Recently I started working from home (like half of the world these days due to the coronavirus). Work has provided me with a laptop/screen etc. and a VPN to the company network. I only use this laptop for work purposes (but I am logged into WhatsApp and Facebook on it) and not outside work hours (although sometimes I forget to turn it off directly).

Today I received an e-mail from HR stating that they have done some tests, because the network has been bad, and that IT has concluded this is due to extensive use of sites such as Netflix etc. IT has provided HR with a list of IP addresses where this was ascertained. HR has requested everyone to stop doing this immediately. They consider this to be an incident, which they expect to not happen again.

This e-mail was written as if it was sent to the whole company. A list of the 'guilty' IP addresses was stated in the e-mail and everyone was asked to check for themselves if it's you (due to privacy regulations, they say). However, I explicitly saw only my name in the 'receivers' of the e-mail, so it appears as if they know who they sent it to and put everyone in BCC?

At first I laughed at it, but when I saw that it appeared to be sent only to me I decided to check the IP. And I've double-checked about 10 times so far, but my IP was clearly on the list...

Now I do watch a lot of Netflix since the quarantine, but I do so on my own laptop/phone and in my own time (or maybe once for 10 minutes on my phone during my lunch break).

Now I assume that they are referring to watching Netflix on the company laptop during work hours. And I want to reply and tell them that what they are saying (or basically accusing me of) is not true. But I also don't want to end up having any kind of problem with HR.

So now I wonder: can IT see what I do on my own phone/laptop, now I have a company laptop at home?

To me, it seems too ridiculous that this is what they are referring to. Besides, I don't think that they can tell me what I can and cannot watch on my private devices outside work hours. Or, if I was living with someone, what a partner can and cannot watch on a private device while I work from home. But the e-mail is framed in such a way, as if it were already a fact, that it makes me doubt this.

I spoke about this to someone else, who thought that maybe IT sees that my internet is a problem. Tonight, I ran some speed tests and my download is 19 Mbps and upload is 3 Mbps. FYI: I work in customer service and I call over the internet (and do experience problems with this).

luxafle
  • Is there any way you might be using their network with your personal devices? For example, are you using a wifi hotspot provided by the company or could you be somehow connecting to their VPN? – chillsauce Apr 01 '20 at 00:26
  • It's hard to say without a lot of missing information. If they sent everyone the email as BCC, everyone would only see their own name. The company would know the IPs of everyone remote connecting. It's likely that some people did stream via corporate connections so corporate simply accumulated all user IPs and sent a mass BCC warning, irrespective of actual violations. – user10216038 Apr 01 '20 at 03:35
  • What kind of IPs are on the list? Internal IPs from your corporate network / locally private IPs from your LAN / public IPs of your home? - If it were via company net, why don't they centrally block Netflix at their firewall? What they perhaps *can* see is a fluctuation of bandwidth that may look suspiciously like someone sharing their line with a streaming user. However, you share bandwidth even with people not directly in your household ... – Hagen von Eitzen Apr 01 '20 at 06:03
  • @chillsauce: With my personal devices and with the company laptop I am connected to my personal home wifi. The company laptop can connect to their VPN, which I need to do in order to work. – luxafle Apr 01 '20 at 07:56
  • @user10216038: that's exactly what I was thinking. But it bothers me a lot that they accuse me of something (it wasn't just Netflix they were referring to..) and send it to me explicitly, pretending to not know who the people are or not wanting to publicly shame them. – luxafle Apr 01 '20 at 08:02
  • Additional information I thought of later: I think I have logged into my personal google drive at work before. Perhaps my google account is linked to my work? But then still: I watch Netflix outside office hours and on my personal devices. I really don't understand why I would receive a warning like this. – luxafle Apr 01 '20 at 08:06
  • @Hagen von Eitzen: the IP is my personal IP, so from my personal network. They said that if you would check (from the work laptop I assume) and would see xx IP, then it was the work IP, meaning you were connected to their VPN. In that case you had to disconnect the VPN and check again. When I checked on my phone, I saw the same IP. But if that's from my LAN or public from my home, that I'm not sure about.. – luxafle Apr 01 '20 at 08:13
  • Another thought: can they see what I do on my personal devices when the work laptop is still on and connected to their VPN? – luxafle Apr 01 '20 at 09:17
  • This is a question to ask your IT team. Say that it is your IP listed, but you have not done what they say. Ask about their process for determining the offenders so that you can investigate on your end. – schroeder Apr 01 '20 at 14:23
  • Does the work you're doing consume an unusually large bandwidth compared to most other workers, and/or might you have been moving a lot of files/data between your work PC and their servers? It _might_ be that the "offending IP-list" was created by looking at the highest-volume users (only _some_ of which they've checked as using Netflix etc.). – TripeHound Apr 01 '20 at 14:40
  • @luxafle I'm not sure how technical you are so you may have checked this already, but does your IP begin with 10, 192, or 172? If so, this could just be a coincidence as those IP addresses can exist on multiple networks (they are translated to unique IPs by your router/modem through a process called Network Address Translation). It would be unusual and possibly even illegal for your company to sniff traffic from/to personal devices on your personal network. – chillsauce Apr 01 '20 at 14:51
  • seems like the most likely case is the work laptop... it could be configured to always connect to the company's VPN. If you use that for anything but work, they may have flagged it. – pcalkins Apr 01 '20 at 19:35

3 Answers

The other answer is technically correct in saying that it is possible to monitor your network from a device on the network. Sure, any adversary controlled device could potentially be used to pivot and attack other parts of your network, including monitoring.

But, the key word there is adversary. A legitimate company would not be actively attacking your home network from your work laptop. This would likely be illegal in nearly every jurisdiction. If you have evidence that your work laptop is performing malicious activity, that's an (unlikely) different story.

Simply put, your work should not be monitoring any traffic besides what is going through their corporate VPN. Why would they care what you do on your personal network, regardless of during work hours or not? Their concern seems to be resource use of the company network.

So, if you are not watching Netflix on your work computer, then it is likely a mistake on their part, or some other misunderstanding. This boils down to more of an HR issue than a technical one.

My only other thought: do you live in a complex with other residents, all sharing the same internet connection (and public IP address)? If so, maybe somebody else also lives there who works for your company and is misusing the company VPN.

multithr3at3d
Your question can be looked at from two different sides:

  1. Technically: it is possible to monitor activity from any computer if the right tools are installed. Maybe you've connected to those sites for a couple of minutes using the company laptop.
  2. Privacy: They shouldn't be monitoring your activity unless you have signed an agreement for that.

My advice: Ask specifically if they meant the message for you, and ask for suggestions on how to avoid doing that by mistake (i.e. connecting while you have the VPN open).

schroeder
I basically copied and pasted your question into Google and the answer is yes.

There are also multiple questions similar to this one: Can my employer see what I do on the internet when I am connected to the company network?

On top of my personal knowledge, when it comes to your personal device, as long as your work device is connected to your home network, it can see your network traffic if they really wanted to.

As for your device itself, it can have all sorts of monitoring software you never knew was there, since it's meant to be hard to detect. Screen capture and all the sorts.

When you connect to their network, if you google "What is my IP" you will know if you're on their network or not, depending on whether it matches what's set up in the VPN. I assume they set you up via VPN settings in Windows. If you look at the configuration for that, you will see the IP added. Local IPs could easily be accidentally mistaken for your IP if your network is built similarly. Same subnet, addressing scheme etc. It also depends on whether your IP is static or not.

Just because you were in BCC doesn't mean you were targeted. My guess is it would deal more with privacy of others. Like if you were to do "Reply All" and accidentally send an email of you defending yourself or keeping email chains separate.

A short answer is, as long as that work PC is on your home network, they have the potential to see anything you do. Legal or not.

ConnorS
  • This is highly unlikely due to the context. They are worried about the VPN quality, not any traffic on everyone's home wifi. – schroeder Apr 01 '20 at 14:21
  • "... *as long as your work device is connected to your home network, it can see your network traffic if they really wanted to. ...*". No, not unless they performed an illegal active and noisy attack on your home router. – user10216038 Apr 01 '20 at 16:42
  • @user10216038 If it is a wifi network then ConnorS is right and the packets can be sniffed passively. On switched networks a noisier attack might be necessary. – chillsauce Apr 01 '20 at 17:45
  • @chillsauce - Assuming a basic WPA2 connection, you'd have to capture the individual *nonce* initializations then crack the PTK. Possible but not that easy. You're correct if it's WEP, but hopefully no one uses that anymore. – user10216038 Apr 01 '20 at 17:58