HACKER Q&A
📣 illud_tempus

My client wants an agent on my laptop. Is this the new normal?


I work from home in the EU as a freelancer for a US startup.

A few days ago, an email came out of the blue, demanding that I install an "agent" from a company named "Drata"* on my laptop. The motivation is that my client badly wants a SOC 2 certification.

I have worked as a developer for more than 30 years. Tiny shops. Startups. Major league. I have never even heard about someone putting agents on developers' laptops.

I'm pretty pissed off. So are the teams I work with.

Is this the new normal now?

Just for the record: I don't have credentials to production systems, and I don't work with production data. I just figure out how to transform dreams into code, I write parts of that code, and then I fix it as needed.

* Drata (https://drata.com/about) is on a "Mission to Help Build Trust Across the Internet". Their business model (in my case) seems to be to take money from companies to spy on their employees/contractors, and then they sell the employees/contractors private information to "targeted advertising". When I confronted them about this, they replied: "Feel free to reach out to your Drata administrator internally with concerns. Do note, that when your company contracted with Drata, any edits or redlines they provided will prevail for all employees of your company." - basically to just bend over and smile.


  👤 gnfargbl Accepted Answer ✓
If you are a freelancer then your contract should allow you to do work for others. In which case, your response to this client has to be "Sorry, but my business laptop potentially has data from other clients on it. I can't let you install this monitoring agent without violating my contractual confidentiality agreement with those other clients. I always maintain client confidentiality and will do the same for you. If you want to ship me a dedicated laptop for your engagement, I would be happy to install whatever you want on it."

👤 hericium
The concept of "working from home" forced by the pandemic is harming the "remote working" community by extensive invigilation and moving harmful office behaviors to private space.

I talked to an Intel HR person (informal chat, I never applied there nor planned to) 2-3 months ago and after I stated that after a decade of remote work, I see pandemic-driven introduction of harmful concepts like spying on previously trustworthy contractors by control-freaking managers that have no idea how to prove themselves in the new reality, I was given a look which would usually be reserved for a psychotic person believing that they're being watched 24/7. Quite a unique experience, contrasting with how HR folks are trained to do sect-like "love bombing".

You want me to work for you and deliver results? My pleasure - that's what I do.

You want me to hang a company logo in my place and sit in front of camera multiple times a day, log every minute of my time and creep on me in other ways? I never worked in "Office Space"-like environment and I'm not planning to. Go fuck yourself, I'm out.


👤 lucraft
There's a load of nonsense in the comments here today.

* Drata is a vendor that helps a company navigate your SOC2 compliance process, by organizing all the controls and helping you gather evidence that you have done so. For instance, they'll connect with Github and make sure everyone with access to your repos is a company employee. If you don't use Drata you have to gather this evidence yourself, repeatedly over months, and it's a pain.

* The Drata agent is a pretty innocuous thing. It checks you have done things like turn on disk encryption, have updates enabled, and that the screen locks if you walk away. It does NOT monitor employees' activities. These kinds of security checks are incredibly common and are required for certifications like ISO27001 and SOC2. SOC2 is not really optional for large enough b2b SaaS.

* The poster says "Their business model (in my case) seems to be to take money from companies to spy on their employees/contractors, and then they sell the employees/contractors private information to "targeted advertising"."

Do you have any evidence for this?? I've just been involved in selecting Drata as a vendor for SOC2 compliance planning for our company. If this is true it's a huge deal and totally against my understanding of their business model. It honestly sounds like bullshit to me! But if you have evidence that they do this, please let us know.

* As a freelancer, whether you are required to install security monitoring software is definitely an open question. If you're delivering work separately and not connected to company systems, then ok. If you're basically just acting like any other employee, and connected to the company systems, then you will probably have to do this. Because otherwise they would fail SOC2 and managing your legal status as "Freelancer" vs "Employee" (for tax reasons??) is not worth not being certified.


👤 gorgoiler
Do you object outright to spyware, or to the client wanting to run their spyware on your equipment?

It sounds like the spyware is non-negotiable and I personally wouldn’t have an issue with it if the client also provides a laptop on which to run it. The client is free to do whatever the hell they like with their own hardware.

What’s objectionable about situations like this is the client wanting to have their spyware cake and eat it on someone else’s computer. That’s a great deal for them — why pay $5k for a laptop when you can just pay $100 for the spyware license instead?!

I realize the economics aren’t exactly on point, but I tend to view situations like this as them stealing $5000 — my laptop — from me.

So moving forward:

1/ you are “happy to help them reach their compliance goal and move to a Drata controlled environment”

2/ to do so you “will need to isolate them, as a client, to an airgapped environment solely for their work”

3/ which will need “$5k up front and a lead time of a week to order new hardware, or for the client to ship you a preconfigured laptop with configuration X Y and Z.”

Saying yes with principled conditions is always a good route forward. Yes-but instead of no-but.


👤 eksapsy
I know people who work for Fortune 500 companies who don't have such crap installed on their company laptops, and they mainly work remotely. I also work remotely and I don't have such a thing installed either.

Installing agents is a sign that the company doesn't value trust with their employees and treats them as liabilities. Companies that made me an offer and asked me if I would have an issue installing an agent just got rejected from my employer list. If they don't trust me doing my job why should I trust them doing their job? Why not install an agent on the CEO's computer as well? After all I should trust him that he's doing his job well enough for us not to lose our jobs. I'm also dependent on him after all. These are all relationships where trust plays a major role.

After all, if you think an employee isn't performing you can just have an annual PDR (Performance and Development Review) and figure out if you have to get rid of that employee or talk to him. Why spy on all of the employees? Agents are just an excuse, not the means. It's, in my opinion, a disgusting excuse to spy on everyone.

Whatever the case or how common this is, I won't ever accept agents to spy on me. You do you but I think everyone should do the same. I demand your respect to be mutual to my and your privacy and sense of trust. Agents are harming the remote development space and skew the perception of what it means to have a healthy team.


👤 reincarnate0x14
I deal with critical infrastructure consulting all the time and if the client wants some specific agent run, they send me the laptop to do it on.

Not only is your personal equipment yours, it likely contains information about other businesses that you probably have legal obligations to, like NDAs, and if the client doesn't understand that you can't ethically violate that for them, then they're not a client you need to be dealing with.

It doesn't help that the 3-5 "IT agents" they run are rarely doing anything useful except fulfilling 3-5 different directors' ideas of spying.


👤 vegai_
Sounds like you'll be purchasing a new laptop for that client and billing them for the price of the laptop, and several additional hours on maintaining said laptop.

👤 eps
SOC compliance is not ensured by spying on employees' activities. That excuse alone is complete bullshit. If this were happening to me, I'd tell them exactly that and refuse to work under surveillance. This is completely unacceptable even if it is getting somewhat common.

👤 cjcampbell
I don’t think this is the new normal, though I would caveat my answer based on the structure of the business relationship and ownership of the device. I would most likely not agree to this arrangement for myself or any of my employees except on a client-provided device. I may be open to installing a limited management profile that I’m able to inspect, but my preference would lean hard toward writing requirements into the contract and providing evidence to the client that we had met the identified requirements.

It’s an interesting question, and one that we’ve evaluated with respect to our own customers, who lean on freelancers and other small vendors. Getting back to my original statement about the nature of the business relationship, we’re asking questions about what level of technical sophistication a freelancer has and whether they’ve established enough of their own policies and procedures to meet regulatory requirements independently.

Oftentimes, that’s just not practical. Even then, my preference is for the client to provide a managed device to the freelancer or to offer them self-managed options with documentation requirements to prove compliance. Forcing a contractor to install an agent like you’re describing onto their own device feels like a privacy intrusion, and may also represent a risk to the contractor’s other customers.


👤 tgv
I work as an employee for a small company that wanted to get ISO-whatever certified, but as the only one in the company I had a BYOD agreement (reasonable fee for bringing my own laptop). The people that helped with the certification process came with some virus scanning plus remote access for maintenance plus login protection solution that everyone must install, or else our precious data would be at risk (in terms of precious metal, the data would be lead). Anyway, they got me a new MacBook Pro.

Then they came with the same shit for our phones, but since everyone plainly refused, they found another solution for that. Because there always is one. But this was nipped in the bud at the start. Had people accepted it, there would be no going back, because there never is going back.


👤 anddt
I worked as a contractor for a large media company in Europe (fully remote, from Italy). We had company-issued laptops prepackaged with corporate tooling (VPNs, accounts, etc.) and that came with a fair bit of corporate spyware included from _at least_ a couple of different vendors.

At one point, I was writing a small demo in golang for one of our projects and I was contacted by a security engineer telling me that I had been hitting C:\Users\\AppData\Local\Temp\go-build2923888066\b001\exe\main.exe too frequently and that it called a `cryptsp.dll` that according to him was highly correlated with ransomware attacks. I was advised to stop working on that until my manager confirmed this was legitimate activity. I must admit, I was quite freaked out by the fact that they were listening for the single executables launched on my machine.

Needless to say, this dragged on for a week due to complex internal politics. I thoroughly enjoyed a week of paid time off.


👤 sokoloff
If you can afford to drop that client, drop them.

If you don’t want to, make the pain to them apparent as a line item. Tell them complying with this is increasing your costs (by the need to protect other clients’ information) and that your rate will increase by .

Make them see the costs of their decisions. We had timesheets instituted for a prior company. I had all my devs add an explicit time for entering timesheet data under a dedicated project code. 15 minutes a week for every dev plus 30 minutes for every lead all billed to one project adds up pretty quickly. "Why are we spending 1% of our time on filling out timesheets?!" "That is an excellent question."


👤 dgellow
I do some contracting work, and would almost for sure refuse such a demand, even if I end up losing the contract. That doesn’t sound reasonable to have a mandatory surveillance software to install, unless they want to provide their own laptop (or you buy one just for them and send them the bill).

Really weird stuff, I hope that won’t become a trend.


👤 imhoguy
A middle-ground solution may be to use a virtual machine on your computer or e.g. ask for access to an AWS Workspace under their control.

The customer provided me an image with all the necessary licensed software I need to use to provide the service, including software to connect to their production infra via VPN and an encrypted filesystem. They don't have access to the camera, mic, my private system or LAN (use NAT mode). Clipboard sharing is set with guest-to-host direction only. I can filter out any call-home stuff I don't like on my router unless it goes thru their VPN. I Zoom them with my host system, then do screen-sharing of the virtual machine window only.

In my opinion separating customer gigs with VMs in general is a safe way to prevent accidental cross-customer data leaks. Of course it depends on the kind of work you do and software you use, however personal licenses often allow use of software on multiple devices by the same person.


👤 TimButterfield
Use a VM (local or in the cloud). I do this for each client. If they have certain software, such as VPN, RDP launcher, etc., it gets installed in the VM. If they wanted an agent in the VM, I would add that also. This protects my main system from their software and, once the project is over, I can easily archive or delete the VM and not worry about a corrupted or compromised local system.

👤 nixgeek
Very common at least in my experience. Almost all previous and my current job run a whole suite of stuff on all endpoints and feed everything from things your corporate laptop resolves, all the process invocations, all network flows being established back for analysis. These are all Fortune 100 businesses and things may be different in smaller shops?

I don’t conduct personal business of any sort on a corporate device. Just not having direct access to production won’t exclude you from security protocols, else how can you guarantee nobody slipped adjustments into software you have checked out, a ‘git push’ originating from your endpoint, which then gets deployed?


👤 GianFabien
Somewhat tangentially: I note that most managers seem to equate hours at the keyboard with productivity. I have heard of some employees being monitored via the notebook's video camera.

Is it so difficult to define deliverables and pay for completed and tested work? The business value of any given function point is the same whether it took 100 hours to develop or 10 hours. Of course, more productive programmers would benefit under such an arrangement.

Oh wait ... the problem is that requirements specifications are never clear nor complete enough and there aren't any tests to confirm correctness of the implementation.


👤 psnosignaluk
At a company like the one I work for, it's a hill no one can afford to die on. PCI-DSS demands at least some control over employee laptops to ensure that certain secure configuration standards are met. That entails dropping command and control agents on machines. Say what you will about PCI and credit card cartels, but no accreditation, no business.

That said, as I work from home, my work laptop lid remains closed for all but a fortnightly company all-hands meeting, and I ensure that I keep zero personal data on it. I'd be an absolute no if the demand ever morphed to always on video or activity trackers. That's a bridge too far.

As it stands, I understand the need for some policy enforcement/remote control of their assets, but will make whatever moves I must to ensure that policy doesn't infringe on the rest of my environment.


👤 walterbell
One-way mirrors are not sustainable for performance of non-prisoner workers.

Do we need an open-source repo/db/blockchain to track companies which track workers? This could monitor certification/regulatory requirements, benchmark tracking across near-peer companies, real-world impact on human performance, and supply chain integrity of tracking vendors. If a tracking company is breached, it would be possible to flag all of the companies using that vendor.


👤 EdSchouten
Just ask them to send you a company issued computer. Use that one to do the work for that one client.

👤 peppermint_tea
Any corporate software is a no-go on my personal devices. I like to draw a clear line between work and personal life. The only exception I made is having Google Authenticator on my cellphone; I feel like I would have been unreasonable to ask for a company-provided phone for this application only...

KVM switches are great to be able to re-use your input/output devices without mixing up personal and corporate stuff... this is what I use... A physical button to separate the 2 environments.


👤 Stranger43
Under EU law that would potentially make you an employee rather than a contractor, as a major part of the distinction is control and time management, and the more the company wants to manage your equipment and time the more the balance swings towards employee status.

This is also part of the reason why BYOD is going nowhere, as the second the company wants to audit/control settings it's no longer "Your Own Device".


👤 dusted
You have a third option: Install a VM for working with your client and let their agent run in that.

👤 rmchugh
Talk to your union. This is nonsense. We are SOC2 compliant at my employer without any surveillance tools. There are plenty of other controls that are perfectly reasonable though.

👤 shaicoleman
A monitoring agent is used on platforms such as UpWork, where you often deal with untrusted contractors for hourly contracts. That is a part of the contract that both sides need to agree on before starting any work.

The screenshots can then be used as part of the dispute resolution process, and can also protect the contractor in case of disputes from unscrupulous companies.

The agent captures screenshots every few minutes, and the contractor can review and redact any screenshots before sending them.

Adding a monitoring agent for an existing contractor is a major change in the contract terms, and not something that I would consider acceptable.

It's not normal, and not something you should agree to.


👤 vegancap
I work for an ISO certified company, our company laptops have specific things for things like firewalls, allowed software, etc. Things for actual security. But no spyware, I don't feel like you need spyware to get ISO or SOC2, just sounds like a ruse to me for a company that lacks trust. Big red flag.

If it's your own personal laptop, then it's your property, they have no right to make you install something on it. If it's their laptop they've given you, then they do. And it's up to you whether you want to work in that way. But as I said, that would sound alarm bells for me.


👤 0127
My company is implementing this exact thing - and in general for company laptops I'd say it's not really too crazy (freelancers, contractors will most likely be given machines too if they need any level of access to our stuff/code). From what Drata told our team - the agent is based on osquery, and just reports disk encryption, antivirus, screen lock, installed applications.

Not sure what the other commenters in this thread are going on about but AICPA's SOC2 common criteria _do_ require that a bunch of that stuff is configured. The reality we're facing is that unless we actually monitor for those basic security config things, sales/marketing/etc will disable those settings for no reason and promptly leave their laptop in a Starbucks with client user lists or confidential data on it.

For other context - based on our research, compliance automation platforms like drata or secureframe greatly decrease the cost of the actual audit since it makes evidence collection that the proper security controls are in place and are functioning much easier.

From your perspective, though, I 100% get the concern as a freelancer - I'd say that they shouldn't want you to be handling their source code on your personal machine anyway and should prob. send you a laptop.
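To make concrete what a configuration-posture check of the kind described above actually looks at (and what it does not), here is an added example in Python. It is not Drata's or osquery's code; the table and column names (`disk_encryption`, `screenlock`, `os_version`, `apps`) approximate osquery's schema, the JSON payloads are constructed sample output in the shape `osqueryi --json` produces, and the policy thresholds are assumed. The point it demonstrates is that such a check consumes a handful of configuration rows and yields pass/fail evidence per control, with no keystrokes, screenshots or activity data anywhere in the input.

```python
"""Evaluate osquery-style device-posture rows against a simple compliance policy.

Added example: not Drata's agent. Table/column names approximate osquery;
all sample data below is constructed.
"""
import json
from typing import Dict, List, Tuple

# Assumed policy thresholds, modelled on the controls named in the thread
# (disk encryption, screen lock, updates/OS version, installed apps).
POLICY = {
    "max_screenlock_grace_seconds": 300,           # lock within 5 minutes of idle
    "min_os_version": (13, 0, 0),                  # assumed minimum patched release
    "password_managers": {"1Password.app", "Bitwarden.app", "KeePassXC.app"},
}

# Constructed sample: one compliant device, in the JSON shape osqueryi emits
# (every value is a string). osquery returns rows, not user activity.
SAMPLE_COMPLIANT: Dict[str, str] = {
    "disk_encryption": json.dumps([
        {"name": "/dev/disk1s1", "encrypted": "1", "type": "APFS Encryption"},
    ]),
    "screenlock": json.dumps([{"enabled": "1", "grace_period": "300"}]),
    "os_version": json.dumps([{"name": "macOS", "version": "13.2.1"}]),
    "apps": json.dumps([{"name": "1Password.app"}, {"name": "Safari.app"}]),
}

# Constructed sample: same device with a lax screen lock and no password manager.
SAMPLE_NONCOMPLIANT: Dict[str, str] = {
    "disk_encryption": SAMPLE_COMPLIANT["disk_encryption"],
    "screenlock": json.dumps([{"enabled": "1", "grace_period": "900"}]),
    "os_version": SAMPLE_COMPLIANT["os_version"],
    "apps": json.dumps([{"name": "Safari.app"}]),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '13.2.1' or '13.2' into a comparable 3-tuple; non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def evaluate_posture(results: Dict[str, str], policy=POLICY) -> Dict[str, bool]:
    """Map each control name to True (pass) or False (fail) from raw osquery JSON."""
    rows = {table: json.loads(payload) for table, payload in results.items()}
    checks: Dict[str, bool] = {}

    # Every reported volume must be encrypted; an empty result is a fail, not a pass.
    volumes = rows.get("disk_encryption", [])
    checks["disk_encryption"] = bool(volumes) and all(
        r.get("encrypted") == "1" for r in volumes)

    # Screen lock must be on and must engage within the allowed grace period.
    lock = rows.get("screenlock", [])
    checks["screen_lock"] = bool(lock) and lock[0].get("enabled") == "1" and (
        int(lock[0].get("grace_period", "999999")) <= policy["max_screenlock_grace_seconds"])

    # OS must be at or above the assumed minimum version.
    osv = rows.get("os_version", [])
    checks["os_version"] = bool(osv) and (
        parse_version(osv[0].get("version", "0")) >= policy["min_os_version"])

    # At least one approved password manager must be installed.
    installed = {r.get("name") for r in rows.get("apps", [])}
    checks["password_manager"] = bool(installed & policy["password_managers"])
    return checks


def compliant(checks: Dict[str, bool]) -> bool:
    return all(checks.values())


def failing_checks(checks: Dict[str, bool]) -> List[str]:
    """Names of failed controls, sorted, for the evidence report."""
    return sorted(name for name, ok in checks.items() if not ok)


if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT),
                          ("non-compliant", SAMPLE_NONCOMPLIANT)):
        checks = evaluate_posture(sample)
        print(f"{label}: overall={'PASS' if compliant(checks) else 'FAIL'} "
              f"failing={failing_checks(checks)}")
```

Replacing the constructed payloads with the output of real `osqueryi --json "SELECT ..."` calls is the only change needed to run this against a live machine; the policy stays a plain dictionary a contractor can read and negotiate line by line.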


👤 takker
Watch out for what permissions that software agent has.

Big firms, when they issue their own hardware, often install such agents that have the ability to not just monitor activity, but also wipe out data or change user account credentials.

I personally find it weird if the ask is to install such an agent on BYOD (personal device), since not just the company data, but your personal data can also be wiped out remotely, or your account credentials can be changed remotely, locking you out of your own device.


👤 eknkc
Drata has a web application where you can upload evidence of the requirements. The agent just makes it easier. If you are not comfortable, it should not be a big issue.

You can choose not to install it and upload a couple of screenshots of requested settings (having disk encryption enabled, having a password manager installed etc) periodically. If the client forces it that is a little unreasonable because Drata tracks whether you uploaded stuff in a timely manner anyway.

They don’t need to force it.


👤 Falkon1313
If they own the laptop, they can request you to install anything they want on it, including spyware.

If it's your own laptop, you don't have to do that. That's yours, not their property. They can provide you with one configured as they request, or provide it and ask you to configure it that way. Or you could set up a VM for it.

Corporate spyware is kinda common nowadays. It's mildly annoying but mostly unlikely to be a problem in many/most places. Mostly just there to deal with problem situations.

And you mention that your client wants SOC 2 certification - chances are they'll never actually bother hiring someone to watch what you do on your computer, they just want to be able to check off a box on a form that says "yeah we do this, and all our employees have this thing installed, so we have central control of our data" to get the certification. Because that's what it's about. But also it's just bureaucracy, and probably just checking that box is all they care about so they can tell their clients/customers that their solution is officially certified safe. A lot o' stuff like that is driven by, and ultimately is, just feature checklists.


👤 tptacek
It's not the "new" normal. It's a very old normal.

I spent about 15 years consulting, on short- to medium-term often-recurring projects. Most clients didn't ask vendors to instrument their machines. Some did; for those clients, the solution tended to be that the client provided us with a machine to work on.

Most of these agents are truly awful. I don't know anything about Drata. You should not be psyched to have that running on your machine; I would isolate it somehow so that it's only in contact with that one client's workload.

But they're not making up the SOC2 thing. It's pretty likely they won't budge from this, not because they really care about the agent thing, but because they really do have a documented SOC2 process with "agents on desktops" as a stated control (almost everybody with SOC2 has some kind of agent somewhere, though you usually hope it's just MDM). They do not have a choice about whether to tool you up; your choice is likely just to stop working for them or not.


👤 Smeevy
I've been running a contract development shop for about 20 years and I think that this is very out of line.

That said, our usual approach to dealing with customer-required installs like VPN clients is to just spin up a VM using VMWare Workstation on our development machines and do all of the things that touch their network with that. Given the nature of our work, we connect to their environments as little as possible and we leave those VMs off at all other times. We haven't had any problems with that approach thus far.

Additionally, we don't offer our clients the option of giving us development laptops for our work with them. That just makes us churn hours without producing anything while we deal with whatever local IT silliness they have.

Technical considerations aside, the idea that they want to spy on their contractors is troubling and I'd get away from that situation as soon as possible. Unless they decide to pull back on these requests, it sounds like they'll just be emboldened to micromanage even more.


👤 windex
Ask for a separate work laptop from them, put it on a different VLAN without access to local resources. Do not login to anything personal on it. That's what I currently do. I also keep it in an office room away from living areas of the house. The VLAN also shuts access to the internet 90 minutes after working hours.

👤 ww520
It's not normal. Ask them if they and Drata are willing to be on the hook for all your potential bank breaches in the future, as they are key-logging your online banking access. Ask them if they can put up a surety bond or insurance for any of your financial loss due to breach of privacy.

👤 corobo
If your client can tell you how to work, you're not a freelancer. Go get some employment benefits.

👤 justinphelps
I have been through this as well. My client accounts for 90% of my current work, but my laptop contains information about many other clients. Due to the excessive access and control that their spyware requires (Cortex XDR with complete remote access capabilities in this case), I was unable to use the same computer that I use for all other work. I have no choice but to use a separate computer unless I'd be willing to hand over all the information and assets I have for other clients, which I am not. In my case, the client was able to provide me a machine specifically to use with them. I would say that this is the new norm if you're doing long-term engagements with any company that pursues SOC2.

👤 johlindenbaum
We solved this by issuing company owned and controlled laptops to our contractors.

Disk encryption, screen time outs, remote wipe etc. contractor machines with code and production access are treated as critical assets and are fully under IT control.


👤 zivkovicp
Personally I would simply refuse and prepare for the possibility that this company will no longer be a client... or charge more for the inconvenience and change in relationship status. I presume you freelance because of freedom to choose clients, projects, and terms.

If this is really just your employer (only client), but you have a "freelance" relationship for tax purposes or whatever, then you might want to consider whether you will be better off just getting a job.

As a software engineer, I assume you have employment options (there is demand everywhere it seems), so you can probably afford to do what makes you happy.


👤 cure
Since this 'Drata' thing is intended to keep employees/contractor computers in check with policy requirements, runs as (equivalent of) root, and auto-updates, I assume it must be:

* completely open source

* have gone through security audits with public reports, and a favorable outcome

* have reproducible and verifiable builds, and those are the only ones distributed, and the end user can easily verify that their binary copy is an official build?

Right?

Because if not, aren't you just adding another attack vector onto all your employee/contractor laptops when you use 'Drata' to check a policy box on your SOC2 application?

[edit: formatting bullet list]


👤 blunte
I predict that this will be the new normal for a while, until the myriad problems it causes really surface.

As with other backdoors, these will leak important data and ultimately become priority attack vectors to steal or corrupt data.

Of course there's also the worker privacy, but that will always get trampled on until the workers revolt.

Part of selling yourself (whether your mind or your body) is deciding where to draw lines. What will you do, or accept, to get paid?

I won't accept invasive monitoring. Companies like this can look elsewhere (and they'll find people who will happily trade everything for a little money).


👤 mixmastamyk
I would decline. There are other jobs out there.

Another alternative might be to install it into a VM or old but freshly-paved computer.


👤 zorr
I haven't been in this case yet as most companies I've contracted for were/are small companies <25 employees where everyone brings their own laptop (or at least the contractors do).

There was one company which required devices to be up to date on the latest security updates from the OS, and every Wednesday an employee was chasing everyone to get confirmation that our systems were updated.

If a client would require an agent to be installed I would ask for a company laptop to do the work on.


👤 hutzlibu
"Just for the record: I don't have credentials to production systems, and I don't work with production data. I just figure out how to transform dreams into code, I write parts of that code, and then I fix it as needed."

Since the certificate is about protecting user data - and you say you do not have user data - then I would not just accept it without trying to reason with them that the general approach they are taking is maybe too broad and unnecessary.


👤 lmilcin
The problem is the arrangement itself. They hire a contractor/consultant to get some value out of you. What they should be doing is monitoring if they are getting the value. Hours spent is not value.

If I were in your situation I would ask them if they want to discuss the arrangement, the value and the guarantees they are getting. I would suggest we can agree on a zero notice period and a no-questions-asked termination policy (of course symmetrically). I would also want to discuss how they will know the work progresses so that they are satisfied they are not being robbed. If that wouldn't work I would part ways and find another job.

As to installing spying software, that should be absolutely out of the question. If you agree, you are just enabling them to do the same to other people.

Listen, there is no value in having spying software on your computer. Will you work more diligently when you know you are observed? That only works for menial jobs, but if your job is to do anything complex you are just burning time for no reason.


👤 _jwfergus
#1 - every client gets their own VM. Unless it acts badly on my network, I'll install pretty much any requirement they ask me to on that VM.

#2 - if they require something specific in terms of hardware ("install this spyware directly on bare metal"), have the discussion about hardware setup cost/time and then expense them for the hardware you have to purchase.


👤 MrFoof
>Is this the new normal now?

In my last four engagements, every single laptop provided by the employer had something. Usually Tanium or Carbon Black. Network interfaces being disabled entirely if you're not connected to their VPN. One client requiring the use of a Meraki hardware VPN appliance.

This was an investment bank, a university, a software company and a health insurance company.


👤 NikolaNovak
yes and no.

It's normal to have software that safeguards company's intellectual property (how suitable this particular software is, I cannot speak). However, with that goal in mind, it's also normal for company to provide a dedicated, company-owned-and-managed hardware as well, such as laptop or phone.

Demanding that employee or contractor use personal hardware but install monitoring software seems a lose-lose proposition for everybody - it will not necessarily achieve the level of control and safeguards that company desires, and it compromises the contractor's ability to safeguard their own and other clients' data.

Depending on circumstances, my own approach would be to start with a friendly email indicating that you understand and support their goals, and propose that the best way to achieve them is to use customer provided and managed hardware.


👤 jhoelzel
I have been tasked to write software like this for a couple of clients throughout my career and once I even made a working prototype in C# for Windows, which turns out is not so hard.

The reality is though, after I had completed the initial client app for the PCs I called the client and terminated the project. He was not too happy about it and a lengthy discussion about what's right or wrong about it ensued. We agreed that it is really not necessary and also unwanted surveillance, so I was happy and the code has been scrapped.

....Until his in-house staff taught him how to read the logins from the Active Directory....

Truth be told, if they supply the hardware and you consent to it (at least in Europe), they are within their rights. Whether you think it's right and give your consent to it is up to you though.

PS: A permanently running agent is most likely to make screencaps too.


👤 Meph504
At this point, I've gotten to the point where each client I deal with has their own VM. This ensures no commingling of data between clients, or between my personal use and the clients'.

In that regard, it's easy for me to put an agent on their VM. I do run pi-hole, so it doesn't matter what VM I'm in, most of this sort of traffic gets filtered.

I would also recommend reviewing the contract you have with them, to see if it allows them to put this sort of measure on you. And personally determine if this contract is worth keeping; a company wishing to push something like this, with that rigid a response, doesn't sound like someone you would want to maintain a relationship with.

But either way, it seems like this is something that could be resolved without much effort.


👤 tw20212021
I don't find this uncommon. I also work as a freelancer, but for local companies (eu). Sometimes the company (banks for example) will ask me to work on one of their laptops, which has vpn and other software that they want. I can of course deny, but then I won't get the contract. As long as I don't feel that they are invading my privacy, like you hear some companies do by taking screenshots, checking for idleness, etc, then I don't mind. In your case I would just rent/buy a new laptop specifically for this job, install their tool and don't worry about it. At the end you can sell your laptop. Or maybe you can work out of a VM running on your laptop, and install it there.

👤 woodpanel
There is no justification for your client to even remotely think you should install this tool.

- It's a massive breach of trust (I'd consider just asking for that tool a testament of no trust at all, irreparable actually)

- The job market gives them zero bargaining power

If it comes "out of the blue" like you say, chances are it's being driven by a new guy. You'd do yourself and your client a huge favor by immediately, and visibly to all stakeholders, pointing out the idiocy of that guy's idea (remember, the trust is gone already, no need to sugar coat it then).

Because there will be more of those ideas, if he's not interrupted, possibly harming the company in cataclysmic proportions down the road.


👤 hankchinaski
This is legitimate when working with sensitive data even as a contractor. I have seen it a lot with fintech clients. In that case though they should provide a company laptop. I would never ever install something like this on my personal laptop.

👤 mynegation
Your laptop? No, it is not normal and say “no” to this. Their laptop that they are going to ship to you - yes, it is a normal, acceptable, and reasonable practice for many clients with strict security and/or compliance requirements.

👤 mlaretallack
I work for a large company and even before remote working, all company laptops had to run CrowdStrike, which sounds very similar. However the rules were very clear: no using non-company laptops for work, and this included contractors etc...

👤 dboreham
> for all employees of your company

As a contractor, you are not an employee so not covered.

Basically you get to choose what to do, and in my experience this is not normal, although companies often do have IT requirements for systems that will have access to sensitive information, so the concept in general is not unusual.

For me, the fact that this isn't purely about security (e.g. it's not some agent that comes from Cisco or some legit vendor only interested in security), I'd say no. But it depends how hungry you are for work. Since software developers are hard to find, I'd expect you can find work from other clients that don't have this requirement.


👤 Vrondi
If all else fails, consider spinning up a virtual machine just for that client, and do all work, install all required apps for that client inside that VM only. I am truly shocked at all the outrage posts with no mention of this.

👤 ioman
At a previous employer they wanted me to install some work software on my iPhone. Nothing particularly invasive as far as I could tell, just Okta, gmail, etc. I told them up front that it violated my personal security policy to install any work software on my personal devices. I told them this was for their protection as much as my own. This brought my boss up short and he wondered aloud why this wasn’t already company policy. Fast forward two months and it became company policy. So it’s my fault that everyone that needs to use company software on their phone has to carry a separate company phone.

👤 DeathArrow
I would politely tell them to go f... themselves.

Or explain to them that I value privacy and if they don't, they can go search for another collaborator.

Or tell them that installing spyware on my computer is going to cost them 2x the money.


👤 js4ever
Install it in a linux virtual machine, if they don't have a Linux agent ... Too bad, because you don't have Windows or Mac. If they have a Linux agent it will be running only inside the vm.

👤 kgwxd
Not new, I've been working remotely on and off for 20 years, there's always something they want to install/control. I learned early on to require they give me a dedicated machine. It's just way too messy trying to use a personal (or other business) machine in an environment that requires that level of control. I've been offered the option to Remote Desktop into a VM the company controls but that always requires using their VPN (and sometimes requires a specific security suite be installed), same problem.

👤 citizenpaul
Never heard of SOC 2 Cert. It's as disturbing as CSAM. It's basically, as you put it, bend-over-and-take-it compliance, total subjection based on a power imbalance.

I love the PR. Why is SOC2 important? Because relentless unrestricted spying allows you to foster a control system like never before over your pathetic serfs that dare wish to maintain a work-life balance. When that project you forgot to assign goes over deadline, use SOC2 to flay them with human resources over too many seconds of bathroom time causing the project to fall behind.


👤 peterkelly
Tell them no. End of story.

👤 jdavis703
I don’t know what your agent does, but from day 1, pre-pandemic we had spy software installed on our work laptops. It ostensibly inspects all network connections looking for malware.

When I’m not using my laptop it’s closed, so the camera is off and the mic is muffled.

It doesn’t seem like that big of a deal to me. The laptop is for work stuff, most of which is in the cloud under their control anyways. Worst they’re going to find is my raw and unvarnished work logs, which might hurt some feelings if anyone is over-sensitive.


👤 sciurus
My employer-provided computer runs multiple agents. They're only used for security auditing as far as I can tell.

One of them is reporting all the processes I'm running. Certain keywords will trigger IT to reach out to investigate.

Another of them is intercepting all my web traffic, even going as far as installing its own CA and decrypting SSL. It's fun when that hiccups and I start getting SEC_ERROR_REUSED_ISSUER_AND_SERIAL errors everywhere.

This provides great incentive for me to keep personal usage off my work computer.


👤 jusonchan81
The agent isn’t mandatory for SOC2, there is an option to just upload screenshots of settings periodically. I had the same situation and I opted to upload the screenshots.

👤 throw_m239339
Make your client provide a laptop, simple as that. Make him send you a laptop or cover the cost upfront for a new laptop where he can install all the spyware he wants.

👤 Fradow
You mention you are in the EU. That's important because the GDPR applies. Even if you are working for a US company.

The details come down to what exactly the software is spying on (I won't look at their website): if it's too invasive, even on a company-provided computer (as many other commenters suggested), it can run afoul of the GDPR (i.e. be illegal). There have been some cases already on that [1], and looking up some of them might prove to be a very effective negotiating strategy against that.

[1] quick search on Google: https://www.complianceweek.com/data-privacy/employee-monitor...


👤 jorgeleo
Request a laptop with whatever they want pre-installed. Use that laptop only for work for that client.

Another solution: virtualize a PC, put everything that you need to work for that client in that VPC, and install their Drata agent only in the VPC. Or better yet, ask them to provide you with a VPC image with what they want.

I can understand being pissed about it, but unless you are ready to drop them over this, getting angry will be of no consequence.


👤 frank_be
I work as a CI(S)O for a startup. We have lots of freelancers and have Soc2. Unless you fake your soc2, there are two options: give freelancers a company laptop, or force them to install the agent.

We do two things.

One: we give them the choice. Yes it costs money, but not that much.

Two: we went with Kolide. To understand how they are different, go read https://honest.security.


👤 iainctduncan
This is second hand, because I've never worked for them, but my friend who worked for cisco was given a laptop that he only did cisco work on and couldn't use for anything else. I'd ask for that. Then they can have whatever the hell they want on it.

I've been a contractor on and off for almost 20 years, and no way would I let someone insist on an agent. The most they can ask for is a VPN client.


👤 more_corn
Say no. Name and shame.

The SOC 2 controls in question can be met with a handful of config changes and an antivirus install (I've implemented SOC 2 controls five times):

- Full disk encryption with FileVault or BitLocker
- Screen lock
- Enable automatic security updates
- Use of a password manager
- Virus scan with ClamAV or Windows Defender

If they want an agent to make sure you’re working when you say you’re working I’d pass.


👤 gibs0ns
Having previously led a SOC 2 implementation at a few large multinationals, the request coming from your company strikes me as either:

A) they're being super lazy and using Drata as a blanket to cover a bunch of SoC2 requirements

B) it has nothing to do with SoC2, it's just their excuse to push this employee spyware

Try asking for a company-provided computer. I'd also put that company device on its own VLAN.


👤 Arubis
They can send you a laptop running whatever they want. Unfortunately, you can’t install an agent not under your direct control on your freelance business laptop, because it would potentially compromise your confidentiality and security agreements with your other clients. This is out of showing your other clients the same level of respect that your subject client can expect.

👤 e40
Why not just run a VM for their stuff and install it there? You can block the camera and microphone from the host. Do your work in the VM.

👤 tw04
If they have SOC 2 requirements your options are to install the client or find a different job. That will be completely non-negotiable. We have a division that has to be compliant and they are regularly audited and there are no exceptions allowed. The guys in that group complain daily about what a pain it is so I understand the concern/frustration.

👤 jacquesm
I don't know anything about Drata but these packages are usually a small step away from malware if they haven't already crossed that line. If you have to do this then insist your employer ships you a laptop that you will use exclusively for the work you do for them. Your device: your rules. Their device: their rules.

👤 seanhunter
One option is to ask them to set up a remote desktop instance for you (something like AWS workspaces for instance) that has their monitoring stuff on it and commit to only use this for working for them.

Another option would be you set up something like that for working with that client and install their agent on it.


👤 nopcode
I don't know Drata but to me this is very common. And I don't see the problem. I usually carry ~3 laptops provided by my client or use remote citrix machines.

In the rare event I have a customer that lets me work on my own hardware, I use VMs. VMs make it easy to segregate and back up work.


👤 whalesalad
If a client asked me to do something like this the answer would be simple: they’d no longer be my client.

👤 benjaminwootton
I would buy another laptop specific for that customer.

You can then either build the cost into your rates or suggest you bill them for it. You could even sell the laptop when the project ends.

Of course you can also be principled over it if you don’t need the work. It is after all a B2B relationship.


👤 daneel_w
They have no legal bearing whatsoever for demanding that you install this on your own private laptop. Challenge the idiocy by instead asking them to send you another laptop, one that you will use just for this project, on which it will be OK to install the spyware.

👤 betwixthewires
It's not the new normal unless you let it be. If the other teams are mad, collude with them to refuse.

They're not a client if they can make you do this, they're your boss. So don't let them make you do it, because you're not their employee.


👤 usrbinbash
> demanding that I install an "agent" from a company named "Drata"* on my laptop.

If a company sends me dedicated hardware, including an LTE or 5G modem to connect to the internet, they can install on that whatever they want.

Their hardware, their rules.

My hardware, my rules.


👤 manishsharan
Ask them for funds to buy a new laptop and router ; buy a laptop with removable battery and put the laptop behind the new router taking care to ensure to isolate the laptop. Remove the laptop battery when not using the laptop.

👤 iandanforth
Sounds like you need to say no. You can describe your expertise and ask if they care more about the appearance of security (SOC2 compliance) or real security. They will choose the appearance of security and you can move on.

👤 pmelendez
Usually when clients need that level of vigilance, they provide their own laptops. I wouldn't say it is a "new" normal; I think it has been common practice for a while, at least in the consulting industry.

👤 TruthWillHurt
If you freelance via upwork this is a normal thing. Odd for contracting though.

👤 worker767424
What if you tell them that in order to protect others' data, you need a separate laptop? As long as the client is happy to shell out 1500 euros, then you'll install all the spyware they want on it.

👤 brudgers
Pick your preferred laptop. Add 25% to your final cost for overhead and profit on the hardware. Estimate the time acquiring and setting it up and send the client a proposed cost for their change to the scope.

It is business.


👤 smackeyacky
Run it in a VM.

Doing work for clients often involves installing other software of theirs i.e. their preferred VPN client. I just run up a VM because having 10 different VPN setups is a disaster waiting to happen.


👤 Taylor_OD
Say no, get a new client, or say yes. Those are your options. I would tell them no though. If it's a company laptop they could have an argument, but you are a freelancer... I would not do that.

👤 th3sly
"Zero Trust Networks" usually require an agent to be installed

👤 chiefalchemist
If they want "ownership" then they could / should supply you with a laptop dedicated to your work for them.

Three of the last four (marketing) agencies I worked for supplied me with a MBP.


👤 bks
If you are a contractor, ask your company admin if you are in scope. If you are in scope, ask them for a laptop. If you are out of scope, ask them to mark you out of scope for the audit.

👤 tonoto
I would see two rather easy options in this case:

- Client supplies a laptop
- You create a virtual machine/environment on your laptop and grids the client within the environment.

👤 smorgusofborg
It doesn't sound normal to me. I would recommend you contact your National Data Protection Authority and provide them the data you've received and cancel the contract.

👤 lordnacho
We need an online list of firms that request this. People who use the list should be asked to turn down new firms that do this and inform the firm they are about to be listed.

👤 Copenjin
Don't let this become the new normal, find a better client.

👤 handrous
They need to send you a machine if they want you on some kind of special network or to have their monitoring tools or whatever on it. That's it. Period.

👤 nathias
No, tell them this is not acceptable and don't do it. If you do or try to find some excuse it will only further this type of behavior.

👤 sergiotapia
It's normal but ask them for a work device. You shouldn't be expected to install this monitoring system on your own equipment.

👤 shravvmehtaa
Hi, founder of Secureframe (https://secureframe.com) here. Secureframe helps streamline compliance across SOC 2, ISO 27001, HIPAA, PCI DSS, and more.

There are so many accurate responses in this thread. Like many have mentioned, SOC 2 is indeed not a prescriptive framework. Much of the confusion behind SOC 2 stems from that fact. It allows you to customize your InfoSec program to your company's needs. As we know, this can vary from company to company, hence why I read so many correct ways of approaching this specific situation in the thread.

Why SOC 2? SOC 2 is primarily customer-driven (this is why it becomes so urgent for your org). Buyers require their vendors to undergo these third-party audits for their own vendor security management. While they would love to take you at your word, they feel a bit better knowing that a third party took a look under the hood of your InfoSec program.

Employee vs. Contractor

The legal status of an employee vs. contractor doesn't really matter for SOC 2 or most other InfoSec frameworks. At a minimum, what they really care about is the individual's ability to access, modify, view or otherwise have an effect on production/customer data. If an individual has that ability, they are likely in-scope (this can mean a lot of things). If an individual is indeed in-scope for your audit, they should follow your InfoSec program. You can always have carveouts for certain scenarios (for example, background checks are illegal in many countries so you may exclude them for individuals in those countries).

Company Policy

What this all comes down to is the policy that the company has put in place. Does the company require all employees and contractors, regardless of access, to have hard drives encrypted without any carveouts? If so, then the company must follow that practice, or they will risk getting an exception on their SOC 2 audit report. SOC 2 has some minimum standards that auditors look for, but ultimately the company sets its controls and policies (if they are barebones they might not get accepted). Auditors are human and since SOC 2 is not prescriptive, reasonable minds will differ as to what those minimums exactly are.

Common Recommendation

This has been mentioned a number of times in this thread, but what we typically see and recommend is that you treat all employees as in-scope (this makes it easier on the company so they don't have to make determinations about who should and shouldn't be in-scope) and then for all contractors, you create a carveout where if they don't have access etc. to production/customer data then they are not in-scope. In this case, such contractors would not need to track things like hard drive encryption, rendering the need for the agent moot. This seems in line with the original poster's role, and we would typically not have our customers require this of such a contractor.

There is nuance needed to make some of these determinations. For example, a company could hire a contractor who only has access to source code. In this case, an auditor may say that this contractor is indeed in-scope since they have control to modify source code that is pushed to production, even though they don't have direct access to the production itself.

We can't speak to the Drata agent, but based on what we would expect, the organization in OP's question is most likely trying to simplify evidence gathering when it comes time for the audit. There are other ways to grab such evidence (manual screenshots), but they are time consuming. Based on OP's job description it doesn't seem like it's necessary for OP to be in-scope in this scenario and therefore the organization shouldn't need to collect such data. However, as we mentioned, this organization could have more stringent policies and without more information there isn't a wrong or right answer here. What we can confidently say is that it isn't a hard SOC 2 requirement.


👤 atmosx
In your place I wouldn't accept that. If the client has such requirements they should be shipping their hardware to you.

👤 SkipperCat
Any decent company that has you work from home (contractor or employee) will provide you with a laptop. That laptop should be used only for work for that company and when you're done with the contract, you return the laptop.

This is especially true when you're connecting to their network and using their data. I'm sure there are exceptions for certain types of contracts, but for hourly work this is the norm for companies that take their data security seriously.


👤 hestefisk
Maybe they could supply you with a secure VM with the agent installed? So you can separate their work from other activities.

👤 MrWiffles
I would tell them if they want an agent on my laptop, they need to send their own laptop because your privacy is non-negotiable.

Full stop.


👤 AnimalMuppet
One client asking for it does not make it "the new normal". It makes it "one client asked for it".

👤 DarthNebo
Ask them to provide a temp laptop for you.

👤 Markoff
I mean if they provide you with separate laptop and all required software I don't see much harm in this.

👤 moltar
No, that’s not a new normal. I work with many clients and nobody has ever asked me for something like that.

👤 g42gregory
Send them a bill for a new dedicated laptop and extra time for setup and drop in development efficiency?

👤 dathinab
Such agents are often in breach of GDPR _and_ labor law in the EU.

If your employer doesn't fulfil some other criteria, like providing all hardware containing such an agent, not requiring you to use or have the hardware powered on outside of your work time etc., it's unlikely to be legal.

They might also need to provide you with a way to separate internet access, e.g. an LTE modem, a this agent the to scan the network which they are in, which is also in breach of law in case of home office.


👤 adamdrata
Hi, Adam here, CEO at Drata.

While I don’t know all the details about this specific case, I want to clearly lay out and address some of the concerns and misinformation in your post. We believe trust is the most important aspect of any business, and it’s why we’ve ALWAYS made a point to be very transparent. As a company, we would never develop any software that does what you are claiming. In fact, Drata does just the opposite, by helping companies protect data.

First, we should address the WHY. In order to be SOC 2 compliant, one thing businesses need to do is ensure their employees’ and contractors’ computers are configured securely. The “agent” is one way Drata efficiently does this, especially for teams with remote employees.

Now, let’s look at the HOW:

- The Drata agent is a lightweight, read-only osquery based agent that reads system information such as hard-drive encryption, screen lock timeout, firewall status, etc. Drata collects that information to ensure companies are meeting their security/compliance requirements and so that these companies can prove their SOC2 obligations are being met during audits.

- Regarding the TOS, there is no monitoring or selling of your personal information. That is unequivocally false.

The question you asked Drata about over email was directly related to the TOS, and not the agent (though we’ve explained what the agent does above). As we stated, we don’t sell customer data. We never have and we never will.

I would be happy to chat more to address any concerns you have. You can reach out to me at adam [at] drata.com to chat anytime.
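For readers who want to see what a "read-only osquery based" posture check of the kind described in this reply actually amounts to, and how the controls listed in more_corn's answer above (disk encryption, screen lock, firewall) can be verified without handing anyone an agent, here is an added example. It is not Drata's code and not from the original thread. The table names (`disk_encryption`, `screenlock`, `alf`) and the `osqueryi --json` invocation are osquery's real ones; the sample output, the host name, the policy thresholds and the pass/fail logic are constructed assumptions for illustration, not SOC 2 requirements.

```python
"""Evaluate osquery results against a small device-hygiene policy.

Added example, not Drata's or osquery's own code. It models the kind of
read-only check described above (disk encryption, screen lock, firewall)
on top of osquery's real table names, using a constructed sample of
`osqueryi --json` output. Thresholds and verdict logic are assumptions.
"""
import json
from dataclasses import dataclass

# Queries a practitioner can run by hand:  osqueryi --json "<sql>"
# Table names are osquery's. `alf` and `screenlock` exist on macOS only;
# Windows has `bitlocker_info` and `windows_security_center` instead.
QUERIES = {
    "disk_encryption": "SELECT name, encrypted FROM disk_encryption;",
    "screenlock": "SELECT enabled, grace_period FROM screenlock;",
    "alf": "SELECT global_state FROM alf;",
}

# Constructed sample results (not captured from a real machine). osquery
# emits every column as a string, which the checks below account for.
SAMPLE_RESULTS = {
    "disk_encryption": json.dumps([
        {"name": "/dev/disk1s1", "encrypted": "1"},
        {"name": "/dev/disk2s1", "encrypted": "0"},  # e.g. unencrypted external drive
    ]),
    "screenlock": json.dumps([{"enabled": "1", "grace_period": "300"}]),
    "alf": json.dumps([{"global_state": "1"}]),
}

MAX_GRACE_SECONDS = 300  # assumed policy: lock must engage within 5 minutes


@dataclass(frozen=True)
class Finding:
    control: str
    passed: bool
    evidence: str  # short summary only: no usernames, processes or URLs


def check_disk_encryption(rows):
    # Assumed policy: every volume osquery lists must be encrypted.
    if not rows:
        return Finding("disk_encryption", False, "no volumes reported")
    unencrypted = sorted(r["name"] for r in rows if r.get("encrypted") != "1")
    if unencrypted:
        return Finding("disk_encryption", False,
                       "unencrypted volumes: " + ", ".join(unencrypted))
    return Finding("disk_encryption", True, f"{len(rows)} volume(s) encrypted")


def check_screenlock(rows):
    if not rows:
        return Finding("screenlock", False, "no screenlock row reported")
    row = rows[0]
    enabled = row.get("enabled") == "1"
    try:
        grace = int(row.get("grace_period", ""))
    except ValueError:
        return Finding("screenlock", False, "grace_period missing or non-numeric")
    ok = enabled and grace <= MAX_GRACE_SECONDS
    return Finding("screenlock", ok,
                   f"enabled={enabled}, grace_period={grace}s (max {MAX_GRACE_SECONDS}s)")


def check_firewall(rows):
    # alf.global_state: 0 = off, 1 = on, 2 = on and blocking all incoming.
    if not rows:
        return Finding("firewall", False, "no alf row reported")
    state = rows[0].get("global_state")
    return Finding("firewall", state in ("1", "2"), f"global_state={state}")


# (control name, osquery table, check function)
CHECKS = (
    ("disk_encryption", "disk_encryption", check_disk_encryption),
    ("screenlock", "screenlock", check_screenlock),
    ("firewall", "alf", check_firewall),
)


def evaluate(results_json):
    """Map {table: osqueryi JSON string} to a list of Findings.

    A table that was not queried, or is unsupported on this OS, becomes a
    failed control with an explanation rather than a silent pass.
    """
    findings = []
    for control, table, check in CHECKS:
        raw = results_json.get(table)
        if raw is None:
            findings.append(Finding(control, False, f"no data for table {table}"))
            continue
        findings.append(check(json.loads(raw)))
    return findings


def evidence_record(findings, host="workstation-01"):
    """Everything an auditor needs from this device: per-control verdicts."""
    return {
        "host": host,
        "overall": all(f.passed for f in findings),
        "controls": {f.control: {"passed": f.passed, "evidence": f.evidence}
                     for f in findings},
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(evaluate(SAMPLE_RESULTS)), indent=2))
```

The point of the shape is data minimisation: the record that leaves the machine contains three verdicts and a one-line reason each, which is all the control needs, and an absent table fails loudly instead of being reported as compliant. Run the three `QUERIES` with `osqueryi --json` on the machine in question, feed the output strings to `evaluate`, and the resulting record is the evidence a screenshot would otherwise have supplied.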


👤 jwmoz
Just say no? As a contractor it is my own hardware, no one is making me install anything.

👤 fallingknife_
Move on. There are so many job openings right now... Find someone better to work with.

👤 dt3ft
No, this is not the new normal and it will never be. I would never accept this. Period.

👤 zaphirplane
They provide a laptop, not on your personal machine, because of your other client data, right?

👤 madman2890
Make them provide you a machine. Don’t do any other work on the machine they provide.

👤 irvingprime
Is this in your contract? No? Then forget it.

This is neither normal nor reasonable. Do not accept it.


👤 _pmf_
Install it on a spare laptop.

👤 rvdmei
You are sort of asking for legal advice. Not sure if I need to elaborate more.

👤 madman2890
Make them provide you a laptop. Then only do work for them on that laptop.

👤 daviddever23box
There is no need for this tool with regard to any of the goals of SOC 2.

👤 heybecker
If you're not willing to walk away, you have no negotiating power.

👤 gombosg
Are you sure you need to have that Drata agent on all the time?

AFAIK it only checks a few items. We had to install it, too for SOC2 compliance. I installed it, let it send in a report (because I'm on Linux, I manually had to make a few screenshots as proof), then uninstalled it.

I'm happy to do the above process next time they complain, if ever.


👤 Aeolun
No thanks. If they don’t trust me we shouldn’t be working together.

👤 boudin
I would definitely refuse that. If it's a deal breaker, you can turn the demand around though, by asking what the actual requirements for the SOC 2 certification are and, if possible, meeting those in a way that works for you.

👤 htrp
Yet another use case for working through virtual desktops.....

👤 xuhu
Dual boot between your personal OS and the work OS.

👤 matheusmoreira
"Agent"? Yet another name for malware.

👤 haspok
If everyone refused to comply, they (and all other companies) would have to rethink their approach and back up.

Sometimes I really wish for a trade union of IT workers, however bad that sounds.


👤 MildlySerious
"I am not open to installing software that is non-essential to doing my job, and could put my and other clients' privacy at risk."

👤 sirwitti
I had a similar issue this year - a client's admin wanted me to hand over my device for him to set up VPN access.

My response was that I'm contractually forbidden to allow that since on my device there's GDPR-relevant and other data of other customers.

You can also make up a company-policy (even if you're a single person) and communicate it that way. "There's a strict company policy preventing me/us from installing this kind of software."

Apart from that, this violates the no-asshole-rule.


👤 Danborg
Load the client in a virtual machine.

👤 heredoc
Just put it in a docker container.

👤 fhars
Since you are in the EU, have you asked them if they have confirmed with their DPO that the suggested data collection and processing is GDPR compliant?

👤 ryanmarsh
Always do client work in a VM.

👤 pronlover723
1) Consider dumping the client

2) Consider getting a special laptop for them alone (and bill it to them)

3) Have them send you laptop for their work.

4) Go to 1


👤 multimedial
Install it in a sandbox.

👤 throwaway743
Tell them to pound sand.

👤 zby
Laptops are not that expensive any more - maybe you could dedicate one to that client?

👤 pjmlp
I would use GDPR on them.

👤 vanusa
You have two options: (1) quit or (2) "renegotiate the relationship", as the saying goes.

Specifically, it's perfectly reasonable for you to say "OK -- if you're willing to provide me with a dedicated laptop". They can say no of course, but so can you. Or you can request a rate increase (which they would probably say no to, if they won't provide you with a laptop).

Either way, those are your choices. Yes it sucks to a degree, but that's what work does generally and is why it pays money. All we can do is moderate the suckiness-to-money ratio as best we can.