Privacy At Work
In the United States employees have no reasonable expectation of privacy. If you're using company networks or computers for personal communication it's reasonable to expect that some of this data will be discovered by the company, at very least unintentionally. Maybe you're out sick one day and someone needs to check your $HOME or email account for a piece of information that they think you've saved. Maybe the Systems department finds extra data while performing data recovery on your crashed hard drive. Or maybe your employer is actively spying on you, which is fine because monitoring your at-work communication is legal. (Most of the following also applies using networks at coffee shops and other public places where you might find people doing creepy things to your traffic on the network.)
There is no such thing as absolute privacy. There are degrees of action you can take to protect your privacy, and there are degrees of action an adversary can take to circumvent those measures and discover the data you're protecting. I'm not saying that the following measures will guarantee your privacy at work, but I *am* saying that if you follow these suggestions you can reduce the potential for your private data to be exposed to someone else. I've attempted to order my suggestions in ascending degrees of paranoia.
+ Don't leave email, IM messages, websites, or other content open while you leave your desk. Log out of the website and close the window. Don't lock your screen, because administrators can unlock the screen with the administrator password. This is so obvious I almost forgot to mention it.
+ Remind third parties not to send you any mail at work. Private data shouldn't get routed through workplace mail servers and stored on workplace disks. This is important, because if there's an "oops" you are probably not capable of clearing what a third party shouldn't have said off your employer's mail server's disks, even if you can delete it from your desktop. Third parties can also accidentally reveal your address to spammers, so it's just a good idea to keep your work mailbox as spam-free as possible.
+ Read your web mail over SSL connections. Visit https://mail.google.com instead of http. It's just as easy to monitor port 80 as it is to monitor port 25. If you're very concerned about this you can sign up for a HushMail account. Be sure to verify that the SSL certificate was signed by a legitimate certificate provider to be sure that your employer isn't using a man-in-the-middle.
+ Clear private data when you quit your browser. Under Preferences->Privacy->Private Data, check "Always clear private data when I close Firefox" and make sure that everything is checked under "Settings". If you're using Safari, using Private Browsing (aka Porn Mode) is even better since your bits never get written to cache files in the first place. Firefox's Distrust extension appears to do the same thing.
+ Encrypt your IM traffic with OTR. That might mean building your own Gaim with the gaim-otr plug-in active. That might also mean educating your friends on OTR solutions for their end. Make sure to turn off "log all chats", of course - it makes no sense to go through all that trouble to transmit encrypted content while leaving a cleartext transcript.
The Catch: Even if everything between your computer and theirs is completely secure there's always the analog hole. Your employer can still use a VNC to display your screen remotely or SpectorPro to save it for later when a human read it. It's technically possible to have a program that searches the RAM your web browser has claimed to recover strings of content from your web mail, although I've never heard of this actually happening. Employers can also install keystroke monitors to capture your web mail password, but I'm not sure whether it's permissible to use that stolen password to break into your account.
That's why if you're genuinely concerned about privacy at work you should:
+ Read your email on your own laptop. If you use an email client like Thunderbird or Outlook, make sure you're fetching your mail over an SMTP or IMAP connection that's encrypted with SSL. Even better if you can stay off the local network entirely by doing your communicating with an EVDO card. If you keep your $HOME and web cache encrypted with something like FileVault using a sufficiently unguessable password you're probably sufficiently protected from surveillance by your employer although sufficiently motivated and funded state organizations can still intercept your signals or subpoena records from your ISP.
+ If you're not allowed to have a laptop where your work but you're allowed to have a cell phone you can email or IM with a SideKick or other mobile internet appliance and get most of the privacy benefits of a laptop.
If anyone's got any other tips, let me know and I'll add them to this list.
There is no such thing as absolute privacy. There are degrees of action you can take to protect your privacy, and there are degrees of action an adversary can take to circumvent those measures and discover the data you're protecting. I'm not saying that the following measures will guarantee your privacy at work, but I *am* saying that if you follow these suggestions you can reduce the potential for your private data to be exposed to someone else. I've attempted to order my suggestions in ascending degrees of paranoia.
+ Don't leave email, IM messages, websites, or other content open while you leave your desk. Log out of the website and close the window. Don't lock your screen, because administrators can unlock the screen with the administrator password. This is so obvious I almost forgot to mention it.
+ Remind third parties not to send you any mail at work. Private data shouldn't get routed through workplace mail servers and stored on workplace disks. This is important, because if there's an "oops" you are probably not capable of clearing what a third party shouldn't have said off your employer's mail server's disks, even if you can delete it from your desktop. Third parties can also accidentally reveal your address to spammers, so it's just a good idea to keep your work mailbox as spam-free as possible.
+ Read your web mail over SSL connections. Visit https://mail.google.com instead of http. It's just as easy to monitor port 80 as it is to monitor port 25. If you're very concerned about this you can sign up for a HushMail account. Be sure to verify that the SSL certificate was signed by a legitimate certificate provider to be sure that your employer isn't using a man-in-the-middle.
+ Clear private data when you quit your browser. Under Preferences->Privacy->Private Data, check "Always clear private data when I close Firefox" and make sure that everything is checked under "Settings". If you're using Safari, using Private Browsing (aka Porn Mode) is even better since your bits never get written to cache files in the first place. Firefox's Distrust extension appears to do the same thing.
+ Encrypt your IM traffic with OTR. That might mean building your own Gaim with the gaim-otr plug-in active. That might also mean educating your friends on OTR solutions for their end. Make sure to turn off "log all chats", of course - it makes no sense to go through all that trouble to transmit encrypted content while leaving a cleartext transcript.
The Catch: Even if everything between your computer and theirs is completely secure there's always the analog hole. Your employer can still use a VNC to display your screen remotely or SpectorPro to save it for later when a human read it. It's technically possible to have a program that searches the RAM your web browser has claimed to recover strings of content from your web mail, although I've never heard of this actually happening. Employers can also install keystroke monitors to capture your web mail password, but I'm not sure whether it's permissible to use that stolen password to break into your account.
That's why if you're genuinely concerned about privacy at work you should:
+ Read your email on your own laptop. If you use an email client like Thunderbird or Outlook, make sure you're fetching your mail over an SMTP or IMAP connection that's encrypted with SSL. Even better if you can stay off the local network entirely by doing your communicating with an EVDO card. If you keep your $HOME and web cache encrypted with something like FileVault using a sufficiently unguessable password you're probably sufficiently protected from surveillance by your employer although sufficiently motivated and funded state organizations can still intercept your signals or subpoena records from your ISP.
+ If you're not allowed to have a laptop where your work but you're allowed to have a cell phone you can email or IM with a SideKick or other mobile internet appliance and get most of the privacy benefits of a laptop.
If anyone's got any other tips, let me know and I'll add them to this list.