Employer VPNs, what are your legal, technical rights?

My apologies if this issue has already been discussed but I haven't seen it anywhere.

I recently received an email from my employer's IT team, attached was seven pages of instructions telling me how to configure my computer so that I run through the company's VPN while working. Now I can totally understand why in this age of hacking my employer would like to have this facility, what I am not so comfortable with is just how it affects me.

I dare say there are many other people out there working from home who will find themselves in the same position. So basically I would like to know what sort of access does this give my employer? I would think at the very least while I am on the VPN the IT team has access to my online activity, fair enough I suppose, if I am on company time I shouldn't be accessing dead rodent sites. But like most people I am likely to forget to log out of the VPN when I knock off, so presumably they can happily monitor my activity then.

But it's more than that, I would like to know what other access it gives. If I am checking personal emails (job offers, salary packages etc.) can they be accessed? What access does it give the IT to my physical computer? If they decide to send anti-virus software to my computer can they do so and can they access my personal files etc? If a disgruntled IT member is fired does he get the chance to wreak havoc on my device before he goes?

When in the office using a company-owned pc I have absolutely no problem with this sort of monitoring, as I have no problem with the CCTV over my desk, but I'm damned if I am going to let them set up a CCTV in my spare room, even if it is only to monitor me while I am working.

Has anyone else had experience of this? I should stress this is my personal computer at home, not a company-provided device.
 
Too many unknowns here to give a definitive answer and don't want to bore you with the technical details.

If I were you I'd be demanding a work provided computer for work and keep your personal device for personal matters. Or access your private email from your phone.
 
At a very basic level:

If the VPN tunnels ALL your traffic, including DNS, through it, then your employer can see every website that you visit. If those sites are encrypted (HTTPS) they cannot see the actual traffic UNLESS they have also insisted you install/accept certificates from the VPN server which allow the traffic to be decrypted/re-encrypted.

If the VPN uses "split tunnels" so that traffic to employer systems is tunnelled over the VPN but everything else goes outside the VPN then they cannot see your traffic to other sites - they might still see the DNS if that is being tunnelled over the VPN.

Legally there is a grey area - it's your equipment but on company time using company resources (the VPN).

You should have been provided with something along the lines of an "employee's handbook" with respect to IT systems, check what that says too.
 

Nobbygas

I work in a Financial environment, and initially when I started working from home I was using my own PC to access work. All of my work is recorded and monitored. It has to be this way for legal reasons etc. I was not happy with this arrangement because I knew that they would be able to monitor everything I did on my own PC.
After a month or so they provided me with a ThinkPad and another two monitors. This connects via a VPN and is totally separate from my personal PC. I would suggest that your company provides you with a ThinkPad/Laptop for work access and that you keep your personal PC totally separate. It doesn't really cost them much money.
 
I’ll second what Nobbygas said

I work in the Civil Service - when it first started kicking off we went to minimal manning and shut everything down that we could.

After about a month of this pretty much everyone got given a ThinkPad so they could work from home. Whilst we often criticise the profligate waste of government, if you work in anything like a competent employment then they should be able to fork out for one if the stingy CS can manage it.

If they drag their heels just say that your son/daughter needs your laptop in the school holidays to do projects for school/wife is working from home and using it/it is starting to regularly fall over.

For the last one just keep turning off Teams whilst in the middle of meetings - they should take the hint.
 
All the information we received was a brief email from IT providing the technicalities of configuring my computer changing the settings etc, including the installation of a regedit.

I am more than happy to work this way if the company provides a dedicated device but I am extremely uncomfortable with the geeks and misfits in our IT department having access to my personal family computer.
 
They likely won't 'have access', but they will be able to see every web site you've visited and may be able to block access to certain ones, if they choose to. You really should demand a work laptop.

As for your rights, you'll have to check your company IT security policies.
 
What about the regedit? Does that not hand them a degree of control over the device's settings? And let's say they wanted to do a virus scan or run some other security issue, would they be able to do that on my computer remotely?
 
Regedit makes a change to the registry. Without knowing what it is no-one can tell you what it does. You can post it if you like, it's just text.

Virus scan? Depends on the VPN client. If it's a simple VPN client then no. If it is one of the more sophisticated ones then it will be able to do many things such as check when a virus scan was last run and which patches you have applied to your PC, which software (and version numbers) you have installed, etc, etc
 
As others say, if you're required to access a VPN on your personal computer, then they should provide you with a computer.

Considering it's a family computer, I suspect there may also be a data protection/GDPR issue here too - from both sides (your work data and also your family's data). Not to mention if you have kids and your employer is able to access your webcam etc (as one friend who works for a bank told me - he runs the IT services for a bank and they are able to monitor employees through their webcams etc), then that's really not on.
 
It appears to be:

AssumeUDPEncapsulationContextOnSendRule

We are then instructed to enter "2"
 
I'd do what others have suggested and get a dedicated work laptop. With so many homeworkers it's enabled hackers an easier way in to companies' networks where they can place ransomware, so I would think somewhere in the reams of paperwork you've got there'll be a caveat about keeping antiv software up to date, which should be their job to provide you with, otherwise if you get hacked the 1st thing they'll do is try and find out how it got in and the second find the current bitcoin value of a million or so.
 
Yes, that seems to be the only solution, I have an ancient laptop lying around somewhere, I will resurrect it and use it only for work purposes. A bit of an annoyance and I think I am more pissed off about the curt nature of the demand to switch over my computer to their control, even if it is during work hours. I wouldn't tolerate them installing a CCTV in my home office so I feel it's the same principle.
 
I work for a French company that does both military and commercial stuff but I'm based in UK. I have a laptop they sent over which is VPN configured so I can use it on the French server and access other stuff when it comes to mil projects. Otherwise it runs without a VPN operation. They would not expect me to use my own computer and to the OP, that should be your employer's point of view.
 
I used to use Teams on the odd occasion I had to work from home due to childcare. The IT department kept pinging me snotty emails and requesting I uninstall it due to security issues.

At a project meeting once, I was sat next to the Global Logistics VP from the US. He had a Teams icon on his Laptop toolbar. I asked how he liked it. 'Perfect, as I'm moving about a lot, etc.'

I emailed the IT department saying that the Global VP thought it a wonderful piece of software and thoroughly recommended it. I never heard as much as a whisper from them after about my downloading habits.
 
Make it so ancient it doesn't support the sw and they'll have to send you one.
 
You're not listening. If work want you to work from home they need to provide the laptop. Not you.

And that regedit is harmless: Configure L2TP/IPsec server behind NAT-T device - Windows Server
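
A read-only check of the points raised in this thread (full versus split tunnel, tunnelled DNS, installed inspection certificates, and the `AssumeUDPEncapsulationContextOnSendRule` registry value), added here as an example and not part of any poster's message. It assumes the employer's instructions configure the built-in Windows VPN client, which the L2TP/IPsec registry value suggests; third-party VPN clients will not show up in `Get-VpnConnection`.

```powershell
# Added example: read-only audit for the Windows built-in VPN client.
# Nothing here changes settings; run it with the VPN connected.

# 1. Full tunnel or split tunnel? SplitTunneling = False means the VPN
#    takes the default route, so all traffic goes via the employer.
$vpn = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
       @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
$vpn | Format-Table Name, ServerAddress, TunnelType, SplitTunneling, ConnectionStatus -AutoSize

# 2. Which interface carries the default route? The lowest combined
#    metric wins; a VPN adapter at the top means full tunnel in practice.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize

# 3. DNS servers per interface. Even with split tunnelling, lookups sent to
#    a resolver on the VPN adapter are visible to the employer.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 4. Most recently issued trusted root certificates. A root carrying the
#    employer's or a proxy vendor's name is what allows HTTPS inspection.
#    Heuristic only: read the subjects yourself.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Sort-Object Thumbprint -Unique |
    Sort-Object NotBefore -Descending |
    Select-Object -First 10 |
    Format-Table NotBefore, Subject, Thumbprint -AutoSize

# 5. The registry value from the instructions. It only tells the IPsec
#    policy agent how to treat NAT between client and server.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$name = 'AssumeUDPEncapsulationContextOnSendRule'
$meaning = @{
    0 = 'default: no security associations with servers behind NAT'
    1 = 'security associations allowed with servers behind NAT'
    2 = 'allowed when both server and client are behind NAT'
}
$item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    "$name is not set (Windows uses the default, 0)"
} else {
    $value = [int]$item.$name
    "$name = $value ($($meaning[$value]))"
}
```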
 

Sarastro

There is a simple workaround to this if you are concerned. Almost all employer VPNs are software-run, not hardware defined. Assuming you use Win or MacOS, and if for whatever reason your employer won't provide a dedicated machine for you, just make a work-specific user account in the operating system. Set up the VPN to work on Work User, and not on other users. It's fairly simple and quick on most modern OS to switch user without major problems.

The structure of the operating systems means your Personal User account will not be visible to the Work User account. Organise your drives so they are specific to a user account, and whatever data you have on your personal drive will also not be visible to your work account.

It's far from a bombproof setup, and won't stop a determined hacker, but it will ensure that your employer has to cross the line to hacking / spying on you if they want to access your personal files, which they aren't likely to do. It's also a good setup for, as an example, having a "Zoom" user account which doesn't have anything on your desktop other than your video conf software, so you aren't ever going to accidentally show video participants things you don't want.

The best solution however, as @Just_plain_you said, is to require that your employer give you a work laptop, and just keep everything physically separate.
 