Ask HN: Is it wrong to use my personal laptop for work?

46 points by throw142345888 ↗ HN
At the company I just started working at, the computer has a company profile as well as Sophos antivirus, which, from what I can see, filters all traffic. However, I have another MacBook, and there are no requirements to use a VPN. We use GitHub, which means I can work on my personal MacBook.

In my contract, I’m not obligated to use the company laptop, and I believe these software tools are just to comply with some ISO standards.

From what I’ve noticed, the IT team monitors app usage, so I could leave the IDE open all the time.

So my question is: would it be wrong to use my personal computer for development?

111 comments

[ 3.2 ms ] story [ 174 ms ] thread
Legally, yes. Practically, no. But we go to work with a contract, and that contract usually includes something about security.
What do you mean by wrong? Would the company be against that if you asked them? Most likely. Is there a commandment against that? Not really. Do people do that? Some do.
I need to. The integration tests won't fit in the RAM of my work laptop.
Then you need to raise it up to your manager to provide it for you. Never use your personal laptop.
???

That's an excellent reason _not to do work_ until your work provides you with a better laptop.

Or at the very least only run these tests from CI, which will slow you down. But it's not your fault or your responsibility.

It is wildly unnaceptable for your work to require you to use a personal device because of this. Unless this is what you agreed on when signing the contract, I guess - but I gather this is not the case since your work provided you with a work laptop in the first place.

Oh that's how it's been the past 18 months, and it hasn't been a complete showstopper. We're very microservicy and it's only the integration tests which require spinning up all the containers that makes me run out of ram.

I've since (as of a week ago) moved team to a monolith stack, so I thought I'd be free of that nonsense, but it's worse. Just having Rider open on the codebase uses like 40GB lol.

The new laptop's coming in 3 weeks? I'm not going to not work for that long.

Oh, glad you got this sorted out then!
“Wrong” depends on an ethical or legal framework. Your employer gave you a computer set up for work. Presumably they expect you to use it for work.

You can always ask your employer, they will probably have a more definitive answer than you will get here.

Yes.

Always use the work laptop, don't ever use your personal. If the work laptop is not powerful enough, it's the duty of the company to give you something that has enough memory, disk space etc. If not, run away from said company.

Your contract won't say anything about this directly, but it will undoubtedly contain an obligation for you to follow the company's policies and its lawful directions. There will likely be a policy that says not to do this.
> In my contract, I’m not obligated to use the company laptop

It’s also not in my contract, but in the IT policy I need to acknowledge once a year.

> I believe these software tools are just to comply with some ISO standards.

“Some ISO standards” may be cumbersome or even pointless — but they help your company sell their products. Ignoring them is not a good idea.

Besides: if you use your private laptop, it may be subject to a legal hold in case of a lawsuit, giving someone else access to it.

Especially if it becomes the vector of an attack.
Each violation will be a security exception that the security and IT staff will have to account for. The penalties for violating the security protocols should be described in the policy. They probably start with a warning and proceed up to firing. How quickly they proceed depends on how much headache you cause people and how willfully you do so.
Wrong? Probably not too egregious, unless your contract or IT policy states otherwise.

Unethical? Definitely. Just use your work-supplied hardware for work-related purposes. Leave anything personal off it.

Yes - it's a mistake to use your personal laptop for work.

The laptop you use for work, whether it be personally supplied or supplied by the business, is subject to legal discovery and may be confiscated by law enforcement. Your company has no control over this. If you attempt to delete evidence from your personal laptop then you've committed a felony.

The only way I'd use a personal device for work is if I were using it to access a work-provided and maintained VDI.

Fun question: my company security policy required that, when I installed Linux on the laptop, I enabled disk encryption at rest. If it's seized for legal discovery, am I obligated to unlock it for them? Who is in trouble if I refuse? (me, obviously, because the resulting interrogation will be unpleasant, but it's the principle of the thing)
I am not a lawyer, but I would presume you would be in legal trouble.

If the company refused to tell you to unlock the laptop, they would be in trouble for refusing legal discovery, and if they were wanting to refuse legal discovery, they wouldn't have handed over the laptop in the first place.

If the company ordered you to unlock the laptop and you refused, you would be violating a lawful order of the court and would be held responsible.

That said, once again, I am not a lawyer, so I could be completely wrong

What if he forgot the password with all the stress from the lawsuit?
It's been attempted and they were charged with contempt of court

https://www.digitaltrends.com/computing/contempt-of-court-de...

Pretty sure it’s per-case per-judge basis, not a general rule. Generalizing over a half-confessed guy makes a good scary headline. In the article the guy unlocked his phone app (a hint he was initially talked into confession). Which gave extra evidence to what his sister claimed. And it was a csam case which rendered him way less sympathetic. Remove any of that and the balance may change. The judge has to find a reasonable cause for contempt first. Would they charge him with contempt if he just lawyered up and forgot everything from the start?

All that said it doesn’t mean you want to risk it for some company, even remotely. The guy probably weighted both deals after realizing where he’s in and chose a lighter one. You may want to not get either one.

You should be keeping all your passwords in a password vault, at a minimum. Even better would be to use a password manager. You should have too many passwords of too high of complexity to commit them all to memory.
How would you get into such a password vault without first decrypting your disk? On my Linux machine with full disk encryption, the system doesn't even boot until I type in the password.
I doubt it. The companies that require whole disk encryption should have the keys. They generally implement multi-key setups or keep the key at the IT and block the user from changing it. If they didn't and you forgot your key -- ah well. My 2c.
You can be held in jail indefinitely for contempt of court. I believe there are currently people incarcerated for exactly this right now.
I don't think it's wrong in an ethical sense as long as you aren't violating an agreement by doing so. I think it's very unwise, though, regardless.
I can't comment on the morality of the situation, but it would certainly be foolish.

At a previous job, my team found ourselves in a similar situation. After being acquired into a very large company, where the official standard corporate development laptop did not support the tools we wanted to use and came bogged down with overhead from antivirus and other nonsense, it became difficult to get work done.

Instead of individually going rogue and potentially getting ourselves into trouble, our manager bought us all MacBooks we could use alongside our corporate machines. We were still doing all our work on company-owned hardware this way, operating over the company intranet, everything kosher and above-board: but we still got to work on machines which suited us.

Perhaps your manager can help you find a similar solution.

> In my contract, I’m not obligated to use the company laptop, and I believe these software tools are just to comply with some ISO standards.

This is SOP for basically all enterprise IT. If I didn't follow it I'd get a rap on the knuckle at best, and maybe fired at worst. I bought a separate laptop for contract jobs simply to ensure it stayed separate from personal stuff.

Other thoughts:

malware risks -- often aggressive efforts targeted at organizations compared to individuals; way more likely they get hacked first, and then it spills over to you. or, now you risk bringing down the company cuz you lookin at Pronz and get hacked and that gets back to their Active Directory, etc.

legal risks -- what happens if something legal goes down and there are fights about IP and ownership. looks like your laptop is seized. in every job I've had, anything I developed in on or around company property was theirs, and this may run afoul of that.

what happens if something breaks? now you're on the hook to fix it, and it may impact your ability to work and get paid. meanwhile if your work laptop is fried you call IT and it's on them until you're back.

It is incredibly risky to use your personal computer for work. If you are pwned by malware that could put the company at risk. Vice versa if the company gets in some legal situation and you need to submit your work laptop as evidence, that could be extended to your personal laptop. These are both extreme examples, but they do happen.
> gets in some legal situation and you need to submit your work laptop as evidence, that could be extended to your personal laptop. These are both extreme examples, but they do happen.

Can confirm this happens. And yeah, the "extra-curricular" images they find will make their rounds and everyone will know.

Dude, just hold your head high, give a wink and nod to the oldest & homeliest of the office ladies (it'll screw with the others), and wear the reputation with pride: you earned it King! :^)
To be clear, in case my wife reads this, I was on the other side of that investigation. I was not the investigatee. :-)
This is the biggest risk. Even just a spurious lawsuit could result in a legal hold on your laptop, phone or any other device that touches the business.

The entire contents will be copied and everything will be reviewed by a human. By both the lawyers suing and your own company’s legal team.

In my ignorance of youth I used to use my company devices for personal use (within reason, nothing bad) but a long time ago I made a clean cut.

My work phone is boring as hell. Same with my laptop. Nothing but work related info.

That could happen even for a byod phone? Wow.

I would definitely not give that up. If I did have to turn it in I'd wipe it first.

But I thought this couldn't happen because our phone apps are all cloud stored anyway so they can get to everything there. On my byod phone I'm not even able to download anything locally.

Ps: I'm not in the US but in Europe and we have pretty strong privacy protections so I couldn't imagine this would be a thing.

But even for legal holds in the US (which is incredibly much more litigious anyway) our company just freezes cloud assets afaik.

I just looked it up for Germany, because I was pretty sure you had to hand over your phone, but it’s a bit more complex. If you wipe your phone before handing it over, and you do it to protect your employer, that would be „Strafvereitelung“ which is illegal. If you do it to also protect yourself because the data on the phone would incriminate you, too, that would be legal because you don’t have to help the state to prosecute you. Since you wiped it, it would be hard to prove why you wiped the phone. Apparently, the fact that you wiped the phone can be used as an indication of guilt against you though, because it means you have something you want to hide.

I’m not a lawyer though, so I’m happy to be corrected if my understanding is inaccurate.

I would not do it to protect my employer (I don't care about them) but to protect my privacy, not to protect myself from any illegal actions because I'm not really doing any :)

But I'm very principled on this and I will never willingly give it up.

You don't "need" to wipe it, you probably won't remember the high entropy passphrase you used to encrypt it though and that should be good enough.
^ this is the biggest reason. Everything on a computer used for work can end up subject to court discovery. If there’s something you don’t want to discuss in court don’t say or do it on a computer used for work. They image the whole machine and both sides pour though it. Then there’s some back and forth as the lawyers decide what’s relevant to the case, but they review everything.
I've never used company laptops or phones. I simply refused. Their alternative was to fire me. And I didn't care.

I was never fired. Fedora was my daily driver.

Same. I never had it in writing, but spoken contract. I'd wait til after negotiations and 'one more thing' them.

Two companies didn't care at all. One did - the worst it ever got was asking me to boot up their supplied Windows laptop once a month for updates, so they could pass security audits.

I am surprised; why is this your policy? I am sure you have a good reason, but I can't guess what it might be.

My approach is exactly the opposite: I never do anything work-related on personal hardware, nor do I ever use work machines for personal projects.

If they provide you with a laptop and there are various profiles and security software on it, you should use it.

There might not be a specific rule to point to yet, but you don’t want to be the reason they make that official rule.

I know at my company, if I were to put company details on my personal laptop I’d be walked right out the door. How many company secrets are in the code and when you leave the company they don’t want to take your word for it that you’re not keeping all of that and doing who knows what with it. It’s a huge liability on both sides.

Agree. It's disingenuous to work around the company's security controls, it's also foolish as you're potentially exposing customers secrets to theft.
Or if the company gets sued then your laptop could get seized for evidence.
Or using your laptop could get you embroiled in a lawsuit with that very employer regarding IP. You could cause yourself a lot of headache if someone gets upset that the code you work on leaves the building every day.
Almost everybody here is going to say to not do it but I’ll go the other way.

You only live once and you want to do it, so why not?

Because there might be some malware that’ll screw things up? Unlikely on a Mac.

Because there might be a lawsuit where your personal computer ends up as evidence? Almost certainly not going to happen.

Be cause it’s good evidence for a vindictive boss to use to fire you? Yeah whatever if somebody wants to fire you they’re going to do it anyway.

If you can accept that this is a weird thing to do and might have some risk associated with it, go nuts.

I liked this comment because it said what I was basically thinking. In my last job I kept everything seperate, a lot of people didn't and when we all got made redundant, I just closed my work laptop and walked away, some of the others were scrambling to disentangle everything and had all sorts of problems.

But in my new job I'm doing work on my personal laptop. It started because, I travel by plane to work regularly. I was carrying three laptops, my personal one, my work one, and one provided by my current client. It was just so much easier to combine everything into one laptop and just carry that. It's working out really well. Before I was constantly moving from one laptop to another just to check messages.

I think doing work on your personal computer is less bad than having personal stuff on your work computer, I wouldn't do that.

People can be very judgemental here but I've done it for the past 15 years. I only use the work laptop to access stuff I know IT is logging, so they see the correct device with the correct serial making the connection, otherwise personal laptop for everything.

I also use separate browsers (chrome for work, firefox for personal stuff) cause I'm not a psycho.

Also I see people are conflating the use of a work laptop for personal stuff with using your personal laptop for work, those are very different and people doing personal stuff on the work laptop full of corporate spyware are the real psychos.

I think the answer to the question is that clearly, using personal equipment when company equipment is available is the wrong answer.

But, knowingly picking the wrong answer can be ok if you get some benefit from it. Personally, it's not too hard to keep home and work computers mostly separate; at times, I might do a smidge of work on a home computer, or a smidge of home stuff on a work computer, but hopefully it's pretty ephemeral: I don't want work content to stay on my home computer, or home content to stay on my work computer. At my last job, I was subject to legal holds all the time and compliance is easy if corporate has access to everything and I don't really need to do anything. By the same token, I had to administer legal searches of email, and sometimes that caught personal matters which nobody else needed to see (including me); avoiding that kind of access would be great.

Otoh, keeping personal and work phones separate is just too hard for me. I don't want to carry two phones.

Not wrong, but dumb. Your company now probably legally owns everything on your laptop.
If the company were to be sued, would you be happy turning over your laptop to your company’s lawyer indefinitely for them to search and find documents that might be relevant to the lawsuit?
oh gods, this yes. Take this seriously.
I would never use my personal equipment for work - even though my work has a policy stating it is acceptable provided certain conditions are met (AV software, lock screen, not a shared device etc).

If you are just a regular user using it to VPN in to check email, maybe . . . but if you are a dev, or admin, with elevated privileges or access to source code or secrets, you are just asking for trouble if anything goes wrong.(eg, malware that you may have acquired from some random software, or repo you tried)

Do not put company data on personal devices. Just by putting their data on a device outside their control, you may be in breach of whatever IP agreements, compliance requirements, or even company handbook. The fact that you have to fake IDE usage should be a huge red flag.

Don't risk it, just use their machine.

There are so much better, more important and meaningful things to fight.

My personal laptop and my work laptop are identical, down to the amount of memory and the color :-)
If this is an open-source project that accepts contributions from people outside the company... go nuts. Otherwise, use the company laptop.
If your company gets pulled into a lawsuit, lawyers on both sides might demand your personal machine for evidence.
If you have a doubt about the right thing to do insofar as the company is concerned, you should ask the company. The fact that you asked HN first suggests that you already know the answer.
Probably there's a handbook rule or policy your employer has that you must use their hardware. For example, it could be a data/IP protection policy that doesn't allow any company data on any storage medium not owned by the company (and that includes your personal laptop).

Another matter is software licensing. You mention the IDE. Is your IDE properly licensed for commercial use on your own laptop? If not, the company may need to throw out all that you do when they find out, or they risk losing all their commercial licenses.

If you really want to use your own hardware, I would seek a letter from HR/legal with a statement to the effect that the company allows it. But given that the company gives you a laptop with a software image, it's likely they have to for a real legal reason.

Or you could become a consultant/outsourced supplier where it will be expected, in most cases, that you will use your own hardware. Though not always.

If you don't properly handle this, the likeliest scenario is that you will be fired when they find out. If you are lucky, they won't tell this to your future employers when they ask for references. I think it's common to be lucky in that regard to be honest, but not everyone is. And if the org loses licenses or has to throw out a chunk of their codebase, you may find yourself in a lawsuit (possibly between a client/supplier of your employer and your employer). Of course, if it's a small start-up, personal consequences are less likely. But don't act this way towards a small company.