Don't Let Your Work Device Betray You: Keep Your Personal Digital Life Separate
Protect your privacy and your job by keeping your work and personal digital lives separate. As an example, the scrutiny of federal employee's viewpoints and firings of those not "loyal" enough.
In light of the ongoing attack against US federal employees, I thought I would resurface this June 2024 post about the importance of not using work devices for personal use.
A quick history lesson: Did you know that the Civil Service system was created in response to the cronyism and corruption that resulted from the spoils system, which allowed jobs to be used as political rewards by the US President? Chester A. Arthur signed it into law in 1883 to establish a merit-based approach for hiring government employees (source).
That aside, what’s been happening to federal employees recently is just the latest of many examples of people having their personal activities result in action against them (Google example, Apple example). If you use your “official, company-provided device” to do personal activity (email, text, post on social media, etc.), you are exposing yourself to unnecessary risk. Organizations have complete visibility (legally and technically) into all the information and activity on their own devices and networks.
This is why, regardless of who you work for (government, company, or some other organization), my recommendation is:
Don’t use your work device for anything personal.
Keep your digital work life separate from your digital personal life.
Many people work for companies that provide their employees with devices like computers and phones. Most companies also allow personal use of these devices, and many people do. I understand it is convenient to have one computer and phone in your life that you use for everything, including work and personal business, but don’t do this!
I have carried a work phone and a personal phone for almost 15 years, first as a Special Agent in the US Secret Service and then while working for Google and other companies. It’s telling that 99% of the people I worked with in the government (in the national security community) had both a work and personal device. This is because government employees are very aware of the government’s ability to track and monitor the usage of those phones, and people don’t want to risk their personal information and privacy. Government phones are for government use, and personal phones are for personal use. Keeping those lanes separate is essential. I’m not sure about the rest of the civil service, but I suspect many people use their government computers for personal use because it’s convenient.
In the private sector, I have seen the opposite. The vast majority of people I’ve met have one phone, which they use for personal and company use. This phone might be a work phone or a device they brought (BYOD).
Many people also have just one work computer that they use for both personal and company use. I think this is because people falsely assume that a private company can’t access your personal data or that it’s harder for private companies to access your personal information on their devices than the government. It’s the opposite! The US Government is beholden to the Fourth Amendment (against illegal search and seizure by the government - they use consent to get around this for government employees). In contrast, private companies are not subject to the Fourth Amendment.
If you read your IT policy or the disclaimer when you log in to your work computer or device, you will almost certainly see a clause stating that your company monitors all activity. It’s becoming increasingly common for companies to install software specifically to keep tabs on what employees are doing on their computers (source article).
If you use your work devices to conduct personal business, the organization that owns that device has visibility into that personal business. I highly recommend that you don’t do this.
Because work devices are subject to monitoring and control by the company that owns them, anything you do or put on your work device, including personal messages, emails, files, or photos, can probably be accessed by your company.
If you want to learn more about this, Privacyrights.org has some articles that detail some of these concerns.
Don’t mix your personal digital life with your work digital life!
Keep your personal and work digital lives separate. If you have work devices, don’t use them for personal use. If you have personal devices, don’t use them for work. This separation will protect your privacy and keep your data safe.
Here are the reasons to keep them separate.
Data Loss
A company device is owned and managed by the company. The company almost certainly has remote management capabilities such as remote lockout, wiping, and tracking. This makes sense — companies do this to manage expensive assets and sensitive information in case of loss or theft. However, this also means that if the company wants to, they can remote lockout, wipe, or track your devices. If you are using that device for your personal business, and the company decides to do that (reduction in force, dispute with the employee, etc.) — you no longer have access to your personal data and anything stored on that work computer.
There are many well-publicized examples, including one involving Google (article).
Personal Privacy
Companies require you to sign IT agreements that acknowledge or consent to their access to and monitoring of your activity on company devices and systems. This is almost universal practice for all companies except the smallest ones. This means the company has the legal right to access any files you store on company systems (on your computer, in your email, in the cloud—Google Drive or Microsoft Sharepoint, etc.).
The company could decide to access your private communications (text messages, emails, etc.), which would be legal. If you ever had a dispute with your company, this could be information that is collected and potentially used against you.
And if the company (or government) doesn’t approve of your political views or your “loyalty”, this personal activity could reveal that. It’s trivial for LLM models to search vast amounts of text, email, and other data to identify such topics.
This also means that there are employees at the company who have access to your information (Security, HR, IT, etc.). If someone has access to your activity, that access can be abused. Hackers could obtain the credentials to the internal tools that allow access to employees’ devices and gain access to personal information. Or, a rogue employee could use this access for their own reasons. There are many examples of employees abusing internal, sensitive information like this (here’s just one example).
Intellectual property
If you are running a side hustle or have a personal business in addition to your work business, and you do this personal business on company assets (including when you are paid by the company) or on company devices, the company may consider it their intellectual property since company assets were used for that purpose.
Every tech company I have worked with had a clause about this in the employment agreement I signed when I joined. This means that by using your work devices for personal use in this way, your company could make a legal argument that this personal intellectual property or personal work product is theirs.
Life balance
Another great reason to have two phones and two devices is that it makes it easier to separate your personal life from your work life. With just one phone, it’s hard to turn off notifications for work-related alerts but enable notifications for only personal messages.
If I haven’t convinced you with the personal privacy argument, maybe life balance is the reason for you (and privacy is the side benefit).
Do’s and Don’ts of Work Devices
Don’t do BYOD (Bring Your Own Device). Ask for a work phone if you are expected to be responsive when not at the office. This way, you can keep your work and personal digital lives separate.
If you are forced to do BYOD, ask questions. Pay attention to what you’re required to agree to in order to BYOD. Are you adding special software? A special partition? Be sure to read the fine print and understand what access your company is getting to your personal device.
Don’t set up personal accounts or sync files on your work devices (computers or phones).
Don’t put your personal email into the email clients on your work computer or phone (Apple Mail, Outlook, or Gmail app).
Don’t access your personal email on the browser on your work computer.
Don’t create a personal browser profile tied to your personal Gmail or other personal account on your work computer (this doesn’t protect you)!
Don’t link your personal iMessage, WhatsApp, Signal, or other messaging app to your work computer. If something is viewable on your computer screen, your employer can see it too.
Don’t sync your personal photos to your work computer’s photos app (Apple Photos or Google).
Don’t access personal social media and post on your work computers.
Don’t use your personal devices for work.
Keep your work-related communications and files on your work device, not your personal device.
Have two phones (a work phone and a personal phone).
It might be a bit of an inconvenience, but it’s not that bad. Plus, you look more important with two phones. It’s definitely worth it.
Have two computers (a work device and a personal device).
Stay Safe!
Tate
Not even SD's and USB's, even On shared printers. The ownership of intellectual property is really unfair if it is not strictly work related.