Can your boss read your emails and check your online activities?

hajime

macrumors 603
Original poster
Jul 23, 2007
5,651
787
Hello, I asked a colleague to order something for me online. She told me that she has to do it after work because the workplace has some kind of tracking software to track online activities.

My mac at work is owned by the university but they only manage the Windows partition. Under the Mac OS, I can only use the browser. I cannot even connect to the printer nor network drives. My questions are:

1. If I send/receive emails on my laptop, can my boss read the messages:
a) if I use work email account
b) if I use private email account (e.g. yahoo, hotmail) that has been logged on using this work computer at work

2. If I browse the internet and use the mac on the workplace network

3. Is the only secure way is to use my private computer and a private email account (not logged in under the workplace network) on a non-workplace network?
 

pdjudd

macrumors 601
Jun 19, 2007
4,041
65
Plymouth, MN
The answers to your question depends on how things are configured further down the pipe so to speak, but in general, yes - employers can and do have the ability to monitor and restrict all forms of traffic. You need to ask the IT department about what their policies are, but with private email I can tell you that they cannot read the messages themselves - they don't have access to the servers. Corporate email, yes, private generally no. They can check for traffic on private email but unless they have a specific policy against it, they won't bother.

Question 2 is yes they can monitor web traffic. Lots of companies do it and there are lots of ways to do it.

Question number 3 isn't a question of security but of privacy. That your employer can monitor traffic is to be expected - you don't own the pipe and therefore you don't get to dictate terms. They stuff your employer does can be done on your own network. That doesn't make it any more or less secure since these measures are by design. If you are concerned about privacy don't use your employers internet pipes to do things. If you have any questions about what is allowed or not, ask a manager of your IT department or HR.
 

hajime

macrumors 603
Original poster
Jul 23, 2007
5,651
787
with private email I can tell you that they cannot read the messages themselves - they don't have access to the servers. Corporate email, yes, private generally no. They can check for traffic on private email but unless they have a specific policy against it, they won't bother.
If I logon to my private email account (e.g. yahoo, hotmail) on a computer (be it private or company owned) under the workplace network, they can get the password and userid as these information need to be sent to the remote yahoo/hotmail server. So, they can read the messages. Am I wrong?

If I want to talk about bad things about the IT department and my boss with my friends, which is the most secure way?
 

pdjudd

macrumors 601
Jun 19, 2007
4,041
65
Plymouth, MN
If I logon to my private email account (e.g. yahoo, hotmail) on a computer (be it private or company owned) under the workplace network, they can get the password and userid as these information need to be sent to the remote yahoo/hotmail server. So, they can read the messages. Am I wrong?
No, they cannot intercept your credentials assuming they are sent using SSL. They cannot get into your private mailbox that way unless the host is not using basic security. They can tell what sites your go to, but they can't read specific emails or anything. They can tell that you may be accessing Gmail for example, but they cannot tell that you are emailing your mom. They would have to break several laws to break into a third party company.

If I want to talk about bad things about the IT department and my boss with my friends, which is the most secure way?
Sorry. As an IT professional, I am not going to tell you any methods that are going to be secure at work. Do it on your own time and your own dime. I can tell you that IT departments are concerned about enforcing your policy and we have rules too, but if I had good cause to think you are creating a hostile work environment , I would still report you to HR - but I wouldn't do it by spying on you without just cause. Not only is that unethical, it would get me into trouble as well. If you think it's not appropriate to to verbally, don't use company resources to do it.

And word to the wise, badmouthing any employee is just going to get you into trouble in some fashion. Most employers do not take kindly to such things.
 

yg17

macrumors G5
Aug 1, 2004
14,911
2,480
St. Louis, MO
No, they cannot intercept your credentials assuming they are sent using SSL. They cannot get into your private mailbox that way unless the host is not using basic security. They can tell what sites your go to, but they can't read specific emails or anything. They can tell that you may be accessing Gmail for example, but they cannot tell that you are emailing your mom. They would have to break several laws to break into a third party company.
They can absolutely get into his personal inbox if they're using a keylogger. Or they could be using a screen recorder to see what he's doing. This would be an extreme and I wouldn't want to work for a company that did that sort of thing, but it's not impossible.

If I want to talk about bad things about the IT department and my boss with my friends, which is the most secure way?
Use a personal phone or computer that the IT department hasn't touched. Or do it in person.
 

hajime

macrumors 603
Original poster
Jul 23, 2007
5,651
787
They can absolutely get into his personal inbox if they're using a keylogger. Or they could be using a screen recorder to see what he's doing. This would be an extreme and I wouldn't want to work for a company that did that sort of thing, but it's not impossible.


Use a personal phone or computer that the IT department hasn't touched. Or do it in person.
You mean a computer that has not been on the company network as well?
 

pdjudd

macrumors 601
Jun 19, 2007
4,041
65
Plymouth, MN
They can absolutely get into his personal inbox if they're using a keylogger. Or they could be using a screen recorder to see what he's doing. This would be an extreme and I wouldn't want to work for a company that did that sort of thing, but it's not impossible.
They could do that, but IT departments tend not to do that sort of things unless they actually have just cause since it can expose themselves to serious legal threats. I work in a pretty heavily regulated company and we don't even do that. We just block any mail services but our own via a firewall. That is way easier to do that.

Installing a keylogger is kinda pointless - we just control what they can and cannot get at. Far easier. Screen recording would't be done without cause though - most IT folks have better things to to than playing big brother. I was trying to be realistic based on what a company is likely to be using.

My only advice to the OP is if they want to badmouth the IT department, don't do it at work period. Not only is it likely to be against an HR workplace policy, it's just a stupid idea in general to do it on the companies dime.
 

velocityg4

macrumors 601
Dec 19, 2004
4,639
1,216
Georgia
You mean a computer that has not been on the company network as well?
Just your own personal computer they haven't done anything physically to. They would still know what websites you visited or that you accessed email. Just not what exactly.

If you want to be even more secure you could use a VPN service with your personal computer like AirVPN. That way as far as the work is concerned you are just connected to that one VPN. All traffic between the VPN and your laptop is encrypted.

You could also just get a 4G hotspot or card for your laptop. Then you can browse the internet without using the schools resources.

Although since you work at a university. I'd wager that the IT department is way too busy to give a rat's ass about what you are doing on the computer and record your activity. They've got thousands of students constantly accessing the internet.
 

hajime

macrumors 603
Original poster
Jul 23, 2007
5,651
787
How do I check if they have installed keylogger or a screen recorder under Mac OS?
 

hallux

macrumors 68030
Apr 25, 2012
2,777
485
How do I check if they have installed keylogger or a screen recorder under Mac OS?
The point of such applications dictates that they be invisible, you won't be able to tell.

Typically, in order to gain access to network resources of any kind, one needs to agree to an AUP (acceptable use policy) which spells out what you can and can't do while utilizing those resources. It would also spell out what the company or employer reserves the right to do with regards to monitoring activity.
 

benwiggy

macrumors 68020
Jun 15, 2012
2,186
15
How do I check if they have installed keylogger or a screen recorder under Mac OS?
It's not really worth an employers' time and effort to monitor all their employees' internet usage -- that's a lot of man hours.
It's much more likely that they will have a proxy server, preventing access to FaceBook etc, and they will make you sign an agreement about acceptable usage, as already mentioned.

If you really want to find out what the company is doing, buy one of the Techies a drink.

Otherwise: if you want to do something and you don't want the company to know about it, don't use their resources to do it.