Facebook passwords: many employers can snoop them, and don't need to ask

US senators are calling for action on employers' habit of demanding employees' Facebook passwords, but no one seems to notice that many companies configure their computers so that they can eavesdrop on your Facebook, bank, and webmail passwords, even when those passwords are "protected" by SSL. In my latest Guardian column, "Protecting your Facebook privacy at work isn't just about passwords," I talk about how our belief that property rights -- your employer's right to control the software load on the computer they bought for your use -- have come to trump privacy, human rights and basic decency.

Firms have legitimate (ish) reasons to install these certificates. Many firms treat the names of the machines on their internal networks as proprietary information (eg accounting.sydney.australia.company.com), but still want to use certificates to protect their users' connections to those machines. So rather than paying for certificates from one of the hundreds of certificate authorities trusted by default in our browsers – which would entail disclosing their servers' names – they run their own certificate authority: a self-signed root certificate that IT pushes into the trusted-root store of every company machine, and that then signs the certificates for the internal servers.

But once your employer's self-signed root certificate sits in your computer's list of trusted certificates, your browser will accept any certificate that root signs, for any hostname. That means your employer can (nearly) undetectably impersonate all the computers on the internet, tricking your browser into thinking that it has a secure connection to your bank, Facebook, or Gmail, all the while decrypting and reading everything you send. The padlock still shows; the only tell is that the browser's certificate viewer lists your employer's CA as the issuer rather than a public one, and almost nobody looks.

Many big firms use "lawful interception" appliances – SSL interception proxies that rely on exactly this trick – to decrypt and monitor all employee communications, including logins to banks, health providers and other personal sites, and messages to family members.


Update: To everyone who says that your employer has the unlimited right to spy on your computer use because you're on company property, here's a paragraph from later in the piece:

Besides, there are plenty of contexts in which "company property" would not excuse this level of snooping. If you met your spouse on your lunchbreak to discuss a private medical matter in the break room or car park, you would probably expect that your employer wouldn't use a hidden microphone to listen in on the conversation – even though you were "on company property". Why should your employer get to snoop on your private webmail conversations with your spouse during your lunch-break?


  1. This is why I don’t conduct personal business on work computers.  It seems like common sense.  Do people not think that their employer has access to every action their own computers make?  Regardless of whether it is “password” protected or not?

    I can wait until I get home to log onto my bank account.  And I have Twitter on my smartphone.  I also don’t log into my personal email at work.  I would encourage everyone to do the same.

    This is not out of some sense of righteousness or need to be productive.  It is simply protection against nosy employers.

    1. Unfortunately, it’s pretty solidly established in the law that the employee has very little expectation of privacy anywhere in the workplace, and this is what establishes a worker’s “rights”. The example of bugging the lunchroom would probably be in violation unless the employer gave notice such bugging was being done; maybe even a general one at hire time would be sufficient.

      It’s pretty clear that there is NO such expectation with company computer systems, and that even password sniffing, keyboard loggers etc would reasonably be expected these days.

      The goal should be to get your skillset to the point where you can simply set a personal policy that you would never accept work for an employer who would engage in such practices. That way the Big Brother outfits have to pay more money in exchange for less talent.

      A big competitive edge for companies willing to cut their slackers some slack 8-)

  2. “which would entail disclosing their servers’ names – they use self-signed certificates to protect those connections.”

    I’m no expert on ssl certs, but I’m sure we[1] use the *.company.com (or *.blar.company.com) cert rather than buying one for every server.

    Not sure that helps with the bigger issue here though. FYI some internal networks ban SSL, they prefer to be able to sniff everything at will :)

    [1] That’s “we” as in “I hate F*****g SSL certificates, you do it.”

  3. While the issue of demanding passwords needs to be dealt with, this does seem like something of an educational issue for the employees, not the employers. Don’t use the company vehicles for personal errands, don’t steal from the stationery cabinet, don’t photocopy your ass at the Christmas bash, and don’t do anything you want to keep private on the company computer that you know is being monitored.

  4. I can honestly say I have never stolen time from my employers by using their machines for my personal business, so I have never put myself in the position to have them steal back from me as I stole from them.

    1. This sort of paranoid, grasping relationship where either party jealously protects its own interests, snoops and spies on the other, and is generally abusive is what makes the employer/employee relationship so trusting, rich and fulfilling. It’s like being part of a family.

      Or, hey, how about: employees are human beings, ADULT human beings, in fact, not slave drones who need to be controlled by the ubermind. The idea of “work” as a mere exchange of labor for remuneration is incompatible with the health of the human mind. It’s impossible for someone to spend nine hours a day doing something without making it a part of their life. Especially if, say, you have kids, a wife, a sick relative, etc. Which most people do. I want a world where dealing with other aspects of my life in the course of doing my work is not something which should be viewed with opprobrium.

      1. Exactly right.  Using my work machine for personal business is no more ‘stealing’ from my employer (as long as it doesn’t interfere with my work) than my employer is ‘stealing’ from me when I answer a work email from home.  (And if I want to bank online during my lunch break, it’s none of my employer’s business.)

        If you’re wasting even minutes of brain time worrying about this, you have / are a sucky employer.

        1. Really? Because theft of time is how they justify spying on you.

          Crank at me all day for pointing that out to you, but many of the people you work for, suck ass.

    2. I’m really tired of this idea that checking your e-mail during downtime is considered “stealing”.  It’s not. We’re not slaves. Checking your e-mail IS NOT stealing. Even implying as much is ridiculous.

    3. Do you also give your boss a key to your house so he can come in and examine you when you call in sick?

  5. I am of the opinion that my employer has the right to my time and my talent in exchange for monetary compensation.  It starts and ends right there.  This is why I refuse to participate in the touchy-feely “team-building” exercises. Being subjected to armchair psychoanalysis is not part of my job description.   This is also why I think that employers are doing nothing wrong by monitoring traffic on their network. If an employee is on Facebook for half the day, they have the right to know that.  And they hardly need to use the procedures outlined here to see what is being posted on Facebook when they only have to pull up that monitor and watch.

    1. Absolutely. Couldn’t agree more. The touchy feely stuff seems designed to encourage everybody to snoop on their co-workers anyway – huggy wuggy stabby wabby.

      1. When your boss tells you that the office is like a family, that means that he plans to act like he’s your father. Run. Fast.

  6. Things like that are why I assume that anything I do on the company network is being intercepted and logged. If I can do it on my home network if I feel motivated enough to set it up, I have to assume the company can too and probably is. Easy enough to SSH to my home systems if I need to do anything personal (X11 FTW).

    As far as doing personal stuff on work time, I note this: my employer specifically says I do not have fixed work hours. I’m salaried exempt, they aren’t paying me for a fixed number of hours a day, they’re paying me to work when needed, as needed. That’s in the employee handbook, and in the employment paperwork I signed. The flip side of that is… I’m not working fixed hours. As long as I’m getting my work done in a timely manner, I don’t consider it a violation of the agreement to go “off the clock” when needed (just like they don’t consider it a violation of the agreement to demand I go “on the clock” at 2am Sunday morning when there’s an emergency that needs dealing with, when normal work hours are 8-5 Mon-Fri).

  7. This is one of the many reasons I like working for a small company.  The owner  couldn’t care less about what we do with our computers, as long as we work.  Any scheme to monitor employees would be considered more trouble than it’s worth.  If someone is not doing their job, then we talk to them about it.  

    It’s so simple.

    1. Big companies can have similar freedom, for similar reasons — the human in the loop is expensive.
      Where I work, I assume they monitor most of our Internet use, but they don’t seem to act on the data unless there’s already a problem that’s come to surface. (And I’ve seen pretty flagrant acceptable use violations go largely ignored.) The rumors I’ve heard of people getting in trouble were, not surprisingly, porn or excessive facebook infractions, and they were caught not because of computer services but because a) someone saw it on the screen and b) the company was likely planning to fire the individual anyway because of poor job performance. Similarly, I knew someone fired for timecard fraud, but he was ‘busted’ based on poor work output and coworkers ratting him out — the computerized correlation of the building badge readers and the time card database, which in theory could be done all the time, was done just to gather evidence against him.

      But this is a different thing. I can’t imagine companies actually snooping passwords… well, that’s not true, it is one of the first things I thought when I logged into my personal email for the first time. But it is pretty despicable.

    2. Good managers manage productivity, not whether or not you scratch your ass while you’re at work. Unfortunately, many managers get side-moted into management because they weren’t productive as employees and it’s a nuisance to fire them.

  8. Of course some employers just require you to become their Facebook friend, giving them access to much—though not all—of what they would get with your password. I hope the congressmen working on this issue consider that as well.

    1. Not necessarily. Since you have no way to prove that you don’t have a FB account, your employer might construe that argument as a refusal and a falsehood.

  9. In the Coda that Cory appended, I don’t think that “speaking in the lunchroom” is quite the same scenario as “using your computer to access the internet”.

    A scenario a bit more analogous would be “A call center agent spoke to their spouse over their call-center telephone line, and discussed personal information”.

    Call center phones are recorded. It’s for QA purposes, and you get the message every time you call into a call center.  Most of our call center agents have either two phones, or two lines on the same phone.  All traffic in and out of the call center line is recorded.
    My company goes to great pains to ensure that non-call center lines are NOT recorded, which can make a design and engineering solution a lot more complicated than some easy to shim in alternatives.

    The employee _should_ be made aware of the implications/limitations of the call center phone, and should make conscious decisions to not use it.

    So now that I’ve established that the call recording in well understood environments is being logged for a valid reason, that doesn’t mean that every call that is recorded is actually listened to by an outside party.  The calls are supposed to be listened to only with intent, and personal information should be disregarded.  Company policy and company intent does NOT (unfortunately) prevent somebody from abusing that power.  It may give the company retroactive authority to punish somebody that’s eavesdropping on calls, but it can’t stop somebody from making a bad decision.

    That said, my company also runs full web proxies between the user desktop and the internet.  It’s not in place for purposes of snooping on employee surfing habits.  It exists to give an air-gap between the internet and host OSes.  It exists to scan and detect well-known malicious payloads.  An artifact of this is that we generate gigabytes worth of traffic logs every day.

    As a network admin, is it possible for me to track down a user and search their browsing history for the day?  Yes.  Is it against policy?  Yes.  Are there scenarios in which chain of command could request these access logs for a given user?  Yes.

    So the ability to digitally eavesdrop is an artifact of the technology being deployed.  Companies don’t generally deploy hidden microphones everywhere as a matter of course.  So I think there’s a case to be made that “reasonable expectations of privacy” differs in some situations. 

    Also as a network admin: just use https to browse the web, and while I can see that you hit facebook, I can’t even be accused of intercepting your passwords.  I don’t want to know.  I don’t want to even be put in a position where somebody’s going to ask me to find out.

    Are there scumbag admins out there that might take a bit more joy in that kind of information flying through their network?  Unfortunately, probably.  Is a company policy going to deter them?  Not until an airtight case proving their abuse comes to light, unfortunately.  And then I’m not even sure what level of abuse it’d entail for a company to discover and take that kind of action.

    1. “Also as a network admin: just use https to browse the web, and while I can see that you hit facebook, I can’t even be accused of intercepting your passwords.  I don’t want to know.  I don’t want to even be put in a position where somebody’s going to ask me to find out.”

      Well, yes, unless your employer requires you to accept their key into your trusted root, as many employers do, and then snoop on your SSL traffic as well, as many lawful intercept appliance vendors brag.

      1. Entirely possible.  I can only speak to my environment where SSL is unmolested, rather than MITM’d.  There’s a time and a place for cracking SSL, but it’s usually for business reasons, rather than eavesdropping on employee workstations.  (At least this is the case in scenarios in which I’ve been involved.)

  10. “A scenario a bit more analogous would be ‘A call center agent spoke to their spouse over their call-center telephone line, and discussed personal information’.”

    Analogous: I do not think it means what you think it means.

    1. I thought it meant “bearing some resemblance or proportion”.

      Talking on a recorded phone line resembles browsing the web in a monitored environment, more so than talking in an open space without visible or previously discussed monitoring equipment?

      1. When speaking over a recorded phone line in the context of a call center, one is implicitly aware of corporate policy as pertains to the calls, and of the relationship between employer and employee.

        When using a company computer that doesn’t preclude use of Facebook, email, online banking, etc, etc, via firewall or clear-worded policy, one would be reasonable in expecting a modicum of privacy.

        In that way, I do not think your example is analogous. It seems tenuously accurate, if at all.

        On the other hand, if it is stated policy that the company will monitor ALL internet traffic, or has gone to lengths to stop employees from accessing those sites, then I think your analogy works better.

        That said, many organizations and local governments do not have clear, incisive protocols for internet usage in the workplace. Mine certainly doesn’t. The corporation I worked for before this did not either.

  11. I wouldn’t be surprised if FB terms prohibit using someone else’s password the same as they do giving it away.

    1. This.

      There is nothing illegal about a company logging the pages you view and the submissions you make (including usernames and passwords). If they were to access your information using those passwords, that would be in breach of privacy laws (and possibly fraud or unauthorised access to protected systems). They own the data being fed to your computer because they pay the bill. It is their right to snoop on what you do with their resources – but only douche bags would…. You hear me IT?

      PS: It is my personal policy to befriend and be as helpful as possible to IT. If you do they may give you extra privileges and they may even help cover your tracks if a manager comes asking.

  12. One can’t argue that a company has the right to snoop anywhere on company property without implicitly allowing company placed spy cameras in restroom stalls. Where a line is drawn is debatable, but there is clearly a line.

    1.  There’s a difference between “the right to snoop” and “technological implementations which make snooping possible”.

      There may be proxies in the network, or even a large network sniffer for troubleshooting purposes which make it POSSIBLE for an admin to snoop.  That doesn’t give the green light for snooping to occur.

      On the other hand, the official use cases for cameras in the toilet are dubious.  I’m sure somebody could spin one (we’ve noticed increased cases of Toilet Paper theft!) but ethically, the toilet snooping should be fully disclosed to employees, similar to acceptable internet use policies and such.  If you’re employed at a place that installs Can Cams, I’d probably start looking for other jobs.

  13. This is why I never use the toilet at work.  Since it’s on company property, I assume they have installed a camera to record all my bathroom visits.  Plus, I wouldn’t want to steal any of my employer’s time by doing something like combing my hair at work.

  14. I had an employer who was concerned that a few employees were grossly misusing company time and I was asked to install software that was basically a keylogger which also took screenshots at regular intervals.  I felt uncomfortable even though I knew that it was likely these employees were messing around all day rather than working.

    I convinced my boss that spying on employees would dissolve the level of trust that had been built up and all employees would begin to resent management. I suggested that looking at the browser history was sufficient to see if an unreasonable amount of time was being spent on non-work websites without violating privacy.

    Thankfully my boss found this to be acceptable.

  15. The first time round I read the update as: “To everyone who says that your employer has the unlimited right to spy on your computer use because you’re company property…”  which seemed kind of apt.

  16. Question for the attorneys: suppose employer A acquires access to the outside account (GMail, Twitter, whatever) of employees B and C.  If they actually USE that access, then I’m pretty sure they’re in violation of the AUP/TOS of those services.  But are they in violation of the law? If so, which?

    Does this analysis change based on whether employer A uses technical subterfuge (e.g., MITM attacks) or coercion (e.g., “surrender password or get fired”)?

    Side comment from a security viewpoint, not a legal one: many, MANY people re-use passwords, no matter how many million times we tell them not to.  If employer A is in possession of employee B’s GMail password, then A may also be in possession of B’s password at other services (which can be enumerated by checking HTTP proxy logs, DNS server logs, firewall logs, etc. and correlating against the address assigned to B’s computer).   As someone who runs networks, I would NOT want to be A or any part of A, for this reason or any other, because my possession of that password means that I’m now on the list of suspects if anything bad happens to B’s account(s).

  17. I work for a company where recently self-signed certificates / man-in-the-middle SSL became policy.

    The change in IT policy was clearly communicated to everyone, but the implications to Joe employee checking his Facebook were not.  After questions by a few of the tech staff it was said the change was to help prevent digital IP theft and so on. I work at a bank and they are tightly regulated risk-wise, so it’s understandable – though somewhat annoying.

    If it was happening without employees’ knowledge, then that’s another story.

  18. Don’t use Facebook (or personal e-mail) at work.  What’s so hard about that?  Don’t do it.  Just work and get your work done in 8 hrs and go have your life outside of work.  Off company property.  Is that so hard?
