Can my employer see what I do on the internet when I am connected to the company network?

Yes. Always assume yes.

Even if you are not sure, always assume yes. Even if you are sure, they might have a contract with the ISP, a rogue admin who installed a packet logger, a video camera that catches your screen... yes.

Everything you do at the workplace is visible to everyone. Especially everything you do on digital media. Especially personal things. Especially things you would not want them to see.

One of the basic rules of Information Security is that whoever has physical access to the machine, has the machine. Your employer has physical access to everything: the machine, the network, the infrastructure. He can add and change policies, install certificates, play man in the middle. Even websites with 'SSL' can be intercepted. There are plenty of valid reasons for this, mostly related to their own network security (antivirus, logging, prohibiting access to certain sites or functionalities).

Even if you get lucky and they cannot see the contents of your messages, they might still be able to see a lot of other things: how many connections you made, to which sites, how much data you sent, at what times... even when using your own device, even using a secure connection, network logs can be pretty revealing.

Please, when you are at work, or using a work computer, or even using your own computer on the company network: always assume everything you do can be seen by your employer.


Is it your device?

There are two ways you can be monitored - either what you do on your computer is being logged on your computer, or the internet traffic it generates is being logged somewhere else on the network.

There are many ways to prevent snooping on the traffic while in transport, but if it is not your computer (or smartphone or tablet) it is always possible that some kind of logging software is installed that could potentially monitor everything you do on the device, no exceptions. The same goes if you have allowed your employer to tamper with the device, e.g. install some software.

Now this might not be as likely as your traffic being logged, because many employers who do not work in a high security area might not find it worth the effort, but it is still a very real possibility. Therefore, if you are using a device provided by your employer they can potentially see everything you do no matter what precautions you take.

When browsing, are you using HTTPS?

So let's say you use your own device and your employer has not installed anything on it (maybe you connect your private smart phone to the office Wi-Fi). Can they still see what webpages you visit by monitoring the network traffic?

This depends on if you use plain HTTP, or if you use HTTPS. If the address you visit begins with https:// it means that the communication is encrypted - the S stands for Secure - but if it begins with http:// it is not. You can also check if there is a padlock icon in the URL bar - see instructions for Firefox here.

There are some big caveats here, though:

  • What domains you visit will still be visible. So if you visit https://example.com/secret your employer will be able to see that you visited example.com, but not that you specifically visited the secret page, what was written there, or anything you posted.
  • If this device is office-issued or has been tampered with by your employer, it is trivial for them to read all traffic going either way. This is done by installing a certificate on the device. Once done, they can intercept data from the server or from you, decrypt it, re-encrypt it and send it to the recipient with no one the wiser. HTTPS will not help you.

For other apps, are they using encryption?

We do more on the internet than just visiting webpages with a browser. Both your computer and your phone probably have dozens of apps installed that use the internet somehow. What about those?

Sadly, this is a bit more opaque. By default the owner of the network can read (and modify) everything you send or receive over it. To stop that, some kind of encryption must be used.

If any specific app uses (correctly implemented) encryption or not is hard to know, unless the makers of the app actively advertise it (and you trust them...). Some apps, such as WhatsApp, famously use encryption while others don't. I would recommend you to assume that the traffic is not encrypted unless you know that it is.

TL;DR

It depends. To be on the safe side it may be a good idea to assume yes, and just do any sensitive business from your own private home network.


In order to make an efficient argument, we will investigate the possibility of how snooping can be done.

It should be noted: not all companies will monitor your behavior, even if given the opportunity. This is a strictly hypothetical investigation. We are only investigating the possibility of snooping, not how your employer utilizes it. How you assume your employer to behave is between you and your employer.

With those things said, there are pivotal points to be considered when investigating the degree of possibility of snooping:

  • Who owns the hardware you use?
  • Whose network are you using?
  • Who is around?

Who owns the hardware you use?

If you use employer-owned hardware, this is probably the worst-case scenario. Your employer has a broad spectrum of tools to choose from when determining how to snoop. If you use your employer's hardware, anything is possible: everything can be monitored. Employers have complete autonomy when setting up hardware. Keyloggers, screen recorders, packet manipulators, and annoying reminders to keep working are just a small list of what can be installed on the computer without your consent because it is not your computer. It is impossible to verify that something has been tampered with any confidence. Even if you manage to use a different network (unlikely), the data can pass between any number of hardware before reaching your monitor. As stated before, this is probably the worst scenario to be in.

You work at a video production company. The software essential to the purpose of your position is expensive and resource-intensive, so you're provided with a company-built machine with an Adobe software suite, Blender, etc. to use while you're in the office. Your team lead seems to hint that he knows a lot about the details of the project you've been working on, so you decide to investigate the software installed on the computer. Fortunately, the "uninstall a program" window inside of Windows Control Panel doesn't show anything suspicious.

Then you remember that article on how programs can be hidden from control panel. The only way then is to view the registry, which is not possible when you don't have the administrator account (you don't). No administrator account, no assurance.

Whose network are you using?

Anyone who has used Kali Linux before can tell you, networks can be vulnerable (and usually are). But monitoring/manipulating with Kali and monitoring/manipulating your local network are two completely different ball games. Having control over the network gives you access to all traffic from all MAC addresses. Sometimes the traffic will be garbled (encrypted), sometimes it will be plain text (unencrypted). However, traffic is all monitoring is limited to. Only things you do over the network are viewable; if it isn't networked, you're safe*.

Unencrypted traffic is dangerous. Anyone who listens in can see what goes in and out of your ethernet/wireless card and where exactly it goes. This is not good if you want to mask what exactly you're sending across the wires (a comment on a blog post, a file sent to an FTP server, or an email sent over an SMTP server not using SSL). To be safe here, using TLS/SSL will keep you safe-er. This will encrypt the information sent over the line, keeping the content inside the packet between you and the server.

However, you must also consider that even with TLS/SSL, possibility for snooping is still present. "Metadata", or data about your data, can still be collected due to the nature of how your computer makes requests over the network. You still have to inform the router connected to the internet of where you want information from, or where it needs to go. Virtual Private Networks add protection from this level of snooping** by encrypting all network traffic and sending it to a router somewhere else, masquerading as you.

You decide to bring your own workstation to work after the previous privacy fiasco. After connecting it to the network, everything goes smoothly. However, you notice that your team lead brought up a topic of discussion that reminded you a lot of the comment you made on a message board. Like before, you decide to investigate. You read up on security.stackexchange.com and find out that you might have had your information snooped. In defense, you begin to encrypt all of your traffic using a VPN. After many more blog posts, you notice that the conversations tend to happen less fluidly. Success!

*: Careful here, as some software not used on the internet may still send usage information in the background. It is best practice to notify the user of this in advance (Check here to send anonymous usage statistics to X company), but not all will.

**: It is possible to block VPNs by MAC address or by using an alternate DNS to prevent connections to VPNs. This is common practice by some ISPs.

For the last point, we will begin with our example:

Suddenly, your employer starts mentioning those topics similar to the message board you follow again. You think to yourself, "But wait! My hardware is secure and my traffic is behind a VPN! How is this possible?!"

Who is around?

Sometimes, the easiest way to collect information is to look for it. Literally look. Cameras, peeping over your shoulder, using binoculars to look at your screen across the room, looking at your computer while it's still logged in and you're in the bathroom, etc. These "medieval methods" of snooping may be crude, but I would rather walk up to someone's computer and find out what I want to know compared to doing all the hard work of network/hardware snooping.

Also, this is arguably the hardest to defend against without making serious changes in your physical behavior and space, some of which may not be possible inside the confines of an office. I leave examples and solutions to those paranoid enough to worry about and solve these problems, as some are extremely tedious (imagine using two-factor authentication combined with a biological scan and...you get the point).