Can my employer see what I do on the internet when I am connected to the company network?
This is an attempt at a canonical question following this discussion on Meta. The aim is to produce basic answers that can be understood by the general audience.
Let's say I browse the web and use different apps while connected to the network at work. Can my employer (who controls the network) see what websites I visit, what emails I send, my IM messages, what Spotify songs I listen to, etc? What are they able to see?
Does it matter if I use my own computer, or one provided for me by my employer? Does it matter what programs I use, or what websites I visit?
It would be nice to see a nuanced answer for those who cannot afford the tinfoil. "There is no absolute security" doesn't clarify the situation. Just because they monitor the traffic that doesn't mean they can read your private Facebook messages.
Of course there is nuance in "what are they probably doing", but this question is "can they". Since it's possible, the answer is Yes. And seeing as the question explicitly states "employer", an answer/advice should probably also rather be cautionary than dismissive: **assume they can, assume they are. Don't do anything you wouldn't want to be seen**.
Of course they *can* if it's important enough to them, the question to me would be "is your work environment and company culture such that they *would* be looking over your virtual shoulder at everything you do, or do they trust you to just do your work?"
While simple "Yes, they can see everything if they want to" answers are absolutely correct, surface level explanations of the protocols and processes at play would be deeply appreciated. While we want the answer to be simple, we also want it to be informative as to *why* they can see everything they can. "SSL", "MitM", "Proxies", are words we use in InfoSec constantly, but these are concepts that someone asking this sort of question would have no general understanding of. So technical documentation of SSL: no; high level overview of what and why these things are happening: perfect.
@Arminius Agreed, the "always assume they can see everything" answer is pretty much useless as far as this being a canonical question, because the obvious followup any intelligent person will ask is, what steps can I take to mitigate or bypass as many of these things as possible, which can be done. You can remove those root certs if you have admin access, you can use a vpn to bypass their higher level filtering, etc. Any good canonical answer will address this.
"while connected to the network at work" Does this mean 1) At work and on the work network; or 2) Not at work but connected (by VPN or other means) to the work network? I read it as the second, but reading the answers it seems like it's likely the first.
I work at a bank, they go as far as installing SSL certs on our machines that allow them to decrypt the traffic before it even gets to us. They can see all of our secured traffic.
Yes. Always assume yes.
Even if you are not sure, always assume yes. Even if you are sure, they might have a contract with the ISP, a rogue admin who installed a packetlogger, a video camera that catches your screen... yes.
Everything you do at the workplace is visible to everyone. Especially everything you do on digital media. Especially personal things. Especially things you would not want them to see.
One of the basic rules of Information Security is that whoever has physical access to the machine, has the machine. Your employer has physical access to everything: the machine, the network, the infrastructure. He can add and change policies, install certificates, play man in the middle. Even websites with 'SSL' can be intercepted. There are plenty of valid reasons for this, mostly related to their own network security (antivirus, logging, prohibiting access to certain sites or functionalities).
Even if you get lucky and they cannot see the contents of your messages, they might still be able to see a lot of other things: how many connections you made, to which sites, how much data you sent, at what times... even when using your own device, even using a secure connection, network logs can be pretty revealing.
Please, when you are at work, or using a work computer, or even using your own computer on the company network: always assume everything you do can be seen by your employer.
In Europe there is now a precedent for this not only being possible but also legal. See the case of Bogdan Mihai Barbulescu for more info.
@ChrisPetheram AFAIK in that case the *contents* of the communications were not used against him, just the fact that he used his working email & other accounts for personal communications. In other words: there is no precedent that says "the employer has the right to watch all your communications", but only that "if the employer notices that you abuse the communications for personal use, *only looking at the recipients*, then you can't complain if you get fired".
@ChrisPetheram The concept of precedent doesn't apply in most of Europe, where most jurisdictions are civil law systems. Unlike in common law systems (e.g. US), judges are bound only by the law, not by precedents. Different judges may interpret the law differently. Also, privacy law in the EU prohibits collecting personal data without consent of the person concerned. Unless you signed an agreement that prohibits private use of business IT resources and/or in which you acknowledge that your actions will be monitored, doing so is illegal in the EU, even if it is technically possible.
What about remoting *out* of your work computer into your home computer via something like Teamviewer, Logmein, etc.? Doesn't that use a secure tunnel that encrypts all traffic? The employer might see an outbound connection but would he be able to see the content?
@user249493 They can still potentially install both keylogger and screen-snooping software on your PC in order to see the content.
@user249493 Also, you have to assume that the employer can determine it's a tunnel. In that case you'd look pretty bad if tunneling out is not at all part of your work.
But if you were to connect to the guest wifi with your dual boot work laptop (Linux installed from stock iso) then your traffic would be mixed together with tons of other devices and you'd avoid any direct monitoring. Am I missing something here?