> Around 2009 or 2010, the company decided to try to pull a fast one on some of us. They said that our original NDA somehow hadn't gotten signed (what?), and that we needed to re-sign it...Sure enough, they delivered, and sent me the original NDA. Note: they didn't send me AN original NDA they were using circa 2006 when I started. They sent me THE original NDA, complete with my signature from the day I started! Yes!
> So then I started reading along, doing my best to do a 'diff' in wetware, and found that they had actually added some clauses. One of them amounted to 'taint' for your personal devices. Basically, if you signed in to your corp gmail from a device, they claimed the right to audit it at any point in the future.
This kind of psychotic behavior is one reason I'll never work at a megacorp. I'm sure some smaller companies do it too, but it seems less common, and they won't have as many lawyers on retainer just waiting for the chance to justify their salary by pursuing it.
And if I ever did find myself at a company that tried to pull something like this, I'd probably quit on the spot. I won't work in an environment where I'm having to constantly watch my back.
What I don’t understand about this is they were most likely an at-will employee. So the company could have just said “new policy, sign it”.
I had an employer do this - I was working there a few years, owner came in and said “we’re doing background checks, fill this out and sign it”. I asked what happened if something came back on it, and he said that I’d be fired.
Google employees are sort of known for being willing to make stands on moral and ethical convictions. As well as advertising itself as a company that welcomes that type of person, paying as much over the local median as they do likely means many employees can afford to lose their job and have at least a few months worth of living expenses saved up. Combined, these mean Google employees are probably very likely to make a stink about something if you trigger those traits, IMO.
Sometimes, how you say it is as or more important than what you say. Giving benign plausible explanations for red flag behavior is expected from big corporations. This isn't their first rodeo, or at least not for the people they've staffed that deal with this.
The thing about collective bargaining is that it's collective and a strategy to help yourself, and even when it's a stand to help some other union, it's to help strengthen unions in general, which helps your own union, and thus your own bargaining power.
Oh, and it's all done under a group to help avoid consequences.
All sane choices to make, but not exactly what I meant to convey by taking a stand on moral or ethical convictions. I more meant being willing to deal with the consequences when you don't really have enough power to force that change. I wasn't trying to paint Google employees as overly noble, just somewhat that and also privileged and naive. And of course that's just my perception from the outside.
Maybe it's different where you are - but here in the UK working-class unions do often take stands on moral and political issues outside their own interests.
A major example is the massive action they took against South African apartheid in the 1980s - a political issue many thousands of miles from their interests.
I don't think that's true anymore. Google employees value their careers higher than anything else, otherwise they wouldn't put up with all the bullshit. Just working for Google itself is a huge red flag in their personalities.
I can confirm based on my experience that smaller companies do this too. They may not have many lawyers on retainer but being small, they can (threaten to) walk you out immediately with no consequences, cut-and-paste irrelevant passages from other companies in the new NDA, and other assorted unnecessary nonsense.
A couple of days ago I was talking with my wife about events in Afghanistan, and saying how life is going to get a lot worse for women and girls under the Taliban.
She replied, "yes, but everyone has their oppressors"*, to which I quipped, "yes, ours is HR".
----
* Some context here. My wife is Māori. For North Americans, think "First Nations". Oppressors? We got 'em. Most of us are them.
I wasn't talking about history. Inheritance has nothing to do with it.
In the present day, Māori have lower incomes, poorer access to housing and so poorer health, and they are discriminated against by health professionals when they do present. Māori have less access to finance and are discriminated against for jobs, and their children by primary school teachers. Racism: we has it.
As far as I can tell the same is true for First Nations people.
Yet all those affluent, successful Chinese, Vietnamese, Malaysians, Koreans, Arabs, and Indians somehow get a free pass from the local racists?
For racism to be the ONLY reason, the Pakeha (Europeans) would have to have somehow come together at some secret congress in the past and agreed to ONLY discriminate against the Maori (and Pacific Islanders) - and then secretly pass this pact down generations and induct new European immigrants into the pact.
All the while intermarrying with the oppressed at an increasing rate and deifying them in All Black jerseys?
How else do you explain that multiple groups of non-European folk find NZ (filled with racists according to you) to be a venerable paradise, yet the only community that is armed with 1) its own dedicated government department, 2) a dedicated cabinet minister, 3) reserved parliament seats, 4) privileged access to land and sea resources, 5) its own courts, and 6) drowning in public funding cannot compete with the children of immigrant shopkeepers?
It really is a primary school analysis.
Or - unspeakable alternative b) - there are other reasons for the disparity other than clan members with a kiwi accent?
But, that said, you are fortunate enough to be born in a time and place where simplistic, progressive analyses that accuse entire population groups of racist crimes are now considered acceptable in polite society - so go for it. Mate.
This has always been required for the mega-contracts I've had to sign, which have sometimes spanned hundreds of pages. Not only initial each page, but to have the pages cascaded so there's initials running over the margin of consecutive pages - this was required.
I had a job where I lived on planes and in airports (this was just before smartphones existed). The first day on the job, I logged in to the corporate network. It told me bluntly 'This is the BigCorp network; there is no right to privacy'. The entire time I was there, I travelled with two laptops.
I don't blame BigCorp for their policies; their equipment, their rules. But I strongly recommend separating the use of business and personal devices.
And, no, if an employer demanded I install an app on my personal phone, I'd refuse.
>if an employer demanded I install an app on my personal phone, I'd refuse.
I did that once. In very polite terms I told them that I like to keep personal and work activity separate as much as possible for personal and work security reasons and that if they issued me a phone with an app I'd be happy to carry it.
I got a very positive response. Ultimately they didn't think it was worth issuing me a phone and everyone went on happily.
Do you really consider your payslips as work stuff? From a legal point of view it seems unlikely that they could claim your device was used for work if it was used to transmit payslips. To me this doesn't seem comparable to having Slack/Email on your personal phone which means that some corporate possibly classified info made it to your device.
It's the installation of a work specific app that would be the concern. We already know apps track behaviour, but your company knows exactly who you are and can track behaviour without aggregating it, thus getting a very clear view of what you do outside of work.
While I would for sure check the permissions of the app (and double-check my employment contract for the possible implications of installing that specific app and logging in with my corporate account).
Playing the devil's advocate though: installing an app is not necessarily super invasive, especially if the app doesn't get any permissions (and / or is one of the apps that are ok with getting installed in for instance an android studio-style android emulator).
That said, for sure it would be super nice to be able to get "real" information on what tracking things happen (unfortunately that's not realistic) and if there are requirements from the company for me to use the system (that would theoretically rely on the install of an android app for instance) I would personally require that I either get a company cell phone to install them on, or some sufficient guarantees (on the level of physical paper contracts signed by the head of HR) of what they will do.
Or if they would accept me installing the app (and their app manifests etc) on an android vm on my laptop (like you can get in android studio), in that case I guess it would maybe be kind of acceptable to do it (at least on the work laptop).
The limit I will personally go to on my personal devices is installing a (generic, unrelated to what the company asks me to do) TOTP app and registering 2fa auth in that app.
> which needs to be installed on a personal phone of course
I personally have never had a request for a company-provided work phone/tablet denied, if they required me to do anything on my personal phone that was critical for work.
If they ask why, I tell them I have a BlackBerry :) never been a problem
The day I needed to install anything on my phone for my mega-corp employer I went out and bought the cheapest Android phone I could find.
What was an interesting discovery was that PingID doesn't require a cellular data connection to work, so I was able to use the phone unregistered (so no network charge) and permanently in flight mode (to preserve the battery).
Even now after leaving that company I still haven't registered the phone or taken it off flight - I just connect to a personal wi-fi as necessary.
I did this at my current employer (NZ govt uses shitty third party services which really want to invade your privacy). Basically, nope, I'm not installing this closed source third party app (whose only job is to issue MFA tokens for access to the intranet) onto my personal phone. If you want me to install it, give me a separate phone. After a lot of finagling I finally learned this was just TOTP, and there was a way to get my TOTP seed so I could use any old TOTP client. No indication of this while talking to support or looking at the registration website, of course.
Just today (possibly related) someone else tweeted:
Sooo, #Apple has pics of my boobs. During a discovery thing 3yr ago, legal forced me to hand-over all my texts. They refused to let me delete anything, even "fully personal," even when I said "by fully personal I mean nudes." They said they're in their "permanent evidence locker"
I questioned this aggressively. Apple R&D pressures us to have one iPhone for work & personal (so we can "live on" / dogfood). I said, if there's texts that aren't with employees and have nothing to do with work, I should be able to delete them or at least attachments. "Nope."
Apple already had her (and everyone else who iMessages) nudes: iCloud Backup is not e2e and is on by default and escrows either the iMessage plaintext or the iMessage sync keys to Apple, encrypted with Apple keys.
Apple can read all of the stuff you text or iMessage if you (and all the people you text with) haven't disabled iCloud Backup.
This goes for every iOS device in the world, not just Apple corporate ones.
They even have my nudes (despite my not using iMessage, SMS, or iCloud) because I send them sometimes on Signal to people who save them in their iOS camera roll and have iCloud still enabled by default. (iCloud Photos, like iCloud Backup, is also not e2e.)
(If your employer is pressuring you to do something you are not legally required to do and don't want to, it should immediately sound alarm bells and harder personal boundary defense.)
> If your employer is pressuring you to do something you are not legally required to do and don't want to
One should always put a price on actions your employer wants you to do, so that there's an economic back pressure. For example, if an employer forces you to use a work phone as a personal phone for dogfooding purposes, you must extract a price out of your employer for giving up this privacy. Or quit, if the price is too high for the employer to pay.
> I realize that many people do not have the option to just go and drop a couple hundred bucks on an additional phone and then add another $100/mo to their budget for the service.
I'd never pay a monthly fee for a work-only device. If they give me a work-only device, it should come with a data plan. If they don't give me a work-only device but want me to sign over access to my personal device, then I'll use an old device and just use wifi. No way I'm paying a separate monthly fee because my employer puts me between a rock and a hard place.
I took that to mean, not everyone who is provided a corporate device can afford a separate personal device and plan. I've never heard of a corporate device coming without a plan paid by corporate.
Agree that corporate devices typically come with data plans. I took the $100 bit as a reference to the Lyft situation, where she was required to load a bunch of apps onto a mobile phone, but wasn't given a work device. So she bought a dedicated device with a one-time cost and apparently paid an ongoing monthly fee as well.
Can you be more specific? I pay over here €10/month (phone not included) for unlimited calls and text in all EU and many other places abroad plus 100GB (I have an old plan, now it's 120GB for the same price) locally with decent coverage, and consider myself lucky. Actually there are cheaper options, although those companies have been a lot less user friendly. With this one (iliad.it) at least I can use a prepaid card to avoid unpleasant surprises and cancel anytime in a click.
This seems quaint to me. The real reason to not use a personal device for work is discovery. As soon as you do work someone can trace back to that device, there’s the potential for someone to seek a warrant for that device. Even if it’s some chucklehead you don’t even know within the corporation who’s being investigated, all you had to do was send an email to someone they sent an email to. And now the courts can demand your stuff. Let’s assume everything everyone does is perfectly legal, it’s still a massive inconvenience tax, and that alone is a good reason to not do it. I carry two phones and two machines (Corp laptop, personal iPad). They want me, they can give me the machines to contact me.
> If you're like the younger version of me and can't afford to pick up another phone just to keep your work and personal lives separate, you may have to make some compromises in the name of not rocking the boat with your employer. If this happens, don't feel too bad about it. Every day, people have to suck it up and deal with relatively sketchy treatment from their employers, and can't speak up without fear of reprisal.
Or, you know, we could also get the most egregious behavior banned.
Once again these are technical solutions chasing a regulatory problem. Does it work? Sure, if you have the time, the money, the sophistication, and do everything perfectly in advance of an unlikely event.
If you want to help most people, update the rules.
Unions aren't a technical solution. They are the natural opposing force. The state and corporations are nearly one, they cooperate, sometimes at the expense of individual companies to maintain labor peace.
Right, I should have started with "And" instead of "Or." The rest of this thread is full of technical solutions. Unions are an excellent tactic for this.
The most interesting thing about this is the linked article about the employer that tried a bit of sharp practice to insert additional clauses into the NDA: https://rachelbythebay.com/w/2011/11/09/signs/
There's definitely a few morals to this story (but note: not legal advice! I am not a lawyer!):
1. You should keep your own copy of anything you sign as part of your employment contract.
2. You should maybe keep a record of when you handed that to your employer ("I did in fact sign a copy of the NDA when I began my employment, and handed it to [person] on [date]. I hope this helps you to locate it.")
3. If the NDAs are so long that it would be impractical to visually diff them, you can just ask the company: "Can you please ask [name of company lawyer] to send me an email confirming that this is the same NDA that I signed at the beginning of my employment on [date]?" If they do, and then later rely on a clause that has been inserted, I suspect they would have a hard time convincing a court to enforce that clause.
4. In the author's situation, they sound like they were over a bit of a barrel economically and it's hard to push back in that situation. If you are willing to push back, remember that your employer is asking for something from you, i.e. a change to your contract. And if that change is that they can audit your personal devices, that is not a small concession! "This NDA does differ substantially from the one I originally signed, and would represent a significant change in the conditions of my employment. I understand if the company has new security concerns, and I am willing to work constructively to find an acceptable solution. For instance, if you are uncomfortable with me being able to access work e-mail on my personal device, you can issue me with a separate device over which you would have auditing rights."
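Point 3 above (and the "diff in wetware" from the linked post) is a mechanical task once you have kept your own copy, as point 1 recommends. As an added example that is not part of the original thread, this script compares two constructed contract texts clause by clause, ignoring whitespace differences that come from re-typesetting, and records a fingerprint you can note down when you sign. The NDA wording, file names and the inserted "2a" clause are invented for the demonstration.

```python
import difflib
import hashlib
import re

# Constructed sample contract texts, not real NDAs. One clause per line, which is
# the form you would save them in after copying out of the PDF or scan.
ORIGINAL_NDA = """\
1. "Confidential Information" means any non-public business information of the Company.
2. Employee shall not disclose Confidential Information to any third party.
3. Employee shall return all Company property on termination of employment.
4. This Agreement survives termination of employment.
"""

REISSUED_NDA = """\
1.  "Confidential Information" means any non-public business information of the Company.
2.  Employee shall not disclose Confidential Information to any third party.
2a. Any device used to access Company e-mail may be audited by the Company at any time.
3.  Employee shall return all Company property on termination of employment.
4.  This Agreement survives termination of employment.
"""


def clauses(text: str) -> list:
    """Split into clauses and collapse whitespace, so a re-typeset copy alone shows no change."""
    return [re.sub(r"\s+", " ", line).strip() for line in text.splitlines() if line.strip()]


def clause_changes(original: str, revised: str) -> dict:
    """Clause-level diff: which clauses were added, removed, or reworded."""
    a, b = clauses(original), clauses(revised)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    out = {"added": [], "removed": [], "reworded": []}
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "insert":
            out["added"] += b[j1:j2]
        elif tag == "delete":
            out["removed"] += a[i1:i2]
        elif tag == "replace":
            out["reworded"].append((a[i1:i2], b[j1:j2]))
    return out


def unified(original: str, revised: str) -> str:
    """Unified diff over the normalised clauses, the familiar form to attach when you write back."""
    return "".join(difflib.unified_diff(
        [c + "\n" for c in clauses(original)],
        [c + "\n" for c in clauses(revised)],
        fromfile="nda_as_signed.txt", tofile="nda_reissued.txt"))


def fingerprint(text: str) -> str:
    """SHA-256 over the normalised clauses; note it alongside your copy on the day you sign."""
    return hashlib.sha256("\n".join(clauses(text)).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    changes = clause_changes(ORIGINAL_NDA, REISSUED_NDA)
    for clause in changes["added"]:
        print("ADDED:", clause)
    for clause in changes["removed"]:
        print("REMOVED:", clause)
    for before, after in changes["reworded"]:
        print("REWORDED:", before, "->", after)
    print(unified(ORIGINAL_NDA, REISSUED_NDA))
    print("signed-copy fingerprint:", fingerprint(ORIGINAL_NDA))
```

Normalising whitespace before diffing matters in practice: a copy scanned or re-exported from a different template will differ in spacing on every line, which buries the one clause that actually changed. The fingerprint serves the same purpose as the e-mail confirmation suggested in point 3: it is a record, made at signing time, of exactly which text you agreed to.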
I once had a company ask everyone to sign updated employment contracts that changed the vacation policy to "unlimited PTO".
So I opened up my original contract and compared them... and wouldn't you believe it? There were other changes in the contract: they'd added non-compete and non-solicit clauses, and tweaked the IP language to make it broader.
I talked to the company lawyer to ask for an explanation, and they became very embarrassed and they walked back all those changes, claiming that they'd used a new law firm and this happened because that firm had used their "standard boilerplate". They sent everyone a new copy with just the PTO change.
Of course, then I refused to sign the updated one, because I'm a jerk who thinks "unlimited PTO" is a scam. :)
> Of course, then I refused to sign the updated one, because I'm a jerk who thinks "unlimited PTO" is a scam.
Unlimited PTO is only a scam if you are a) bad at taking care of yourself, and b) have a shitty manager.
I've been taking every other Friday off since last summer, and in addition to that take 4-5 weeks off during the year (a week or two at a time). Hasn't been a problem because I get my work done, and I have a manager who understands we all need downtime to be healthy (and productive).
In my experience, most of the people who end up taking less time off when their company switches unlimited PTO are just bad at taking care of themselves, and (incorrectly) believe they'll be penalized for taking time off.
Incorrectly believing you'll be penalized is still the company's fault, because you're going to be penalized at some point and the company is hiding what that point is. Taking the PTO becomes a gamble.
Nobody would accept a job where the company told you "well, it's unlimited pay. Just tell us when you need some money and if it's not unreasonable we'll give it to you."
I don't think unlimited PTO is necessarily a scam, but it's only a benefit if you're a highly productive employee that takes more than 15-20 days off per year.
There is one major downside of unlimited PTO. I don't take very much PTO. Maybe I should, but I don't (and especially haven't during quarantine). As a result, I am pretty close to maxed out. Whenever I leave the company, I will get an additional check for one month's salary. With unlimited PTO, I would get nothing.
I'd add to also keep a copy of any substantial agreement/clarification alongside the proper legal paperwork. The PTO wording was a bit confusing, you ask for clarification and they tell you it's 21 work days and not 3 natural weeks? Keep a copy of those email/slack/etc., preferably one from HR and one from your manager where they both agree. Just push them in the same binder, there are probably not so many situations to make this bothersome but it can be helpful.
Luckily I've never needed it in any kind of legal situation, but a couple of times they saved me from a "he said she said" kinda conversation.
Actually maybe I should also add: keep not just the text of those e-mails, but also the from, to, date fields etc. If you ever get into a I-said / they-said about this, your employer might claim that your e-mails are a fabrication. If you get as far as a discovery process, and the company has to turn over e-mail records, that's going to make it much easier to locate the e-mail in question.
If you’re putting things in binders, print out the full headers of the emails. Maybe even the raw mail; though I admit html mail makes that very unpleasant.
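The two comments above recommend keeping the From/To/Date fields and Message-ID, not just the body, so a message can be located again in the company's own records. As an added example (not code from anyone in this thread), this script parses a raw message with Python's standard `email` package and extracts the identifying headers, every `Received` hop, and the body into a plain-text page for the binder. The message itself is constructed for the demonstration; the `.invalid` domains and the Message-ID are placeholders.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real e-mail); .invalid is a reserved placeholder TLD.
RAW_MAIL = """\
Received: from mail.example-corp.invalid (mail.example-corp.invalid [192.0.2.10])
  by mx.example-corp.invalid with ESMTPS id abc123
  for <alex@example-corp.invalid>; Tue, 03 Aug 2021 09:15:02 +0000
From: HR Team <hr@example-corp.invalid>
To: Alex Employee <alex@example-corp.invalid>
Cc: Manager <manager@example-corp.invalid>
Date: Tue, 03 Aug 2021 09:14:55 +0000
Message-ID: <20210803091455.12345@example-corp.invalid>
Subject: Re: PTO clarification
Content-Type: text/plain; charset="utf-8"

Confirming: PTO is 21 working days per year, not three calendar weeks.
"""

# Headers that identify a message in a mail archive; In-Reply-To/References tie it to its thread.
KEEP_HEADERS = ("From", "To", "Cc", "Date", "Message-ID", "In-Reply-To", "References", "Subject")


def evidence_record(raw: str) -> dict:
    """Parse a raw RFC 5322 message and keep the fields needed to find it again later."""
    msg = email.message_from_string(raw, policy=policy.default)
    record = {h.lower().replace("-", "_"): str(msg[h])
              for h in KEEP_HEADERS if msg[h] is not None}
    # Normalised timestamp so records from different mail clients sort and compare cleanly.
    record["date_iso"] = parsedate_to_datetime(record["date"]).isoformat()
    # One Received line per hop: which servers handled the mail, and when.
    record["received"] = [str(r) for r in msg.get_all("Received", [])]
    body = msg.get_body(preferencelist=("plain",))
    record["body"] = body.get_content() if body is not None else ""
    return record


def binder_page(record: dict) -> str:
    """Plain-text rendering to print and file with the contract paperwork."""
    lines = [f"{k}: {record[k]}"
             for k in ("message_id", "date_iso", "from", "to", "cc", "subject") if k in record]
    lines += [f"received: {r}" for r in record["received"]]
    lines += ["", record["body"].rstrip()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(binder_page(evidence_record(RAW_MAIL)))
```

The Message-ID is the field that matters most: it is what a mail archive or e-discovery tool searches on, and it is preserved on every copy of the message, so quoting it lets the other side locate their own copy of the same mail. Exporting the raw message (most clients offer "show original" or "save as .eml") and feeding it to this script gives you the printable page without retyping anything.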
"I did in fact sign a copy of the NDA when I began my employment, and handed it to [person] on [date]. I hope this helps you to locate it."
I'm not sure how important this is. Of course they still have the old NDA, and in any perjury situation they would readily admit that. Managers and (especially) HR people regularly "fib" (synonym of "lie") in hopes of distracting attention from the monstrous demands of capital. If an employee made a big stink, that employee would be reminded that employment is at-will and thus contingent on signing whatever is required at any time. The worst NDA amendments could possibly be contested in court, if one wants to spend five figures on attorneys. Probably a better way to avoid surprise "renegotiations" is to unionize...
A union is definitely the gold-standard defense against nonsense like this. But a lot of places have significantly higher employment protections than the US.
Remember, it's not always you that has to go to court to fight an NDA clause though. If you've resigned, and the company is insisting that it can search your devices because the NDA says so, the company is the one that needs to convince a judge to grant a court order allowing it to do so. (Again: not legal advice! But my understanding is that's how most contract rights need to be enforced.)
> the company is the one that needs to convince a judge to grant a court order allowing it to do so
Except they still have the legal advantage of more money and lawyers. There is no easy win unless the judge intervenes before you pay lawyers too much.
You can also just string it out, and on the first day you are due in court say "ok here it is". You don't need to pay a lawyer anything, the company just has to prove that it is really committed to getting this info. To go as far as having a court date set and lawyers ready to turn up. Personally I would arrive at court to ensure they sent some actual lawyers and then if I couldn't argue my point happily hand it over at no expense to myself other than taking a day off to attend court.
True, but it still puts the work of filing etc. on them. You can always self-rep. It's usually not a good idea, but here your argument is really very simple: "I signed this NDA on the basis of specific assurances, which were false. I have a record of those assurances from [company lawyer]."
>If an employee made a big stink, that employee would be reminded that employment is at-will
This applies to the US only. I wonder if American employees understand that their employers exist/operate in the EU too and the employees there are treated very differently vis a vis employment rights.
New contract changes are unenforceable without compensation in most cases. If you're getting a new NDA or somesuch rolled out it's why it usually comes with "Free 10$ starbucks gift cards for everyone surprise!" but a lot of the time any contract you sign that does nothing to benefit you is illegal - you can also refuse to sign new contracts and, depending on the company, they might just shrug and carry on with the old contract.
What ever happened to the future we all predicted or were told was coming a few years ago where we ran our phones like a hypervisor, and could actually segregate different controlling accounts into separate phone VMs? I imagine it was probably because it was too power intensive.
She's entirely right IMO with the advice. Separating work and personal time is already so hard to do in some cases, and having my phone be a pseudo-work communicator does not help with that problem in any way. Disentangling them at the end of an employment relationship is likely much much harder (luckily I've only had to deal with this minimally).
I'm pretty sure you can do exactly that. On Android it's called a Work Profile, and I assume Apple has an equivalent although I don't know anything about it. It's not a VM, but the access is sufficiently constrained that it should be good enough against anything but a really malicious actor of an employer.
The problem is when corporate policy considers that the device you work with essentially belongs to them and can be managed remotely or audited at any moment.
If you're using work profile and the company doesn't literally own the phone, there's not much they can do.
Remote management (such as remotely doing a factory reset) only impacts the work profile. I think the only thing they can do outside of the work profile is check what version of Android you're on to see if you have the latest updates.
Hmm, I recall profiles being talked about in the past, but seem to have missed when they rolled out, or forgotten about them. I don't think they necessarily solve the problem entirely, but I'll definitely look into them to see if they're useful to me now that you've reminded me. Thanks!
> A work profile can be set up on an Android device to separate work apps and data from personal apps and data. With a work profile you can securely and privately use the same device for work and personal purposes—your organization manages your work apps and data while your personal apps, data, and usage remain private.
There are other features aside from keeping apps separate. You can deny location data to apps running under the work profile. You can pause a work profile so you don't get work interruptions on the weekend. You can make phone calls from a separate dialer in the work profile, and it keeps a separate call history.
I was thinking about something similar along these lines—why draw the boundary at the physical device in your hands? From the article:
> So then I started reading along, doing my best to do a 'diff' in wetware, and found that they had actually added some clauses. One of them amounted to 'taint' for your personal devices. Basically, if you signed in to your corp gmail from a device, they claimed the right to audit it at any point in the future.
But iOS apps are supposed to be sandboxed! So as long as I install a separate Mail app for my work email, my company should have no justification for auditing anything else on my iPhone, right?
Or, going in the other direction—what if my company wants to audit every device connected to the same wifi network as my work phone? Why wouldn’t they want to do that? Is it really any different?
> If iOS apps are all supposed to be sandboxed, I should be able to just install a different Mail app for my work email, and continue on my way with my one iPhone, right?
If you're talking about keeping them logically separated on the device, you already get this on any Android phone. You can install different mail apps and use a different one for each account if you like. You can even do it with GMail accounts if you're willing to use GMail through IMAP (but I think you're out of luck for whatever Google calls their chat platform this week).
The problem is that it's hard to distinguish between work and personal notifications when not working (and vice versa). Giving me the ability to have VMs running and mute them (or mute them except if they blow up with notifications, or provide a single notification on the main interface telling me there's X notifications waiting on the work VM that updates once every hour or so) would be a real benefit. Not as much as a totally separate device, but also it wouldn't necessarily be as expensive or require more physical space.
BB10's implementation of this was the best... you couldn't even copy paste between the work space and the personal space.
Completely separated environment which allowed your work to just terminate the work environment remotely if you no longer needed access to it. You could even wipe the phone's work space when going through customs and remotely restore it from the BES Server.
No, it was not completely separated. For example, admins could set a policy that required you to have a password on your personal space and could specify that it was a minimum # of digits, etc. I had a BB and this is one of the things that really soured me on BYOD. I didn't want a long alphanumeric password on my personal space that I had to change at the same frequency as the corporate password.
> BB10's implementation of this was the best... you couldn't even copy paste between the work space and the personal space.
Whether you think that's the best might depend on whether you're an employee or employer. As an employee, I could see that being really annoying if someone pasted me a recreational link at work but I want to view it outside of a work context. For an employer that sounds like a nice way to keep data from leaking quite as easily though.
What I don’t really understand is how we ended up at the point where invasive MDM is even acceptable. People mix their work and personal lives all the time: even if I take my work laptop home and use it, it would be a massive overreach to show up at my house and demand that I let them search it. Why do we accept the equivalent for phones? Ok, I put company email on my phone: you should be able to wipe just that and retain a copy (which, running a central server, you do of course). Why should you have any right to do more than that?
Because collectively we've given up caring about digital privacy as a society. You and I and maybe most of the HN crowd care, but most people don't. Not really. This is just a reflection of that broader value system.
BYOD have clear separation of work and personal containers. Wiping all work stuff comes down to deleting the work profile from your personal device. This automatically removes all work related apps, accounts, media, etc.
> Even now, if I go to the app store, the little icon for FB and their many other apps still says [GET] instead of the little cloud download thingy that means "you had this already".
… and …
> There is one thing I need to mention for anyone going the separate iCloud account route on corp devices: you probably should make sure you have it logged in from a personal Mac or something like that, or some other place where you can have passcodes sent. The reason is that if you should quit, you lose access to the authorized devices (phone, laptop) which will receive auth codes.
> Assuming you ever want to turn that off, you're going to need some way into the account. If you don't have a way to approve the login and provide the passcode, fixing that is going to be rather difficult.
> For this reason, you'll probably want to go create a separate non-admin account on your Mac, then associate it with that "burner" iCloud account, and just let it sit there. Don't use that account on the machine for anything else. Then, if you ever need to get back in and shut things down to stop the autopay stuff, you'll have a way.
Use iCloud Family and make child accounts for corp devices.
As the “parent” account, you control the “child” account, even if the company controls the device, and you can allow the child account to use the apps or music you own, track where the device goes, etc. etc..
This feels like a solid tip, thank you. One question: can you specify separate payment methods per child account? It would be useful to have, for instance, a personal Amex & corp Amex setup on the parent, and only the corp Amex available to the child.
If a company offers me access to slack/email/whatever if I BYOD that's nice... but it's not something I'm going to take them up on unless 1) they're extremely young and don't have the infrastructure to manage things or 2) the responsibilities I'm taking on are so heavy that I feel the need to be always on call (and receive appropriate compensation).
Otherwise, if you're hiring me as a developer, I will develop with all my effort during work hours... and then go home. If you occasionally need me to stay late to supervise an off-hours deploy that's cool - no worries... but if it ends up running 4+ hours over a normal work day I expect time in lieu (possibly just starting late the next day).
I feel like I'm at the sort of ideal balance of defensiveness and compliance for an employee - I want to help make your company run better... but we signed an agreement on what I'll be compensated for that effort and what the expectations are and we'll stick to the agreement excepting sane and reasonable requests for minor deviations - a BYOD policy is not one of those. I am not pulling down half a mil - I don't even make six figures US - but I'm still expensive enough that a good work setup: computer, chair, keyboard that doesn't suck and phone if you need me to have it - are entirely incidental costs compared with my salary, employer taxes and health care costs. If you, as an employer, are going to try and make both of our lives more complicated over a one time 200$ cost to the company (and plan cost - which could be non-existent if wifi-only works for the phone) then you don't have your priorities straight (unless, again, you're like a three person startup then whatever - I get there's already way too much crap each person is trying to handle).
I disagree with Rachel in the fact that I don't think it's ever a good idea to BYOD - even paying for it yourself. Cleaning company software off the device is going to be a pain - and it's going to be a pain when your employment ends which is a period in every job's life that could always use every advantage it can get to be drama free.
It always blows my mind a company will pay an employee 5-6 figures (ish) (on top of all the other expenses an employer pays per employee) then refuse to hand out 3-4 figure equipment (cell phone + plan, performant workstation, etc)
I think she was advocating for a completely separate BYOD/work device so the cleaning phase would be "wipe phone and sell on eBay" or simply "throw phone in the trash" (e.g. pay for a corporate-only device out of your salary)
I agree with a lot of her points - but pushing that cost onto the employee (if the understanding is that BYOD just means the employee will be buying a new device) goes against a lot of labour standards around tool usage. Employers are expected to generally provide employees with the tools they need to get the job done - this is one of the big separations between FTEs and contractors.
The device discussion is really interesting on so many levels. Especially for non-phones and remote working.
Let's say you live in a studio apartment and you have your own personal workstation set up how you like it. That would be a desktop workstation, couple of monitors, adjustable standing desk, some chair that you like, internet, etc..
Now a company wants to hire you and they want you to use a company issued laptop. This becomes a serious physical burden on both yourself and your limited space. Using a laptop without external monitors is horrible posture but if you're in a studio apartment you might not have enough space to use a completely separate desk, chair, couple of monitors, keyboard, mouse, etc.. We'll ignore the money aspect of having 2 distinct set ups which in the grand scheme of things isn't too big of a deal.
There are not too many reasonable options here. The company's policy might not allow you to bring your own device, and even if they let you use your personal computer, allowing them to audit that or install some remote desktop sharing software that they have free rein over would be total madness.
It's also not that painless to quickly switch around HDMI (or even worse DVI) monitor cables. I suppose you could rig some type of HUB that lets you flip a switch to control which computer your monitors, keyboard, mouse, headphones, microphone, etc. are active for. This way you can use your desk setup for both, but now you can't use them at the same time which has its own set of issues. There's also issues like wanting to copy files from your personal machine to the work machine. So you might think ok I'll just allow SSH connections locally but now you've linked both machines to a point where having separation is useless, or maybe you decide to use an external drive that you can swap between both. In either case the work machine has been tainted.
It's not really that hard. They make KVM switches that will swap everything with one button. I've found those to be somewhat unreliable. Instead, I've got a USB switch that handles the keyboard + mouse. Monitors are always connected to both and I swap the input at the monitor.
It mostly works fine except for the piece of crap Mac. Never know what arrangement my monitors will be when I boot up in the morning.
I used to RDP into my work laptop (wired gigabit Ethernet in the same room) from my 5K iMac and it worked great. I’m pretty sure VNC is going to be a much worse experience but maybe it’s improved since I last tried it a few years ago.
> I suppose you could rig some type of HUB that lets you flip a switch to control which computer your monitors, keyboard, mouse, headphones, microphone, etc. are active for
This is the only sane option imo. I have been aggressively (during pandemic) switching to USB C and optimizing my desk setup. My personal macbook is usb c, my work macbook is usbc and my in-progress new gaming pc will be usb c.
I have a single usbc hub with one cable that i will move from device to device at home and deal with that as the minimum difficulty solution.
I plugged my company laptop into my LAN, closed the lid, and tucked it near my router so I can use it as a jumpbox into the corp network to do my "actual work" from my battle-station while everything looks like it's coming from the laptop.
I also got IT to buy me a tablet for Slack/GMeet/whatever else doesn't work over ssh, and hide that away in a drawer during non-work hours. When they asked why I couldn't use my smartphone, I told them I have a BlackBerry and wouldn't mind them paying for a new phone :^)
You don't need to be a single bachelor in a studio apartment to have this problem. I'd argue most people who worked from home due to lockdowns have run into this.
My home office, while adequate, wasn't exactly setup to be writing code and hosting meetings in for 8 hours a day. I'm certainly not going to go out and buy a desk and chair just for my work laptop... I ended up buying a nicer desk and monitor stand. As someone else pointed out, I purchased a KVM switch to flip my monitor between personal and work machines.
After a year of this I've just moved to setting my personal laptop to the side for music/email/etc and stopped using the KVM switch. It really wasn't a big deal and I wouldn't call it all that interesting.
I have essentially this setup -- A decently powerful Win10 machine connected to three large monitors and I connect via X11 over wired gigabit Ethernet to my Linux work machine using Mobaxterm in Win10. It's the best of all worlds -- personal and work machines are completely separate, work apps show up as individual windows on my desktop machine, pure Linux dev environment that matches the prod environment, and no messing around with multi-monitor HiDPI setups in Linux when it "just works" in Windows.
That sounds like a good set up. I've used Mobaxterm (now VcXsrv) to run graphical apps inside of WSL but that would totally work with a separate Linux machine too. The user experience was really good. Google is hinting that this should be doable even if you want to forward apps from macOS to your main Windows box. Only downside is the taint factor is still there too since it's SSH'ing from your personal box into your work box.
You can get a switch that lets you select between HDMI signals, and quick-disconnect magnetic USB cables, that's how I deal with this problem.
Realistically I don't switch it more than once a day; during work hours I don't need my personal machine and away from work hours I (generally) don't need my work machine.
Why not just use something like VNC/RDP in your local network?
That way you can use your private device for viewing videos and browsing the web in the background, while your device's screen(s) are visible as a window that you can switch to do work.
KVM switches are often too expensive in comparison to some software.
> Basically, when you quit, you have to go through this process of getting your number released from their mega-account with ATT or whatever, and that's just one more bit of turmoil in a time when you just want to be done with it.
I did this about a month ago at the same company Rachel is talking about. It was dead simple. I created a task where I mentioned my personal email account. The next day they mailed me a porting key, which I relayed to my new carrier. It started working within a day. Haven't had an issue so far.
I always felt that some of the writing on this blog had a tendency to make mountains out of mole hills. I can't say for sure about the rest of it, but this is definitely a mole hill.
As someone who no longer shares devices / numbers / ... with employers, partly due to NDA shenanigans in the same vein as in this article: when I left that company they tried to make my life as difficult as possible and tried to withhold compensation and so on.
Sure, in the happy path porting a number is easy. But this assumes that
* the company will be ok with you porting it out (and not just hold onto it out of spite, which I believe the company I worked for might have done)
* the company will handle that kind of ticket in a reasonable amount of time
* the company will not need to escalate this sort of request to levels where they will then be ignored
* the company will be technically competent to handle this sort of request
I'm not saying that all or even most companies will have these problems but the issue is that if the first thing you do when joining the company is port your number over, how can you know what the internal company culture is and if they will make it feasible for you to get your number back later on?
This also ignores the big selling point of keeping your work accounts / numbers separate: being able to disconnect. Just being able to put your work laptop and phone away and know that you won't get called has its own fairly large value.
Oh yeah for sure lol. Don't know how I could miss that since one part of the NDA shenanigans with the particular company I was talking about was that another company bought it during the same period that I started there and a lot of things changed essentially overnight (at least according to colleagues who had worked there for a long time).
The full story is ridiculous / hilarious:
The acquisition meant that between the period that I got the official contract (which was supposed to be the new parent company's contract, but their HR department refused to send it out to the then daughter company, so I ended up with the old default contract for the daughter company) and signed the contract, and when I started working (which was a couple of months due to reasons), they had an updated "NDA" which actually was a new employment contract with a lot more terms than were in the original contract (and that were illegal in my country, at least according to my legal counsel).
So my first day at that place a new "NDA" waited for me on my desk which turned out to actually be an employment contract. And apart from it having illegal provisions in it, there were references to me accepting an NDA rider that was not available to me at that point so I asked for a copy of that.
In the actual NDA there were even worse provisions. One clause in the contract expanded (it wasn't explicit, but that was what it meant) to me not being able to get a mortgage (or even a bank account) in my country (because I would not be allowed to do any kind of "business" with any company who was a customer of my company, or that was a customer of our customer due to them using our software (and we provided FX software for banks)).
Another clause explicitly said that all intellectual property that I produced from the time that I signed the NDA were properties of the company, and they would own all intellectual property that I produced UNTIL THE DAY I DIED (including after leaving the company), so after leaving that company I would not be able to work at any place that would expect me to provide intellectual property for them (unless I fought that admittedly illegal agreement in court).
Obviously I refused to sign the new contract and sent an email to the daughter company CEO (we were less than 40 employees) asking to set up a meeting. I then never got a reply until ~6 months later when I was threatening to leave (partly because of this, partly because of payment disagreements, partly because ~25 employees of the daughter company had resigned and left from when I started to that point). Then he really apologized and admitted in a private meeting that no, the employment contract was not enforceable in our country and that even presenting it to employees as something that they might be asked to sign would be grounds for sanctions for the company. And then he managed to convince the parent company to get me a counter offer to get me to not leave which was super insulting (~50USD/month raise), combined with trying to get me to take over as head of operations for the daughter company (because, apart from me and one other person the whole ops department there had resigned).
So obviously I left. And after I resigned the parent company refused to pay out overtime because "there is no explicit agreement with the /new/ company about overtime compensation", and they did some other things to try to screw me over.
There are also some hilarious stories about the guy who stayed and what they promised and how they "fulfilled" those commitments. But that's not my story to tell.
Anyway sorry for ranting, apparently I still have some sore spots regarding this company lol.
And tl;dr: just because your company might be cool right now and you trust it, it might get bought up tomorrow and everything changes overnight.
edit: I got around the "requirement" for me to sign the new contract / NDA by getting an email from the local HR asking for me to send in the NDA and me responding with a PDF of the signed original contract and an email saying "here is the contract that I have signed", and then it freaked out the parent company's HR person during the exit interview when they looked me up in the system (because they had a history of making a point of saying that their intention was to enforce the NDA + employment contract as harshly as possible) and I then told her to check the related PDF.
This one aspect aside (porting out barriers/risks/complexities) do you disagree with the advice to separate personal and work accounts and devices? I don't. I've disburdened my personal apple ID and made a work one about 3 years ago, and separated my Google identity precisely so that I don't face these risks. (Google can be ferocious about closing off access to your life, if they deem e.g. you abused advertising norms and t&c, and my company had some risk of this)
BTW you replied in about 5 places to re state your experience of this porting thing. That read as slightly obsessively detailed and specific hence my question because not once have you stated a view about the rest of her piece, except mildly disparagingly.
Yes I actually disagree with the advice. This might seem crazy, but maybe I’ll just prefer to work for people who aren’t complete psychopaths. Like the company that apparently assigned all IP till the day the employee died.
It’s a point of view. Certainly there are people who feel that every interaction with their employer needs to be contentious. I prefer to trust and assume good intent. Will I be disappointed on occasion? Definitely. I’m ok with that.
I didn’t reply in 5 places. I replied once and then sent a similar response to 3 people who said pretty much the same thing. I can’t help it if they don’t read the other responses and rush to comment identical things.
No, bad for me. You added one point, four times, your one point has substance: you actually worked for the same company, and did do the phone transfer, and it was hassle free. And, you answered my direct question we just disagree about the substantive motivations to separate work and personal devices. I agree with the original poster, it's too much liability and personally invasive.
Your company made it easy... If you left on bad terms, or with an immature company/boss/process, you might need days to go through the process... Or the company might argue and say your number is on too many cards/documents/etc and want to fight you to keep it... Even if it's clear on paper the number is yours.
I get where Rachel is coming from here. I think a decade ago when I had a separate phone for work was my least stressful time working... Unfortunately (in this case) I work for a University where I also attended school as a benefit, so the work/personal line got blurred for 6-7 years. Even though I finished my master's degree, it's become familiar to have "work" on my personal device now, when I used to be like Rachel -- separate work phone for the first 7-8 years I was working.
I'm happy she wrote this article, it's encouraging me to consider a low cost provider like Google Fi with an old phone and going back to the work/personal separation.
Like I've pointed out to others, I have nothing to say about other companies. I speak only about this one company where Rachel claimed that it would cause turmoil if you attempted to transfer your number out.
Rachel didn't actually raise a request for number transfer, so this was conjecture. I've gone through the process, and it was smooth. That's why I think it's a mole hill.
Everyone is saying "yes but at other companies...". Sure. I concede that. Just not at this one company.
Normally no. But it’s based on the exact same company that OP made the assertion based on. And the relevant bit is this - I actually used the process, they didn’t. They were sharing conjecture, I was sharing experience.
At a big co, competence of whoever you are dealing with in HR might vary a lot depending on who you happen to be working with that day. Maybe they could also have improved some processes since she worked there.
I share an employer in my work history with her. I feel she captures some things I didn't like about the place pretty well, without hyperbole.
> I always felt that some of the writing on this blog had a tendency to make mountains out of mole hills. I can't say for sure about the rest of it, but this is definitely a mole hill.
The thing is that the "fast path" or "happy path" of things is always nice and streamlined. It's when things start going wrong that it matters. If you marry yourself too heavily to a company you start losing your leverage. Depending on where you are and who you work with, things can get real dirty, and if your stuff is all intertwined with their stuff, that can add up to a lot of pain and suffering.
This is not a universal experience. I had to go through this recently with a large technology company, and it took multiple weeks of back and forth between the company and a major US carrier to confirm that the company wanted to release the number. If I had lost access to the internal ticketing system in the meantime, I am not sure what I would have done short of asking a coworker to take on the cause.
Most importantly, I had no idea a priori how long and involved the process would be.
Agree that it's not hard to port numbers. I think the larger potential issue is if you are working for a smaller company that is not as smooth with these transactions, or if you end up with an acrimonious situation where — whoops, we forgot to give you the porting key and now your phone number has been lost and there's literally no way to pull it back.
My employer doesn't even really allow personal electronic devices on the network, though there is some provision for visitors of course. So if you need a phone they have to provide you one, same for a computer. The same security constraints also basically prohibit accessing work stuff from a personal device. We can't even get webmail; we have to access a managed desktop-as-a-service and get our email from there if we are on a personal device. And the facility is big enough that cell service sucks.
I really appreciate the work/life firewall. Impossible to work on personal devices, impossible to use personal devices at work. And the security posture of them can be different
I worked for a healthcare company where the deal was you could get email on your phone but only if you installed an app that would allow IT to remote-wipe your whole device at their discretion. I declined.
I'm astonished some companies push the "use your own phone, which we now basically can control" angle. I mean, that's really shitty.
I've been working for the same small software shop (single owner, and I trust him) for 14 years, so the entire development of the modern mobile ecosystem happened while I've been in this job.
I use a personal laptop for all my work. I do this because I have Strong Preferences, and there's no way for the company to interfere with my computer. I can say this because (a) I trust the guy and (b) it's not actually possible for our corporate stuff to affect my personal stuff. (My computer isn't on the domain, for one thing; for another, we've all increasingly moved to "remote desktop into a VM in the colo" as a work pattern, even the devs, because it puts us all closer to the app servers and database servers. What device we use to reach the corporate environment is increasingly irrelevant.)
But this is a post about what OTHER people should do. Most people aren't in my position. Anybody who works for a big corporation -- which I define as "anywhere your boss has a boss" -- should absolutely assume that Bullshit and Chicanery Will Ensue at some point, and treat your personal computing security accordingly. Don't cross the streams if you can at all avoid it. If you must, minimize exposure.
Understanding what I do is not something most people can do, and understanding I work 100% remote (as does our entire company), and understanding there is no way IT policy in our org can affect my hardware: How?
I believe the other poster is saying that by sending a work email from your laptop or probably even by connecting to the company servers through it, your device could be theoretically investigated as part of a lawsuit. If you don’t use it for email and just type SSH on it then admittedly they probably won’t have much to find, but they could still get access.
One reason I’ve been in this job so long is the behavior of the owner. He’s scrupulously ethical and fair. We frequently give away time in implementations just to be sure the customer is on a solid footing.
It’s enlightened self-interest, obviously — our reputation in our market is now of a very, very high level of customer service, and that sells software - but it’s also just the right thing to do.
Yeah, it's never felt good to me to mix work and personal devices. I used to travel a lot and took two laptops with me: the work-issued laptop, and my own laptop. Work was done on the work laptop, everything else was done on my own. I heard rumors that screenshots were taken occasionally on work laptops, so I didn't really trust it for anything. I have no idea if those rumors were true. (Both were Chromebook Pixels, hilariously, and honestly the personal one was running my own build of Chrome OS so if Google wanted to spy on me, they could probably sneak the code past me. It's a big codebase.)
I think the more interesting case is the growing startup. I mix work and personal, because work doesn't require any special software. I push code to Github and message people on Slack. But the day will come when for compliance reasons we need to be able to state that nobody who accessed production had a virus, or whatever, and I think that will be very interesting. Either we'll have to ask people to install what will be perceived as spyware, or we'll have to buy everyone a "work computer", which will probably be less powerful than whatever personal computer they have. I personally hate maintaining two computers -- I don't have the space for two desks, and I don't enjoy making the same customizations to both (no, dotfiles on Github doesn't cover everything unless I make a NixOS image with all the ancillary software I use). But, I also don't enjoy spyware on my personal computer. So I guess all I can do is hope that it never comes up as a compliance strategy -- but you know what they say: hope is not a strategy! ;)
I’ve had two phones in my pocket the last 6 years. How this isn’t the obvious way to go is beyond me. I would cringe every time someone took a photo of Top Secret plans on whiteboard, where they get mixed right in with pics of their kid’s birthday party.
> I also was given a PCI Express (see, I told you this was a long time ago) cellular device which would let me get online with the company laptop from anywhere it had service.
Was this supposed to be PCMCIA or ExpressCard? It's not obvious to me how describing a laptop peripheral as being PCI Express-based is particularly effective at highlighting its anachronistic nature.
> Well, if you end up using any amount of storage (like backing up the device), they are going to want you to pay for it. You'll probably end up typing in a credit card number and all of that stuff.
I don't get this bit. Are you expected to pay for the cloud backup of your work laptop with your own money?
It is insanity that a company as “big” as Lyft is not providing a Corp phone to employees and forcing them to install and connect to so many work related apps and network elements on their own non-work-supplied phone. Absolute insanity.
That's the second time I've seen that phrase in this thread. What does dog fooding mean in this context? Is it that dogs will eat anything? I don't understand.
“Dog fooding” comes from “to eat [one’s] own dogfood.” An analogy to a dog food producer claiming their product is so good that it’s tested by their (human) employees.
The term has been around in IT for quite a long time too. It predates my career in tech for sure. I just read Showstopper! published in 1994, and the term was used in that book referencing when the NT developers were directed to use Windows NT on their systems way early on in the dev landscape of NT.
This is another reason why I Remote Desktop to corporate machines from my personal ones. Fully insulated access to corporate stuff (I turn off file and printer sharing, obviously, although they’re usually disabled anyway), but I get to use my monitors, keyboard, mouse, etc. and don’t have to physically plug in anything.
I would like to do the same but I don’t want to run my employer's VPN software on my machine (they don’t need to see my local machine's network traffic). Does your work not use a VPN?
Depends on the VPN; at a previous job that used one, it was anyconnect, so I could just use openconnect on my local machine and never need anything that the company truly controlled locally
I guess I have been lucky to work in groups that were fairly focused on operational and personal security which requires quite a bit of separation between business and personal. Although the larger organization always has broad-brush security measures that lump it all together.
Pretty sure my next phone will be a feature phone.
If you’re working a tech job, you almost certainly have the bucks to get the extra device. Personally, I think it’s a bit scummy that a business would ask employees to do work on a device they didn’t pay for, but that’s a digression.
The long and short of it, I think, is that you should keep things separate because a job is not forever so you should remain prepared to leave, and to keep them from snooping in your personal business. Yeah yeah that probably won’t happen, but if you keep em separate you know it won’t.
MDM and similar also give them the ability to wipe the device at any time, for reasons that could have absolutely nothing to do with you. You know, as a precaution, of course.
I'm of the opinion that until I retire, I do not have the "extra money" to do anything for my job out of my own pocket. They can pay me for their requirements if they go against my better judgement.
My current job does not require that I put anything on my phone, though I've chosen to check my work email there. I could take it off at any time, though, without repercussions. They've treated me well, there's nothing in my contract about their data on my devices, and I like to keep up with what's going on. If any of that changed, I'd remove it from my phone.
The shameful thing is that there is no earthly reason why we need separate devices. There should be appropriate isolation mechanisms so that corp-ware stays in corp-land and personal crap stays over on its side of the fence. We have dual sim devices now, so we can even assign entirely separate plans to different device partitions. Separate devices just create more senseless e-waste.
> There should be appropriate isolation mechanisms so that corp-ware stays in corp-land and personal crap stays over on its side of the fence
This already exists and I use it every day: separate work and personal profiles on the same device or app.
I think most browsers support this out of the box. My phone's work profile actually shuts off automatically on vacation days from work and I have to consciously enable it if I want to check work email or chat.
This works fine from a technical perspective, but how is it from a legal perspective? eg if the company gets sued and they want to freeze “your device”, will the lawyers be happy freezing the corp partition, or will they demand the full physical object?
> The shameful thing is that there is no earthly reason why we need separate devices. There should be appropriate isolation mechanisms so that corp-ware stays in corp-land and personal crap stays over on its side of the fence.
And we have that. Companies not trusting the tech is a separate problem.
The problem is that someone has full control over that device in the end (to keep this argument simple, let's ignore how Apple or Google fits into this picture). And you and the company you are working for may not agree on who that admin should be. On a device I own and fully control, I would be able to create a separate user profile for work, but the company may not like how I manage the device, nor can it ensure that I follow the company security policy when using my personal device. And vice versa, I won't be comfortable with creating a private profile on a company controlled device.