Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
samuel 2 hours ago

I agree with the sentiment, but I think it's a pretty naive view of the issue. Companies will want all info they can in case some of their workers does something illegal-inappropiate to deflect the blame. That's a much more palpable risk than "local CA certificates being compromised or something like that.

And some of the arguments are just very easily dismissed. You don't want your employer to see you medical records? Why were you browsing them during work hours and using your employers' device in the first place?

itopaloglu83 37 minutes ago | parent | next [-]

I’m all for privacy of individuals, but work network is not a public internet either.

A solution is required to limit the network to work related activities and also inspect server communications for unusual patterns.

In one example someone’s phone was using the work WiFi to “accidentally” stream 20 GB of Netflix a day.

immibis an hour ago | parent | prev [-]

In Europe they prefer not to go to jail for privacy violations. It turns out most of these "communist" regulations are actually pretty great.

johncolanduoni an hour ago | parent [-]

Does GDPR (or similar) establish privacy rights to an employee’s use of a company-owned machine against snooping by their employer? Honest question, I hadn’t heard of that angle. Can employers not install EDR on company-owned machines for EU employees?

apexalpha an hour ago | parent | next [-]

Yes, at least in the Netherlands it is generally accepted that employees can use your device personally, too.

Using a device owned by your company to access your personal GMail account does NOT void your legal right to privacy.

zeeZ 35 minutes ago | parent | prev | next [-]

They can, but the list of "if..." and "it depends..." is much longer and complicated, especially when getting to the part how the obtained information may be used

Msurrow 4 minutes ago | parent | prev [-]

Yes. GDPR covers all handling of PII that a company does. And its sort of default deny, meaning that a company is not allowed to handle (process and/or store) your data UNLESS it has a reason that makes it legal. This is where it becomes more blurry: figuring out if the company has a valid reason. Some are simple, eg. if required by law => valid reason.

GDPR does not care how the data got “in the hands of” the company; the same rules apply. Another important thing is the pricipals of GDPR. They sort of unline everything. One principal to consider here is that of data minimization. This basically means that IF you have a valid reason to handle an individuals PII, you must limit the data points you handle to exactly what you need and not more.

So - company proxy breaking TLS and logging everything? Well, the company has valid reason to handle some employee data obviously. But if I use my work laptop to access privat health records, then that is very much outside the scope of what my company is allowed handle. And logging (storing) my health data without valid reason is not GDPR compliant.

Could the company fire me for doing private stuff on a work laptop? Yes probably. Does it matter in terms of GDPR? Nope.