This headline is misleading.
>This applies to work-managed devices and doesn’t affect personal devices.
"All Your Text Messages" implies _all_ messages, which is not the case.
Looks like it shows a very obvious warning in the messages app.
See screenshot here.
Headline is clearly click-bait.
https://support.google.com/work/android/answer/13761869#zipp...
> While employees have long been aware of the risks in over-sharing on email — a woefully insecure technology that is easy for employers to monitor, texting has been seen as different.
I don't think they're even that aware, but yep - this will get some careless folks in trouble.
>"allowing employers to intercept and archive RCS chats on work-managed devices."
Key phrase there. You should already be treating any employer provided device as completely compromised. Never do anything on those that you wouldn't be perfectly comfortable having projected on a screen in front of your entire company at a meeting.
Never assume anything you do on a work device or a work network is private
I'm surprised this wasn't already the case for work phones?
The article says it will allow "employers to intercept and archive RCS chats on work-managed devices."
I can read that as applying to personal phones hooked up to employer services. I think it's pretty common to force employees to consent to allowing their employers to manage their device to get access to work email on it. I'd always assumed that just meant they could remote wipe it, but maybe it's even worse than that.
Since this is on Android, this policy should only apply to the version of the Messages app within the work profile, right? If it didn't and could access personal messages, that would be crossing a line.
Reading the post makes it sound like this only happens on managed devices; whether that means "owned and provided by work", "within the confines of the work profile on a BYOD device", or both, I'm not 100% sure.
> I think it's pretty common to force employees to consent to allowing their employers to manage their device to get access to work email on it.
Is it common? I've only been asked to do that once, and I declined. I explained that it's my policy to never use my personal equipment for work purposes or my work equipment for personal purposes. They provided me with a work phone to use, instead.
It’s been taking Google a minute to fully reinvent the wheel with their proprietary instant messaging solution du jour.
Periodic reminder that E2EE chat apps like Signal cannot protect you from a device that betrays you (MDM). I don’t use Signal on any work devices. I can’t do anything about my colleagues who chat with me and do.
Could you explain how MDM would breach E2EE? I know that it can be used to MITM TLS connections, but not aware of a way it would breach E2EE like Signal.
It doesn’t breach E2EE; it gives your employer control over the device. Once messages are decrypted on the phone so you can read them, anything your employer deploys via MDM (screen capture, keylogging, backup/forensics tools, admin unlock, etc.) can potentially copy them.
On a company-owned, fully managed device, you should treat MDM as roughly equivalent to handing your boss an unlocked device: anything you can see on-screen could be captured or exfiltrated by tooling they deploy.
Ah. In the EU, folks are mostly protected against that kind of overreach, even if the phone is a work device: https://globalfreedomofexpression.columbia.edu/wp-content/up...
Google post: https://blog.google/products/android-enterprise/rcs-archival... (https://news.ycombinator.com/item?id=46109856)