129

This is an attempt at a canonical question following this discussion on Meta. The aim is to produce basic answers that can be understood by the general audience.

Let's say I browse the web and use different apps while connected to the network at work. Can my employer (who controls the network) see what websites I visit, what emails I send, my IM messages, what Spotify songs I listen to, etc? What are they able to see?

Does it matter if I use my own computer, or one provided for me by my employer? Does it matter what programs I use, or what websites I visit?

INV3NT3D
  • 3,977
  • 3
  • 14
  • 25
  • 30
    It would be nice to see a nuanced answer for those who cannot afford the tinfoil. "There is no absolute security" doesn't clarify the situation. Just because they monitor the traffic that doesn't mean they can read your private Facebook messages. – Arminius Nov 16 '16 at 19:22
  • 14
    Offcourse there is nuance in "what are they probably doing", but this question is "can they". Since it's possible, the answer is Yes. And seeing as the question explicitly states "employer", an answer/advice should probably also rather be cautionary than dismissive: **assume they can, assume they are. Don't do anything you wouldn't want to be seen**. – Konerak Nov 16 '16 at 19:38
  • 5
    Would some visualisation help? http://i.imgur.com/pSEI13C.png as a start? – Konerak Nov 16 '16 at 22:23
  • Of course they *can* if it's important enough to them, the question to me would be "is your work environment and company culture such that they *would* be looking over your virtual shoulder at everything you do, or do they trust you to just do your work?" –  Nov 17 '16 at 13:15
  • 3
    While simple "Yes, they can see everything if they want to" answers are absolutely correct, surface level explanations of the protocols and processes at play would be deeply appreciated. While we want the answer to be simple, we also want it to be informative as to *why* they can see everything they can. "SSL", "MitM", "Proxies", are words we use in InfoSec constantly, but these are concepts that someone asking this sort of question would have no general understanding of. So technical documentation of SSL: no; high level overview of what and why these things are happening: perfect. – INV3NT3D Nov 17 '16 at 14:14
  • 1
    "while connected to the network at work" Does this mean 1) At work and on the work network; or 2) Not at work but connected (by VPN or other means) to the work network? I read it as the second, but reading the answers it seems like it's likely the first. – Joel Rondeau Nov 18 '16 at 19:05
  • 1
    I work at a bank, they go as far as installing SSL certs on our machines that allow them to decrypt the traffic before it even gets to us. They can see all of our secured traffic. – Tony Nov 18 '16 at 22:16
  • Related: [Is it common practice for companies to MITM HTTPS traffic?](https://security.stackexchange.com/q/107542/141087) – Stevoisiak May 03 '18 at 16:50

11 Answers11

175

Yes. Always assume yes.

Even if you are not sure, always assume yes. Even if you are sure, they might have a contract with the ISP, a rogue admin who installed a packetlogger, a video camera that catches your screen... yes.

Everything you do at the workplace is visible to everyone. Especially everything you do on digital media. Especially personal things. Especially things you would not want them to see.

One of the basic rules of Information Security is that whoever has physical access to the machine, has the machine. Your employer has physical access to everything: the machine, the network, the infrastructure. He can add and change policies, install certificates, play man in the middle. Even websites with 'SSL' can be intercepted. There are plenty of valid reasons for this, mostly related to their own network security (antivirus, logging, prohibiting access to certain sites or functionalities).

Even if you get lucky and they cannot see the contents of your messages, they might still be able to see a lot of other things: how many connections you made, to which sites, how much data you sent, at what times... even when using your own device, even using a secure connection, network logs can be pretty revealing.

Please, when you are at work, or using a work computer, or even using your own computer on the company network: always assume everything you do can be seen by your employer.

Konerak
  • 3,938
  • 2
  • 16
  • 16
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/48718/discussion-on-answer-by-konerak-can-my-employer-see-what-i-do-on-the-internet-wh). – Rory Alsop Nov 18 '16 at 13:41
  • In Europe there is now a precedent for this not only being possible but also legal. See the case of Bogdan Mihai Barbulescu for more info. – Chris Petheram Nov 18 '16 at 16:25
  • 2
    @ChrisPetheram AFAIK in that case the *contents* of the communications were not used against him, just the fact that he used his working email & other accounts for personal communications. In other words: there is no precedent that says "the employer has the right to watch all your communications", but only that "if the employer notices that you abuse the communications for personal use, *only looking at the recipients*, then you can't complain if you get fired". – Bakuriu Nov 18 '16 at 22:12
  • 4
    @ChrisPetheram The concept of precedent doesn't apply in most of Europe, where most jurisdictions are civil law systems. Unlike in common law systems (e.g. US), judges are bound only by the law, not by precedents. Different judges may interpret the law differently. Also, privacy law in the EU prohibits collecting personal data without consent of the person concerned. Unless you signed an agreement that prohibits private use of business IT resources and/or in which you acknowledge that your actions will be monitored, doing so is illegal in the EU, even if it is technically possible. – user149408 Nov 21 '16 at 00:44
  • 1
    What about remoting *out* of your work computer into your home computer via something like Teamviewer, Logmein, etc.? Doesn't that use a secure tunnel that encrypts all traffic? The employer might see an outbound connection but would he be able to see the content? – user249493 Nov 22 '16 at 01:47
  • 1
    @user249493 They can still potentially install both keylogger and screen-snooping software on your PC in order to see the content. – pjc50 Nov 22 '16 at 14:37
  • @user249493 Also, you have to assume that the employer can determine it's a tunnel. In that case you'd look pretty bad if tunneling out is not at all part of your work. – MauganRa Aug 17 '17 at 08:46
  • But if you were to connect to the guest wifi with your dual boot work laptop (Linux installed from stock iso) then your traffic would be mixed together with tons of other devices and you'd avoid any direct monitoring. Am I missing something here? – Gabor May 22 '18 at 06:27
  • 1
    if one uses Google drive to view files, can the company only know that the person accessed Google drive or they can also see what files are there/viewed in that drive? – firstpostcommenter Nov 29 '19 at 13:22
51

Is it your device?

There are two ways you can be monitored - either what you do on your computer is being logged on your computer, or the internet traffic it generates is being logged somewhere else on the network.

There are many ways to prevent snooping on the traffic while in transport, but if it is not your computer (or smartphone or tablet) it is always possible that some kind of logging software is installed that could potentially monitor everything you do on the device, no exceptions. The same goes if you have allowed your employer to tamper with the device, e.g. install some software.

Now this might not be as likely as your traffic being logged, because many employers who do not work in a high security area might not find it worth the effort, but it is still a very real possibility. Therefore, if you are using a device provided by your employer they can potentially see everything you do no matter what precautions you take.

When browsing, are you using HTTPS?

So lets say you use your own device and your employer has not installed anything on it (maybe you connect your private smart phone to the office Wi-Fi). Can they still see what webpages you visit by monitoring the network traffic?

This depends on if you use plain HTTP, or if you use HTTPS. If the adress you visit begins with https:// it means that the communication is encrypted - the S stands for Secure - but if it begins with http:// it is not. You can also check if there is a padlock icon in the URL bar - see instructions for Firefox here.

There are some big caveats here, though:

  • What domains you visit will still be visible. So if you visit https://example.com/secret your employer will be able to see that you visited example.com, but not that you specifically visited the secret page, what was written there, or anything you posted.
  • If this device is office-issued or has been tampered with by your employer, it is trivial for them to read all traffic going either way. This is done by installing a certificate on the device. Once done, they can intercept data from the server or from you, decrypt it, re-encrypt it and sending it to the recipient with no one the wiser. HTTPS will not help you.

For other apps, are they using encryption?

We do more on the internet than just visiting webpages with a browser. Both your computer and your phone probably have dozens of apps installed that uses the internet somehow. What about those?

Sadly, this is a bit more opaque. By default the owner of the network can read (and modify) everything you send or receive over it. To stop that, some kind of encryption must be used.

If any specific app uses (correctly implemented) encryption or not is hard to know, unless the makers of the app actively advertise it (and you trust them...). Some apps, such as WhatsApp, famously uses encryption while others don't. I would recommend you to assume that the traffic is not encrypted unless you know that it is.

TL;DR

It depends. To be on the safe side it may be a good idea to assume yes, and just do any sensitive business from your own private home network.

Anders
  • 65,052
  • 24
  • 180
  • 218
14

In order to make an efficient argument, we will investigate the possibility of how snooping can be done.

It should be noted: not all companies will monitor your behavior, even if given the opportunity. This is a strictly hypothetical investigation. We are only investigating the possibility of snooping, not how your employer utilizes it. How you assume your employer to behave is between you and your employer.

With those things said, there are pivotal points to be considered when investigating the degree of possibility of snooping:

  • Who owns the hardware you use?
  • Whose network are you using?
  • Who is around?

Who owns the hardware you use?

If you use empolyer-owned hardware, this is probably the worst-case scenario. Your employer has a broad spectrum of tools to choose from when determining how to snoop. If you use your employer's hardware, anything is possible: everything can be monitored. Employers have complete autonomy when setting up hardware. Keyloggers, screen recorders, packet manipulators, and annoying reminders to keep working are just a small list of what can be installed on the computer without your consent because it is not your computer. It is impossible to verify that something has been tampered with any confidence. Even if you manage to use a different network (unlikely), the data can pass between any number of hardware before reaching your monitor. As stated before, this is probably the worst scenario to be in.

You work at a video production company. The software essential to the purpose of your position is expensive and resource-intensive, so you're provided with a company-built machine with an Adobe software suite, Blender, etc. to use while you're in the office. Your team lead seems to hint that he knows a lot about the details of the project you've been working on, so you decide to investigate the software installed on the computer. Fortunately, the "uninstall a program" window inside of Windows Control Panel doesn't show anything suspicious.

Then you remember that article on how programs can be hidden from control panel. The only way then is to view the registry, which is not possible when you don't have the administrator account (you don't). No administrator account, no assurance.

Whose network are you using?

Anyone who has used Kali Linux before can tell you, networks can be vulnerable (and usually are). But monitoring/manipulating with Kali and monitoring/manipulating your local network are two completely different ball games. Having control over the network gives you access to all traffic from all MAC addresses. Sometimes the traffic will be garbled (encrypted), sometimes it will be plain text (unencrypted). However, traffic is all monitoring is limited to. Only things you do over the network are view-able; if it isn't networked, you're safe*.

Unencrypted traffic is dangerous. Anyone who listens in can see what goes in and out of your ethernet/wireless card and where exactly it goes. This is not good if you want to mask what exactly you're sending across the wires (a comment on a blog post, a file sent to an FTP server, or an email sent over an SMTP server not using SSL). To be safe here, using TLS/SSL will keep you safe-er. This will encrypt the information sent over the line, keeping the content inside the packet between you and the server.

However, you must also consider that even with TLS/SSL, possibility for snooping is still present. "Metadata", or data about your data, can still be collected due to the nature of how your computer makes requests over the network. You still have to inform the router connected to the internet of where you want information from, or where it needs to go. Virtual Private Networks add protection from this level of snooping** by encrypting all network traffic and sending it to a router somewhere else, masquerading as you.

You decide to bring your own workstation to work after the previous privacy fiasco. After connecting it to the network, everything goes smoothly. However, you notice that your team lead brought up a topic of discussion that reminded you a lot of the comment you made on a message board. Like before, you decide to investigate. You read up on security.stackexchange.com and find out that you might have had your information snooped. In defense, you begin to encrypt all of your traffic using a VPN. After many more blog posts, you notice that the conversations tend to happen less fluidly. Success!

*: Careful here, as some software not used on the internet may still send usage information in the background. It is best practices to notify the user of this in advance (Check here to send anonymous usage statistics to X company), but not all will.

**: It is possible to block VPN's by MAC address or by using an alternate DNS to prevent connections to VPN's. This is common practice by some ISP's.

For the last point, we will begin with our example:

Suddenly, your employer starts mentioning those topics similar to the message board you follow again. You think to yourself, "But wait! My hardware is secure and my traffic is behind a VPN! How is this possible?!"

Who is around?

Sometimes, the easiest way to collect information is to look for it. Literally look. Cameras, peeping over your shoulder, using binoculars to look at your screen across the room, looking at your computer while it's still logged in and you're in the bathroom, etc. These "medieval methods" of snooping may be crude, but I would rather walk up to someone's computer and find out what I want to know compared to doing all the hard work of network/hardware snooping.

Also, this is arguably the hardest to defend against without making serious changes in your physical behavior and space, some of which may not be possible inside the confines of an office. I leave examples and solutions to those paranoid enough to worry about and solve these problems, as some are extremely tedious (imagine using two-factor authentication combined with a biological scan and...you get the point).

Kris Molinari
  • 251
  • 1
  • 6
11

Yes. Whether they do, or to what level they monitor, is a question for your company. Usually, you will find the monitoring policy in your companies employee handbook and usually, there is an acceptable use section or another entire document dedicated to this.

Keep in mind that certain industries are regulated and your company not only has the right to monitor all your electronic activity they may be required to by law.

A good general rule of thumb is whatever you are thinking of doing on the companies Internet, if you would not do that with your boss sitting next to you watching, then you shouldn't be doing it.

Regarding the part about your private computer, if you connect that to your companies network the activity you do over that Internet is subject to your employer's policies. It is a bad idea for a company to even let a device not under their control connect to their network. A lot of companies will have a policy that prohibits this, and it becomes problematic for you if you do this even if you've not done anything that is a violation of their acceptable use policy.

Thomas Carlisle
  • 809
  • 5
  • 9
3

Most likely... Especially if on a company computer. This being said you should always assume you are being monitored. There are a few main ways they could be watching you.

  1. Using router logs. Unless you use a service like tor or a VPN (which you probably shouldn't as it would probably upset your employer) they will always be able to see the websites you visit and the data you send if the site isn't using HTTPS (and possibly even if it is, see below)
  2. Your employer may have broken HTTPS. Because of the way HTTPS works, there are these things called "Certificate Authorities." These are trusted authorities that vouch for the identity of sites and their encryption keys. If you are on a company machine they may have set it up so they are considered a certificate authority by that computer. This means that they can perform a "man in the middle attack." Basically they say they are an HTTPS site, google. They take your traffic that is encrypted with their key (remember they are installed as a CA on your company machine) decrypt it, then forward the packets onto google and vice versa.
  3. Your employer may have a key logger/remote administration software on your company machine. This would allow them to see all traffic and all the files on your company computer regardless of the the other factors listed above.

Remember, always act as though you are being watched at work. Even if you are on a personal computer there may be a security camera pointed at your screen, your boss could unexpectedly walk in, etc.

Further Reading:

  1. https://en.wikipedia.org/wiki/Man-in-the-middle_attack
  2. https://en.wikipedia.org/wiki/Certificate_authority
Mitchell
  • 159
  • 4
2

In normal cases, your boss wouldn't be interested in what you are doing with the network. However, he might decide to check periodically. Answering your question, any network can be monitored by the owners of the network.

Whether or not you are using your own device will only affect the total control that they have. For example, if you are using a provided desktop computer, the chances are that it is being monitored. However, if you are using your own it won't (unless you are connected to their network, of course). Nevertheless, the owners of the network will still be able to monitor their network's traffic flow, meaning that they can monitor the information that you send through.

This can be avoided by using a proxy or encrypting network packets. The disadvantages of using a proxy at work are:

  • It is relatively easy to detect
  • It could represent a threat to your device if it is a malicious proxy
  • The owners (Or IT departments) will not like it.

Additionally, the use of a proxy may be partially blocked (Proxy Set-Up functions could be locked) or the network may not allow to access it.

The other option is encrypting Network packets. The main disadvantage is that it may be a lot of work (although you could always use a program that encrypts all the outflow of information from your computer).

These two last options come from the assumption that you are using your own devices. You should not do any of those if you are using a company-provided computer, as it could anger some people...

In summary, in a company provided device, they can monitor and control everything they want, and in your own device, they can't unless you connect to their network.

If I had to give advice, I would say that since a system manager may not dislike all the sites you visit (For example, I doubt it would anger them that you are using Spotify), you should to talk to them. See what they allow, and what is forbidden, and respect it. Whenever you need to use a type of messenger, use it, but if you want to keep your boss out of your private conversations, use mobile data or another connection.

Hope my answer was useful.

Kiwii
  • 27
  • 4
1

I'd say it depends on the company. Smaller ones probably don't or can't. Larger ones have the resources, but then there is the question of what is at risk.

If your job requires you to access personal data typically covered under HIPAA rules, the answer is probably yes, because companies can't afford the lawsuit if you screw up by downloading malware.

If your company has lots of trade secrets or patents, the answer is probably yes, because they don't want to lose them to competitors.

If your job requires accessing information vital to the survival of the company - investor information, market conditions, personnel changes, pending lawsuits, etc, then the answer is probably yes, because companies can't afford the fines from the SEC or courts.

There are many commonly available tools that are used to snoop on employee internet usage. Packet captures, proxy servers, and software built into the servers, routers, and workstations.

Remember: you are being paid to do a job, not surf the internet or check your eBay bids. Do your job, and have a justification for going out of the company to get at the information you need.

Andrew Jay
  • 184
  • 1
  • 3
  • Wouldn't snooping on employees mean that more people have access to information? Under HIPAA rules, if some (very reliable) IT guy can snoop on the information that I use and that way see confidential patient data, wouldn't that be illegal? – gnasher729 Nov 19 '16 at 19:40
  • Not necessarily. Companies who perform a task which involves use of your personal data are given blanket permission to see and use your personal data, which generally includes the same IT guy snooping on you as he does backing up the data you view. This is not necessarily illegal; but if the IT guy used that data in a way against HIPAA regs, then yes, he's in for a world of trouble. – Andrew Jay Nov 27 '16 at 07:10
0

It will depend on the size of the company and how much they invested into their network/security infrastructure.

Do you need any authentication when using the Internet? Do you have any content filters stopping you from accessing social media or humor sites? It will usually come with a Forcepoint or BlueCoat message.

If you are working for a financial institution or the government the answer is most likely yes.

They will get a list of URLs and IPs that you visited, on YouTube they will be able to see the URL and from that see the video that you watched.

The in-house emails and IM services will be visible.

vanPlaas
  • 17
  • 2
  • 2
    Is there a warning banner when you log in? (US government sites must display a warning banner to indicate monitoring; others have implemented similar policies.) – MCW Nov 16 '16 at 18:43
  • 3
    @MarkC.Wallace Can you cite a source on this? I have never heard of this requirement and worked on government online properties in the past. – Bacon Brad Nov 16 '16 at 19:15
  • 3
    [NIST 800-53 AC-8](https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-8) – MCW Nov 16 '16 at 20:00
  • I find AC-8 to be silly. Policy/law trumps it, and it can't always be displayed. Connecting to a computer via SQL port won't be able to show this banner. – MikeP Nov 17 '16 at 16:26
0

YES

No matter if you used your own internet on the device given by your company. They always can track you.

For example, many software installed in the system directly track what is opened in browser and where all web-request goes. Software Like Activatrak do all these without even let user know what is going on the system.

If you are using the internet from company's router they can track you by using any network tracking software. For example wireless network watcher

You can only opt out from this tracking when you have your own device where you have used your own internet.

MCW
  • 2,572
  • 2
  • 16
  • 26
0

Does it matter if I use my own computer, or one provided for me by my employer?

Yes. If you use a computer/mobile device provided for you by your employer, they can (even though not necessarily will) see everything, including any kind of activity, on any program. They can even see your screen as you do stuff. This is also valid if you installed any program/app from your employer in your own computer (like VPN software), even when using your home network.

Does it matter what programs I use, or what websites I visit?

Yes and No. If the hardware is not yours, see above. If it is yours, you didn't install any app from work but you use their network, they can still see anything done on any unencrypted protocol (HTTP, FTP, DNS, BitTorrent, ...). Remember that most sites and programs/apps don't really care about exposing what you do online: they just use HTTP.

If you only use encrypted protocols (HTTPS, FTPS, SFTP, SSH, ...) they can only see what domains you use (no matter the program) and how much data you transfer. This can still get you into trouble, because domains many times reveal something about what you're doing.

However, even using secure protocols, they may still see data if the app you use does not correctly implement the secure protocol. For example, any modern browser (untampered with) will detect if the company tries to intercept your HTTPS connections, but some (maybe most) other apps may just use HTTP or may not check the validity of the certificate.

And as always, even using your own mobile, on mobile carrier networks, there can always be a camera or prying eyes around.

-2

Anybody with the right level of access can, in theory, look into everything that happens on any network, especially on your office network.

What a network administrator can learn depends a bit on what kind of security and monitoring tools/systems are already in place or could be activated and what gets logged and recorded for posterity. If networks access is easily correlated to specific users or not also depends.

Your network connection
Your network may require that every user authenticates before any form of network connection is allowed in the first place, which allows all online activity to be tied to a particular person or your network access might be more open.
Smaller WiFi networks frequently have a single password shared among all users, but corporate networks typically require signing in with a personal credentials, a user ID and password or SSL certificate.
Similarly wired network connections may have IEEE 802.1x configured that requires each client device to authenticate before network access is granted, or alternatively simply plugging in a network cable may already grant you access.

Network access control lists and firewall policies then determine if you have completely open internet access, somewhat restricted access or no direct internet access at all and are required to (sign in and) use a proxy server.

Although it is much more likely that an organisation that requires you to use a proxy server will monitor the sites you access and maybe even apply policies to disallow certain (categories of) sites, even completely open acces can still be monitored. Most enterprise network equipment allows for a mirror port to collect a complete copy of every bit and byte transmitted, typically to feed that into intrusion detection/prevention systems but also for law enforcement taps and internal monitoring/compliance systems.

DNS
DNS is a low level protocol that is required to translate easily remembered hostnames such as Facebook.com, webmail.example.com etc. to the IP-addresses that are needed to contact those services over the internet.
DNS is a clear text protocol that makes it trivial to record that you did visit Facebook or read your webmail even when using HTTPS obscures the specific pages and email messages you accessed from those sites.

HBruijn
  • 1,345
  • 10
  • 13