This is something that genuinely runs the gamut across different companies—plenty don't even know the serial numbers of company-owned machines, never mind which devices individuals have, while others do effectively have live feeds of every employee's screen available to managers at all times. In between you have many businesses that manage their devices but only insofar as to enforce some basic protection and reserve the right to investigate it in the case that something does go wrong. In having conversations about this kind of stuff with company leaders, many will strongly reject any of the most invasive tracking stuff, believe it or not.

I do agree, though, that for any type of surveillance, the rise of AI presents a really problematic opportunity to allow more targeted observation, since nobody has to spend their own time looking for what people are doing, they can ask an AI to keep tabs and look out for the things they care about.

On that note, I think one of the more realistic risks for an everyday person doing personal things on a work machine is probably insider threat from a rogue IT admin, whose access allows them insight into company devices without enough oversight.

I think IT departments also tend to underestimate the risk they pose when they manage machines. Look at Stryker, where intruders used Intune to wipe all the company's devices. The ability to do that shouldn't exist, but the IT department happily rolled out the means of their own destruction in the name of compliance and making their lives easier.

Device management is definitely a big hole to punch into each machine, but, once you're above a handful of staff, managing devices manually is not really tenable, and I do think the restrictions provided by device management have tangible benefits (it's amazing what people will download and run without a thought).

Arguably the risks of the MDM should be assessed and mitigated with some kind of defense in depth approach—highly sensitive things like bulk wipe disabled with multi-person approval required to re-enable, hardware MFA requirements, anomaly detection + alerting for weird behavior, etc etc. I'd argue the risks stem more from badly configured MDM where a compromise of one sysadmin's browser has a company-wide blast radius, rather than the fundamental presence of device management itself.
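As an added illustration of the two mitigations named above (multi-person approval for bulk wipe, and anomaly alerting on a burst of destructive actions), here is a small Python sketch; it is not code from the thread or from any MDM product, and the audit-event format, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real Intune output). One admin issues a
# dozen wipes within seconds, which is the "company-wide blast radius" scenario;
# a second admin does routine work plus a single, legitimate wipe.
SAMPLE_EVENTS = [
    {"ts": f"2024-05-01T09:00:{i:02d}", "actor": "admin1", "action": "Wipe", "device": f"dev-{i}"}
    for i in range(12)
] + [
    {"ts": "2024-05-01T09:05:00", "actor": "admin2", "action": "Sync", "device": "dev-99"},
    {"ts": "2024-05-01T10:00:00", "actor": "admin2", "action": "Wipe", "device": "dev-100"},
]

# Assumed set of actions treated as destructive for alerting purposes.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire"}


def detect_bulk_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: largest burst size} for actors who issued at least
    `threshold` destructive actions inside any sliding `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append(datetime.fromisoformat(e["ts"]))
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), burst)
    return alerts


def wipe_allowed(request, min_approvers=2):
    """Policy gate for a bulk-wipe request (constructed shape): the requester
    cannot approve their own action, and at least `min_approvers` distinct
    other people must have signed off."""
    approvers = set(request.get("approvers", [])) - {request["requester"]}
    return len(approvers) >= min_approvers


if __name__ == "__main__":
    print(detect_bulk_wipe(SAMPLE_EVENTS))  # only admin1's burst is flagged
```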

I think I'm probably coming at this from a different perspective than IT people.

I've worked on IoT products where we've deployed fleets of thousands of devices without user interfaces placed all over the world in random, inaccessible places, hanging off cellular radios. We're definitely not managing those manually. Architecting management systems for that is always interesting. Sometimes the question would come up, "why don't we do X?" where X necessarily included the ability to brick the entire fleet (and probably kill the company) in 5 minutes. My philosophy was that certain things are too dangerous to exist, no matter how useful they might be.

Are your IoT devices ALSO used by humans directly, where they would be forced to have some admin permission to do their work if there was no MDM system?

MDMs are clearly a possible SPOF for certain attack vectors, but are also the only defense against others (unless you want to hire a legion of IT helpdesk specialists).

There are also individual-level risks. If you capture everything, you might capture bank account numbers when setting up direct deposit or credit card numbers from corporate purchases (these are clearly valid uses of company equipment). In an only slightly less valid use, you might submit a medical claim (using a company benefit), and surveillance software gets part of your medical record.

There are underappreciated liabilities companies take on with this monitoring.

Yeah, many companies don't want the liability issues. Like what happens if I open my bank account on my work computer? You could argue I can expect someone to be watching but I have no warning that someone is? Here in the EU that would probably be an easy lawsuit.

Why would you ever log in to a sensitive account on a device you don't own and have root on? Like, I trust my employer not to do anything shifty with my banking info, if I were to use it, but I'm not going to take that chance for a dozen reasons.

> Why would you ever log in to a sensitive account on a device you don't own and have root on?

You mean like the phones that everyone uses with banking apps?

I don't. No financial transactions for me on something so easily lost or stolen, with any number of possible exploits lurking out there. Phones should be treated as compromised from day one.

I have my problems with this as well, but at least no one else already has root on my phone.


You probably use direct deposit, in which case your employer already has your banking info.

They have my account and transit number and stuff, sure; that's different from my username and password for online banking. We print them out on cheques that can be (reasonably) safely given to my plumber.

patio11/bitsaboutmoney has some good writing about this.

In most cases, that's an external payroll service, not the actual employer that has that info.

People often have accounts at multiple banks…

Your employer knows how much they paid you and what account they paid to. They don't know your balance, where else you might be getting money from (selling science fiction short stories, eh, Cosgrove?! This job should be enough for you!!), that you have donated money to the Democrats recently!! We suggested that was bad!! And lots of other things that come under banking info.

What are the reasons?

Can’t speak for the EU, but the companies I’ve worked for in the US explicitly state what they do not track in their privacy/use policy when giving out laptops/phones/tablets.

E.g. their anti-virus or firewall system may ignore URLs related to banking, medical, or political affiliation and choose not to log or decrypt that traffic.

Once I was trying to find a scene from a TV show at work for a joke with colleagues, and the quote I used ended up triggering a very NSFW search. Did not get fired, not even talked to. Thank goodness!

A lot is tolerated, until they want to get rid of you. But in the EU I'm pretty sure they can't use regular non-compliance stuff (general browsing, etc.) in evidence. In DE you can't even identify an individual.

Moreover: what is the upside?

Spying on employees is not free. If you want to spend serious resources doing it, there has to be an upside.

How do you expect an employee to prove their banking actions on the company computer were spied on? I imagine this is impossible to prove.

If the employer is spying on everything, it's quite easy.

In discovery you can ask for the records. Of course you would need some initial evidence to show it’s likely it exists.

By having it in a small window that's always on the screen.

Isn't Facebook training their AIs on their finest engineer's computer use so the AIs can become better computer users?

In this case, the more insidious yet subtle risk and attack vector for humans using these Facebook computers is that Facebook begins to use this data to discriminate (legally) on performance metrics. They can then use these to automatically disseminate performance improvement plans, leading to higher productivity (perceived, as what's measured no longer ends up being a useful metric), and to control and urge people to do more of what they desire.

And my curiosity is: does what Facebook desires align with what the humans who work for Facebook desire? I think with AI, that's a no. The company desires as low a labor/workforce/compensation cost as possible, while the humans desire as much compensation as possible.