Microsoft Will Now Snitch On You At Work Like Never Before (zdnet.com) 143
schwit1 writes: Microsoft is preparing a couple of little updates that may curb employee rulebreaking enthusiasm. Yes, this news again comes courtesy of Microsoft's roadmap service, where Redmond prepares you for the joys to come. This time, there are a couple of joys. The first is headlined: "Microsoft 365 compliance center: Insider risk management -- Increased visibility on browsers." It all sounded wonderful until you read those last four words, didn't it? For this is the roadmap for administrators. And when you give a kindly administrator "increased visibility on browsers," you can feel sure this means an elevated level of surveillance of what employees are typing into those browsers.
COVID has been a godsend to Big Data (Score:5, Insightful)
The sumbitches have never had it so good: they're flush with cash, and they have entirely new and unexpected surveillance business opportunities.
I hate COVID for all the usual reasons, but also in large part because it's a booster for corporate fascism.
I also hate our elected officials for letting this happen.
Re: COVID has been a godsend to Big Data (Score:5, Insightful)
My experience with remote working has been: all concerns were completely invalid. Employees are more productive than ever. Why would you add surveillance when all the productivity gains seem to be due to increased freedom??
Re: (Score:2)
Just do your personal stuff on the personal computer....I would have thought this would be common sense?
Re: (Score:2)
Is it that difficult to have your personal computer on the same desk as your work computer when working remotely from home?
You need a desk big enough for both towers, enough space for such a desk, an Ethernet switch to give Internet access to the work computer, and a suitable KVM switch. I've had to return a few KVM switches to the store as unsuitable, often losing the connection between my USB devices and the computer to which they are connected.
Re: (Score:2)
Well, I have a rather long desk...I have two monitors on the desk, with two different keyboards, mice...etc....to each computer.
One is a tower and it sits below the desk, the other i
Re: COVID has been a godsend to Big Data (Score:2)
There is no shortage of narcissist micromanaging taskmasters in this world who get a raging boner at the thought of controlling people like they are their slaves.
M$ (and everybody else) is just tapping into that lucrative market.
Re: (Score:2)
But MS is THE pure play vendor of the pure play vendors. They've been doing this since Windows 95 AFAIK.
Re: COVID has been a godsend to Big Data (Score:2)
It starts with security, and it goes to monitoring how long people took a bathroom break in a hurry.
Hell..good intentions..you know the drill.
Re: COVID has been a godsend to Big Data (Score:2)
True, but there is nothing good about tools used to monster employees with more and more fine tuned micromanagement. At least not for the lower level employees.
How to spot the narcissist soul sucking micromanagers in a crowd? Check the hands being raised when you pop the question, "Who likes this?".
Watch for the Analog Hole.. This is basically DRM (Score:2)
If your employees need access to do their work...
They have access.
Eventually people will be photographing their monitors.
Ultimately this comes down to the fact that you shouldn't pay people poorly, treat them poorly, ask them to do something illegal...
Trust and loyalty is built over time and only exists reliably if it exists both ways.
Corporations want it both ways. They want their employees to be smart, innovative and thinking out of the box... but at the same time they want them to work for peanuts, and b
Re: Watch for the Analog Hole.. This is basically (Score:2)
Yeah, a good old fashioned pad and pen is enough to get some juicy corporate espionage tidbits.
I have a feeling this will just be a task master/"efficiency expert"'s wet dream come true that just happens to catch secrets being leaked now and then.
Re: (Score:2)
You should lobby your representatives to make it illegal. Use Germany as a model, their privacy laws are excellent.
If you need this level of monitoring.. (Score:5, Insightful)
If you can't tell if you are getting the business value from your employees except by micromanaging their computer usage, then you have a very strange sense of business value and deeper problems.
just put into time log logging time 30MIN+ a day (Score:2)
just put into time log logging time 30MIN+ a day.
IF they want you to log each action.
Also put in how much time you spend on tps reports as well.
Re:If you need this level of monitoring.. (Score:4, Insightful)
> If you can't tell if you are getting the business value from your employees except by micromanaging their computer usage, then you have a very strange sense of business value and deeper problems.
So you believe that monitoring that employees don't upload sensitive or even legally protected company data to their personal cloud accounts is micromanagement and means that a company has "very strange sense of business value and deeper problems"? Really?
Re: (Score:2)
Why are personal accounts (in the public internet), accessible from a secure network?
Oh, you plugged your secure network into the internet? Oh- I see.
And you want to talk about security risks?
I see..
Re: If you need this level of monitoring.. (Score:2)
I bet the people doing the monitoring aren't authorised to see half the customer information I see on a daily basis. There's a leak right there.
Re: (Score:2)
So many business tasks and projects are so poorly managed, and poorly managed by incompetents and ladder climbers that it seems unsurprising they are grasping at straws to figure out whether or not employees are "earning their keep".
I'd say over the last 5 years I've spent half my time on utterly meaningless tasks -- and this is on *billable* client work -- and producing work products that are utterly valueless. I'm convinced that much of the time after page 2-3 of some report we could have just provided 3
Re: If you need this level of monitoring.. (Score:2)
Nobody likes to be micromanaged, period. (BDSM excepted). This is a sure fire way to end up with high turnover, employees leaking sensitive information out of spite, and the boss's coffee acquiring a funny taste.
They already have this in parental view (Score:5, Interesting)
I don't even do anything inappropriate at work. However, I am not sure I want my boss seeing my work related searches. I don't want to have to worry about my search being too remedial. For example, I never remember Oracle's precise syntax. I don't want my higher-ups seeing my searches for "Oracle Stored Procedure example." Doesn't make me look too smart. I don't mind not doing bad things, but not sure I want to be judged for not searching for smart enough search terms.
Re:They already have this in parental view (Score:4, Interesting)
No one remembers Oracle's precise syntax, because there is no actual logic to any of it over all the versions that were released, and some functions have the polar opposites as syntax...
well put! (Score:2)
> No one remembers Oracle's precise syntax, because there is no actual logic to any of it over all the versions that were released, and some functions have the polar opposites as syntax...
Agreed. I do not find PL/SQL very intuitive compared to other languages I've worked with, including T-SQL. You & I know this because we're experienced professionals. I don't want to guess what impression it sends to my manager who doesn't. Hopefully my coworkers have dumber or more scandalous searches, but I really don't want to feel a need to justify every search. I often will search for things I know already, to confirm I know them as well as I think I do as well as to see if they're still the be
Re: They already have this in parental view (Score:3)
Great for a parent of small children, but I'd be very uncomfortable with this at work.
If you work for a company of any size with a halfway competent IT department, they already have all that information without any OS level assist. This feature is for small companies who don't have the money, or know-how, to set up the right kinds of traffic analyzers.
Re: (Score:2)
Even 8 year olds know how to use Incognito mode.
Re: They already have this in parental view (Score:2)
In a market where you can get fired because the boss thinks your suit is the wrong shade of grey, employees will be doing everything to ensure that they give their employer nothing to hang them for.
Expect more secrecy, more cloak and dagger type behavior, more employees disappearing from the office because they landed a new gig behind your back. More cliques, more "snitches get stitches", more corruption and blackmail amongst employees, more of everything you don't want in your company.
You're right, I'll give my 8yo total freedom (Score:2)
In other words, total surveillance is ok, as long as you're the one doing it and not the one suffering under it.
Your boss said the same thing. Great that you agree on this matter.
Yup, you're right. My autistic 8yo needs total internet freedom. It's exactly the same thing. Thank you for putting me in my place. I should treat my literal children differently than an employer would treat a trusted employee. I need to give my small children total internet autonomy so they can be fully productive during the work day!!
oh, you got me there (Score:2)
hypocrite.
Yup, parental controls (which are the default for Children's accounts in Windows) for an 8yo are THE EXACT SAME THING as my employer monitoring me. So which is it, should my employer treat me exactly like a dad?...or should I treat my 8yo like an employee and give him more autonomy to be a more productive employee? You really showed me there, dude!
So what? (Score:4, Insightful)
You are using a company-provided computer, on a company-provided internet connection to do company work on company time (for which you are paid). It's ok for your company to spy on what you do under those circumstances. And you shouldn't be screwing around, anyway. That's what your smartphone is for.
Re: (Score:2)
Of course the increased interest in this area is because a lot of companies are letting people use their personally purchased computer on employee paid internet to remotely connect and do work and managers are worried they can't tell if people are slacking. Of those 'on company time' is a fair thing to mention, though it suggests micromanagement that can be the wrong combination of intrusive and futile (hey look, a second device that the first device doesn't even know exists).
Re: (Score:2)
A browser running on a personal computer that is not logged in to company MS services cannot "snitch".
Just use Edge for your work stuff and whatever other browser you want for all your personal stuff.
Re: (Score:2)
Unless they use a keylogger, do they use a keylogger?
Re: So what? (Score:2)
That's why I do all my "typing" by copying and pasting letters and words from the Internet.
Keylogger is just ^C, ^V, ^C, ^V, ...
Re: (Score:2)
Or moving the mouse around and typing elsewhere...
Re: (Score:3)
Don't forget to do all this in a broom closet, so at the end of the day you can leave everything, "company" in it and close and lock the door.
Re: (Score:3)
Don't work in the porn industry.
Re: (Score:2)
Not when working at home, I am using my provided internet. Also if I log in to my bank account at work during lunch time, it's none of the company's business, even though I am using their infrastructure.
If we are at it maybe the CEO's computer usage should be made available to the shareholders, after all they are using company resources to do that and should be held accountable. Once that happens I will be happy for them to track my usage.
Do you want your precise searches monitored? (Score:4, Insightful)
> You are using a company-provided computer, on a company-provided internet connection to do company work on company time (for which you are paid). It's ok for your company to spy on what you do under those circumstances. And you shouldn't be screwing around, anyway. That's what your smartphone is for.
You're correct, but this is pretty invasive stuff. It's the same as parental view. They can view every search you've made and when. Do they have a right to? I suppose there is no law against it, but it's definitely a lot more data than they need and I don't see the business value. My fear is that it could be used against me. For example, if I search "how do I update a link in JavaScript"...I SHOULD know this without looking it up. However, I am not sure if the way I know is still the best practice. My specialty is DB/Java, so I am never confident I have front end stuff memorized. If my boss doesn't like me, he could use it and tell HR it's evidence I am not qualified to do my job. Now it's his word against mine. Am I doing this search query because I don't know the answer and am a moron?...or am I doing it to confirm my way of doing things is still the best practice?
It is much different than what we have seen before. It is uncomfortably invasive. It's a bad idea and not healthy for a relationship between employee and employer. It is legal and their right, but kind of shitty. Also, this is one of those things you can't "vote with your feet." So my employer gets invasive...I can look for a new job, but #1, it makes me look really sketchy to ask in an interview how invasive their browser monitoring is and #2, let's say I find a great company...now they decide, on a whim, to be super-invasive or maybe they just do it and don't tell anyone.
I don't think it's very ethical, personally.
As a funny side note, when I view my 8yo son's history, I can see the times I step out of the room and his searches go from "get free Robux" "custom Robox avatar" to "say bad words" "stuff that isn't for kids" "people getting hurt." These are the things we tell him he can't watch on youtube.
Re: So what? (Score:4, Insightful)
The problem comes when there's someone in the organization willing to abuse their power. It can even be an IT service person that's looking for shit on you.
Re: (Score:2)
I am a professional in good standing who expects to be treated as an adult and not have someone breathing down the back of my neck all day.
During a break, I may well use the browser for personal interests (SFW).
Re: (Score:2)
Some workplaces have micro-managing nosy assholes running them.
Hmmm, it can work in other ways too (Score:2)
This is a tricky one, I'd say it's never OK for a company to "spy" on you. You need to be aware that you are monitored.
It needs to be completely transparent what the rules are and what you can and cannot do on company hardware on the company network.
Then an employee's overall performance needs to be assessed. If an employee isn't performing well, the first step is the line manager, who should be "monitoring" this through open discussion with the individual concerned.
If it is then decided that this employee i
Don't Care... (Score:3)
Privacy/Ownership (Score:2, Insightful)
As someone who is VERY big on privacy, I don't see this as a problem. The owner of a device SHOULD have complete authority to know everything that is done or passes through that device. If we are talking about corporate owned devices, it is their right and doing so makes good business sense. It is NOT a breach of privacy. If we are talking about this on personal devices, then fuck that.
Re:Privacy/Ownership (Score:4, Insightful)
As a landlord and owner of an apartment, you have the right to install cameras in the bedroom, right?
Ownership of a device does not per se give you the right to record everything happening with the device. You always have to show an interest that outweighs the interest of the user of the device.
Re: (Score:2)
Nice false equivalency you have there.
He did say "device" not "room" or "apartment"
Re: (Score:3)
Never access your bank account at work, maybe to check your pay went through. Or even use a password at work to log into a work system. If someone at work asks you for your password to even a work system you should say no. What about if you want to raise a sexual harassment complaint, should IT automatically be able to trace if you visited the complaints site?
Re: (Score:2)
OK, just playing devil's advocate a little here. What if someone who owns the bathroom put a camera in the bowl of the toilet? And then another device that tracks how many times the toilet is flushed, or how much toilet paper is used each time? Each of those would be devices, so should be more analogous to the initial claim.
Re: (Score:2)
So how would you like your landlord to instrument your toilet to report time and volume (or weight) to a fetish site?
Re: (Score:3)
> As someone who is VERY big on privacy, I don't see this as a problem. The owner of a device SHOULD have complete authority to know everything that is done or passes through that device. If we are talking about corporate owned devices, it is their right and doing so makes good business sense. It is NOT a breach of privacy. If we are talking about this on personal devices, then fuck that.
BYOD blurs this distinction, though. It might be my device, but connected to the company's services.
I've already had a similar argument with my company's IT department over AV: I insisted that Sophos antivirus was better than Windows Defender, and had the stats to back up my point (although in truth they are very, very close); they insisted that Windows Defender was the company-approved AV and insisted that I use it (all being monitored via InTune). I was content to lose that battle; it really didn't make
Re: (Score:3)
If your company allows BYOD, they're probably not going to invest the time and effort to set up (and monitor) browser based DLP.
Re: (Score:2)
> BYOD blurs this distinction, though. It might be my device, but connected to the company's services.
The answer is don't do BYOD. Your company should provide the necessary tools for you to do your job. If my company tries to force me to BYOD, I would *buy* a new machine and expense it back to the company and use that machine only for work. Or failing that I will look for a new job.
Re: (Score:2)
No. In-detail surveillance of employees is not only a human-rights violation, it is exceptionally stupid because it _decreases_ productivity and increases sick-days because it creates a lot of stress. The people doing this have a "slave holder" mind-set, not a productivity-focused one.
At work? (Score:2)
At work? Or using work's computer? Do work things on the work computer.
Do personal things on a personal computer. Or a phone /tablet that's not hooked up to company wifi.
Easy peasy, no? Christ on a crutch, people overcomplicate.
This still doesn't absolve the managers who rule with such iron fists they need to know every fucking thing their employees do, when they do it, and how. Fuck that.
Similarly, fuck MS for facilitating the micromanager's dreams.
But you worker drones -- myself included -- don'
Re: (Score:2)
> Do personal things on a personal computer. Or a phone /tablet that's not hooked up to company wifi.
What are useful tips to negotiate enough of a raise to cover the monthly cost of a personal hotspot?
Re: (Score:2)
One employer won't permit browsing the East/Asia. The support documents for several servers (old & obsolete OS) were on a vendor's server in South Korea.
When you filed a request with the IT department for an exception to browse this vendor's support documents, what was the gist of the response?
I used my personal device (at home and at work) to access these necessary support documents.
When you filed a request with your manager for a reimbursement for the fraction of your personal hotspot's data quota used to download this vendor's support documents, what was the gist of the response?
Christ on a cracker (Score:5, Informative)
Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in Microsoft Edge and Google Chrome browsers. With these signals, analysts and investigators can quickly act when any of the following activities are performed by in-scope policy users when using these browsers:
Files copied to personal cloud storage
Files printed to local or network devices
Files transferred or copied to a network share
Files copied to USB devices
Insider risk management is about controlling sensitive, protected (PII, HIPAA, PCI, etc), and corporate data. It doesn't care if you are being productive or not. It's looking for people doing stuff with company data they shouldn't be.
Yes, there are products out there that DO snoop on "productivity" and things like browser habits, but this isn't it.
Re: (Score:2)
"Insider risk management is about controlling sensitive, protected (PII, HIPAA, PCI, etc), and corporate data. It doesn't care if you are being productive or not. It's looking for people doing stuff with company data they shouldn't be."
Good luck with that. Sure, they may be able to detect people copying data to USB devices or uploading it to a cloud server, but how are they going to detect things like someone displaying a file on the screen and then taking photos of it with a cell phone?
Re: (Score:2)
They're not. The problem with most companies is not that they're full of James Bond type espionage villains, it's that they're full of numbskulls who can't be bothered to understand or are incapable of understanding regulations regarding sensitive documents.
They don't stop somebody from taking a photo of a screen because they a) aren't inclined to try and b) couldn't even if they wanted to.
Re: (Score:2)
It's not so much "my boss", or "the owner of the laptop" getting this information that worries me.
It is being able to get this information for ANYONE.
It is one very small step from "this information goes to the owner of the laptop" to "this information goes to law enforcement", and one very small step further to "this information goes to the government spy agency that requests it at the point of a secret court order".
> It doesn't care if you are being productive or not.
Whether I am being productive or
Re: (Score:2)
Microsoft shill and apologist spotted.
OK Sheep
It's more than that. Even downloading a lot of files is risk behavior.
https://docs.microsoft.com/en-... [microsoft.com]
And? Yes that can be a risk identifier. If my customer service agent is suddenly downloading a bunch of stuff, that SHOULD raise a red flag. If an IT user is doing the same, then that may well be expected behavior and you would put a policy exemption for that indicator in for them.
Either way, you would have to be a moron to jump to the "Da mAN iS SpYInG oN mE!!" bullshit the author of that article did. Or a sheep who believes anything they read without actually looking into it. Like you for inst
Wasn't this ... (Score:2)
Probably criminal in Europe (Score:2)
The GDPR likely does not allow any recording here.
Re: (Score:2)
You can define patterns that keep data where it belongs, inside your organization.
I'm really wondering about the negative tone here.
I know of companies that if they would have certain parts of their data leaked to the public, or data gets stolen and falls into the wrong hands, they would cease to exist.
Ethics is about what you decide to do with a system.
Re: (Score:3)
The GDPR forbids _recording_ personal information here. It does not matter whether it stays within the company.
Yawn. Nothing to see here (Score:2)
My proxy server already keeps a pretty detailed list of what people are doing in their browsers.
Only had to go through it twice in 25 years.
I do almost nothing on my work computer (Score:5, Funny)
so I should be well above suspicion.
Re: (Score:2)
So... you're my CEO?
someone didn't read feature details (Score:5, Informative)
Wow, horrible "article" (Score:5, Insightful)
The article is incredibly poorly written fearmongering which provides no useful information at all. Looking at the author's brief bio, it seems he has zero background in security. The fact that he's a consulting creative director also suggests that he probably does not have a background working in regulated environments.
If I had to guess after reading this horrendous article, I would guess that Microsoft is working on bringing DLP capabilities to Edge in the same way those capabilities exist in Chrome today. That's a good thing.
If you think your employer can't see what you're doing with your web browser...I hate to tell you but it's not 1996 anymore and that has been a "thing" for a while. You're on a company device using a company network.
There is so much shadow IT and mishandling of information out there, monitoring is extremely necessary. I suspect many companies will be very surprised what is being done with customer/company confidential information as this becomes more common. There's also the thing where companies block employees from emailing their personal credit card number and social to people.
People get all worked up over this stuff, but they never think it through. Requiring your bank teller or your doctor to use their home computer to access OnlyFans because their work would like to make sure they don't email your account numbers and anal diameter to Chinese hackers is a small price to pay.
Microsoft features (Score:2)
If this is like most Microsoft features then it is Microsoft centric and only works with Edge for Windows. If your computer has any other browser than Edge you walk right past Microsoft data gathering.
A necessity with HTTP/2 (Score:2)
As almost all websites on earth today are hosted on CDNs, the only way to protect users and companies from bad actors is to inspect headers from the browsers themselves. This is common for antivirus and anti malware tools as well.
The idea is, if you cannot see what is in the packets, you cannot detect naughty stuff like viruses, worms, etc.
Also, I believe you will find that be
Already in Wide Circulation, sort of (Score:2)
Fuck you (Score:2)
This is rather worthless (Score:2)
It's very simple (Score:3)
If you expect me to field emergencies after hours, then I expect privacy on my work-provided laptop in exchange. You don't get to have it both ways. You can't ask me to respond at 10pm on a phone I pay for, to use the Internet I pay for, and not expect me to do my banking at 1pm on your computer and your Internet. And if I'm doing banking, you don't get to spy on it.
Nice world we are building (Score:2)
I am grateful that I had a chance to grow up in a world where people had freedom and didn't have to worry about being micromanaged to death with the aid of high technology everywhere.
Sux for those who are being born right now. Freedom will only be the stuff of fairy tales for them.