversation at the very least. I don't know any state that allows passive recording of conversations in private.
Many employers during the pandemic engaged in all sorts of electronic monitoring on employees with seemingly no legal repercussions. The corporate law firms of America lawyers have almost certainly devoted much time to dreaming up extensive legal arguments and language to slip into employee contracts, agreements, and 'handbooks'
When you're fired for saying something derogatory about your employer that is picked up by your company-issued computer sitting in your home office, do you have the resources to fight them in court, especially given your employer's law firm almost certainly has a cozy relationship with the judiciary in your area?
> Many employers during the pandemic engaged in all sorts of electronic monitoring on employees with seemingly no legal repercussions.
But there's a key difference. If employers want to track what time you're on the company laptop or if it's connecting from an IP address in the location you claim to be working from, that's legal. Monitoring nominally mic-off personal conversations isn't.
If you don't have root, and sometimes even if you do, then you cannot be entirely sure. That's why hardware shutters and physical disconnects are a thing.
If you have root you still cannot turn on the camera without the physical light turning on, and I believe you’d need at least a kernel exploit to disable the screen indicator for the microphone.
If you as a company decide to RTO and it’s an expectation your employees are in fact in the office I don’t see how tracking badge swipes can be considered Orwellian. I draw the line at software installed in employee PCs to grab screens and track keys. I get it’s a slippery slope but tracking attendance doesn’t feel like “surveillance” while the other software does.
> For example, if your team is meant to be in 3 days a week, this number [days swiped out of possible] should equal 60%
Oh geez. That tells me that less than 30 seconds of thought was put into that line in the policy. Surely, there are PTO days, sick days, business travel days, and other reasons to have that figure show as less than 60%.
Said differently, if it was 2019 and the team policy is 5 days a week, does HR imagine that figure would be 100%?
You remember the interviews with HR? Those wanting to "know you better"... which what you told them ending being used as a leverage to push you hard to leave by yourself?
My whole professional career was only betrayals following each other. Once I decided "Stop!" and actually doing things to prevent that to happen again: have been unemployed for more than a decade.
I’m having a hard time following what you’re saying. The person you replied to said HR is your enemy, which I interpret to mean - as an employee, HR is not on your side. They are on the company’s side. They may also coincidentally be on your side if it so happens to align with the company’s best interests, but not because they care for you.
How does this relate to your situation? And why have you been unemployed for a decade? Most of the time, interaction with HR is super minimal, so I don’t see how this would prevent you from being employed anywhere.
In nearly all my jobs, I was lied to and betrayed. Now I require that most critical things which were agreed on during the job interview to be added to the contract, that, in order to not be used against me (which did happen nearly in all my jobs because I did trust HR & the "manager").
But you are right, only one time the hiring process was stopped explicitely upon adding what we agreed on in the contract (basically, everything coming out of their mouth were lies).
And nowadays, I have some health conditions which make things even harder, not to mention that I am fighting big tech (lawyers, looking for hard technical regulation, etc).
The HR people were comically evil and it was a useful learning experience. Those guys would burn the building down to “beat” the union over some bullshit issue.
Without a contract and a counter-party they usually deploy a more banal evil that feels more like incompetence. But when the chips are down, they’ll gleefully bone you.
FAANG recruiters, as most recruiters, know less of tech than pretty much every engineer out there. They have little to no exposure to this kind of information, so they probably read it somewhere (on HN, perhaps!)
If you're turning to machines to check attendance, is that tacit acknowledgement middle managers are just as opposed to RTO as ICs? Why would you need to turn to an HR dashboard unless your managers have undermined your plans already? Either the managers are bringing people in and enforcing it or they're ignoring it because they aren't in alignment, which seems like a bigger issue to your ability to execute.
Employer provided and managed hardware is treated as a hostile entity on my network. Separate SSID, separate VLAN, no access to local resources whatsoever. I don't even let them talk to my local DNS server, they reach out to Google and/or Cloudflare.
Further, I don't put any personal accounts on employer provided hardware. For example, I always use a dedicated GitHub account for work stuff and the key and password never leave that machine. This ensures a clean break when I'm no longer at that employer.
I find it annoying how social GitHub has become. Posting notifying others when I work on public repos. I don't care for my coworkers to know when I am up at 2am working on open source. I also use separate accounts now.
Same here. Not trusting endpoints go both ways - I don't trust it either. I don't have a fancy router, but it supports guest wifi, so I use my work computer with that.
Yikes. I use a company Macbook to WFH - the company also offers Linux desktops that you have to self-admin, I wonder if "no one develops for linux" is actually a feature, and would let me avoid the bossware.
I worked at one of these companies. Yes, office attendance is tracked by badge swipes, but that's no secret. There's an intranet page where employees can see their own attendance and the minimum required. Everybody knew that there was a minimum attendance upon taking the job.
I read a post on Reddit a few months back saying that everybody's body language in the office was being fed into a machine learning algorithm to analyse their emotions and stress levels to feed it back to their managers. Which is complete horseshit. They also said that everybody's laptop camera was being used to scan the surroundings for evidence of alcohol/drug use. Again, totally nuts.
> everybody knew that there was a minimum attendance upon taking the job
I have to point out that a lot of people were hired when companies were still saying "as long as your team/organization is ok with working remotely, you don't need to come in office" until they completely changed their mind.
> analyse their emotions and stress levels to feed it back to their managers
I’ve spent too much time doing analytics to believe stuff like this. The report is in CSV and there’s a comma in one of the fields on line 48,329 which caused the ready of the feed to be silently discarded.
Any one working for a company that requires this BS should take a hard line: your job is 9-5, there is not communication outside of that work period. There is not “crunch” bs, there are no longer nights, there is no work during the weekend.
If work can only happen in the office at prescribed time, then work only happens then. If you waste your time and money forcing people to work in a shitty and distraction filled environment and then why should they be interested in donating their time to help you compensate for poor management.
As far as JPMC goes, insider threats are the biggest threats they face. It makes sense from a security/compliance standpoint to "spy" on your employees, to a degree. Imagine if you could spy on your biggest enemy. You'd be dumb not to.
There are limits to everything, but for finservs, there's a reason why they do these things.
Source: I am/was infosec at JPMC and other large finservs.
Just wait until the SW that let's you remotely activate cameras and mics and record screen grabs gets compromised. Congrats, now an attacker can see what every one of your employees is doing at any time.
While not good I equally think OK and what are they gonna do with that info? I don’t need them so if anybody brought it up I’d just shrug and say whatever. Then continue as before. I only use work resources for work though as I have zero need for them otherwise.
It's not just work hardware. It's everything connected to your WiFi; everything. For Amazon, this means exploiting known security vulnerabilities in Microsoft, Google, and Apple to spy on employees, largely without their knowledge or consent. Further, there is no internal regulation for people who are executing these attacks. Individuals can access the personal data of their fellow employees at anytime, including managers.
If you recall, at the end of 2022 into 2023, Apple laptops and iPhones suffered from a series of webkit vulnerabilities which allowed root access.
Were these vulnerabilities repeatedly exploited by companies such as Amazon? Yes.
On personal, non-work devices? Yes.
Is this a gross (and federally illegal) misstep by Amazon, JPMorgan, and similar companies? Yes.
63 comments
[ 2.6 ms ] story [ 244 ms ] threadI take your point though that you're saying some laws require explicitly enumerating them (from how I understood your comment).
Actual productivity is not something they want to measure here, what they want is control.
This doesn't seem to be a logical conclusion. When you hire someone, do you care more about what they are delivering for you or do you just get some weird kicks?
Similarly if you actually cared about productivity you would never consider any kind of open or semi-open plan office, yet these are exactly the companies that do just that.
They think, “oh if you have 10 mins for doing the laundry during a work day, if you come into the office you won’t be doing that in office and perhaps use that 10 mins everyday to produce some additional non-zero value to the company”.
In their minds those 10-15 mins from everyone add up. I am not agreeing but that is what it seems to me.
2. To reiterate, I agree :-)
3. That being said, the only places where I've seen it actually used is where an employee is fired for a cause, fights it, and then company retrieves logs and hammers them with proof.
4. But still I agree - it's a nasty sleezy slippery path. I am a manager of people and managers and have zero desire for anything like that.
Obviously, it is a device that's not yours and the company can do all kinds of things such as installing rootkits and other things to do whatever, but putting that aside, short of that level of commitment, is anyone familiar with these kinds of programs and whether or not they indicate in some way (e.g. macOS-level indicators that some app is using the microphone/webcam).
I'm just curious if I have my work laptop in clamshell mode and it goes to sleep, to what extent is it not a 24/7 active bug? Maybe I should be shutting it down every single moment that I don't want to risk being spied on?
Is "sleeping" the macbook and closing it shut, enough? Is it low-level enough of a block, or can apps circumvent even that?
I'm specifically putting aside Pegasus-level circumventions here, since then all bets are off. I'm just thinking about 'off-the-shelf' level apps that companies can license and use.
IT pros, stop and think for a moment about the risks. How long did that take you? Apparently the school administration and IT personnel completely overlooked them.
They were watching and photographing underage kids in their bedrooms, not that spying on anyone anywhere is ok. They thought they caught one with drugs (it was candy) in their bedroom and showed the images to the parents. The parents sued the school district and it was in national news (maybe on HN). Somehow I never saw child pornography charges, even though I don't know that they could have prevented it - just turn on the camera at the wrong time.
I blame the IT personnel too, especially the CIO / IT director who failed to point out the risk and stop it, and even the low-level people should have stopped when they first saw the inside of a teenager's bedroom.
Edit: as an example https://pickorchard.com/deploy-crowdstrike-with-jamf/
>Michael and Holly Robbins of Penn Valley, Pa., said they first found out about the alleged spying last November after their son Blake was accused by a Harriton High School official of "improper behavior in his home" and shown a photograph taken by his laptop.
For Apple silicon-based (and newer Intel-based), yes: https://support.apple.com/guide/security/hardware-microphone...
Not only is this a huge potential privacy issue, it's extremely annoying, because on many bluetooth headphones, it makes it impossible to, say, connect your phone to the headphones.
The issue with remaining on wifi is also extremely annoying if you're connected to a hotspot device. I discovered well into a vacation that my macbook was remaining connected to a hotspot and using up data - despite both "low data mode" (which has a penchant for magically turning itself off) and "wake for network access" set to never.
There was an option to disable allowing a bluetooth device to "wake" the system, which stops the mac from keeping bluetooth connections active during sleep, but that was removed in Catalina.
There's no excuse for removal of such an option, nor is there any excuse for not setting some logic such that only keyboards and mice retain active bluetooth connections.
The dumbification of MacOS marches on, as some anonymous mid-tier executive at Apple continues his or her mission to turn MacOS into iOS. We also lost wifi network priority a couple releases ago as well - a move that is so unfathomably stupid it defies belief. You used to be able to set a hotspot as high priority and then, say, a cafe's free (and far less secure) wifi network as a lower priority, and when you wanted to do something on the hotspot, you could just turn it on, and your mac would prefer that network. Now it's a roll of the dice at best.
When you're fired for saying something derogatory about your employer that is picked up by your company-issued computer sitting in your home office, do you have the resources to fight them in court, especially given your employer's law firm almost certainly has a cozy relationship with the judiciary in your area?
But there's a key difference. If employers want to track what time you're on the company laptop or if it's connecting from an IP address in the location you claim to be working from, that's legal. Monitoring nominally mic-off personal conversations isn't.
Oh geez. That tells me that less than 30 seconds of thought was put into that line in the policy. Surely, there are PTO days, sick days, business travel days, and other reasons to have that figure show as less than 60%.
Said differently, if it was 2019 and the team policy is 5 days a week, does HR imagine that figure would be 100%?
How does this relate to your situation? And why have you been unemployed for a decade? Most of the time, interaction with HR is super minimal, so I don’t see how this would prevent you from being employed anywhere.
The HR people were comically evil and it was a useful learning experience. Those guys would burn the building down to “beat” the union over some bullshit issue.
Without a contract and a counter-party they usually deploy a more banal evil that feels more like incompetence. But when the chips are down, they’ll gleefully bone you.
Further, I don't put any personal accounts on employer provided hardware. For example, I always use a dedicated GitHub account for work stuff and the key and password never leave that machine. This ensures a clean break when I'm no longer at that employer.
Vlan is a good idea. Doing that now. Thanks.
MalwareBytes keeps a small structure in memory for every file it found during a scan. Sadly my computer had files on it and ran out of RAM.
SentinelOne's filtering scaled like linear search so as the ignore list got longer everything got slower.
I read a post on Reddit a few months back saying that everybody's body language in the office was being fed into a machine learning algorithm to analyse their emotions and stress levels to feed it back to their managers. Which is complete horseshit. They also said that everybody's laptop camera was being used to scan the surroundings for evidence of alcohol/drug use. Again, totally nuts.
That was https://news.ycombinator.com/item?id=35958286
I have to point out that a lot of people were hired when companies were still saying "as long as your team/organization is ok with working remotely, you don't need to come in office" until they completely changed their mind.
I’ve spent too much time doing analytics to believe stuff like this. The report is in CSV and there’s a comma in one of the fields on line 48,329 which caused the ready of the feed to be silently discarded.
If work can only happen in the office at prescribed time, then work only happens then. If you waste your time and money forcing people to work in a shitty and distraction filled environment and then why should they be interested in donating their time to help you compensate for poor management.
There are limits to everything, but for finservs, there's a reason why they do these things.
Source: I am/was infosec at JPMC and other large finservs.
If you recall, at the end of 2022 into 2023, Apple laptops and iPhones suffered from a series of webkit vulnerabilities which allowed root access.
Were these vulnerabilities repeatedly exploited by companies such as Amazon? Yes.
On personal, non-work devices? Yes.
Is this a gross (and federally illegal) misstep by Amazon, JPMorgan, and similar companies? Yes.