US senators are calling for action on employers’ habit of demanding employees’ Facebook passwords, but no one seems to notice that many companies configure their computers so that they can eavesdrop on your Facebook, bank, and webmail passwords, even when those passwords are “protected” by SSL. In my latest Guardian column, “Protecting your Facebook privacy at work isn’t just about passwords,” I talk about how our belief that property rights — your employer’s right to control the software load on the computer they bought for your use — have come to trump privacy, human rights and basic decency.
Firms have legitimate (ish) reasons to install these certificates. Many firms treat the names of the machines on their internal networks as proprietary information (eg accounting.sydney.australia.company.com), but still want to use certificates to protect their users’ connections to those machines. So rather than paying for certificates from one of the hundreds of certificate authorities trusted by default in our browsers – which would entail disclosing their servers’ names – they use self-signed certificates to protect those connections.
But the presence of your employer’s self-signed certificate in your computers’ list of trusted certs means that your employer can (nearly) undetectably impersonate all the computers on the internet, tricking your browser into thinking that it has a secure connection to your bank, Facebook, or Gmail, all the while eavesdropping on your connection.
Many big firms use “lawful interception” appliances that monitor all employee communications, including logins to banks, health providers, family members, and other personal sites.