Can my IT department read my Google Hangouts chats while at work?

  • Is Google Hangouts encrypted? Would my work's IT guys be able to see pictures and text I send while on a work computer? Yes I know I shouldn't be sending stuff I don't want them to see while at work, but it wasn't at work. I use Hangouts on my phone as well and just realized I use the Hangouts Chrome plug-in at work and it was syncing all my conversations.

    You can get around this by logging out of the browser plugin when you are away from your desk. It then won't sync *very much* to your desktop hangouts unless you scroll up in the chat. This will still sync some conversation if someone you were talking to on your phone talks to you while you are logged in at your desktop.

    Better use a personal computer to avoid the risk of having who knows what software installed on it.

    @logixologist That doesn't actually prove they are doing that though. Even if it was something so obtuse that it convinced you it was scanning what you wrote, you can't really prove that it was. You very well might be right, but let's stick to facts and not assumptions and anti-Google biases.

    @patricksweeney that's pretty much their business model: targeted ads. Whether that's evil is personal opinion, of course. Regardless, it doesn't really have anything to do with what the OP is asking.

    Perhaps. I know that Facebook chat messages are sent over HTTP, even if you visit the FB page via HTTPS. So all chat messages are readable in the logs.

    @logixologist Google is quite open about analyzing site content (including, of course, user-generated content on Google sites such as Gmail) to select which ads to show: see 1, 2 and 3. The real question is, (1) what are the limits of what these "automated systems" do with the information, and (2) can any humans access the information?

    In other words, those who trust Google are trusting it to limit its use of such information to the obvious functionality- and ad-related uses, rather than to, say, store it and/or sell it to other companies.

    @logixologist: *"This means they transcripted it and then sent me unsolicited targeted ads based on a keyword."* They did, of course, **tell you** they were going to do that when you signed up and accepted the T&C's. You may not have "solicited" their sending you ads, but you did consent to it.

  • Andrey (Correct answer, 6 years ago)

    You should assume that they can. There are various ways they can do it, but whether they actually do it depends on the company's standards and practices. Some of the options:

    1. It's possible to install additional root certificates on the company's machines and use them to MITM all the traffic (traffic goes through the company's gateway/proxy anyway, and having a friendly root certificate on the user's PC allows a full MITM);
    2. It's possible to install "employee monitoring software", which is essentially a key logger + process monitor + screen grabber. Some tools have the capacity to locally intercept received messages in chats.
    3. It's possible to use remote access/collaboration tools to monitor what's happening on the screen of a particular PC.

    In short, if you don't have control over the PC you're working on (and with company's workstations you typically don't), you cannot assume it's free from such surveillance implants.

    Hope that's not too scary :)

    Good points, you could use deep packet inspection technology too.

    Echoing the above, technically it's perfectly feasible. Practically, does the data actually get looked at? As a Sysadmin myself, I would suspect not. Even on slow days, there's lots more interesting stuff to do than see if we can catch a co-worker doing something they shouldn't! :D

    Depends on the country you're in (I guess it's legal in some jurisdictions and sort of a grey area in others) and particular circumstances (e.g. if the person in question is suspected of some wrongdoing). Many data leaks for example are confirmed/identified this way (it can be automated to a large degree though).

    Probably not the place for legal questions but how would this not be highly illegal (with severe penalties) in most civilised countries (I mean, it's large scale circumvention of people's encrypted internet communications - SSL)? I mean it'd be one thing for the NSA to do it but a private company couldn't pull this kinda thing and not expect hard jail time right?

    I'm referring to the MITM attack and faked certificate authority scenario of course - inspecting the contents of your work PC or using monitoring software is a different thing which many companies openly do.

    I agree, this looks like a violation of rights, but it also looks like it's rather commonplace e.g. in the US (http://it.slashdot.org/story/14/03/05/1724237/ask-slashdot-does-your-employer-perform-https-mitm-attacks-on-employees). The main argument is "Our hardware – our rules", which also sort of makes sense (remember, we're talking about an employer monitoring traffic from devices that he legally owns).

    @fjw It would be considered legal in the U.S. because almost every employer has their employees sign an Acceptable Use Policy that will include a provision stating something like "You have zero expectation of privacy on our network and/or hardware, and all of your communications are subject to monitoring". So the employees are giving consent to the employers to do this.

    What's the difference between 2 and 3? A "support tool" is also an "employee monitoring tool" the moment it doesn't require authorisation of the employee to watch their screen content.

    @CraineRunton I am aware of employee agreements which sign away expectations of privacy, but I don't see how this could override the fact that a MITM attack on SSL would be a *criminal* act, not civil. Organisations can and do monitor employee activity, and may do so by any legal means (including any client-side monitoring software which captures activity on the PC itself), but are you trying to tell me that it is not a criminal offense to conduct a MITM attack on SSL, or are you claiming instead that an employee agreement can somehow make an illegal act legal?

    I'm happy to be wrong on this if there is no such law, but I have a hard time believing that in a country where it is a *criminal* act (not just civil) to circumvent the encryption on a DVD, that there is no similar law about circumventing SSL.

    @fjw: there is not (AFAIK) any statutory prohibition on MITM attacks on SSL in and of themselves. If the SSL was being used to protect copyrighted content then you might run afoul of DMCA. It's criminal to circumvent a copyright-protection measure, but (again AFAIK) there's no such criminal prohibition in general on circumventing security measures that don't protect copyright. It's also potentially criminal to use a computer system without permission, but that doesn't apply here since the employer ofc has permission to use *their* system.

    Anyway, laws don't spring into existence just because it would seem sensible and consistent to have them, they exist because someone wrote them and Congress passed them. In practice that generally happens because someone lobbied for them. In the case of most copyright law that "someone" is Disney (actually more than just Disney, but media), and Disney isn't all that interested in SSL. And finally the company might not (legally speaking) circumvent SSL anyway, since the employee has chosen to use the company's root certs, that authorise the company's proxy to present itself as any domain.

    @CraineRunton: It is standard practice with some major companies I know (and from that I conclude it's common for _most_ companies), not only US based ones. Corporate (automated) MITM and monitoring software happens pretty much on _every computer_. Reality is, sadly, even in jurisdictions where this is illegal, the bottom line is simply: _fuck your rights_. Employer brings forth a paper that you are to sign, and if you want to keep your job (or in the meantime, as it's already in place: if you want to get hired), you do sign it and don't complain.

    @fjw - If your employer OWNS the machine you're using, it's legitimate to install certificates that allow them to terminate SSL traffic (a.k.a do a MITM "attack"), and *there is no **attack** going on*. It's a simple configuration of their own possessions. Ignorance that SSL won't make you immune from observation doesn't make their actions criminal (just as, if your employer informed you that cameras were in use, and you tried to hide actions from cameras but failed, you'd have no recourse). If they state that you have NO expectation of privacy, you should NOT expect privacy. It's that simple.

    As long as I have no way of knowing the legal qualifications of the people responding to me I don't have an indicator of how much I can trust these responses. I should probably have not brought it up here for that reason. ErikE, in particular, your answer centres on terminology: whether you can use the word "attack" to describe this method of circumventing SSL with different certificates or not (from a tech (not legal) standpoint, MITM *is* an attack). Whereas other comments, that seem more convincing, have informed me that there is no such law making circumvention/attacks on SSL illegal.

    @fjw - it is legal in the EU for a company to record all incoming/outgoing communications using any means available. The controls are based on what happens to the message content; any human working with the material should stop doing so as soon as they establish it is personal and can take no action on it. Employers acting on information from personal messages have resulted in prosecutions.

    The only confusing part of this to me is why someone might think they have a "right" to misuse company resources.

    @Michael How is this misusing company resources? Many companies allow an acceptable amount of personal use of internet/computers at work. Some even promote it since there are studies that show workers are more productive when you don't try to restrict access to certain websites at the workplace. But even when it is encouraged, there is still the question of whether it is monitored.

    Doesn't Google use certificate pinning to prevent MITM?
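An added example, not from the thread, tying the answer's option 1 (a locally installed corporate root plus an inspecting proxy) to the closing question about certificate pinning: a client that pins the server's SubjectPublicKeyInfo hash (RFC 7469 style) still rejects a proxy-issued leaf, because the proxy must present its own key even though the chain validates via the corporate root. The two "certificates" are constructed DER skeletons with the right element order, not real Google or proxy certificates, and the tiny DER walker is written here for the example.

```python
import base64
import hashlib
# Added example, not from the original thread: an RFC 7469-style SPKI pin check.
# An inspecting proxy chaining to a corporate root still presents its *own* key,
# so its SubjectPublicKeyInfo hash never matches the genuine server's pin.

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at pos -> (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def extract_spki(der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo element of an X.509 cert."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                   # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        pos = _tlv(der, pos)[2]
    tag, _, end = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return der[pos:end]

def spki_pin(der: bytes) -> str:
    """base64(SHA-256(SPKI)), the pin format used by HPKP and Chromium."""
    return base64.b64encode(hashlib.sha256(extract_spki(der)).digest()).decode()

def pin_matches(der: bytes, pins: set) -> bool:
    """True only if the presented leaf carries one of the pinned keys."""
    return spki_pin(der) in pins

# --- constructed sample data: DER skeletons, not real certificates ---------
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _fake_cert(spki: bytes) -> bytes:
    empty = _der(0x30, b"")                # stand-in for sigAlg/Name/Validity
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty * 4 + spki
    return _der(0x30, _der(0x30, tbs) + empty + _der(0x03, b"\x00"))

GENUINE_SPKI = _der(0x30, _der(0x03, b"\x00" + bytes(range(128))))  # server key
GENUINE_CERT = _fake_cert(GENUINE_SPKI)
PROXY_CERT = _fake_cert(_der(0x30, _der(0x03, b"\x00" + bytes(128))))  # proxy key
PINS = {spki_pin(GENUINE_CERT)}          # what a pinning client would store
```

Against a live connection you would feed `extract_spki` the DER leaf from `ssl.SSLSocket.getpeercert(binary_form=True)`; a mismatch with a pin recorded from an unmonitored network is a direct indicator that something in the path is re-signing the session.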

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM