Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Microsoft

Microsoft Will Now Snitch On You At Work Like Never Before (zdnet.com) 143

schwit1 writes: Microsoft is preparing a couple of little updates that may curb employee rulebreaking enthusiasm. Yes, this news again comes courtesy of Microsoft's roadmap service, where Redmond prepares you for the joys to come. This time, there are a couple of joys. The first is headlined: "Microsoft 365 compliance center: Insider risk management -- Increased visibility on browsers." It all sounded wonderful until you those last four words, didn't it? For this is the roadmap for administrators. And when you give a kindly administrator "increased visibility on browsers," you can feel sure this means an elevated level of surveillance of what employees are typing into those browsers.
This discussion has been archived. No new comments can be posted.

Microsoft Will Now Snitch On You At Work Like Never Before

Comments Filter:
  • by Rosco P. Coltrane ( 209368 ) on Monday November 08, 2021 @04:34PM (#61969501)

    The sumbitches have never had it so good: they're flush with cash, and they have entirely new and unexpected surveillance business opportunities.

    I hate COVID for all the usual reasons, but also in large part because it's a booster for corporate fascism.

    I also hate our elected officials for letting this happen.

    • by Lord Bitman ( 95493 ) on Monday November 08, 2021 @09:28PM (#61970231)

      My experience with remote working has been: all concerns were completely invalid. Employees are more productive than ever. Why would you add surveillance when all the productivity gains seem to be due to increased freedom??

    • Iâ(TM)ve read a few dozen replies here and all I see is that pretty much all of you are so hell bent on being MS and âoebossâ haters that youâ(TM)ve no idea what you are even railing about. Insider Threats have long been a problem. Itâ(TM)s real. The tools from MS are not new, they are just evolving. MS are on catch-up too - the pure play vendors have offered these, and they are used by most organisations, for a decade.
    • If your employees need access to do their work...
      They have access.

      Eventually people will be photographing their monitors.

      Ultimately this comes down to the fact that you shouldn't pay people poorly, treat them poorly, ask them to do something illegal...

      Trust and loyalty is built over time and only exists reliably if it exists both ways.

      Corporations want it both ways. they want their employees to be smart, innovative and thinking out of the box... but at the same time they want them to work for peanuts, and b

    • by AmiMoJo ( 196126 )

      You should lobby your representatives to make it illegal. User Germany as a model, their privacy laws are excellent.

  • by Junta ( 36770 ) on Monday November 08, 2021 @04:37PM (#61969507)

    If you can't tell if you are getting the business value from your employees except by micromanaging their computer usage, then you have a very strange sense of business value and deeper problems.

    • just put into time log logging time 30MIN+ a day.
      IF they want you to log each action.
      Also put in how much time you spend on tps reports as well.

    • by EvilSS ( 557649 ) on Monday November 08, 2021 @05:25PM (#61969651)

      If you can't tell if you are getting the business value from your employees except by micromanaging their computer usage, then you have a very strange sense of business value and deeper problems.

      So you believe that monitoring that employees don't upload sensitive or even legally protected company data to their personal cloud accounts is micromanagement and means that a company has "very strange sense of business value and deeper problems"? Really?

      • why are personal accounts (in the public internet), accessible from a secure network?

        Oh, you plugged your secure network into the internet? Oh- I see.

        And you want to talk about security risks?

        I see..

      • I bet the people doing the monitoring aren't authorised to see half the customer information I see on a daily basis. There's a leak right there

        • by EvilSS ( 557649 )
          The people monitoring don't need to see the information, only the classification of it. My bank doesn't need to know the contents of my safe deposit box in order to protect it.
      • Good luck trying to prevent this without completely disconnecting the internet connection.
        • by EvilSS ( 557649 )
          I can't prevent someone from battering my front door down either, but I still have a front door.
    • So many business tasks and projects are so poorly managed, and poorly managed by incompetents and ladder climbers that it seems unsurprising they are grasping at straws to figure out whether or not employees are "earning their keep".

      I'd say over the last 5 years I've spent half my time on utterly meaningless tasks -- and this is on *billable* client work -- and producing work products that are utterly valueless. I'm convinced that much of the time after page 2-3 of some report we could have just provided 3

    • Nobody likes to be micromanaged, period. (BDSM excepted). This is a sure fire way to end up with high turn over, employees leaking sensitive information out of spite, and the boss's coffee aquiring a funny taste.

  • by Somervillain ( 4719341 ) on Monday November 08, 2021 @04:38PM (#61969509)
    I installed it and can see every search my 8yo son made, including the ones made when I stepped out to get some coffee. Great for a parent of small children, but I'd be very uncomfortable with this at work.

    I don't even do anything inappropriate at work. However, I am not sure I want my boss seeing my work related searches. I don't want to have to worry about my search being too remedial. For example, I never remember Oracle's precise syntax. I don't want my higher-ups seeing my searches for "Oracle Stored Procedure example." Doesn't make me look too smart. I don't mind not doing bad things, but not sure I want to be judged for not searching for smart enough search terms.
    • by splutty ( 43475 ) on Monday November 08, 2021 @04:44PM (#61969521)

      No one remembers Oracle's precise syntax, because there is no actual logic to any of it over all the versions that were released, and some functions have the polar opposites as syntax...

      • No one remembers Oracle's precise syntax, because there is no actual logic to any of it over all the versions that were released, and some functions have the polar opposites as syntax...

        Agreed. I do not find PL/SQL very intuitive compared to other languages I've worked with, including T-SQL. You & I know this because we're experienced professionals. I don't want to guess what impression it sends to my manager who doesn't. Hopefully my coworkers have dumber or more scandalous searches, but I really don't want to feel a need to justify every search. I often will search for things I know already, to confirm I know them as well as I think I do as well as to see if they're still the be

    • Great for a parent of small children, but I'd be very uncomfortable with this at work.

      If you work for a company of any size with a halfway competent IT department, they already have all that information without any OS level assist. This feature is for small companies who don't have the money, or know-how, to set up the right kinds of traffic analyzers.

    • by AmiMoJo ( 196126 )

      Even 8 year olds know how to use Incognito mode.

    • In a market where you can get fired because the boss thinks your suit is the wrong shade of grey, employees will be doing everything to ensure that they give nothing to give their employer to hang them for.

      Expect more secrecy, more cloak and daggar type behavior, more employees disappearing from the office because they landed a new gig behind your back. More cliques, more "snitches get stitches", more corruption and blackmail amongst employees, more of everything you don't want in your company.

    • "Geez, my employees spend half their day on StackOverflow, they must be idiots"
  • So what? (Score:4, Insightful)

    by Brain-Fu ( 1274756 ) on Monday November 08, 2021 @04:38PM (#61969511) Homepage Journal

    You are using a company-provided computer, on a company-provided internet connection to do company work on company time (for which you are paid). It's ok for your company to spy on what you do under those circumstances. And you shouldn't be screwing around, anyway. That's what your smartphone is for.

    • Re:So what? (Score:4, Insightful)

      by sharikone ( 7696460 ) on Monday November 08, 2021 @04:48PM (#61969537)
      I completely agree. The computer I got from my company is used just for that. My job. I have a different PC I use for all of my personal use. I would not have any problem at all to have my work monitored since it is pretty clear that I do my job. Just as I don't mind my superior looking at my screen physically when they pass by. However, there is a big issue. I don't like to be monitored by anyone who is not my superior. I don't like to be monitored by Microsoft data collection, or by the NSA for that matter. All those technology enable silent monitoring by anybody who has access. This is a huge amount of power, especially for government entities. With that, yes, I have a problem
    • by Junta ( 36770 )

      Of course the increased interest in this area is because a lot of companies are letting people use their personally purchased computer on employee paid internet to remotely connect and do work and managers are worried they can't tell if people are slacking. Of those 'on company time' is a fair thing to mention, though it suggests micromanagement that can be the wrong combination of intrusive and futile (hey look, a second device that the first device doesn't even know exists).

    • Don't forget to do all this in a broom closet, so at the end of the day you can leave everything, "company" in it and close and lock the door.

    • I don't screw around at work but I'd still feel uncomfortable if someone sat next to me and just watched everything I did.
    • Not when working at home, I am using my provided internet. Also if I log in to my bank account at work during lunch time, its none of the companies business, even though I am using their infrastructure.

      If we are at it maybe we the CEOs computer usage should me made available to the shareholders, after all they are using company resources to do that and should be held accountable. Once that happens I will be happy for them to track my usage.

    • by Somervillain ( 4719341 ) on Monday November 08, 2021 @06:29PM (#61969849)

      You are using a company-provided computer, on a company-provided internet connection to do company work on company time (for which you are paid). It's ok for your company to spy on what you do under those circumstances. And you shouldn't be screwing around, anyway. That's what your smartphone is for.

      You're correct, but this is pretty invasive stuff. It's the same as parental view. They can view every search you've made and when. Do they have a right to? I suppose there is no law against it, but it's definitely a lot more data than they need and I don't see the business value. My fear is that it could be used against me. For example, if I search "how do I update a link in JavaScript"...I SHOULD know this without looking it up. However, I am not sure if the way I know is still the best practice. My specialty is DB/Java, so I am never confident I have front end stuff memorized. If my boss doesn't like me, he could use and tell HR it's evidence I am not qualified to do my job. Now it's his word against mine. Am I doing this search query because I don't know the answer and am a moron?...or am I doing it to confirm my way of doing things is still the best practice.

      It is much different than what we have seen before. It is uncomfortably invasive. It's a bad idea and not healthy for a relationship between employee and employer. It is legal and their right, but kind of shitty. Also, this is one of those things you can't "vote with your feet." So my employer gets invasive...I can look for a new job, but #1, it makes me look really sketchy to ask in an interview how invasive their browser monitoring is and #2, lets say I find a great company...now they decide, on whim, to be super-invasive or maybe they just do it and don't tell anyone.

      I don't think it's very ethical, personally.

      As a funny side note, when I view my 8yo son's history, I can see the times I step out of the room and his searches go from "get free Robux" "custom Robox avatar" to "say bad words" "stuff that isn't for kids" "people getting hurt." These are the things we tell him he can't watch on youtube.

    • Re: So what? (Score:4, Insightful)

      by Z00L00K ( 682162 ) on Monday November 08, 2021 @07:09PM (#61969957) Homepage Journal

      The problem comes when there's someone in the organization willing to abuse their power. It can even be an IT service person that's looking for shit on you.

    • by sjames ( 1099 )

      I am a professional in good standing who expects to be treated as an adult and not have someone breathing down the back of my neck all day.

      During a break, I may well use the browser for personal interests (SFW).

      • Like your subjectâ¦so what? My organisation has significant monitoring for problematic behaviours including insider threat detection. We donâ(TM)t give a shit what you are browsing, and your productivity is your line managers problem. Just donâ(TM)t steal or leak our IP.
    • This is a tricky one, I'd say it's never OK for a company to "spy" on you. You need to be aware that you are monitored.
      It needs to be completely transparent what the rules are and what you can and cannot do on company hardware on the company network.

      Then an employees overall performance needs to be assessed. If an employee isn't performing well, the first step is the line manager, who should be "monitoring" this through open discussion with the individual concerned.
      If it is then decided that this employee i

  • by Thelasko ( 1196535 ) on Monday November 08, 2021 @04:47PM (#61969529) Journal
    Just as long as they don't read my Slashdot posts.
  • Privacy/Ownership (Score:2, Insightful)

    by rtkluttz ( 244325 )

    As someone who is VERY big on privacy, I don't see this as a problem. The owner of a device SHOULD have complete authority to know everything that is done or passes through that device. If we are talking about corporate owned devices, it is their right and doing so makes good business sense. It is NOT a breach of privacy. If we are talking about this on personal devices, then fuck that.

    • by Sique ( 173459 ) on Monday November 08, 2021 @05:04PM (#61969591) Homepage
      So as an owner of a bathroom, you have the right to take pictures of the intimate parts of your customers, right?

      As a landlord and owner of an appartement, you have the right to install cameras in the bedroom, right?

      Ownership of a device does not per se gives you the right to record everything happening with the device. You always have to show an interest that outweighs the interest of the user of the device.

      • Nice false equivalency you have there.

        He did say "device" not "room" or "apartment"

        • Never access you bank account at work, maybe to check you pay went through. Or even use a password at work to log into a work system. If someone at work asks you for you password to even a work system you should say no. What about if you want to raise a sexual harassment complaint, should IT automatically be able to trace if you visited the complains site.

        • OK, just playing devil's advocate a little here. What if someone who owns the bathroom put a camera in the bowl of the toilet? And then another device that tracks how many times the toilet is flushed, or how much toilet paper is used each time? Each of those would be devices, so should be more analogous to the initial claim.

        • by sjames ( 1099 )

          So how would you like your landlord to instrument your toilet to report time and volume (or weight) to a fetish site?

    • As someone who is VERY big on privacy, I don't see this as a problem. The owner of a device SHOULD have complete authority to know everything that is done or passes through that device. If we are talking about corporate owned devices, it is their right and doing so makes good business sense. It is NOT a breach of privacy. If we are talking about this on personal devices, then fuck that.

      BYOD blurs this distinction, though. It might be my device, but connected to the company's services.

      I've already had a similar argument with my company's IT department over AV: I insisted that Sophos antivirus was better than Windows Defender, and had the stats to back up my point (although in truth they are very, very close); they insisted that Windows Defender was the company-approved AV and insisted that I use it (all being monitored via InTune). I was content to lose that battle; it really didn't make

      • Comment removed based on user account deletion
      • by endus ( 698588 )

        If your company allows BYOD, they're probably not going to invest the time and effort to set up (and monitor) browser based DLP.

      • by khchung ( 462899 )

        BYOD blurs this distinction, though. It might be my device, but connected to the company's services.

        The answer is don't do BYOD. Your company should provide the necessary tools for you to do your job. If my company try to force me to BYOD, I would *buy* a new machine and expense it back to the company and use that machine only for work. Or failing that I will look for a new job.

        • Exactly this. I needed a laptop for work email The last thing I needed was another laptop, but for that job, every single thing goes through it. My personal stuff is untouched (and un-Discoverable, legally)
    • by gweihir ( 88907 )

      No. In-detail surveillance of employees is not only a human-rights violation, it is exceptionally stupid because it _decreases_ productivity and increases sick-days because it creates a lot of stress. The people doing this have a "slave holder" mind-set, not a productivity-focused one.

    • This technology is not focused on the device or your behaviours as such. Has anyone actually read the MS roadmap or doc that is seemingly so offensive? I have - and itâ(TM)s unrelated to what youâ(TM)re all crying about.
  • At work? Or using work's computer? Do work things on the work computer.

    Do personal things on a personal computer. Or a phone /tablet that's not hooked up to company wifi.

    Easy peasy, no? Christ on a crutch, people overcomplicate.

    This still doesn't absolve the managers who rule with such iron fists they need to know everything fucking thing their employees do, when they do it, and how. Fuck that.

    Similarly, fuck MS for facilitating the micromanager's dreams.

    But you worker drones -- myself included -- don'

    • by tepples ( 727027 )

      Do personal things on a personal computer. Or a phone /tablet that's not hooked up to company wifi.

      What are useful tips to negotiate enough of a raise to cover the monthly cost of a personal hotspot?

  • Christ on a cracker (Score:5, Informative)

    by EvilSS ( 557649 ) on Monday November 08, 2021 @05:11PM (#61969603)
    Whoever wrote this article has zero understanding of what they are writing about. Here is what is being monitored:

    Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in Microsoft Edge and Google Chrome browsers. With these signals, analysts and investigators can quickly act when any of the following activities are performed by in-scope policy users when using these browsers:

    Files copied to personal cloud storage
    Files printed to local or network devices
    Files transferred or copied to a network share
    Files copied to USB devices

    Insider risk management is about controlling sensitive, protected (PII, HIPAA, PCI, etc), and corporate data. It's doesn't care if you are being productive or not. It's looking for people doing stuff with company data they shouldn't be.

    Yes, there are products out there that DO snoop on "productivity" and things like browser habits, but this isn't it.

    • by Jerrry ( 43027 )

      "Insider risk management is about controlling sensitive, protected (PII, HIPAA, PCI, etc), and corporate data. It's doesn't care if you are being productive or not. It's looking for people doing stuff with company data they shouldn't be."

      Good luck with that. Sure, they may be able to detect people copying data to USB devices or uploading it to a cloud server, but how are they going to detect things like someone displaying a file on the screen and then taking photos of it with a cell phone?

      • They're not. The problem with most companies is not that they're full of James Bond type espionage villains, it's that they're full of numbskulls who can't be bothered to understand or are incapable of understanding regulations regarding sensitive documents.

        They don't stop somebody from taking a photo of a screen because a) aren't inclined to try and b) couldn't even if they wanted to.

      • Comment removed based on user account deletion
      • This is not about espionage prevention. The average user is for want of a better word a "fucking moron", They don't think twice about dropping a copy of a document into their personal dropbox as they want to work on it at home or popping it onto an unencrypted USB for convenience. They have no malicious intention so they don't give it a second thought that they are breaking industry regulations or laws by doing so and potentially putting the business at serious legal risk.
      • Again, a majority of posters here havenâ(TM)t got any context of what this is about. In environments where using a phone to take a photo is an issue, you canâ(TM)t take phones into the office. This is common in regular outsources, and no, not in anyway liked to government or defence. Why is everyone here so hell bent on making a issue where there isnâ(TM)t one?
    • It's not so much "my boss", or "the owner of the laptop" getting this information that worries me.

      It is being able to get this information for ANYONE.

      It is one very small step from "this information goes to the owner of the laptop" to "this information goes to law enforcement", and one very small step further to "this information goes to the government spy agency that requests it at the point of a secret court order".

      > It's doesn't care if you are being productive or not.

      Whether I am being productive or

    • Incorrect and redundant. ACL's on directories always had this function, and security people has dumbed down tools to report wide directory traversals. In addition most secure places, the multifunction printer has a special buffer. Now this might be of use if everyone is administrator anyway. But you still need administrators to inspect these logs as well, and in a timely fashion. Better skilled people will extract it off the backup tapes, and put an exit into the backup program/routine, or make hay during t
  • ... sort of surveillance the basis of the movie Antitrust [imdb.com]? If I was a boss in an unrelated industry, I might welcome Microsoft helping me to look over employees shoulders. But if my business in any way overlapped Microsoft's, or was something they thought they could sell to a competitor, I'd be keeping my coders off Windows platforms, Visual Studio and anything else that could conceivably send it's telemetry through a Redmond server.

  • The GDPR likely does not allow any recording here.

    • That is what this system is exactly for, that you can define rules that keep personal information from leaking outside the company.

      You can define patterns that keep data where it belongs, inside your organization.

      I'm really wondering about the negative tone here.
      I know of companies that if they would have certain parts of their data leaked to the public, or data gets stolen and falls into the wrong hands, they would cease to exist.

      Ethics is about what you decide to do with a system.
      • by gweihir ( 88907 )

        The GDPR forbids _recording_ personal information here. It does not matter whether it stays within the company.

  • My proxy server already keeps a pretty detailed list of what people are doing in their browsers.

    Only had to go through it twice in 25 years.

  • Comment removed based on user account deletion
  • by know-nothing cunt ( 6546228 ) on Monday November 08, 2021 @06:18PM (#61969817)

    so I should be well above suspicion.

  • by bloodhawk ( 813939 ) on Monday November 08, 2021 @06:24PM (#61969837)
    someone obviously didn't read what the feature does before writing the article/headline. Hint it is not monitoring your web browsing beyond certain risky behaviour, it is reporting risky behaviour such as sending files to external storage like cloud, USB etc. This is awesome that this is finally coming to the compliance center rather than having to implement CASB or 3rd party solutions.
  • by endus ( 698588 ) on Monday November 08, 2021 @06:27PM (#61969843)

    The article is incredibly poorly written fearmongering which provides no useful information at all. Looking at the author's brief bio, it seems he has zero background in security. The fact that he's a consulting creative director also suggests that he probably does not have a background working in regulated environments.

    If I had to guess after reading this horrendous article, I would guess that Microsoft is working on bringing DLP capabilities to Edge in the same way those capabilities exist in Chrome today. That's a good thing.

    If you think your employer can't see what you're doing with your web browser...I hate to tell you but it's not 1996 anymore and that has been a "thing" for a while. You're on a company device using a company network.

    There is so much shadow IT and mishandling of information out there, monitoring is extremely necessary. I suspect many companies will be very surprised what is being done with customer/company confidential information as this becomes more common. There's also the thing where companies block employees from emailing their personal credit card number and social to people.

    People get all worked up over this stuff, but they never think it through. Requiring your bank teller or your doctor to use their home computer to access OnlyFans because their work would like to make sure they don't email your account numbers and anal diameter to Chinese hackers is a small price to pay.

  • If this is like most Microsoft features then it is Microsoft centric and only works with Edge for Windows. If your computer has any other browser than Edge you walk right past Microsoft data gathering.

  • The core purpose of technologies like this is that the end to end connectivity of HTTP/2 and later support encryption even in headers.

    As almost all websites on earth today are hosted on CDNs, the only way to protect users and companies from bad actors is to inspect headers from the browsers themselves. This is common for antivirus and anti malware tools as well.

    The idea is, if you cannot see what is in the packets, you cannot detect naught stuff like viruses, worms, etc.

    Also, I believe you will find that be
  • Logs everything you do, copy and move around, and reports back ? North Korea called...they want their Red Star OS back....
  • If you want a robot, buy a fucking robot.
  • Unless you stop the extraction of ZIP files, this is rather meaningless is I can download and extract the software or if I am able to install to the %appdata% folder.
  • by reanjr ( 588767 ) on Tuesday November 09, 2021 @11:43AM (#61971401) Homepage

    If you expect me to field emergencies after hours, then I expect privacy on my work-provided laptop in exchange. You don't get to have it both ways. You can't ask me to respond at 10pm on a phone I pay for, to use the Internet I pay for, and not expect me to do my banking at 1pm on your computer and your Internet. And if I'm doing banking, you don't get to spy on it.

  • I am greatful that I had a chance to grow up in a world where people had freedom and didn't have to worry about being micromanaged to death with the aid of high technology everywhere.

      Sux for those who are being born right now. Freedom will only be the stuff of fairy tales for them.

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...