Is Google hangouts encrypted? Would my work's IT guys be able to see pictures and text I send while on a work computer? Yes I know I shouldn't be sending stuff I don't want them to see while at work, but it wasn't at work. I use hangouts on my phone as well and just realized I use the hangouts Chrome plug-in at work and it was syncing all my conversations.
You can get around this by logging out of the browser plugin when you are away from your desk. It then won't sync *very much* to your desktop hangouts unless you scroll up in the chat. This will still sync some conversation if someone you were talking to on your phone talks to you while you are logged in at your desktop. – Quentin Skousen Aug 21 '14 at 15:47
Better use a personal computer to avoid the risk of having who knows what software installed on it. – user1306322 Aug 21 '14 at 16:28
@logixologist That doesn't actually prove they are doing that though. Even if it was something so obtuse that it convinced you it was scanning what you wrote, you can't really prove that it was. You very well might be right, but let's stick to facts and not assumptions and anti-Google biases. – patricksweeney Aug 21 '14 at 20:44
@patricksweeney that's pretty much their business model: targeted ads. Whether that's evil is personal opinion, of course. Regardless, it doesn't really have anything to do with what the OP is asking. – DA. Aug 22 '14 at 05:19
Perhaps. I know that Facebook chat messages are sent over HTTP, even if you visit the FB page via HTTPS. So all chat messages are readable in the logs – BlueCacti Aug 22 '14 at 19:25
@logixologist Google is quite open about analyzing site content (including, of course, user-generated content on Google sites such as Gmail) to select which ads to show: see [1](https://support.google.com/adsense/answer/9713?hl=en) [2](http://www.dailytech.com/Google+Yes+we+Read+Your+Gmail/article33184.htm) and [3](http://www.theguardian.com/technology/2014/apr/15/gmail-scans-all-emails-new-google-terms-clarify). The real question is, (1) what are the limits of what these "automated systems" do with the information, and (2) can any humans access the information? – Kyle Strand Aug 22 '14 at 20:12
In other words, those who trust Google are trusting it to limit its use of such information to the obvious functionality- and ad-related uses, rather than to, say, store it and/or sell it to other companies. – Kyle Strand Aug 22 '14 at 20:13
@logixologist: *"This means they transcripted it and then sent me unsolicited targeted ads based on a keyword."* They did, of course, **tell you** they were going to do that when you signed up and accepted the T&C's. You may not have "solicited" their sending you ads, but you did consent to it. – T.J. Crowder Aug 23 '14 at 12:06
6 Answers
You should assume that they can. There are various ways they can do it, but whether they actually do it depends on the company's standards and practices. Some of the options:
- It's possible to install additional root certificates on the company's machines and use that to MITM all the traffic (traffic goes through the company's gateway/proxy anyway, and having a friendly root certificate on the user's PC allows a full MITM);
- It's possible to install "employee monitoring software", which is essentially a key logger + process monitor + screen grabber. Some tools have capacity to locally intercept received messages in chats.
- It's possible to use remote access/collaboration tools to monitor what's happening on the screen of a particular PC.
In short, if you don't have control over the PC you're working on (and with company's workstations you typically don't), you cannot assume it's free from such surveillance implants.
Hope that's not too scary :)

Echoing the above, technically it's perfectly feasible. Practically, does the data actually get looked at? As a Sysadmin myself, I would suspect not. Even on slow days, there's lots more interesting stuff to do than see if we can catch a co-worker doing something they shouldn't! :D – GeoSword Aug 20 '14 at 09:27
Depends on the country you're in (I guess it's legal in some jurisdictions and sort of grey area in others) and particular circumstances (e.g if the person in question is suspected of some wrongdoing). Many data leaks for example are confirmed/identified this way (it can be automated to large degree though). – Andrey Aug 20 '14 at 09:45
Probably not the place for legal questions but how would this not be highly illegal (with severe penalties) in most civilised countries (I mean, it's large scale circumvention of people's encrypted internet communications - SSL)? I mean it'd be one thing for the NSA to do it but a private company couldn't pull this kinda thing and not expect hard jail time right? – thomasrutter Aug 20 '14 at 11:24
I'm referring to the MITM attack and faked certificate authority scenario of course - inspecting the contents of your work PC or using monitoring software is a different thing which many companies openly do. – thomasrutter Aug 20 '14 at 11:30
I agree, this looks like a violation of rights, but it also looks like it's rather commonplace e.g. in US (http://it.slashdot.org/story/14/03/05/1724237/ask-slashdot-does-your-employer-perform-https-mitm-attacks-on-employees). The main argument is "Our hardware – our rules", which also sort of makes sense (remember, we're talking about employer monitoring traffic from devices that he legally owns). – Andrey Aug 20 '14 at 11:38
@fjw It would be considered legal in the U.S. because almost every employer has their employees sign an Acceptable Use Policy that will include a provision stating something like "You have zero expectation of privacy on our network and/or hardware, and all of your communications are subject to monitoring". So the employees are giving consent to the employers to do this. – Craine Aug 20 '14 at 13:54
What's the difference between 2 and 3? A "support tool" is also an "employee monitoring tool" the moment it doesn't require authorisation of the employee to watch their screen content. – user10008 Aug 20 '14 at 17:57
@CraineRunton I am aware of employee agreements which sign away expectations of privacy, but I don't see how this could override the fact that a MITM attack on SSL would be a *criminal* act, not civil. Organisations can and do monitor employee activity, and may do so by any legal means (including any client-side monitoring software which captures activity on the PC itself), but are you trying to tell me that it is not a criminal offense to conduct a MITM attack on SSL, or are you claiming instead that an employee agreement can somehow make an illegal act legal? – thomasrutter Aug 20 '14 at 23:51
I'm happy to be wrong on this if there is no such law, but I have a hard time believing that in a country where it is a *criminal* act (not just civil) to circumvent the encryption on a DVD, that there is no similar law about circumventing SSL. – thomasrutter Aug 20 '14 at 23:58
@fjw: there is not (AFAIK) any statutory prohibition on MITM attacks on SSL in and of themselves. If the SSL was being used to protect copyrighted content then you might run afoul of DMCA. It's criminal to circumvent a copyright-protection measure, but (again AFAIK) there's no such criminal prohibition in general on circumventing security measures that don't protect copyright. It's also potentially criminal to use a computer system without permission, but that doesn't apply here since the employer ofc has permission to use *their* system. – Steve Jessop Aug 20 '14 at 23:59
Anyway, laws don't spring into existence just because it would seem sensible and consistent to have them, they exist because someone wrote them and Congress passed them. In practice that generally happens because someone lobbied for them. In the case of most copyright law that "someone" is Disney (actually more than just Disney, but media), and Disney isn't all that interested in SSL. And finally the company might not (legally speaking) circumvent SSL anyway, since the employee has chosen to use the company's root certs, that authorise the company's proxy to present itself as any domain. – Steve Jessop Aug 21 '14 at 00:01
@CraineRunton: It is standard practice with some major companies I know (and from that I conclude it's common for _most_ companies), not only US based ones. Corporate (automated) MITM and monitoring software happens pretty much on _every computer_. Reality is, sadly, even in jurisdictions where this is illegal, the bottom line is simply: _fuck your rights_. Employer brings forth a paper that you are to sign, and if you want to keep your job (or in the meantime, as it's already in place: if you want to get hired), you do sign it and don't complain. – Damon Aug 21 '14 at 10:29
@fjw - If your employer OWNS the machine you're using, it's legitimate to install certificates that allow them to terminate SSL traffic (a.k.a do a MITM "attack"), and *there is no **attack** going on*. It's a simple configuration of their own possessions. Ignorance that SSL won't make you immune from observation doesn't make their actions criminal (just as, if your employer informed you that cameras were in use, and you tried to hide actions from cameras but failed, you'd have no recourse). If they state that you have NO expectation of privacy, you should NOT expect privacy. It's that simple. – ErikE Aug 22 '14 at 02:22
As long as I have no way of knowing the legal qualifications of the people responding to me I don't have an indicator of how much I can trust these responses. I should probably have not brought it up here for that reason. ErikE, in particular, your answer centres on terminology: whether you can use the word "attack" to describe this method of circumventing SSL with different certificates or not (from a tech (not legal) standpoint, MITM *is* an attack). Whereas other comments, that seem more convincing, have informed me that there is no such law making circumvention/attacks on SSL illegal. – thomasrutter Aug 22 '14 at 02:25
@fjw - it is legal in the EU for a company to record all incoming/outgoing communications using any means available. The controls are based on what happens to the message content; any human working with the material should stop doing so as soon as they establish it is personal and can take no action on it. Employers acting on information from personal messages have resulted in prosecutions. – James Snell Aug 23 '14 at 09:31
The only confusing part of this to me is why someone might think they have a "right" to misuse company resources. – Michael Hampton Aug 23 '14 at 20:26
@Michael How is this misusing company resources? Many companies allow an acceptable amount of personal use of internet/computers at work. Some even promote it since there are studies that show workers are more productive when you don't try to restrict access to certain websites at the workplace. But even when it is encouraged, there is still the question of whether it is monitored. – J.Money Jul 16 '15 at 15:25
Yes, if your Google Hangouts data has synced onto your work computer the IT department could view it. However, don't freak out yet: unless they are looking for it, it's extremely unlikely that they will see it.
There are three places that the IT Department could see it:
In Transit
When syncing your hangout data if your IT Department monitors traffic over the network they could have seen it. As BigBob1000 says it's encrypted (HTTPS) however many enterprises install trusted certificates on their computers and then basically Man-in-the-Middle their own computers to decrypt all HTTPS traffic. Chances are even if they were doing this they would not have recorded the data, just that you connected to Google.
At Rest
This is a more plausible issue but still incredibly unlikely. Chrome (all browsers) cache things, so rather than downloading the same image from Google a hundred times it downloads it onto your computer's hard drive once, then uses that each time. I'm not sure what Chrome caches for hangouts, but an educated guess would be that it's profile pictures of your contacts and other images but not the text of your conversations.
You can clear your cache; your IT Department might still have a backup, but most places don't back up desktops, only servers.
In Memory
Honestly I'm just putting this one in for completeness. EDIT: After seeing Andrey's answer, he brings up a good point, this is more plausible than I thought. There could be employee monitoring software that records chat logs.

I think more common than any of those would be screenshots at x (or random) intervals (for the actual content) - "In Transit" is going to be more likely implemented first. – user2813274 Aug 20 '14 at 17:52
@user2813274 screenshots are probably the most efficient and fool proof way to control what the user is actually doing. – Davidmh Aug 24 '14 at 11:24
There's also the issue that even if technically able (likely) they may not be legally allowed to do so (under some jurisdictions, personal communications are confidential, and if you haven't signed some blanket statement...). So if they accidentally logged it and you discovered that, you might have a good case against them for spying. – Ángel Aug 24 '14 at 19:59
@Ángel Even assuming that's true, I don't really think it's relevant. If they see something they don't like, they can fire you. At that point, you're likely to have a long, expensive, and painful battle. So, for all practical purposes, you should assume they can and will do it, and that you don't have any recourse. – Patrick M Aug 25 '14 at 08:25
@Patrick-m, I don't consider it too relevant to questioning _if they can_ (I agree he should have his chats not synced), but it's interesting on the issue _if they will_ actually go so far to do that (secretly, without notifying you). That something is illegal can be a good incentive not to do it :) – Ángel Aug 25 '14 at 21:31
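The HTTPS interception that the first answer describes (an extra root certificate installed on the company's machines so a proxy can re-sign all traffic) and that the "In Transit" section of the answer above repeats leaves a visible trace on the client: a self-signed trust anchor that belongs to the employer rather than to a public CA. The Python script below is an added example, not code from the original thread or from any of its authors. The allowlist of public CA organisation names, the "ExampleCorp" sample certificates and all function names are assumptions constructed for the demo. It walks a list of CA certificates in the dict shape that the standard library's `SSLContext.get_ca_certs()` returns, keeps only self-signed entries (trust anchors), and flags those whose organisation is not on the allowlist; intermediates are ignored because they are not trust anchors.

```python
"""Flag trust anchors that look like a private TLS-inspection root.

Added example for the thread above (not code from the original answers).
Assumptions: the PUBLIC_ROOT_ORGS allowlist and the "ExampleCorp" sample
certificates are constructed for this demo.
"""
import ssl

# Organisation names of some widely deployed public root CAs.  Constructed
# allowlist for the demo; a real check would use a root-program list.
PUBLIC_ROOT_ORGS = frozenset({
    "DigiCert Inc",
    "Internet Security Research Group",
    "GlobalSign nv-sa",
    "Sectigo Limited",
})


def dn_field(name, field):
    """Return one attribute (e.g. 'organizationName') from a distinguished
    name in the shape the ssl module uses: a tuple of RDNs, each a tuple of
    (attribute, value) pairs.  None if the attribute is absent."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def is_self_signed(cert):
    """A trust anchor (root) has subject == issuer; intermediates do not."""
    return cert["subject"] == cert["issuer"]


def find_unexpected_roots(ca_certs, allowed_orgs=PUBLIC_ROOT_ORGS):
    """Return the common names of self-signed roots whose organisation is not
    in allowed_orgs.  A root installed by an employer so that a proxy can
    re-sign all HTTPS traffic carries the employer's own organisation name
    and therefore lands in this list."""
    suspects = []
    for cert in ca_certs:
        if not is_self_signed(cert):
            continue
        org = dn_field(cert["subject"], "organizationName")
        if org not in allowed_orgs:
            suspects.append(dn_field(cert["subject"], "commonName"))
    return suspects


def scan_local_trust_store():
    """Run the check against the trust store this Python sees.
    Caveat: with a capath-style store OpenSSL only lists certificates that
    have already been used, so an empty result is not proof of absence."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return find_unexpected_roots(ctx.get_ca_certs())


# Constructed sample store in the dict shape returned by
# SSLContext.get_ca_certs(); only the fields the check uses are included.
_PUBLIC_ROOT_DN = (
    (("countryName", "US"),),
    (("organizationName", "DigiCert Inc"),),
    (("commonName", "DigiCert Global Root G2"),),
)
_CORP_ROOT_DN = (
    (("organizationName", "ExampleCorp IT"),),
    (("commonName", "ExampleCorp Proxy Root CA"),),
)
_CORP_ISSUING_DN = (
    (("organizationName", "ExampleCorp IT"),),
    (("commonName", "ExampleCorp Issuing CA 1"),),
)
SAMPLE_STORE = [
    {"subject": _PUBLIC_ROOT_DN, "issuer": _PUBLIC_ROOT_DN},   # public root
    {"subject": _CORP_ROOT_DN, "issuer": _CORP_ROOT_DN},       # private root
    {"subject": _CORP_ISSUING_DN, "issuer": _CORP_ROOT_DN},    # intermediate
]

if __name__ == "__main__":
    print("sample store:", find_unexpected_roots(SAMPLE_STORE))
    print("this machine:", scan_local_trust_store())
```

On the constructed sample the check reports only `ExampleCorp Proxy Root CA`; the public root is allowlisted and the issuing CA is skipped because its issuer differs from its subject. On a real workstation a hit of this kind does not by itself prove that traffic is being decrypted, only that the machine would trust a proxy that did so; and, as the caveat in `scan_local_trust_store` notes, an empty result from a capath-style store is not proof that no such root is installed.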
While it's certainly possible, the more applicable question is "how likely is it that my IT department cares?" (Unless you're doing something that could get you fired or arrested, naturally.)
In addition to that, the other consideration is that it costs a lot of money to actually store everyone's web traffic, so the content of messages and web requests is generally not stored for any significant period of time - it costs a lot of money to store that information and make it searchable, and there's rarely any business reason to do so.
Take it from an IT guy - you're not that interesting, and I resent requests to "look into" other employees' activities. I have better things to do than spy on people's social media use or web browsing, so even when I'm explicitly directed to do so, I don't look any harder than I have to in order to comply with my orders. At my workplace, that involves emailing off a canned report to the requester with high level stats on a user's activities - how many web requests made over a certain period, which domains those requests were made to and a break down of those requests by website category - and this is only when I can't get away with saying "no" to requests about what some employee is doing online.

Not every I.T. guy feels the same as you. I bet you could come up with that one gung-ho donkey in your organization that would relish the experience of catching someone _abusing_ company resources as part of their job. – Kristopher Oct 30 '15 at 12:40
@Kristopher Sure, that's why I said the more applicable question was whether the IT department cares. I don't. Other people/jackass control freaks might. – HopelessN00b Oct 30 '15 at 14:11
If your company has a product named "Google Vault" installed then yes your IT department, or anyone granted access to Vault, can read your unencrypted Hangouts messages and pictures.
Google Vault is an eDiscovery platform - https://support.google.com/vault/answer/2462365?hl=en
The only way they would not be able to read your Hangouts messages is if you have turned the history "off" for each chat. In Google Chat this option is named "Chat off the record". In Hangouts it is named "Hangout history". Anything typed after turning off the history is not recorded.
To see what your IT people can see: Open your Gmail in the Chrome browser and click on the "Chats" label found after expanding the "More" button. Deleting what you find in this label won't help you because once it exists it exists forever or until the Google Vault policy expires it.

@Jack implies that he isn't using his company Google Apps account to send personal messages over Hangouts. As I understand, if he is using his personal account then the company can't access his Hangout chats through the Vault. Unless, of course, I'm missing something. – pedro_sland Aug 24 '14 at 22:18
Yes - you really should assume that anyone can read anything you do online anywhere, anytime. If they own the network then doubly so. If they own the computer you're using, triply-so-with-knobs-on.
From another angle, if you are doing stuff on the work computer or in the work environment that you don't want work to know about, you probably shouldn't be doing it. Murphy's law tells us this WILL go wrong for you at some point.
Assuming the IT department are models of benevolent permissiveness and/or ignorant/incompetent, it only takes one colleague who takes a dislike to you (possibly because you spend too much damn time on hangouts when you should be working, f'rexample) to peer over your shoulder, or one computer crash mid-session, or some unexpected computer virus, or a new and exciting bug in Google Hangouts that brings your machine down, to expose whatever it is you didn't want to be exposed.
Then again, by the sound of it, the day your mobile phone gets lost/stolen someone has a load of great blackmail material on you anyway. The problem with things you put on the internet is that they're on the internet.

Depends... the easy way is to simply ask the I.T. department:
You: hi, I'm curious if our IM chats and emails are backed up or stored for compliance reasons. If I need to recover a chat from google hangouts for legal reasons, is it possible?
I worked in finance where 100% of all communication was recorded in our office as per government regulations including phone calls, chats on any IM client (we had a special software dedicated to it), etc.
Chances are you are not actively monitored but your browsing habits might trip an office firewall for repeated violations which may cause some scrutiny if it's ridiculous (tons of porn, obscene bandwidth usage, constant upload/downloading 24/7 such as torrents or spotify).
Emails yes if you are using their domain or sending to a work email domain.
EDIT: one thing to watch out for is building security. If the I.T. department set up or paid for the cameras like I did, we can 100% spy on you at any time and even have zone triggers to alert us. One D-bag I know got building security to record entry times to tag late workers without them knowing despite the company merely being a renter. If you can, tell security to deny any requests to access that information from a third party because it will be used against you if possible.

Strict country, or a sell-side trading floor: "I worked in finance where 100% of all communication was recorded in our office as per government regulations including phone calls, chats on any IM client." – Ellie Kesselman Aug 22 '14 at 21:14
USA....we got fined heavily for missing records so the company records everything. If your company has piss poor storage/recording and you get targeted by regulators....you're gonna have a bad time. – udonsoup16 Aug 26 '14 at 16:46