17

My husband currently uses his personal computer for virtual work. The agency he works for insists that all employees install monitoring software that can see everything on the computer. I have heard people mention Virtual Machines as a possible solution. We are both low-tech people and are looking for advice on how to handle this. The company is not interested in supplying its outsourced workforce with machines and seems unwilling to make other arrangements.

Improve this question
5
  • 1
    Hi and welcome on Stackoverflow. The legal aspect might be a better fit on law.se. Also can you clarify the terms "virtual work" and "outsourced workforce". Virtual might mean home office, but is it? "outsourced workforce" suggest that using your hardware was mandatory?
    – Marcel
    Commented Jun 3 at 9:18
  • Consider this very similar question asked in the Workplace StackExchange: workplace.stackexchange.com/questions/158357/…
    – Brondahl
    Commented Jun 3 at 15:20
  • 6
    Why doesn't the employer provide a VM for their users to use, then OP can remote desktop onto a computer that is completely owned and controlled by the employer? IMO no sane employer would WANT their employees computer on their network, and personally, I wouldn't want my employer monitoring everything I do, with the option to remote wipe it, if they see fit (or by mistake).
    – Neil
    Commented Jun 3 at 15:46
  • 2
    @Neil you overestimate the wisdom of small companies in low margin businesses. If you're hiring chat support for minimum wage, or just above even a crappy computer sent to the employee or a VM farm for them to remote into is a non-trivial expense. In most cases I suspect those employees have access to very little sensitive data - working via a web site with access controls enabled. They're also most likely to be baited by a license for Huckster Co Spymaster 9000; and least likely to either have employees pitching a fit or care about those who quit in protest (because of high turnover).
    – Dan Is Fiddling By Firelight
    Commented Jun 3 at 21:44
  • Is this a legitimate employer or is this a scam ?
    – Criggie
    Commented Jun 4 at 2:23

4 Answers 4

Reset to default
38

Whether or not the employer has the right to demand the installation of monitoring software is a legal question, so it's off-topic for an information security community.

As to the technical aspect, I strongly recommend against using a VM, because both employers and providers of monitoring software are well aware of this “trick” and how to look for clues. If the employer does detect the use of a VM, this could be seen as an attempt to circumvent the monitoring and lead to negative consequences (the legality is again a different question).

Instead, install a completely separate operating system, ideally on a separate disk, so that you can unplug the disk with the personal OS during work and ensure the monitoring software cannot access personal data. Alternatively, you could buy cheap hardware for work, like a (used) small-form-factor PC (e.g., an Intel NUC) or a laptop. This provides even stronger separation, but of course it's also more expensive.

Improve this answer
7
  • 9
    I would suggest that the "legality question" goes both ways, not just that the OP might upset their employer by circumventing the system with a VM. What if the OP has a data breach of any kind on any of their accounts? Surely the employer is now a prime suspect for the breach if they are monitoring all activity (how is anyone, even technically-minded, supposed to know the limitations of this software?).
    – roganjosh
    Commented Jun 2 at 10:40
  • 8
    @roganjosh Or even just collecting the data. Depending on the jurisdiction, if the collection software collects any non-work related activity (which may or may not be limited to actitivty outside work hours), that may well be a violation of the employees rights.
    – user1937198
    Commented Jun 2 at 14:54
  • Regarding the suggestion in the penultimate sentence, one reason for using my home machine (unmonitored, some stuff running in a VM if it needs Windows) is that it's far better than my work desktop - so running cheap hardware is only an option for certain tasks
    – Chris H
    Commented Jun 3 at 8:30
  • 1
    @SalmanA: Because the idea of monitoring is to see all activity on the device. If monitoring is limited to a VM, then the employer cannot control what's happening on the host system. Of course monitoring will always have limitations -- for example, the employee can simply use a separate device in parallel. Personally, I also have my doubts about about how effective monitoring even is. But that's not the topic here.
    – Ja1024
    Commented Jun 4 at 15:10
  • 1
    Emphasis on "unplug the disk with the personal OS" (and all other storage units). Simply not mounting them is not enough.
    – Mindwin Remember Monica
    Commented Jun 4 at 15:43
52

My husband currently uses his personal computer for virtual work.

Stop doing that.

There are some workarounds that you can use such as having a separate encrypted operating system for personal use, or using VMs (and hoping the software plays nicely with them, which a lot of it won't) - but those aren't very practical things for non-technical people to implement and support (and fix when it goes wrong).

Get a cheap second computer/laptop for work, so that you can keep work and personal isolated from each other. Or find an employer that has enough respect to give you the tools you need to do the job.

Improve this answer
9
  • 23
    for a low tech person, this is probably the 'right' answer. That said, and employer who won't supply necessary work gear seems a little suspecious to me
    – Journeyman Geek
    Commented Jun 2 at 10:46
  • 17
    @JourneymanGeek actually an employee not providing equipment isn't that strange nowadays. However, not supplying equipment, AND insisting on installing monitoring software is very strange.
    – schroeder
    Commented Jun 2 at 11:12
  • 27
    @schroeder I think you're over-estimating the depth of thought most companies put into this. The reasoning goes something like this: 1) "now that we're hiring remotely, we can save money by making employees pay for things that we used to provide for them"; 2) "we don't trust our employees, and ShiftyCorp is offering us software that lets us spy on them"; 3) "let's insist that employees install ShiftyCorp software on their own equipment". It's a stupid idea, but stupid ideas that save money are really appealing to a certain kind of executive.
    – IMSoP
    Commented Jun 2 at 14:20
  • 4
    @IMSoP a corporation's oversight should not become your problem. Most all security breaches are someone's oversight. This one is particularly egregious and I wouldn't settle for these terms. If I really wanted to keep this job, I'd fight the idea but, most likely, I'd walk away from a company with this policy
    – roganjosh
    Commented Jun 2 at 15:06
  • 7
    @roganjosh Oh, I totally agree. I already said it's a stupid idea. But I'm not in the slightest bit surprised that management would think this way, or that they'd find enough people who weren't technical enough to understand the risks, or weren't in a position to argue back or walk away.
    – IMSoP
    Commented Jun 2 at 17:17
13

Others have already answered that getting a second PC is the right solution for this.

In addition to what the others have said, this also reduces the risk of malware spreading from one machine to the other: You don't want to be the one bringing ransomware to your employer because of some software you installed on your private PC. This also works in the other direction: If your employer's network gets compromised, the private PC you use for online banking will probably still be safe.

(This is one of the reasons why sane employers won't allow you to use your private PC for work, and, conversely, won't allow you install private software on your work PC.)

I also recommend that you get a KVM switch in addition to a (cheap) second PC. That switch will allow you to use the same keyboard, mouse and monitor for both PCs.

Improve this answer
5
  • "You don't want to be the one bringing ransomware to your employer because of some software you installed on your private PC" Why not? This looks like a completely foreseeable scenario, in the vein of "someone will be the guy who uses the last sheet of toilet paper". Surely the company is aware that something like this will happen?
    – Jan
    Commented Jun 3 at 15:45
  • 5
    @Jan: Sure, it's absolutely forseeable. Yet, somehow, my gut feeling tells me that the company will try to blame it on the user, and I don't want OP to get into trouble.
    – Heinzi
    Commented Jun 3 at 17:25
  • @Jan as with germs, there are simple steps that we can all take together to massively reduce collective risk of software viruses. Keeping a barrier between work and home computer data is one such, and improves personal privacy against employer spying as well. Perhaps ransomware wipes your company's data as often as running out of toilet paper; I suggest improving your digital hygiene if that is the case.
    – Iiridayn
    Commented Jun 5 at 9:09
  • @Iiridayn I am totally aware. In fact the IT guys in my company would probably beat me up if I were using my private computer for work (and rightly so). That is why I am so surprised about OP's company. They are kind of asking for it?
    – Jan
    Commented Jun 5 at 9:53
  • 1
    @Jan they are either ignorant or shrug off the risk. In either case, if it happens it is likely that OP will be blamed for it, not the lack of proper security.
    – Tom
    Commented Jun 5 at 13:01
-1

Virtual machines would indeed be a good answer, and these days it's easy even for non-techies to use them.

If you are up-front with his employer about this, I don't see the issue. A simple mail saying:

Be advised that to separate work and private data, I am using a virtual machine for all my work stuff. I hope that won't pose any issues with CreepySpyMalware 1.2.

Sincerely...

Make sure to install their spyware [monitoring software] inside the VM, not on the host.

Dual-booting, like others have suggested, is another idea. In that case, make sure your private disk is encrypted, because an unencrypted disk can easily be read otherwise.

However, speaking from experience, dual-booting is a PITA.

Improve this answer
11
  • There indeed can be an issue with using a VM. If one of the concerns by the employer is screen shotting and screen scraping, or data transfers, this would be a no-go because the employer wouldn't be able to see that he was being done. I'm also not seeing how this answer is any different from the others before yours.
    – schroeder
    Commented Jun 5 at 8:02
  • An employer worried about screen shots should be told that smartphone cameras are a thing.
    – Tom
    Commented Jun 5 at 8:11
  • If your sole point here is to express your opinions on the practice then this answer can just be deleted...
    – schroeder
    Commented Jun 5 at 12:17
  • 1
    In an ideal world, I'm sure VMs would be a decent solution. But since the OP explicitly said this is for a non-tech job, we cannot assume that the employer has any technical knowledge whatsoever. When you google for "monitoring software" and "vm", you'll quickly find articles about how employees try to trick monitoring software with VMs and how the software can detect that. If the employer thinks VMs in the context of monitoring are fishy, and if the software pops up warnings saying that the employee tries to circumvent the software, this can take a nasty turn.
    – Ja1024
    Commented Jun 5 at 12:59
  • 1
    @Tom: The OP specifically said that the employer is unwilling to make any other arrangements. That doesn't sound like somebody who is happy to have a discussion about the legitimacy of VMs.
    – Ja1024
    Commented Jun 5 at 13:32

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .