Hiding my personal documents from the IT department

2

I have a laptop from my job, a large corporation, and I would like to use it for my personal needs and documents as well. The laptop goes with me everywhere and it's comfortable.

However, I am not comfortable with the IT department having access to my personal documents. I have no specific reason to think they will access them, but they can, and it doesn't feel right. I am looking for ideas for technical solutions that will ensure that IT cannot read my personal documents.

More information:

  • The IT department is the administrator of my computer
  • I will be using an online backup tool for backing up my personal documents, so in case I'm fired, I will still have my data.
  • Currently, IT can technically access the data stored on my disk whenever they want. I'm not sure by what means exactly. I do know that they use "DameWare" remote control to control my computer from time to time, for troubleshooting problems. My C: drive (the only hard disk on the computer) is marked as not shared.
  • The system: an i7 computer, 4 GB RAM, running Windows 7 32-bit
  • Let me know what other information you need to respond

I want to emphasize that I believe the situation itself, of me storing some personal documents of mine on the work computer, is OK with my employer. The problem here is my privacy.

Edit: Unfortunately, I cannot add comments to your answers, as I wasn't logged in when asking the question and now Super User doesn't recognize me as myself. Anyway, I don't believe anybody is spying on me on purpose, so I don't worry about keyloggers and screen captures. I don't think they are installed. The realistic scenario is an IT guy looking at my files out of curiosity while doing maintenance work. @Stephen-Jennings, thank you for your excellent answer.

A question regarding an external SSD: won't IT be able to access it via DameWare or other similar means when it is connected to the computer? Can I prevent this? My intention would be to leave it connected always.

Bill

Posted 2013-04-11T07:07:24.320

Reputation: 51

Question was closed 2013-04-11T18:20:49.070

3 You have a work computer! It's not your computer and so although the company are OK with your personal use as well, the IT team will be administrators and therefore can get access to it all (as they should). Other than password protecting folders and files with software (Google it) you don't have many options. – Dave – 2013-04-11T07:20:41.933

Please look at http://superuser.com/help/user-merge to have your duplicate accounts merged – simply fill out the form. – slhck – 2013-04-11T08:56:50.943

Answers

8

First, I would recommend getting explicit permission to use the laptop for personal purposes and to hide that personal information from the administrators. You don't want your employer to lose trust in you because you're doing something sneaky with their property without telling them.

To answer your question, you could use TrueCrypt to keep your files in an encrypted volume. The files would only be readable after entering your password. You can keep the encrypted volume on the laptop's disk, or you can keep it on an external flash drive or hard drive.

However,

As long as there are other administrators on the computer, you cannot be 100% certain that they can't get access to the same files that you can. As long as they have full access to the operating system, they can unlock just about any lock you put in place if they're determined enough.

True, they can't break TrueCrypt's encryption as long as you use a strong password. But even if you encrypt your files, at some point you must decrypt them to work on them. At that point, the computer could secretly log the password you type in, or it could start creating unencrypted copies of your files the instant you decrypt them. It's difficult to be sure the other administrators haven't done something like this.

That said, it's unlikely your IT department has a desire to secretly spy on your files, even if they had the time and resources. Unless you work with particularly sensitive data or in a heavily-regulated industry, they probably don't have keylogging software that would capture your password or elaborate file-copying software to decrypt your files. They probably just use DameWare to get remote access for fixing problems and patching the system.

Probably.

But I can't say for sure, and neither can you. You'll have to decide for yourself how much risk you're willing to tolerate. If you absolutely can't let the admins have access to your files, the safest option is to keep them off a computer they have complete control over.

Stephen Jennings

Posted 2013-04-11T07:07:24.320

Reputation: 21 788

In many countries it's illegal to spy on employees. I think this is illegal in the EU. Maybe in some situations it is allowed, but then only when the employee is informed about it. – SPRBRN – 2013-04-11T09:40:29.597

It's amazing how fast TrueCrypt is. I would expect a serious slowdown, and there is simply none – Bill – 2013-04-11T18:01:30.893

Probably TrueCrypt is all that I need. My main concern is about them backing up my files somewhere in a routine action, and then a copy of my files lying somewhere out of my control. The other scenarios seem unlikely – Bill – 2013-04-11T18:04:25.847

4

Use an external SSD or other device, if your administrator allows for this. Other than that, you can save your files directly online with services. Some plugins like AddToPicasa http://www.howtogeek.com/howto/2632/quickly-save-photos-to-your-picasa-web-albums-with-addtopicasa/ can be helpful.

user1725396

Posted 2013-04-11T07:07:24.320

Reputation: 41

Saving to an external hard drive or flash drive is probably a good solution to somewhat prevent personal files from being "mixed" with your work stuff. Although there will always be temp files etc. that end up on your work machine, the vast majority of your stuff will not be captured by your employer either accidentally or on purpose. – cloneman – 2013-04-11T07:44:10.537

However, keyloggers or screen captures will severely limit your privacy in any scenario.

To improve browsing privacy, consider using a portable browser running off your external drive. However, network traffic monitoring could compromise you here, you would have to encrypt it as well. – cloneman – 2013-04-11T07:50:41.623

3

First of all, it is a work computer. That means that IT will have admin access and that there is no guaranteed way you can do anything with it without them being able to detect it.

Having said that, here are four thoughts:

  1. IT personnel are not in the habit of snooping around. (And depending on the country/laws that might even be illegal to do without a very good reason.) Thus if you keep your documents in a folder called 'private' then they will leave them alone. Usually this is good enough.

  2. You can encrypt that private folder. TrueCrypt is one of the ways to do that, just make sure you do not lose the encryption key. Note that this will not make it impossible for someone to read the encrypted data. It is just harder to gain access. (They are still admin on that laptop and can intercept any key, or access it after you decrypted it to work with.)

  3. You can avoid that using a completely different OS. E.g. swap hard drives, or use a second drive (easy if you can put one in place of the CD drive, or if the laptop has eSATA). Install your own OS on that and select (usually using F12) which OS to boot.

    If you use full disk encryption on the second OS drive it will not be accessible after booting the work OS. - Alternatively, unplug the drive before booting the work OS.

  4. Or just use your own laptop.

Hennes

Posted 2013-04-11T07:07:24.320

Reputation: 60 739

#3 Could also be done very easily using a thumbdrive to boot up a live OS. This and #4 are really the only 100% guaranteed methods I can think of for being sure no one is watching without possibly voiding a warranty and causing a lot of trouble if you needed to take it to IT. – krowe – 2014-09-24T05:04:11.657

2

Even when your employer agrees and even when you specifically state that those documents are personal, your employer may still have the right to access them, depending on your legal system.

You can encrypt your folders with TrueCrypt or zip/WinRAR, but note that it would be trivial for any administrator to recover a password for any file if he has administrator access as he can even install keyloggers if he wants.

It simply is not your laptop in two ways:

  1. You don't own the hardware
  2. You are not the administrator

If you are not comfortable with your IT department having access to your files, then simply do not put them on your corporate laptop.

Lucas Kauffman

Posted 2013-04-11T07:07:24.320

Reputation: 2 545

Without a keylogger installed can you explain how it would be 'trivial' for an admin to retrieve sufficiently strong RAR/ZIP/TrueCrypt passwords? – Karan – 2013-04-11T14:21:01.427

When a Truecrypt volume is mounted the decryption key will be in memory. For the case of rar/zip it's less trivial, but the usability is also a lot worse. To keep the window for an attack low, you would need to Unrar => do something with the files => rar the files; Secure wipe the files which were initially unrarred. – Lucas Kauffman – 2013-04-11T14:26:25.970

I believe TC does erase its matter keys from RAM on normal shutdown/hibernation/volume dismount. Even if unencrypted data is present in RAM though I still think it would be far from trivial to reliably retrieve everything that the OP was working on when he had possession of the laptop. A keylogger would be a far simpler and more reliable method if IT really was interested to that extent in his data (which I don't think is the case anyway), don't you agree? – Karan – 2013-04-11T14:33:09.373

Yes, I agree that trivial would probably be exaggerated, it would not be possible if the user had shut down his computer. I think the only way would be if there is a BSOD which would result in a memory dump or if the admin accesses the machine when it's still running. But yeah, extracting a key would be a lot more difficult than just installing a keylogger. I've edited my answer. – Lucas Kauffman – 2013-04-11T14:42:54.670

Thanks for the edit, and for the record I meant "master" keys in my previous comment (darned minuscule mobile keypad!) – Karan – 2013-04-11T14:54:51.327

1

I promise you, the old dude with a pony tail that's making $14.50 / hr is too busy chasing problems in the system he created in the first place to care about files on your local disk. If you're really that big of a privacy freak, keep your private files at home, but I promise you, nobody really cares. I used to do IT for a large, large, conglomerate and I assure you, the IT guy could care less.

However, with that being said, with DameWare, IT can see your screen at any time. So all the encryption in the world won't prevent them from seeing your screen in the event they start a session while you have these files open. Do yourself a favor, and keep your personal files on your personal computer.

MDT Guy

Posted 2013-04-11T07:07:24.320

Reputation: 3 683

0

One word:

Steganography

Please read THIS page.

When your IT department looks into your files for whatever reason, they will only see some pictures of family and friends and other innocent things (don't go wild, choosing pornographic images or offensive ones otherwise) and most probably gloss over them. It is a safe bet if you encrypt the files using something like a zip program, before burying them in the pictures.

MelBurslan

Posted 2013-04-11T07:07:24.320

Reputation: 835

0

Working for a large corporation means that they definitely have a policy in place for accessing network resources and using devices and equipment. You probably agree to it every time you log in to the system. If I were you, I wouldn't ask them permission for using the laptop for personal purposes because the answer is going to be NO, point blank. I will certainly not ask them not to look at my personal files because that's when they will look at them. Let's face it, everyone from the CEO to the janitor utilizes resources for personal purposes to some degree.

Things you can do to protect your privacy as much as possible:

  1. Make your files hidden files.
  2. Place all of your files (pictures, music, text documents) in one folder.
  3. Install freeware such as "mylockbox" and place the folder in it to password protect the folder.
  4. Change file and folder options to "Don't show hidden files and folders".

The reality is that they can access anything at any time. If you ask them not to, you will draw attention to yourself and represent a red flag.......

Mohamed H

Posted 2013-04-11T07:07:24.320

Reputation: 43

1 I disagree with making the files hidden. As an admin I might wonder why a roaming profile is that long to load. A simple du showing a XX GB private folder will be left alone. A folder showing XX GB and no idea why will attract attention (as well as a virus scan). – Hennes – 2013-04-11T12:43:45.793

For a corporate with hundreds of employees and thousands of computers, the system admin probably doesn't have time to 1. wonder and 2. notice. But again, everything is possible and if the IT dept. is adequately staffed, they are likely to notice. I like your idea of just using an external eSATA..... – Mohamed H – 2013-04-11T15:40:56.600

1 Heh. Dream on. Last time we had 150 people to migrate. No standard image. A network too slow to handle all that so we had to migrate users one by one from XP on Dell Latitude C's (USB1 based!) to modern Latitude-D, using USB HDD to rescue data. I did not care what the data was, but I cared on how much it was and how long it took. (USB1 speeds are not fun when copying a user's critical mission data MP3s) – Hennes – 2013-04-11T15:46:48.897

0

Quite simply, you don't. There are a few elements to this, not all of which are technical.

First and foremost, your organization's AUP - since that determines what the organization allows you to do, and what your organization is allowed to do with your systems. In general though, without a formal order from higher up, with reasonable cause, there's no reason someone should be rooting through your system. Know your rights, and your limits, and you should be fine. For all the mistrust of IT, most IT folk have better things to do than root through your private files. If you do not trust a system, implicitly or explicitly, do not use it.

Non technical answers are boring, so, read on.

You'd want to keep it on storage media you control yourself, as suggested before. Firstly, simply because the moment you unplug it, while there might be a trail left that the document existed, the document itself is less likely to be on the hard drive. If it's just a matter of needing a system, consider buying a hard drive, installing your OS of choice and swapping drives when working on personal systems, assuming you don't have a BIOS lock. Otherwise, just don't use the system for sensitive information at all.

From your mention of documents, it's also worth noting that Microsoft Office occasionally makes copies for automatic recovery in the temporary directory. It's worth clearing out, if you're worried about privacy. The location and file extension may vary if you're using something else.

Journeyman Geek

Posted 2013-04-11T07:07:24.320

Reputation: 119 122
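
An added example, not part of any post above: a small Python audit for the leftover copies the last answer mentions, so you can see what an editor left on the internal disk after working from an encrypted volume or external drive. The file-name patterns and the `%APPDATA%\Microsoft\Word` folder are assumptions based on Microsoft Office defaults; other software names its working files differently.

```python
import fnmatch
import os
import tempfile

# Assumed Microsoft Office residue patterns (matched against lower-cased names).
RESIDUE_PATTERNS = {
    "~$*": "Office owner/lock file (leaks the document name)",
    "~wr*.tmp": "Word working copy",
    "*.asd": "Word AutoRecover copy",
    "*.wbk": "Word backup copy",
}


def classify(filename):
    """Return why a file name looks like document residue, or None."""
    lowered = filename.lower()
    for pattern, reason in RESIDUE_PATTERNS.items():
        if fnmatch.fnmatchcase(lowered, pattern):
            return reason
    return None


def find_residue(roots):
    """Walk each root and return sorted (path, size_bytes, reason) tuples."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
            for name in files:
                reason = classify(name)
                full = os.path.join(dirpath, name)
                try:
                    if reason:
                        hits.append((full, os.path.getsize(full), reason))
                except OSError:
                    continue  # file locked or removed while scanning
    return sorted(hits)


def default_roots():
    """Per-user temp directory, plus Word's AutoRecover folder if APPDATA is set."""
    appdata = os.environ.get("APPDATA")
    word = [os.path.join(appdata, "Microsoft", "Word")] if appdata else []
    return [tempfile.gettempdir()] + word


if __name__ == "__main__":
    for path, size, reason in find_residue(default_roots()):
        print(f"{size:>10}  {reason:<50}  {path}")
```

Run it after closing your documents and dismounting the volume; anything it lists is still sitting on the work machine's own disk.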