43

I work from home most of the time. I use my corporate laptop for work, and I keep my personal laptop open as a second monitor, for internet research. Whenever I open Google Translate or Linguee on my personal laptop, I get a pop-up window on my professional laptop telling me that a translation website must not be used to disclose protected information.

So it means that there is software on my professional laptop constantly monitoring all the network activity, and the websites accessed by any device on the network (even personal devices). Is this legal under EU law?

Glorfindel
user4780495
  • 7
    Are you using a VPN from your personal machine? – Erik Nov 03 '21 at 08:19
  • 21
    OP, this is probably not the right venue for your question. Although your question arose in a work-related context, your question concerns the legal framework. https://law.stackexchange.com/ might be better suited. However, given that legality likely depends on technical implementation https://security.stackexchange.com/ is likely to have experts (often with basic knowledge of the legal framework) with the right background. – MvZ Nov 03 '21 at 09:22
  • 27
    Wait a minute, when you say you use your personal laptop as a second monitor, do you mean you have it connected directly to your work laptop and it is acting as another screen? Or are they separate computers? – Seth R Nov 03 '21 at 15:31
  • 11
    Thank you for the answers. Some clarifications: I don't use a VPN on my personal laptop. The two laptops are not physically connected (it may be misleading when I wrote "secondary monitor", I meant secondary device). The only link between the two laptops is that they are connected to the same WiFi network. – user4780495 Nov 03 '21 at 19:12
  • 5
    As a test, on the personal machine, install Firefox (or another browser that's independent of what you've already got; if you've already got Firefox, set up a new profile). Don't sign in to anything. Visit the same websites. This will test whether your Google or MS account is being used to keep track. In theory an incognito Chrome window (again on your personal machine) should do the same, and would be quick to test if you run Chrome anyway, but I'd start from clean to be sure. – Chris H Nov 04 '21 at 08:38
  • 1
    Another test on your personal machine, like all my ideas: if you have the means to use an independent network connection (e.g. disconnect from WiFi and tether to your mobile phone) then load the sites that cause the problem. If the first test comes up clean but this doesn't, they're doing something strange and nasty on your WiFi (and you should be sure to shut down your work machine when doing anything personal on your personal machine) – Chris H Nov 04 '21 at 08:41
  • 3
    Yet another thought: Have you ever set up your personal machine for working from home? If so what exactly did you do? A lot of people without work laptops had to early in the pandemic when everyone was working from home. – Chris H Nov 04 '21 at 08:47
  • Are the 2 laptops connected to WiFi separately or through WiFi tethering, WiFi direct or similar indirections? – Pablo H Nov 04 '21 at 13:45
  • 7
    Are you in any way sharing accounts between the two computers? – Thorbjørn Ravn Andersen Nov 04 '21 at 14:02
  • 4
    You can edit the question after you first write it. Recommend you do that for the key "secondary monitor" --> "secondary device" issue, because that's pretty important and possibly confusing. – Daniel R. Collins Nov 04 '21 at 15:25

3 Answers

84

If you place your personal laptop, let's say, on the kitchen table and connect it to your wi-fi, and your work laptop on your desk and connect it to your work (probably using your wi-fi and a VPN), there should be no way that your professional laptop can know what your personal laptop is doing.

If it does, that would be considered hacking/invasive and certainly against EU law.

Now... I don't think your employer does it. It is a lot more likely that your setup of computers at home is not as strictly separated as I described. You probably have your personal laptop somehow connected to your professional laptop. Either because you use it only as a second monitor as described, or maybe because it's connected to the work VPN, too.

Please also note that if you are logged in with, for example, your Google account in the Chrome browser on both laptops, it will synchronize between those two. You can turn it off, but if you don't, yes, your employer will find out what you did on your personal laptop.

Again, it is very unlikely that your employer has any kind of criminal hacking activity going on; it is very likely that you got something wrong in your own setup of devices and online accounts.

If you have a specific question about your specific setup, you can probably get help on Information Security SE. Be prepared that they need a lot more technical details to give you a good explanation for what happens.

Glorfindel
nvoigt
  • 5
    This is the correct answer. @user4780495 please let us know what part of your setup was bridging your work and personal laptop once you figure it out. – Gregory Currie Nov 03 '21 at 10:50
  • @user4780495 have you considered connecting your work laptop to a standalone monitor to see the behaviour and in a separate isolation session. Is your laptop connected with an isolated work profile or your main profile when you have connected in this way? I agree with the other posters, it sounds like the issue is accounts and not network related. Personally I'd look at a monitor rather than laptop to research on, as that keeps work on the one device and personal on another. Work research is still work so should have no issues keeping it on that device – DeveloperGuy Nov 03 '21 at 12:02
  • 2
    You don't think two devices on the same WiFi network can talk to each other?? – deep64blue Nov 03 '21 at 14:58
  • 15
    @AlanDev not without some deliberate action to make them talk to each other, no. – Seth R Nov 03 '21 at 15:05
  • 1
    If the VPN is split tunnel then network traffic would still be routed through OP's Wi-Fi. On split tunnel the work network would not know what sites OP is visiting. All they can see is how long the VPN connection has been active – Dan K Nov 03 '21 at 18:02
  • 9
    I don't use a VPN on my personal laptop, and there is no physical connection between the two devices. An interesting point that you raised is the synchronization of my browser history due to my Google account sync on Chrome. I will try with another browser and let you know. – user4780495 Nov 03 '21 at 19:14
  • 22
    @user4780495 a good practice is to have a separate, throw-away gmail account for logging into work computers and the like if necessary. Having your personal e-mail logged into a work computer is all sorts of risky. – T. Sar Nov 03 '21 at 20:08
  • 5
    @user4780495, I suggest you take it a step further than just using a different browser. Make sure you are not logged into any Google account on your personal machine. Even with a different browser, Google accounts will stay connected if you are logged in, especially when using a Google service like Translate. – Seth R Nov 03 '21 at 20:26
  • 1
    @user4780495 This thread is relevant: https://workplace.stackexchange.com/questions/75267/company-policy-violation-due-to-browser-history-syncing – Michael McFarlane Nov 03 '21 at 21:00
  • 3
    These days, very often MacOS and iOS devices default into trying to communicate with each other, especially with (somehow identifiably) "the same user". Trying to be helpful... – paul garrett Nov 03 '21 at 21:51
  • 1
    The Google account & Chrome thing is also true about Edge and a Microsoft or corporate Azure/M365 account. If both computers are in some way logged on to the same cloud Microsoft account, services like Advanced Threat Analytics could be monitoring actions on both devices – Todd Wilcox Nov 04 '21 at 00:52
  • @T.Sar I don't actually disagree, but in other places it's common to sign in to Google for your calendar etc. on a work machine. I don't use gmail or chrome (signed in) much at all, so there's not much to sync - but thunderbird on my work machine is signed in to my primary personal email. This is academia though, where there's a bit more freedom and a rather fuzzy line between personal and work – Chris H Nov 04 '21 at 08:45
  • Most corporate VPNs are going to be split tunnel nowadays, since having all traffic from all employees go through the company's VPN servers would overwhelm those servers, and everyone is working remotely nowadays for some strange reason. – 2rs2ts Nov 04 '21 at 18:30
  • 1
    I confirm that it is the Google Chrome account synchronization that allowed the employer to monitor my personal activity. In Chrome on my work laptop I have the message: "Your browser is managed by your organization". I simply disabled the history synchronization. – user4780495 Dec 01 '21 at 10:45
9

I would call your company's IT department and have them figure out what's going on. They shouldn't know what your private computer is doing. They don't care what your private computer is doing. They most likely don't want to know because it can only cause problems. Like your wife might come into your room and use your private computer; that's a legal minefield if the company records what she is doing.

They may be able to figure out what's going on. For example, my private laptop can access the internet through another laptop of the same brand if I set up both computers accordingly, and in that case the company would probably see everything my private computer does because it's actually the work computer accessing the internet and passing everything on to the private computer.

gnasher729
4

I am not a lawyer, so the legal question is answered only to a "probably, to my layman understanding" level (Germany).

Assuming that this is more than a coincidence:

This probably depends on the country and the means by which it is achieved, and the fine print which you signed when you got the laptop from your employer.

Things which come to my mind are:

  • Passive monitoring (although I am not 100% sure how that would work on a WiFi network) of IP traffic, and flagging DNS requests: Not nice, but as long as you signed something probably legal if the device does not store this information but only warns you.

  • Inserting the own machine via acting as a DHCP server: Not nice, not reliable, a lot of hassle, would be very much like your business laptop "sharing" its internet connection and competing with your router...

  • Inserting the professional laptop via ARP spoofing and intercepting the connections to the router actively. Definitely hostile, probably illegal even if general permission to monitor the network is granted.

So I assume that it is passive, and (assuming it was listed hidden in the fine print) legal as long as certain provisions (no storage of the data) are kept, probably legal.

  • Use a VPN on your personal laptop
  • Connect one of your laptops to the "Guest" network of your router and see if it continues

If it continues, something else is happening.

Sascha
  • 9
    I don't believe even point 1 can be legal in Germany in any way, even if it is part of the employment contract. OP is allowed to have a family member or basically anyone using their personal WiFi network. These people have rights and OP can't sign them away. –  Nov 04 '21 at 11:34
  • 1
    "depends on the country" - with the EU being the big exception to that rule, and this question is tagged EU. In the EU this rapidly rises to the level of criminal offense. – MSalters Nov 04 '21 at 15:40
  • @MSalters this would break all kind of privacy laws, to the point that I find it hard to imagine a company would be crazy enough to implement something like this – user3399 Nov 04 '21 at 15:44
  • @Roland: But if they sign that they carry the work out on a separate isolated network, it's another story. Also, a passive monitoring with no data storage/collection or transmission intercepting unencrypted traffic is per se not necessarily affected by privacy rules. – Sascha Nov 04 '21 at 19:38
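
A way to check, from the personal laptop, for the ARP-spoofing scenario listed in Sascha's answer above: in that case the router's IP and another host's IP resolve to the same MAC address in the neighbour table. This is an added example, not part of any answer or comment on this page; the function names are hypothetical and the `ip neigh show` text is constructed sample data in the Linux iproute2 format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip neigh show` output (not captured from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:52:82:aa:10:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:52:82:aa:10:01 STALE
192.168.1.40 dev wlan0 lladdr 9e:11:04:5b:77:c2 DELAY
192.168.1.77 dev wlan0 FAILED
fe80::3e52:82ff:feaa:1001 dev wlan0 lladdr 3c:52:82:aa:10:01 router REACHABLE
"""


def parse_neighbors(text):
    """Yield (ip, mac) for every entry that has a resolved link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED / INCOMPLETE entries carry no MAC
        pos = fields.index("lladdr") + 1
        if pos >= len(fields):
            continue  # truncated line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a neighbour entry
        yield ip, fields[pos].lower()


def shared_macs(text):
    """Map MAC -> IPv4 addresses, for MACs that answer for several IPv4 hosts."""
    by_mac = defaultdict(set)
    for ip, mac in parse_neighbors(text):
        if ip.version == 4:  # one MAC holding an IPv4 and an IPv6 address is normal
            by_mac[mac].add(str(ip))
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def hosts_sharing_gateway_mac(text, gateway_ip):
    """IPv4 hosts whose MAC equals the one currently cached for the gateway."""
    for ips in shared_macs(text).values():
        if gateway_ip in ips:
            return [ip for ip in ips if ip != gateway_ip]
    return []


if __name__ == "__main__":
    print(hosts_sharing_gateway_mac(SAMPLE_NEIGH, "192.168.1.1"))
```

An empty result means nothing in the table is answering for the router's address; a non-empty one only identifies which host to look at, since some repeaters and mesh nodes answer ARP on behalf of other devices.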