I worked for a big company that had various spyware thingies installed on all the company laptops, but they let you use your personal mobile devices for work (including iPad which was pretty nice) -- and wanted you to install their preferred spyware on it. I didn't do that but I expected they would eventually tell me to do it or stop using my personal iPad.

It seems like now that it's technically feasible, big corporate IT managers want their spyware of choice running everywhere. Someday you will have an arm full of Apple Watches, one for each client. You should embrace this future and price it in.

TLDR; Make sure MDM profiles are gone and the laptops are cleared before doing anything personal :D

Should we though? what you and the parent outline is a most sensible way of accommodating it while minimising invasion of privacy, however I question the underlying reasoning, and therefore whether or not we should encourage it. What perceived gains are to be had beyond merely box checking for accreditations? and in those cases why is it part of those accreditations, what is the intended effect? I can think of a few but they are all flawed or attempting to enforce something impossible:

1. Preventing leaking code/IP (But if you can't trust them they could just as easily take a picture of the screen, capture the HDMI, copy the drive, even log their own keyboard... there are always side channels unless you physically control the environment).

2. Preventing them from doing something malicious... But if they are writing code for you and they are untrustworthy, isn't it already game over?

3. Bean counting, monitoring time spent at keyboard etc - which we all know is not an accurate metric of productivity for cognitive work.

4. Similarly to #1 and #2, unintentional breach or security issues, i.e you trust the person but not their device or their ability to secure their own device - In which case spyware seems wholly inadequate to cope with this situation, if you are serious about this, you should be controlling the hardware and OS (which lots of orgs with highly sensitive info do).

In all these cases spyware is futile. Am I missing something?

Very much required for compliance, zero trust, protection of IP, and foundational to a reasonable security plan.

On second thought, this _is_ the answer... they are making a compromise on security, it's an economic decision. Maybe it makes sense from a business perspective: check some boxes, get a bit of security (not much) for almost nothing - but as you can probably tell, I think it's both pretentious and disrespectful.

That said, a lot of users _want_ to use their own devices (maybe they have better equipment, maybe it's less locked down, maybe they don't want duplicates). It's not sane for the business to allow a device that is more likely to be compromised and/or have poor security hygiene on the network.

I'm a fan of privacy but... At least on my team, we're definitely not spying on you, we're making sure you have a password, encryption, antivirus, and updates installed before you can connect to resources. It's shocking how many people don't have authentication enabled and run as root, if they have a choice, on their home system. That said - we could flip switches and do a lot more spying if it was mandated :/

Not if they are at the point where they need SOC2 cert, and where they install agents on their employees computers (and want to extend that to their suppliers).

But there are a couple of our contractors that rejected this for exactly this reason (they had other clients). For one of them, we just bought him a laptop that he does all our work on (it cost less than 1 day of his time, so it was a no brainer), and the other, we realized we didn't have to as long as he did periodic (documented) reporting of screenshots of his OS version being up to date, Disk Encryption enabled, and screen saver settings are appropriate. And they legally attest that they make a best faith effort to delete any sensitive data off their laptops (if they ever download it).

We've talked to a couple of auditors and that seems to be sufficient and pragmatic as it accomplishes the same goal.

Every company I’ve ever worked at, and that includes very large ones, will have legal, HR, and finance tell you at some point that “you must do X”. Sometimes X is no big deal and you do it. Sometimes it’s hard, and you ask the business to fund it or remove the requirement. Sometimes it’s nonsensical in your context and at that point the job becomes understanding why X is a requirement and how you can satisfy that requirement in some more pragmatic way.

At the end of the day, these functions are there to support the business.

One day they sent out a particularly onerous "agreement" that said that we agreed not to use a phone while driving a car and doing so would be cause for termination etc.

I went down to HR and asked them if they were really trying to regulate what I was doing in my personal vehicle with my personal phone and they replied "No, its only meant for when you're in a company vehicle or using a company phone."

But the agreement itself clearly stated any phone any car.

The workaround I came up with was this-- a friend of mine and I swapped forms, and signed each others names. HR had their illegal, unenforceable agreement, and life moved on.

I got my "revenge" 6 months or so later. HR was frantically calling me for some reason-- I was stuck on the freeway as is our custom in Orange County. I ignored them for something like two hours, and explained that "I was stuck in traffic and as they were no doubt aware, we are prohibited by company policy from using our phones while operating a vehicle."

The HR gal was visibly pissed off, but to be fair, I could have been fired for answering that phone call.

I am not a lawyer, obviously, but what I meant was, threatening someone to sign a legal document can't be legal, even if its your employer.

If the company made the mistake of creating a policy that they use this software as one of their controls, then the auditor will ding them if they don’t use it.

It’s an absurd system.

A PCI question asks if all outbound traffic is explicitly authorized. I took that to mean getting a list of all the IPs for the APIs of services we hit, and even constructed that entire list except for one, the payment processor itself.

The payment processor did not have any stable IPs, and could not give me a list. Their official solution was to have our policy be that we explicitly allow _all_ outbound traffic.

If such an option is allowed by PCI, what is even the point of making it a requirement?

I made that joke to a VP once, and he brightened up and said "Yes! Exactly! Because until you're actually following explicit processes, you don't even know what you're doing wrong, in order to fix it!"

So I'm a lot less cynical about auditing certifications like this now.

The point of all those certifications (I took companies through the processes required for PCI, SOC2, and ISO27001 ) is security theater, a path in the back for the execs, the ability to have "I'm not to blame, I have this cert" in case of some shit happening, and the ability for sales to throw TLAs to prospects to show how Seriously(tm) the company takes security. Oh, and to check boxes to be able to transact with some large corporations.

There are plenty of stories of highly certified companies that were deeply penetrated and exposed, and all their security theater did not help.

The problem isn't these low bars, but rather the market for services to "help" people clear them, and the widespread perception that the bars are higher than they actually are.

My point is that if/when you get to need a SOC2 certification, you put the resources towards this, and you definitely have the financial/org means to procure hardware to suppliers if required.

Just remember to put some customized adhesives telling what laptop is rented to what customer.

That's not OP's problem.

Noooo. Armfuls of watches are just for hilarious movies and such. It's not supposed to have a corporate elementttt. The cyberpunk vibes are too much with this.

I wouldn't offer this. You're still going to need to login to Github/email/wherever with your personal password, manage private keys, and stuff like that. Just say no.

At one point I had 3 sets of machines: Two different 14" laptops from two different clients and my own machines. At some point you simply run out of space on your desk and end up constantly either working on screens that are too small (14" really isn't enough to be productive), or plugging laptops in to and out of screens as you're context-switching. Carrying three laptops with you when you're travelling if you anticipate having to work for both clients during that timeframe is also not exactly my definition of great fun. And you end up duplicating a lot of effort around managing that IT, like tweaking settings the way you like them etc.

The argument "we own this laptop, so we can do with it whatever we want, including spying on you" is just not valid. They're either doing things that I'm okay with, in which case I'm okay doing it on my own hardware. Or they're doing things I'm opposed to, in which case I'm opposed to it no matter who owns the hardware.

Also: In many European countries, authorities are clamping down hard on practices whereby companies pass people off as contractors who really are employees. They usually work off of lists of criteria of what makes an employee, and if you fit too many of those criteria while, on paper, passing yourself off as a contractor, then you and your client can be in for a world of pain. One of the criteria that makes you look more like a contractor and less like an employee to the government is providing your own facilities like the computer you work with.

And, last but not least, it's just not a good way of dealing with the planet's resources.

Off the top of my head, remote wipes/resets make sense. Frankly, I prefer the company has that option, just in case I lose my work laptop. Encryption should cover it, but I'll take the backup.

Compliance agents also have a legitimate reason to exist, but I don't want them on my personal PC. Some places maintain lists of allowed software (I think in part so they can track/inventory them for compliance stuff). I respect that they have the right to restrict what I install on my work laptop, but I reserve the right to install whatever I please on my own computer.

It would also not be insane for a company to do automated backups of company laptops to company servers. You want a way for Joe in marketing to get his data back when his cat pees on his laptop. I do not want all my personal documents on company servers.

The amount of compromising content we've seen and or found on investigations is mind blowing. No one needs that on a work computer. Keep your private life private from your employer.

The above two comments however seem to be arguing from the viewpoint "this is just an individual person and any individual person surely needs babysitting by a big mighty corporate IT department because otherwise they can be expected to do stupid things like losing storage media with important data and not having backups, never doing updates, having their computers full of spyware, intermingling private stuff and work stuff from different clients in such a way that there's data leakage, etc. etc."

If you want to truly treat a contractor as a contractor, you should think about it as your IT needing to interface with their IT in such a way that it makes sense for both parties. And "here, use this laptop" is just frequently a bad solution from the point of view of the contractor's IT.

I also heavily object to the notion that any expectation of privacy goes away on a company laptop.

Ideologies and realties are different. If you care about personal data, don’t put it on the company. The company however has a huge liability with your personal data. I’ve mentioned else where I have dealt with issues of personal data becoming an issue for the company via blackmail, or in a couple cases, the company was legally required to report child pornography. So yeah, if you don’t want the company to know, don’t put it on their equipment. If you buy dedicated equipment for work, use it for work and work only. If you want to use your machine for Everything, that’s fine, but understand the risks and the lack of an expectation to privacy.

But I'm not sure what country and what legal concept it is that you are referring to when you say "it's been held up in court multiple times that..." I'm based in Germany and have recently undergone GDPR-related training with a lawyer specializing in privacy law. In the training, the lawyer explained court cases that involved regrettable intermingling of work and private data in a company's IT. The result was that the law then started looking at that company's IT as being more akin to a telecommunication provider, with similar legal provisions coming into effect regarding telecommunication privacy.

Also: Anyone who lets their mind jump straight from "privacy" to "porn" is missing a big part of the picture of what privacy is all about. The way I think about it, it's a basic psychological need. Your psyche can be in a "public mode" where it assumes that any and all information flows emanating from you are out there for everyone to see and do with as they please. The result is that you have to put up huge amounts of self control which is psychologically exhausting. Therefore, the psyche seeks private spaces, where you don't need to control yourself as much because you know that nobody is watching.

The fight for privacy in the digital sphere is about ensuring that, just because our psyches are nowadays constantly linked to digital devices, this doesn't result in our psyches having to operate in "public mode" all the time.

It's about establishing clear delineations of who gets to receive what information flows relating to you and how they can potentially use that information against you.

For example: A company does time tracking through Excel sheets, but they also have IT security logs that keep track of people logging into and out of work machines. One day the company decides to run a project: They put the two data sources side by side and identify employees likely to be cheating on their time sheets. They fire the employees. ...this sets in motion a psychological effect in the remaining employees: They realize that they have a very poor understanding of what information the company's IT is collecting, and they don'T know how that information might one day be used against them. So all they can do is assume the worst. That means putting their psyches in "public mode" all the time, assuming the machine knows and sees everything, and the employer will use that information against employees at whatever time and in whatever manner suits them. The psychological damage done by this is precisely what we need to avoid!

And the GDPR will usually actually prohibit such things: The company's register of data processing activities will tie the security logs to the purpose of providing IT security. And it will tie the Excel timesheets to the purpose of time tracking. If you start using the security logs for time tracking purposes, you are using the data cross-purpose and are in violation of the GDPR and risk a hefty fine. This is a model usecase of what the GDPR is actually good for, and it clearly relates to protecting individuals' reasonable expectations of privacy in relation to their company's IT.

I had informed the client that I will be disposing of them when I’m back if they don’t handle it and that any and all third party liability well fall on the direct supervisor if he can’t organize the transfer.

Needlessly to say even me connecting them directly to the courier was not enough.

My guess is that the OP depends on the money otherwise he wouldn’t be asking for help. So either but a cheap laptop and then control it with barrier[1] from your main driver and don’t ask(because whatever you ask they will probably say no). Or let them ship theirs to you, but I’m willing to bet that it be worse than whatever second machine you get.

In the meantime I would suggest you look for a new client because judging from experience there is a lot more pain to come. I didn’t do it in time and ended up paying dearly for my lack of initiative on that front.

[1] https://github.com/debauchee/barrier

Would you like them to have some controls in place to prevent that?

Would you like that to be enforced consistently and audited?

Would you like them to provide you with a certification that their procedures to ensure that doesn’t happen meet some minimal standard?

Congratulations, you have invented ‘demanding SOC2 compliance from vendors’.

And the upshot of it is that some contractors have to put up with jumping through some hoops.

I work primarily from a 13" xps. Given the high-res display + that I can switch desktops easily via i3, it's really a non issue for what I do.

You can also use a dock. For my work laptop, I use the Caldigit TS3+ thunderbolt and it's great.

You want to separate your customer's work from your personal or other clients' data, even if they don't install any spyware on your computer. How are you supposed to ensure that you don't accidentally breach any NDAs (that you, no doubt, had to sign) if you are commingling the stuff?

I’ve recently been contracting and the only private account I used was GitHub, and that was a conscious decision to maintain a single public developer identity.

Otherwise, I expected them to provide all hardware and software required to perform my role.

And likewise, for security purposes, that’s exactly what they wanted as well.

Tho I would note, they wanted to perform a background check prior to starting. And while i didn’t have a problem with the employer having those details (for the period of the contract) they performed this function through a 3rd party, who has stated they won’t delete my data (I will be following up post-contract). I was not happy for a 3rd party to have this data.

I would also not login to or install any apps, or certificates on my phone. Again, if that’s required, send me a phone.

The company I was working for had SOC2 / ISO2700 / what ever and I think this is exactly why they wanted all this. But it suited me to seperate things as well.

Virtualized desktops have been solved. All the major players offer them. FFS, you can run Xbox One games in the cloud and play in your browser now.

For large companies supplying VDI to consultants tend to be an standardized package that gets billed back to whatever project is hiring the consultants but for mid-sized organisation VDI is a big scary word that's going to require special handling.

Most desktop support teams are completely dependent on standardization to the point where they tend to turn into complete control freaks, that panic at the thought of anything that is not "by the book", so they often just apply the book without additional budgets to external consultants.

It’s not a hard rule. It’s just one of a number of tests. But contractors are generally expected to provide their own tools.

I probably was more of a “temporary employee” than a contractor. But what’s the difference at that point? I was paid more than the value of entitlements as cash. It suited both parties, and was mutually agreed.

In hindsight, having them provide the hardware, and then handing it back at the end of the engagement would be my preference. It reduced any risks for them and me.

Tho I can easily imagine on/off or short infrequent contracting scenarios that this would not work for.

If you’re a temporary employee, the employer is responsible for payroll taxes, and has additional obligations to you (depending on the state). You’re obligations— both to your employer and to the IRS—are different as well.

I’m addition to unlawfully skirting regulations, misclassifying an employee as a contractor is essentially stealing from the employee by reducing the company’s tax burden and increasing the employee’s.

If you want to be really cheeky, could get some value-added margin on it too, and as a bonus, AIUI it would be yours to keep after the engagement, rather than having to return hardware they've assigned to you.

Might be tough to get past finance though, unless they really want that certification :)

Yeah like sending invoices arranging contracts I use my main mail account. For doing customer things I rather setup new email account or get one from the customer.

You can always make separate github accounts, SSH keys, and so on, specifically for the job.

Uh, hell no. You should have business accounts.

Personal and business never mix.

a lot of developers have separate everything

this can be bad when encountering the recruiters and hiring managers that still look at github activity as clout, but these days you still have to pass the technical interview no matter how much clout you have so I wouldn't worry about it

And they will install a trojan which would eavesdrop your talks, scan your home network and analyze its traffic.

Someone has to start stopping this madness and protect less informed people. We are all steering into a dark future. And i lose hope when i see all these smart programmers complaining but not stepping up.

Whatever the app they would ask you to install would do probably is going to be allowed by its EULA (and I bet the EULA is also going to prohibit you from analyzing the app and whatever it does/communicates) and chances are you don't read it. And even if you do you most probably agree because you know all EULAs are brutal and there never is a button to object its specific part and continue.

What we need is legislation to recognize all the data and metadata about your PC, all its software, your home networks&devices and their usage a kind of personal data and apply the same rules GDPR applies to tracking cookies - giving you the right to continue without agreeing to be spied on.

Most companies don't want to spy on their employees' free time. They want to 1- make sure they are compliant with the law and their confidential stuff is secure and 2 - make sure that you are actually working for them when you say you are.

Installing something to listen to non-work related stuff serves neither of these goals, and would open them up to lawsuits and PR nightmares.

(I should say that intentional monitoring of my private comms was never a concern for me when I freelanced, but I was somewhat worried about infections in my clients' devices moving laterally to my home network.)

The type of network segmentation being discussed is not rocket science, but it's not trivial either. VLAN segmentation can have tricky edge cases that cause things to break in a non-obvious way, nothing that can't be worked around but for someone who "isn't well versed in networking" would probably be more than you're up for. Also keep in mind that you can't do this with most consumer networking gear becasue it's too complicated to setup and support without some experience and knowledge.

I'd not recommend VLAN segmentation unless you want to become someone who is more versed, which I don't oppose, but it's not a switch you can flip in 5 seconds and never think about it again.

The more obvious solution would be to get a separate WiFi router and internet connection strictly for work purposes.

At that point you could also consider it a 100% home office expense and it may be tax deductible (talk to your accountant).

I then went back and configured the OpenWRT box to create a WiFi hotspot and serve DHCP on a different subnet to that used by the home network. I configured an OpenVPN client tunnel from the router to pfSense, then set up a NAT ("masquerade") from the segregated network into the tunnel. I think I actually left a couple of ports open on the OpenWRT from the segregated network, but properly I should have firewalled them off so that the router was only accessible from the home network, since I doubt OpenWRT has been seriously pen tested by anyone. I'd probably also use Wireguard if I did it again.

The above config worked, but the CPU on the TP-Link was too underpowered to get more than a few Mbit/sec throughput. Since I didn't particularly care about having a VPN (I was going to throw this traffic on the internet anyway), I messed around and managed to change the tunnel type to L2TP. L2TP pretty much just takes the packet you give it and adds a UDP header for routing, so that approach gave me full bandwidth. I think I had to mess around a bit more getting MTUs set correctly to account for the L2TP header, and maybe had some trouble with auto-restarting the tunnel on failure.

One of the (flagged) responses to my original comment was "Who the fuck has the time to do that?" I actually think that is a fair comment. This all took a day or two to set up and debug, it isn't something that the casual user is going to do and, to be honest, I probably wouldn't have done it either except that I wanted to play with pfSense.

I'd do it again, though -- it was fun.

[1] https://openwrt.org/

[2] https://silasthomas.medium.com/how-to-import-a-pfsense-firew...

I do cyber/data stuff, often on the network-y end.

  - $CORP devices are on a VLAN + Wifi that has access to the internet, but no other internal networks
  - Internal network for file servers/printers and the like
  - Personal device network, think laptops/phones/tablets that are mine, can reach internal network
  - IoT network - Think sensors/robot vacuums/"smart devices"
  - Guest network, for well visitors to my home
  - AirPlay network, has all my Apple devices on it to allow for music to be airplay'ed to TV's/HomePods, can be reached from internal/personal/guest network

This is not something the average home user or consultant is going to setup/configure/manage and I don't expect it either.

The worry that the $CORP device will be abused to "validate the security of the network its connected to" is very much a possibility. Most corporations have no desire to do so, and endpoint protection is their primary goal, and they don't need to scan your home network to do so, it is all local to the device. It's about protecting the integrity of the device, not the rest of the network around it.

They WILL

> which would eavesdrop your talks

That absolutely WILL - use the microphone and listen to everything being said (why not the camera too and watch everthing?)

> scan your home network and analyze its traffic.

That absolutely WILL - do all this stuff

I mean if this is definately going to happen, then the company can go ahead and cut an 8 figure cheque straight away. Which company and where do I sign up?

Because who doesn't have a lid/sticker over their webcam yet?

I have also kill-switched the built-in mic in the BIOS set-up but I'm not sure how secure this is. I would prefer there to be no built-in microphones in any hardware (except phones) at all. Sadly every modern laptop is equipped with a mic.

Tugging against this evolutionary pressure is really hard, not only for individuals but also on the society level.

"Just quit LOL!" is a commendable act of grassroots activism, but not everyone is able (or willing) to afford such luxury.

Because, until last week they didn't.

Now I have to figure out if I'm just an unreasonable, stubborn old guy, or if this requirement is out of band.

In my case, I just outright said "hey, you guys I really want you to be my client but I'm gonna need a new laptop". So we bought a new laptop as part of the contract.

You have audio-video input sensors on all sort of programable devices nowadays, even some TVs can be turned into two way communication devices. That's a nice 1984ish vibe to ruin your late night matrimonial TV browsing.

If brute force isn't working, you're just not using enough of it yet.

Sure you might get a bad actor voyeur, but as a matter of policy, companies just don't care what you're doing at home as long as their security interests are protected.

I have a separate network for work machines at home, which goes straight to Internet and can't route in or out of my actual home network which is behind its own firewall.

Your employer isn't your friend.

It might be an awesome company to work for perhaps, but it's still a company (unless you work for like a 2 person startup). A company subject to audits and regulations and all kinds of other pressures (some of them actually valid, though many are theater) to monitor and control data and flows on their hardware.

You don't want those monitors etc on your personal data and network which has nothing to do with work.

So, keep them separate is the best possible advice.

But they are not allowed to scan my home network and other devices, and they have no reason to break the law. I trust them to not do that more than half of the devices running on my home network.

No reason to trust, better to isolate.

You'd also need a firewall, and to configure it correctly.

I also had email account specific to each client, so that I could have a mail program on that ThinkPad access only the respective account.

There are many reasons to do one laptop per client (especially if you're WFH, not traveling), including not exposing personal and other-client stuff to whatever weird stuff is in the build environment of one client.

Another reason, though this never came up for me, is that there can be legal orders to permit inspection of the computer, online accounts, etc., including by computer forensics. If that happened for one client, that could be in conflict with your obligations to another client (as well as in conflict with your SO's private vacation photos, if they were on the same device). Being able to reassure that everything for a client was compartmentalized to certain devices and accounts might come in handy.

At one point, I even had color-coded labelmaker tape to help keep track of what was compartmentalized to what. And photos of the devices with the physical labeling on them, in case I ever needed to convey that I took it seriously.

(Related: One time, I had a hard drive fail such that (despite encryption) I couldn't do an approved wipe of it before disposal or warranty return. That client's compliance policies required that I physically destroy the drive platters, and ship the remnants to them via Registered Mail. It was a slightly fun/cool exercise, especially since the platters shattered nicely. And the neighborhood of $100 lost was well-invested in professionalism goodwill with a client who paid a few orders of magnitude of that amount over time.)

(In some ways, I'm now happy to no longer be running a consulting business, mainly because a predictable, consistent amount of money just appears in my bank account every couple weeks. :)

That's what Statnett in Norway did when I did some work for them a year ago (Lenovo X1 Carbon). The difference being that installing anything on it was pretty much impossible. All traffic went through the Statnett VPN. It's the most security conscious company I have had any experience of.

But I was also able to use my own laptop by installing the Citrix client and that was much better. I had never used Citrix before and was pleasantly surprised at how fast it was.

1) Keep all software related to work for their company segregated inside a VM. Then you can install whatever they require without interfering with your main system or potentially exposing data for other clients.

2) If they want a separate physical system, tell them you would be happy to provide it for a fee: an upfront fee for the cost of the system and an ongoing fee for maintenance of it. Be sure to mark everything up as you don't work for free.

Since you're not an employee, you really shouldn't be asking them to provide hardware as (in the U.S., at least) this could create tax problems.

This tends to be more of an issue for solo contractors rather than contract houses as the IRS tends to look the other way on most of the larger contracting outfits.

You don't 'require' anything on equipment you don't provide. full stop. period.

Not only that, in some EU countries it's even illegal for a freelancer to work for 1x customer.

How does that work? Is it more "exclusively for one customer" similar to the how the IRS rules work?

Both France and Germany have such laws but other countries do too.

The point is that many companies would otherwise stiffle workers by forcing them into becoming freelancers because then they don't have to provide legally prescribed healthcare benefits, paid vacation, contributions to pension, etc. that employees get.

And at the same time those workers don't have really the position to meaningfully negotiate their contracts to e.g. include extra pay for that missing vacation or healthcare/pension insurance. I.e. we are not talking about IT consultants but delivery drivers, cleaners, etc. - low paying jobs.

I.e. Uber's business model - and that's exactly why it was banned/had big problems in many EU countries (in addition to completely flouting the existing taxi service regulations).

The reason is companies were abusing self employment laws by only recruiting freelancers even for full time roles so they didn’t have to provide sick pay/parental leave/holidays/pensions/etc.

I talked to an Intel HR person (informal chat, I never applied there nor planned to) 2-3 months ago and after I stated that after a decade of remote work, I see pandemic-driven introduction of harmful concepts like spying on previously trustworthy contractors by control-freaking managers that have no idea how to prove themselves in new reality, I was given a look which would usually be reserved for a psychotic person believing that they're being watched 24/7. Quite an unique experience, contrasting with how HR folks are trained to do sect-like "love bombing".

You want me to work for you and deliver results? My pleasure - that's what I do.

You want me to hang a company logo in my place and sit in front of camera multiple times a day, log every minute of my time and creep on me in other ways? I never worked in "Office Space"-like environment and I'm not planning to. Go fuck yourself, I'm out.

Was it great when I was the only one with adblocking software? Yeah, for me. But it was worse for society as a whole, most of whose members had no adblocking whatsoever.

So I guess we're winning?

So poetic.

* Drata is a vendor that helps a company navigate your SOC2 compliance process, by organizing all the controls and helping you gather evidence that you have done so. For instance, they'll connect with Github and make sure everyone with access to your repos is a company employee. If you don't use Drata you have to gather this evidence yourself, repeatedly over months, and it's a pain.

* The Drata agent is a pretty innocuous thing. It checks you have done things like turn on disk encryption, have updates enabled, and that the screen locks if you walk away. It does NOT monitor employee's activities. These kind of security checks are incredibly common and are required for certifications like ISO27001 and SOC2. SOC2 is not really optional for large enough b2b SaaS.

* The poster says "Their business model (in my case) seems to be to take money from companies to spy on their employees/contractors, and then they sell the employees/contractors private information to "targeted advertising".

Do you have any evidence for this?? I've just been involved in selecting Drata as a vendor for SOC2 compliance planning for our company. If this is true it's a huge deal and totally against my understanding of their business model. It honestly sounds like bullshit to me! But if you have evidence that they do this, please let us know.

* As a freelancer, whether you are required to install security monitoring software is definitely an open question. If you're delivering work separately and not connected to company systems, then ok. If you're basically just acting like any other employee, and connected to the company systems, then you will probably have to do this. Because otherwise they would fail SOC2 and managing your legal status as "Freelancer" vs "Employee" (for tax reasons??) is not worth not being certified.

I read their Privacy Policy. They are quite explicit about what they plan to do to you. I raised the issue with them in an email (among 5 other issues). Their reply is in the header. Another issue I raised is that they expect me to accept undisclosed terms and conditions.

That said. I have worked with computer security at an advanced level, including consulting, training, penetration testing, design/implementation of x-platform server agents for monitoring and alerting, design/implementation of firewall. Once I designed an implemented a system to deal with NATO secrets (not very sensitive secrets, but still secrets) for a military subcontractor in EU. My computer is relatively secure. I follow best practices - and more. A hostile agent would decrease the security on my network. That was my first thought when I got that awful email.

Also, I don't get it why that need such a thing on my PC. I don't have credentials to production systems or production data. I am a software developer. I work with code and documentation. That's it. Anything I produce is reviewed by other developers and then tested independently by QA.

I am careful to be a freelancer, and not an employee, for several reasons. It means that legally I'm my own boss. That feels good (I have a great boss!) It also make it unproblematic to work on open source projects, without getting into discussions about who owns the intellectual rights to that work.

OK, well, I've skimmed it and I can't see anything that suggests they are going to spy on our employees and sell the data to advertisers. I hate to drop it back on you but which passages make you think they do that?

These things do often sound terrifying because things like "I'm going to use Google Analytics to see which parts of the product people aren't using so we can email them reminders" get turned into passages like "We will upload all your activity to a third-party advertising company for marketing purposes".

> I have worked with computer security at an advanced level ... A hostile agent would decrease the security on my network. That was my first thought when I got that awful email.

I believe you! 100%!

But you are unusual, and without verification a control such as "All laptops should have screens that lock after 5 minutes" won't be followed by everyone. NOT EVEN CLOSE to everyone.

> Also, I don't get it why that need such a thing on my PC. I don't have credentials to production systems or production data. I am a software developer. I work with code and documentation. That's it.

Sure. Another commenter in the thread has said that because of that this isn't strictly required for SOC2. I'm sure they're right.. but I'm not sure I want anyone working on our codebase at all who doesn't have basic security settings set on on their laptop (Again, I know YOU do :) )

Back to the using your own computer thing again - this is why I think lots of companies say "You use our hardware for all company work but IF you really really want to do BYOD then you have to accept some of these agents". Not sure if that's the attitude at your firm, but that seems reasonable.

"We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes: ... Interest-based advertising. ... We may also share information about our users with these companies to facilitate interest-based advertising ... We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect ... and share it with third parties for our lawful business purposes"

Such "de-identified data" is often trivial to re-identify. There are research papers about that. It's well known in the security and privacy community.

Also, they use dark anti-patterns for opting out from them even using your personal data for their own advertising. "You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us at ..."

If Drata intended to be a nice, trustworthy security partner, use of any personal data for targeted marketing, or sale of any personal information would be opt in, not "out out if you can figure out how ...".

I have not read their terms of conditions or even their glossy information about the agent. I never got that far, as I declined to accept the terms and conditions for using their website. Already at that point, I saw red flags the size of Australia.

I don't believe for one second that Drata has any intention of showing any decency or that they act in good faith towards their customers or anyone else. If they did, they would have developed reasonable terms and conditions. What they have don't even distinguish clearly between the roles of a customer and an employee or contractor for their customers. Hell, they don't even define the term "Customer".

That would seem to only pertain to their website. Yes, they're going to want to market it to you, so that makes sense.

The actual privacy policy for the product the OP is using is likely found in the contract Drata signed with the client company.

Source: I am the Drata CISO

May be you should go over your user agreement documents and:

1) Make sure that all relevant information is available, so a user can make an informed decision.

2) Distinguish between the user roles, and have different agreements for the different roles. One role is your customer. A second role is the employee of your customer. A third role is the contractor for your customer. A potential fourth role is the person(s) working for the customer that is responsible for dealing with personal and confidential information related to you, employees and contractors.

As of today, your user agreement is a mess, appearing as something you have copied and pasted together without much thought, except for how to cover your own asses. Including the ridiculed clause Microsoft is infamous for, warning that your software is unfit and unusable for any purpose.

I think you have 4 options:

- If you use a company-provided computer, install it on their computer. It's their computer, not yours.

- If you use your own computer, set up a VM for this client and install the agent in the VM. Then do your day-to-day work inside of the VM.

- If you use your own computer, buy / expense a dedicated computer for the job

- Politely refuse to install it and accept the consequences. (IE, you might be out of a job.)

Remember that you are paid to do a job. If you don't like the conditions of the job, you can always walk away. As an earlier poster mentioned, this tool appears rather benign.

Regarding company hardware and tracking: Many companies set up things like automatic backups, snapshotting, ect. These aren't meant to track you, but if you're doing personal stuff on your computer, it's very easy to accidentally leak things into the company backup that you might not want there.

Maybe run it inside a VM?

> I read their Privacy Policy. They are quite explicit about what they plan to do to you.

That's not evidence, only your interpretation.

That is in their privacy policy (https://drata.com/privacy). They go into even more detail about the advertising they serve to you based on the information they collect. They suggest a drawn-out method to opt out of their advertising tracking. Honestly, this alone would rule out Drata for any similar project I was considering. How in the world is it acceptable for a security and compliance tool to gather and store personal data for the purposes of marketing?? With all due respect, how did you miss this???

The agent is not the only concern. Before you even get to install the agent, you have to provide personal information to their website (I believe - I don't now, because I rejected the TOS and don't have access to the non-public part of their website).

The thing is - Drata collects mandatory information from their customers employees and contractors trough their website. The TOS for the website is explicit about how they plan to use that information.

Source: I am the Drata CISO

Is that the 100% honest answer?

From my understanding, your website is where you collect my mandatory personal information, if I agree with your TOS. It's not just a glossy brochure for your product - it is your product.

I cannot choose what I share with you. But you can choose with whom you share what information I provide. And from your websites TOS, you seem very eager to share it.

In other words, Drata is a CYAaaS.

> The Drata agent is a pretty innocuous thing. It checks you have done things like turn on disk encryption, have updates enabled, and that the screen locks if you walk away.

Guessing it is privileged and self-updating.

And closed source, of course. Must be totally free of bugs too, like all software.

Source: I am the Drata CISO

You're a bit off on whether this would fail a SOC2 audit, thankfully. As the OP said, they don't have access to production systems, which basically means you can treat that employee however you want from a SOC2 (and ISO, and most other control framework perspectives). The company OP is working for can state "We do not require these controls on contractors without production access" and that is totally fine for SOC2. Pushing back on the agent requirement is totally reasonable!

But quite possibly you are right.

That said, it's also completely trivial (on the auditor side) for them to say "Oh, we're changing this policy to 'We monitor devices with production access'". Good luck pushing for that to happen as a contractor, though...

It would be grossly irresponsible for a contractor to rely on one client's assurances about what a third party told them its software did, and expose other clients' data to errors or abuse by that third party. Or their own personal data, for that matter.

Next client! This is potentially an indicator of a bad customer or management.

My hardware = my software (not yours) end of discussion. Don't like it? Have fun finding someone better that will put up with your nonsense.

Now if they provide a laptop with corp network access etc that is different.

I'm a professional similar to yourself. 15 years as a consultant and freelancer.

If they don't offer company hardware I don't think they can rightfully demand agents be installed. But if they do, and if you decline to use it then you have to accept agents on your own machine.

Not sure what OPs situation is - but I'd think it very reasonable to go back and say "if you want to install this you have to provide me a laptop"

If active monitoring is really required than the only solution I see is one device/customer and thus as a freelancer I'd have to request said device be provided by the customer.

What's evidence? I can't remember the exact details but imagine something like ... a screenshot of the security page of the Settings app on macOS, taken by every employee, on every laptop, once a week.

Or install the Drata Agent on all company laptops.

Perhaps a form would be enough evidence that you wouldn't have to repeatedly collect it... but I doubt it. Because otherwise couldn't ALL employees just sign a form and that would be that? Auditors know that people don't actually follow the rules carefully even if they claim they are going to.

Then there's the unintentional aspect. There is, of course, no guarantee their agent is bug-free. Data leaks and compromises happen all the time, by every facet of company (large, small, respected, hated, etc).

This is really a huge risk IMO. If anything, it's being downplayed and far from "nonsense".

True, the grey area is slightly odd situations like this where the protagonist is a freelancer rather than an employee and presumably also the company isn't willing to provide hardware to them in that case?? Because they're a freelancer?

Sounds like a case that isn't going to survive too long in any company that's getting serious about compliance and risks.

Unless their agent is Free Software, the reasonable end-user assumption is that they are doing malicious things. As we've seen time and time again, it's inevitable - either now, or in the future, they will come up with some bright idea for more features that involve being directly user-hostile. Your company may rely on their legal contract assurances, but I as an individual cannot.

My minimum policy for running sketchy binary blobs is in a VM on another machine. If you're adopting this type of software, it's incumbent upon you to make your corporate policy one of supplying computing equipment for everyone who is expected to run it. And also accept that employees will physically damage microphones and webcams to stop your supplied machines from acting as surveillance bugs of their personal dwellings.

But what the hell is your point? This is about as practical an argument as "the only reasonable software for your company to run is free software". Even if it were true, it's so far outside of industry norms that you might as well be asking them to ship all their products on BeOS.

My judgement is confined to what is reasonable for individuals to be asked to run in their own operating environments. Individuals lack recourse through the courts, barring some watershed law like a US GDPR with a provision for adequate liquidated damages.

I also pointed out a straightforward path if a company still wants their contractors/employees to run unaccountable proprietary crapware on the devices used to do work - purchase dedicated devices for contractors/employees to use for work, rather than expecting to get exclusive software installed on shared equipment. Coupled with an appropriate home network set up, this provides complete compartmentalization, assuming any sensors can be disabled.

(deliberate employee-hostile software, eg employee activity trackers, is out of the scope of this comment)

Can anyone even verify that? Is it open source?

Last time I allowed one of these "agents" into my computer, I discovered it was running in kernel mode and intercepting every single network connection.

It depends on the size of the company this person is working with. If it is large enough to be procuring Drata it means the people asking this dude to install the software is probably in a vastly different part of the company org structure as the teams our friend is working with. In addition, the "drata team" might not have yet considered their policy for contractors--in fact the "drata team" probably wouldn't even be the ones to draft a policy for that. It could be their legal teams who do that.

The solution really depends on how much of a fuss the poster wants to make of it. Personally I would be working with my clients inside that org to figure out a way to make their IT & legal department happy. If the poster has a good open relationship with their client, they'll find some solution. Perhaps the client loans the poster a dev workstation or something (which I'm sure can be structured in a way that doesn't fail the "contractor vs employee" tests).

I'm currently in the middle of our company's first evaluation window for SOC2 Type 2.

I'm not familiar with Drata, but at a surface-level, it sounds pretty similar to Vanta, who we use.

OP says "The motivation is that my client badly want a SOC 2 certification", which sounds about right. If anyone isn't familiar with SOC2, it's generally not something that you start out wanting or caring about, but eventually you get some big potential customers and they tell your sales people that they can't sign the contract unless you can show them your SOC2 attestation. Then you scramble to figure out what it is and what you have to do to get it. Depending on how your business works, it's the kind of thing that can very quickly go from "we don't know what that is" to "the future of our company depends on this". If you're a small team without experience in the area, it's a total mess and hard to understand exactly what's required. Signing up with someone like Vanta or Drata to walk you through the process and provides a bunch of tools to tick boxes and get you through an audit with a minimal amount of manual work and ambiguity (though there will still be a lot of that).

SOC2 tends to be very vague on actual technical controls and is more focused on the documentation of whatever controls you have set for yourself and gotten your auditor to agree are reasonable. You're going to have a very hard time getting most auditors to agree to something less strict than "devices that are used to access production systems or could otherwise touch sensitive data must have encrypted drives, be password protected, and kept up to date with security patches". If you have a traditional IT setup and provide hardware to all of your employees, you can probably generate some documentation showing how you enforce that policy. It's trickier in remote setups, BYOD environments, or with contractors/freelancers. Your two options are basically to have people install an agent like Dasta or Vanta's or to require them to upload screenshots of all the relevant settings on their devices somewhere on a regular basis (typically monthly), and then have an admin check them and sign off. That second approach isn't hard, but it tends to be very labour intensive and annoying as well as very easy for someone to forget and produce gaps/exceptions that then have to be explained to your auditor.

In our case, we're a fully remote company and fully BYOD (you get a hardware stipend but we don't really have an IT department so we're not in a good position to manage peoples' devices for them; we do strongly encourage people to use separate devices for work and personal). We completely understand the reticence towards installing a 3rd party agent on their own machines, so we give our employees the option of using Vanta's agent or doing the monthly screenshot thing. Boy is the screenshot thing a pain in my butt and don't I wish everyone would just use the agent. In the future, it might push us to change our BYOD policy and instead supply managed devices (but I'm not crazy about that approach either for other reasons).

One piece of feedback we've given Vanta at every opportunity (and I assume would apply to Dasta as well) is that we'd have a much easier time getting adoption of the agent among our developers if they'd make it open source so anyone with privacy concerns could audit it themselves. So far we haven't gotten any indications that they're moving in that direction. FWIW, reverse engineering and spying on the Vanta agent with eBPF and other tools to try to catch it doing something it shouldn't has become a bit of a side hobby of mine (it's mostly a wrapper around OSQuery and I've been able to log all the queries that it makes and not yet found anything nefarious, but absence of proof isn't proof of absence).

IMO, it's completely reasonable for the OP, as a freelance contractor, to refuse to install an agent on their personal machine and instead provide screenshots/etc as evidence. They say "Just for the record: I don't have credentials to production systems, and I don't work with production data.". If that's really true, then that should be fine. We have freelancers who do certain things for us (eg, market research), and if they don't have access to production systems/data, it's very straightforward for us to classify them that way and exclude them from the various secure development controls. Though they may not fully understand the scope of "production systems", which could include things like Github repos which contain code that gets deployed to production (SOC2 auditors want to see that the whole development lifecycle is secure so a compromised developer laptop couldn't be used to push out a backdoor without leaving a very obvious trail).

For what it's worth: a nit I like to pick with Vanta is that it sets a very ambitious bar for what a company should be doing with respect to IT security, where SOC2 does no such thing. I worry that things like Vanta lead teams into doing all sorts of stuff that might not be a fit, and certainly isn't required to pass a Big 4 SOC2 audit. What was your experience there?

(I ask because SOC2 is sort of looming over us, though obviously it's not something we're jumping to do preemptively).

Not really. We had no process before talking to the auditors. We told them that we didn't want to require employees to install the Vanta agent (for reasons mentioned) and asked them what they recommended. They said that screenshots would be fine. On a lot of these SOC2 things, I think people should just talk to their auditors early in the process and get a sense of what they are looking for and care about. There are some standards, but all of them are going to have a slightly different focus and the ones we've worked with have all been pretty reasonable about understanding the particulars of our company and what exceptions make sense for us.

> For what it's worth: a nit I like to pick with Vanta is that it sets a very ambitious bar for what a company should be doing with respect to IT security, where SOC2 does no such thing. I worry that things like Vanta lead teams into doing all sorts of stuff that might not be a fit, and certainly isn't required to pass a Big 4 SOC2 audit. What was your experience there?

I can't say it's really been a problem for us. Vanta and our auditors have both been pretty clear that it's not 100% necessary to have all tests passing in Vanta in order to get our SOC2 (again, it's helpful to just talk to your auditors). We run entirely on the Cloud (no physical offices or data centers) and honestly, some minimal GCP/AWS best practices and modern deployment approaches (protected branches, code reviews, standardized CI/CD) means that you're already passing about 90% of Vanta's tests on those things. We had to do a few silly things like change our resource labelling conventions to match Vanta's but otherwise nothing felt terribly burdensome or like security overkill.

I agree with your final paragraph 100%

And good luck with your evaluation!

I think the only service we had to pay was for security awareness training, and it was a site that provided security awareness videos..

But you are right. All those ceryification companies are a mafia.

> Do you have any evidence for this?? I've just been involved in selecting Drata as a vendor for SOC2 compliance planning for our company. If this is true it's a huge deal and totally against my understanding of their business model. It honestly sounds like bullshit to me! But if you have evidence that they do this, please let us know."

Do you have any evidence that they don't? If so, can you describe a few bits of your investigative process and how you reached the conclusion? For the sake of alleviating people's fears and to clear up the nonsense.

OP made a claim that Drata collects private employee info and resells it. That’s a large claim.

It’s on OP to justify that position, not on the parent to rebut the opposite.

What I know is:

1) They collect mandatory private information. They already know my name and my email, and they used that information to ask me to complete some tasks on their website. I don't know what those tasks are, because I first have to accept their TOS, which contains clauses that is referred to, but not disclosed. I declined.

2) Their "webpage" is part of their service. This is where I supply personal information (presumably more than they already have). So unless they have another TOS, after I accept the publicly available one, that's the rules: I have to give them personal data, because my employer (well, in my case it's my customer, not my employer - Drata have no agreement with my employer) signed a contract with them.

3) They give themselves the right, in the websites TOS, to sell my data.

So: 1 + 2 + 3 = Drata collects private employee info and resells it.

My impression is that HN conversations are less regulated. Someone can make a claim, and each reader can decide how much merit it deserves, and if/how to discuss it further.

It sounds like the spyware is non negotiable and I personally wouldn’t have issue with it if the client also provides a laptop on which to run it. The client is free to do whatever the hell they like with their own hardware.

What’s objectionable about situations like this is the client wanting to have their spyware cake and eat it on someone else’s computer. That’s a great deal for them — why pay $5k for a laptop when you can just pay $100 for the spyware license instead?!

I realize the economics aren’t exactly on point, but I tend to view situations like this as them stealing $5000 — my laptop — from me.

So moving forward:

1/ you are “happy to help them reach their compliance goal and move to a Drata controlled environment”

2/ to do so you “will need to isolate them, as a client, to an airgapped environment solely for their work”

3/ which will need “$5k up front and a lead time of a week to order new hardware, or for the client to ship you a preconfigured laptop with configuration X Y and Z.”

Saying yes with principled conditions is always a good route forward. Yes-but instead of no-but.

I don't know for a fact that it is spyware. For now I just think of it as an "hostile agent".

I object because a) I don't want frustrations at work. I want to focus on the problems I am there to solve (which are quite interesting), b) I don't want a hostile agent from a company selling data to "targeted marketing" in my network, c) I don't want such companies even to know my real name, d) I take security seriously - I hate security theater.

That's what I object to.

Another approach you can try is to conform to their requirements on one machine, but do all your actual work on another.

In the past I've been faced with similar situations where corporate IT required ne to run a "security agent" if I wanted to bring my own device to their network. I ended up bringing a Raspberry Pi which ran their "security agent", but then I did all my work on a laptop that connected through the Pi via NAT.

This was at a high school where I was a teacher. The "agent" did an SSL MITM attack, allowing the school IT to see all my traffic. I'm fine with needing that stuff to keep the kids safe but I objected to the school needing to inspect staff traffic. If they mistrusted me to the level of needing to read my email, what the hell were they doing leaving me in a roomful of children all day?

If you had two spare Pis you could do a three machine shit-sandwich: (1) trusted-pi is all yours and connects to your home network offering strictly controlled minimal internet access to... (2) the security-theatre-pi, running the client's weird spy/monitoring software; and then (3) your personal laptop connects via the security-theatre-pi.

I'd prefer to be direct and up-front with them – it doesn't feel great to have to be duplicitous with people the way I did / suggest you do – but a $50 pi might be able to tick their box and let you get on with the interesting stuff.

That would create a layer of cynicism between me and my work. I don't have that today, and I would rather avoid it.

Feels like the layer of cynicism is already there.

When a new manager I don't know send me an email to install some "agent" from a company I have never heard about, and that company turns out to have terms and conditions from hell (like references to undisclosed terms and conditions they want me to accept) - then I label that thing, in my mind, as a "hostile agent". It's not something that will ever get access to my lan. It's something I don't even want in a VM, because it may know how to escape from a VM.

That's not cynicism. That's risk assessment.

https://www.newegg.com/netgear-gs105e/p/N82E16833122598

And id need a VDSL Router that supported Vlans as well so that's 4 switch's plus a router.

Installing agents is a sign that the company doesn't value trust with their employees and treats them as liabilities. Companies that made me an offer who had asked me if I would have an issue installing an agent just got rejected from my employer list. If they don't trust me doing my job why should I trust them doing their job. Why not install an agent to the CEO's computer as well? After all I should trust him that he's doing his job well enough for us not to lose our jobs. I'm also dependant on him after all. These are all relationships where trust plays a major role.

After all, if you think an employee isn't performing you can just have an annual PDR (Performance and Development Review) and figure out if you have to get rid of that employee or talk to him. Why spy on all of employees? Agents are just an excuse, not the means. It's a disgusting in my opinion excuse to spy on everyone.

Whatever the case or how common this is, I won't ever accept agents to spy on me. You do you but I think everyone should do the same. I demand your respect to be mutual to my and your privacy and sense of trust. Agents are harming the remote development space and skew the perception of what it means to have a healthy team.

I have been a developer for more than 3 decades, and I have never even heard about it before.

I have worked with some DLP such as digitalguardian.com that does indeed report the time you spent focusing on each app, for instance, which is a big no-no for me too, but most of the time the company is just interested if you haven't been copying data between your computer and some thumb drive, or copying it between you corporate and personal cloud drives, or syncing your corporate e-mail to an external account, that kind of stuff.

Not only is your personal equipment yours, it likely contains information about other businesses that you probably have legal obligations to, like NDAs, and if the client doesn't understand that you can't ethically violate that for them, then they're not a client you need to be dealing with.

It doesn't help that the 3-5 "IT agents" they run are rarely doing anything useful expect fulfilling 3-5 different directors idea of spying.

I use my own equipment for my work and it's all on a VM. Everything work related is done on the VM. If I leave all I have to do is delete the VM.

I've read that Valorant refuses to work on VMs and requires full hardware access for its anti-cheat software. I can imagine "corporate security" agent software doing the same.

That part is clearly Security Theater. Having worked with real security for decades (consulting, training, building server monitoring and alerting tools, building commercial firewalls) I get quite provoked by fake security. For example, this "agent" checks for disk encryption. It does not check for password strength, or even if there is a password (you can use full disk encryption under Linux without any password). It also require anti-virus, which under Linux is more likely to do harm than any good.

What I don't understand is why they choose to do this to their engineering team. I don't know much about SOC 2, but from what I have read, the "concern" is mainly production related. Most of the engineers, including most of the really senior ones, never access production systems.

Or they just saw an opportunity :)