> Around 2009 or 2010, the company decided to try to pull a fast one on some of us. They said that our original NDA somehow hadn't gotten signed (what?), and that we needed to re-sign it... Sure enough, they delivered, and sent me the original NDA. Note: they didn't send me *AN* original NDA they were using circa 2006 when I started. They sent me *THE* original NDA, complete with my signature from the day I started! Yes!

> So then I started reading along, doing my best to do a 'diff' in wetware, and found that they had actually added some clauses. One of them amounted to 'taint' for your personal devices. Basically, if you signed in to your corp gmail from a device, they claimed the right to audit it at any point in the future.

This kind of psychotic behavior is one reason I'll never work at a megacorp. I'm sure some smaller companies do it too, but it seems less common, and they won't have as many lawyers on retainer just waiting for the chance to justify their salary by pursuing it.

And if I ever *did* find myself at a company that tried to pull something like this, I'd probably quit on the spot. I won't work in an environment where I'm having to constantly watch my back.
I had a job where I lived on planes and in airports (this was just before smartphones existed). The first day on the job, I logged in to the corporate network. It told me bluntly: "This is the BigCorp network; there is no right to privacy." The entire time I was there, I travelled with two laptops.

I don't blame BigCorp for their policies; their equipment, their rules. But I strongly recommend separating the use of business and personal devices.

And, no, if an employer demanded I install an app on my personal phone, I'd refuse.
Just today (possibly related) someone else tweeted:

> *Sooo, #Apple has pics of my boobs. During a discovery thing 3yr ago, legal forced me to hand over all my texts. They refused to let me delete anything, even "fully personal," even when I said "by fully personal I mean nudes." They said they're in their "permanent evidence locker"*

> *I questioned this aggressively. Apple R&D pressures us to have one iPhone for work & personal (so we can "live on" / dogfood). I said, if there's texts that aren't with employees and have nothing to do with work, I should be able to delete them or at least attachments. "Nope."*

https://twitter.com/ashleygjovik/status/1428495420917837826
> *I realize that many people do not have the option to just go and drop a couple hundred bucks on an additional phone and then add another $100/mo to their budget for the service.*

I'd never pay a monthly fee for a work-only device. If they give me a work-only device, it should come with a data plan. If they don't give me a work-only device but want me to sign over access to my personal device, then I'll use an old device and just use wifi. No way I'm paying a separate monthly fee because my employer puts me between a rock and a hard place.

Also, MVNOs are $20/mo, not $100.
In California, most companies that require after-hours duties because engineers are on-call provide a company-issued cell phone because of California Labor Code section 2802: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=2802&lawCode=LAB

The companies that do not do that are exposing themselves to unnecessary legal risk in the future.
This seems quaint to me. The real reason to not use a personal device for work is discovery. As soon as you do work someone can trace back to that device, there’s the potential for someone to seek a warrant for that device. Even if it’s some chucklehead you don’t even know within the corporation who’s being investigated, all you had to do was send an email to someone <i>they</i> sent an email to. And now the courts can demand your stuff. Let’s assume everything everyone does is perfectly legal, it’s still a massive inconvenience tax, and that alone is a good reason to not do it. I carry two phones and two machines (Corp laptop, personal iPad). They want me, they can give me the machines to contact me.
> If you're like the younger version of me and can't afford to pick up another phone just to keep your work and personal lives separate, you may have to make some compromises in the name of not rocking the boat with your employer. If this happens, don't feel too bad about it. Every day, people have to suck it up and deal with relatively sketchy treatment from their employers, and can't speak up without fear of reprisal.

Great reason to join a union.
The most interesting thing about this is the linked article about the employer that tried a bit of sharp practice to insert additional clauses into the NDA: https://rachelbythebay.com/w/2011/11/09/signs/

There's definitely a few morals to this story (but note: not legal advice! I am not a lawyer!):

1. You should keep your own copy of anything you sign as part of your employment contract.

2. You should maybe keep a record of when you handed that to your employer ("I did in fact sign a copy of the NDA when I began my employment, and handed it to [person] on [date]. I hope this helps you to locate it.")

3. If the NDAs are so long that it would be impractical to visually diff them, you can just ask the company: "Can you please ask [name of company lawyer] to send me an email confirming that this is the same NDA that I signed at the beginning of my employment on [date]?" If they do, and then later rely on a clause that has been inserted, I suspect they would have a hard time convincing a court to enforce that clause.

4. In the author's situation, they sound like they were over a bit of a barrel economically and it's hard to push back in that situation. If you are willing to push back, remember that your employer is asking for something *from you*, i.e. a change to your contract. And if that change is that they can audit your personal devices, that is not a small concession! "This NDA does differ substantially from the one I originally signed, and would represent a significant change in the conditions of my employment. I understand if the company has new security concerns, and I am willing to work constructively to find an acceptable solution. For instance, if you are uncomfortable with me being able to access work e-mail on my personal device, you can issue me with a separate device over which you would have auditing rights."
Whatever happened to the future we all predicted or were told was coming a few years ago where we ran our phones like a hypervisor, and could actually segregate different controlling accounts into separate phone VMs? I imagine it was probably because it was too power intensive.

She's entirely right IMO with the advice. Separating work and personal time is already so hard to do in some cases, and having my phone be a pseudo-work communicator does not help with that problem in any way. Disentangling them at the end of an employment relationship is likely much, much harder (luckily I've only had to deal with this minimally).
What I don’t really understand is how we ended up at the point where invasive MDM is even acceptable. People mix their work and personal lives *all the time*: even if I take my work laptop home and use it, it would be a massive overreach to show up at my house and demand that I let them search it. Why do we accept the equivalent for phones? Ok, I put company email on my phone: you should be able to wipe *just that* and retain a copy (which, running a central server, you do of course). Why should you have any right to do more than that?
> *Even now, if I go to the app store, the little icon for FB and their many other apps still says [GET] instead of the little cloud download thingy that means "you had this already".*

… and …

> *There is one thing I need to mention for anyone going the separate iCloud account route on corp devices: you probably should make sure you have it logged in from a personal Mac or something like that, or some other place where you can have passcodes sent. The reason is that if you should quit, you lose access to the authorized devices (phone, laptop) which will receive auth codes.*

> *Assuming you ever want to turn that off, you're going to need some way into the account. If you don't have a way to approve the login and provide the passcode, fixing that is going to be rather difficult.*

> *For this reason, you'll probably want to go create a separate non-admin account on your Mac, then associate it with that "burner" iCloud account, and just let it sit there. Don't use that account on the machine for anything else. Then, if you ever need to get back in and shut things down to stop the autopay stuff, you'll have a way.*

Use iCloud Family and make child accounts for corp devices.

As the “parent” account, you control the “child” account, even if the company controls the device, and you can allow the child account to use the apps or music you own, track where the device goes, etc.
If a company offers me access to slack/email/whatever if I BYOD that's nice... but it's not something I'm going to take them up on unless 1) they're extremely young and don't have the infrastructure to manage things or 2) the responsibilities I'm taking on are so heavy that I feel the need to be always on call (and receive appropriate compensation).

Otherwise, if you're hiring me as a developer, I will develop with all my effort during work hours... and then go home. If you occasionally need me to stay late to supervise an off-hours deploy that's cool - no worries... but if it ends up running 4+ hours over a normal work day I expect time in lieu (possibly just starting late the next day).

I feel like I'm at the sort of ideal balance of defensiveness and compliance for an employee - I want to help make your company run better... but we signed an agreement on what I'll be compensated for that effort and what the expectations are and we'll stick to the agreement excepting sane and reasonable requests for minor deviations - a BYOD policy is not one of those. I am not pulling down half a mil - I don't even make six figures US - but I'm still expensive enough that a good work setup: computer, chair, keyboard that doesn't suck and phone if you need me to have it - are entirely incidental costs compared with my salary, employer taxes and health care costs. If you, as an employer, are going to try and make both of our lives more complicated over a one-time $200 cost to the company (and plan cost - which could be non-existent if wifi-only works for the phone) then you don't have your priorities straight (unless, again, you're like a three-person startup then whatever - I get there's already way too much crap each person is trying to handle).

I disagree with Rachel in that I don't think it's ever a good idea to BYOD - even paying for it yourself. Cleaning company software off the device is going to be a pain - and it's going to be a pain when your employment ends, which is a period in every job's life that could always use every advantage it can get to be drama free.
The device discussion is really interesting on so many levels. Especially for non-phones and remote working.

Let's say you live in a studio apartment and you have your own personal workstation set up how you like it. That would be a desktop workstation, couple of monitors, adjustable standing desk, some chair that you like, internet, etc.

Now a company wants to hire you and they want you to use a company-issued laptop. This becomes a serious physical burden on both yourself and your limited space. Using a laptop without external monitors is horrible posture but if you're in a studio apartment you might not have enough space to use a completely separate desk, chair, couple of monitors, keyboard, mouse, etc. We'll ignore the money aspect of having 2 distinct set ups which in the grand scheme of things isn't too big of a deal.

There aren't too many reasonable options here. The company's policy might not allow you to bring your own device and even if they let you use your personal computer, allowing them to audit that or install some remote desktop sharing software that they have free rein over would be total madness.

It's also not that painless to quickly switch around HDMI (or even worse DVI) monitor cables. I suppose you could rig some type of hub that lets you flip a switch to control which computer your monitors, keyboard, mouse, headphones, microphone, etc. are active for. This way you can use your desk setup for both, but now you can't use them at the same time which has its own set of issues. There are also issues like wanting to copy files from your personal machine to the work machine. So you might think ok I'll just allow SSH connections locally but now you've linked both machines to a point where having separation is useless, or maybe you decide to use an external drive that you can swap between both. In either case the work machine has been tainted.
> Basically, when you quit, you have to go through this process of getting your number released from their mega-account with ATT or whatever, and that's just one more bit of turmoil in a time when you just want to be done with it.

I did this about a month ago at the same company Rachel is talking about. It was dead simple. I created a task where I mentioned my personal email account. The next day they mailed me a porting key, which I relayed to my new carrier. It started working within a day. Haven't had an issue so far.

I always felt that some of the writing on this blog had a tendency to make mountains out of molehills. I can't say for sure about the rest of it, but this is definitely a molehill.
My employer doesn't even really allow personal electronic devices on the network, though there is some provision for visitors of course. So if you need a phone they have to provide you one, same for a computer. The same security constraints also basically prohibit accessing work stuff from a personal device. We can't even get webmail; we have to access a managed desktop-as-a-service and get our email from there if we are on a personal device. And the facility is big enough that cell service sucks.

I really appreciate the work/life firewall. Impossible to work on personal devices, impossible to use personal devices at work. And the security posture of them can be different.
I worked for a healthcare company where the deal was you could get email on your phone but only if you installed an app that would allow IT to remote-wipe your whole device at their discretion. I declined.
I'm astonished some companies push the "use your own phone, which we now basically can control" angle. I mean, that's really shitty.

I've been working for the same small software shop (single owner, and I trust him) for 14 years, so the entire development of the modern mobile ecosystem happened while I've been in this job.

I use a personal laptop for all my work. I do this because I have Strong Preferences, and there's no way for the company to interfere with my computer. I can say this because (a) I trust the guy and (b) it's not actually possible for our corporate stuff to affect my personal stuff. (My computer isn't on the domain, for one thing; for another, we've all increasingly moved to "remote desktop into a VM in the colo" as a work pattern, even the devs, because it puts us all closer to the app servers and database servers. What device we use to reach the corporate environment is increasingly irrelevant.)

But this is a post about what OTHER people should do. Most people aren't in my position. Anybody who works for a big corporation -- which I define as "anywhere your boss has a boss" -- should absolutely assume that Bullshit and Chicanery Will Ensue at some point, and treat your personal computing security accordingly. Don't cross the streams if you can at all avoid it. If you must, minimize exposure.
Yeah, it's never felt good to me to mix work and personal devices. I used to travel a lot and took two laptops with me: the work-issued laptop, and my own laptop. Work was done on the work laptop, everything else was done on my own. I heard rumors that screenshots were taken occasionally on work laptops, so I didn't really trust it for anything. I have no idea if those rumors were true. (Both were Chromebook Pixels, hilariously, and honestly the personal one was running my own build of Chrome OS so if Google wanted to spy on me, they could probably sneak the code past me. It's a big codebase.)

I think the more interesting case is the growing startup. I mix work and personal, because work doesn't require any special software. I push code to GitHub and message people on Slack. But the day will come when for compliance reasons we need to be able to state that nobody who accessed production had a virus, or whatever, and I think that will be very interesting. Either we'll have to ask people to install what will be perceived as spyware, or we'll have to buy everyone a "work computer", which will probably be less powerful than whatever personal computer they have. I personally hate maintaining two computers -- I don't have the space for two desks, and I don't enjoy making the same customizations to both (no, dotfiles on GitHub doesn't cover everything unless I make a NixOS image with all the ancillary software I use). But, I also don't enjoy spyware on my personal computer. So I guess all I can do is hope that it never comes up as a compliance strategy -- but you know what they say: hope is not a strategy! ;)
I’ve had two phones in my pocket the last 6 years. How this isn’t the obvious way to go is beyond me. I would cringe every time someone took a photo of Top Secret plans on whiteboard, where they get mixed right in with pics of their kid’s birthday party.
> I also was given a PCI Express (see, I told you this was a long time ago) cellular device which would let me get online with the company laptop from anywhere it had service.

Was this supposed to be PCMCIA or ExpressCard? It's not obvious to me how describing a laptop peripheral as being PCI Express-based is particularly effective at highlighting its anachronistic nature.
> Well, if you end up using any amount of storage (like backing up the device), they are going to want you to pay for it. You'll probably end up typing in a credit card number and all of that stuff.

I don't get this bit. Are you expected to pay for the cloud backup of your work laptop with your own money?
Somewhat related: https://news.ycombinator.com/item?id=28241753 "Apple explicitly asks employees to merge their personal and work accounts"
If companies want you to install certain apps on a phone, then they should be paying for the phone. It's that simple.

I had a crazy boss 15 years ago who read our email. I learned after that to separate work and personal email. The same should be true for devices.
It is insanity that a company as “big” as Lyft is not providing a Corp phone to employees and forcing them to install and connect to so many work related apps and network elements on their own non-work-supplied phone. Absolute insanity.
This is another reason why I Remote Desktop to corporate machines from my personal ones. Fully insulated access to corporate stuff (I turn off file and printer sharing, obviously, although they’re usually disabled anyway), but I get to use my monitors, keyboard, mouse, etc. and don’t have to physically plug in anything.
I guess I have been lucky to work in groups that were fairly focused on operational and personal security, which requires quite a bit of separation between business and personal. Although the larger organization always has broad-brush security measures that lump it all together.

Pretty sure my next phone will be a feature phone.
If you’re working a tech job, you almost certainly have the bucks to get the extra device. Personally, I think it’s a bit scummy that a business would ask employees to do work on a device they didn’t pay for, but that’s a digression.

The long and short of it, I think, is that you should keep things separate because a job is not forever so you should remain prepared to leave, and to keep them from snooping in your personal business. Yeah yeah, that probably won’t happen, but if you keep 'em separate you know it won’t.

MDM and similar also give them the ability to wipe the device at any time, for reasons that could have absolutely nothing to do with you. You know, as a precaution, of course.

Just save yourself the headache.
The shameful thing is that there is no earthly reason why we need separate devices. There should be appropriate isolation mechanisms so that corp-ware stays in corp-land and personal crap stays over on its side of the fence. We have dual sim devices now, so we can even assign entirely separate plans to different device partitions. Separate devices just create more senseless e-waste.