Another former Tesla security manager says the company spied on employees (businessinsider.com)
145 points by AndrewBissell 6 days ago | 54 comments

As an aside, if you’re using company-provided computers and phones your default behavior should be to assume they are spying on you to the degree that they are recording every action you take in those devices. It’s a spectrum—many companies don’t do this at all—but you would be doing well by yourself by assuming they record and track everything. You should also assume all of your traffic while at the office (if your company is old school and you only have a desktop) is being recorded.

> You should also assume all of your traffic while at the office

I fell out with my manager at FANG and she got back at me with the lowest rating possible for the year-end review. I chose to get my concerns across to HR about how this was unfair and challenged them to validate her critical feedback with peer engs. Didn't happen.

Instead what followed was, I was investigated for violation of company rules such as putting company laptop to personal use, violating social media policy, holding on to company documents for more time than company's policy permits... among a lot of such trivial other things (I was astonished at the intelligence they had built up, I guess, by using responses to internal surveys, predicting probability to have done something via browsing patterns, keeping tabs on laptop disk usage etc).

Once they had built "a case" they would go on to engage legal and terminate my employment with what I presume now qualifies as "just cause" and avoid having to pay any severance.

Has worked wonders for them, this tactic. I have since heard that a few other employees have been handled in a similar manner and that I was not the only one.

Remember the following:

HR is not your friend. HR's duty is to the company. If what you need and what the company needs are on the same page, sure, HR is on your side, but if not, they will do whatever it is that benefits and protects the company.

This seems to be a US thing. Worked in HR departments across several European countries. Obviously, HR’s duty is first and foremost to the company. It’s the same for everyone else in the company (to whom else should it be?! [1]). HR is chasing managers for policy adherence as much as it is chasing employees. At least in the companies I’ve seen, managers are typically even more so in the crosshairs of HR because they are supposed to enforce company policies at the frontline. Obviously, this breaks down if you talk about Board-level executives where the Supervisory Board will be involved more strongly.

If there are problems between employees and managers, HR should try to mitigate along company policy, where typically the first step would be to get the facts on the table.

Potentially this is lived more strongly in Europe, where employees have pretty powerful means after a dismissal to receive severance in case of any wrongdoing of the company.

[1] and yes, it should be first to yourself but that’s the same for HR

I don't know, I worked for a large UK multinational and if you saw HR about then you generally knew someone was in trouble - their role appeared to be purely damage limitation.

On the plus side they took no interest in hiring.

This advice is about as useful as the also ever-present HN saying, “if you’re not paying for it, you’re the product”

In other words, entirely useless and just a derailment of the thread.

I disagree. This is a cautionary statement for other people in the same situation as the parent post - if your boss has it out for you, HR is unlikely to have your back. Polish your resume, get an offer somewhere else, be explicit in your exit interview and don't sign any NDAs.

I like the saying: "If you look around and don't see a price tag, it may be on the back of your head. Don't forget to bring a few mirrors or a trusted friend with you."

Pretty normal whenever HR has decided you need firing. It's similar to the police (in America anyway), make enough rules and you can fire all but the most model employee on a long enough timeline without any effort.

Sounds like the legal space in the Soviet Union.

You can get rid of anyone if you make enough illegal.

That said, I don't think it's quite so bad in the US.

Maybe not as bad as the USSR, but here are some examples that really shouldn't be felonies...


And a Twitter account that highlights mostly ridiculous laws... https://twitter.com/crimeaday?lang=en

First mistake is HR.

HR is not your friend, never engage unless you have air cover from an exec with juice.

I’m sorry to hear that. On that note, it seems almost impossible to not use company equipment to look at things which may not be strictly work related such as news, new tech, websites, the occasional Youtube comedy clip.

Seems inhuman to have such strict rules which only serve as a way for the company to kick people out when the moment is opportune.

> it seems almost impossible to not use company equipment

Why? Just don't do it. If it's not work related, stop. If you need to kill some time to stay sane, get up and take a walk to do whatever on your device. I've worked at places where the computer that I used was connected to the production network. It was not connected to the internet at all which meant no email. To get to email, we had to log into a remote system to view email. Attachments could be saved to a folder that put it up for review of relevance and virus/malware/etc. If it wasn't approved, it was silently deleted with no notification.

At another location, we blocked FB at the firewall for the day, and the employees about lost their mind. It was very telling about how much time was wasted throughout the day. It was also surprising the number of people that complained like it was their right to use the company's resources to update their friends.

> It was very telling about how much time was wasted throughout the day.

Depends on a type of work that one does, for many office jobs today more hours spent working doesn't always translate into more work done. I personally find that taking frequent short breaks surfing web, reading news, checking FB and YT, etc. helps me keep focused and way more productive.

I simultaneously believe that you're correct about short breaks helping focus, that people who understand this effect tend to overestimate it in ways that help them rationalise procrastination, and that the renewed focus gained from a short walk or meditation is probably more helpful than whatever focus is gained from engaging in activities that require the social functions of your brain to kick in.

Individual personalities probably also play a big role here, how introvert/extrovert you are, and how much other social interactions do you have. Working from home can be lonely so virtual social interactions might be of higher importance to me than to, say, some introvert locked whole day in open space office full of people.

> Just don’t do it. If it’s not work related, stop.

I see where you’re coming from. I personally don’t use work computers for anything other than work related matters. However, I also know that this is not typically how work computers are used. Some people watch Netflix or Youtube clips during lunch. While I’m aware that there are secured environments where certain services are blocked due to security requirements (as they should be), many people work in environments where streaming Youtube or Netflix is not a security concern.

To get back on point, I think the issue of browsing while at work is one having to do with being reasonable: if employees choose to browse while at work then they should do so in a way which is reasonable to others. Looking at the odd Youtube clip here and there after someone brought it up in conversation is reasonable (assuming the content is SFW, but that’s a whole other discussion). I listen to music while programming, using Apple music and Spotify. I know other people who use the Youtube streaming service.

Would you be able to name and shame? Which FANG is this?

It might be enough to know it was one of the four. The next time a recruiter calls from any of them, it'd be worth asking them about this and what policies they have to protect engineers from abusive management. If enough engineers express concern, a policy change may come down the line.

Probably signed NDA to get severance.

> The tip from Sean Gouthro, the former head of Tesla's global security operations center and investigations, was filed on January 24 and corroborates a tip filed in August from Karl Hansen ... Hansen's tip claimed that Tesla did not disclose to shareholders the theft of raw materials and the unauthorized surveillance and hacking of employee cellphones and computers.

This is not a tip about Tesla watching what its employees are doing on its own equipment and data networks.

> This is not a tip about Tesla watching what its employees are doing on its own equipment and data networks.

I'm curious about details on this. Modern phones (well, iPhones at least) are pretty hard to break into.

I wonder if it was something like having them install a root certificate to use the company wifi, then using that root cert to spy on other traffic traversing the network (such as leaks to reporters)

A statement from the whistleblower's attorney said Tesla had hired former members of Uber's intelligence team (that had been spying on drivers, regulators, and competitors a while back) and referenced a proposed settlement agreement for the wire tapping & corporate espionage charges that outlines the tactics (allegedly) used by Uber.[1]

It also mentions Tesla installed "specialized router equipment within its Nevada Gigafactory designed to capture employee cell phone communications and/or retrieve employee cell phone data."

Sounds like some sort of man in the middle attack? I didn't catch any similar references in the Uber document but it's heavily redacted and the entirety of my knowledge in this area comes from Dinesh's criminal girlfriend so it's very possible I missed it.


> It also mentions Tesla installed "specialized router equipment within its Nevada Gigafactory designed to capture employee cell phone communications and/or retrieve employee cell phone data."

I might be not using the right term but sounds like a... stingray? (Well, some sort of cell site simulator)

Most MDMs install both a cert and a profile on iOS devices that allow the MDM admin to do just about anything. Any company-owned device is going to come to the user with this pre-installed, and non-removable by the user. I'd be astounded if a company the size, and with the security stance of Tesla didn't use the most intrusive MDM available.

It is very easy when the phone is left unlocked...

I suspect millions of affairs have been discovered using that elaborate hacking technique. The same thing can be done at work.

Looking over the shoulder is another low tech but quite effective option.

Anymore these days it's been my experience that cert pinning prevents this from working. Adding a new root cert does not force any of the apps to use the root cert if they've enabled pinning.

Interesting tidbit, I'll stash that for the next time an SRE argues that pinning requires too much overhead (in terms of managing/paying for the certs rather than CPU) :)

You could 'hack' any spying tendency though, just set up a system to send emails early morning, late at night, at weekends.

Then come annual review time, your boss can be impressed by your dedication.

This is off the top of my head, and does have the obvious flaws of being obviously automated from the sending machine's perspective, and emails might not be a sign of work in your particular job. It probably has unobvious flaws as well, so isn't career advice.

Right, and I would counter that if you're doing this, it's time to look for a new job. It's not good for your own personal career, it isn't good for your company, it isn't good for your relationship with your manager, and it is illegal in many locales.

So, no, please don't do this.

Just wondering what part is illegal. I'm not familiar with this sort of thing.

Fraud is lying to get paid. The employee is lying about their work (generating fake emails to fluff up email counts) with knowledge that the information is used to gauge work done. Their employment continuance, or bonuses, are partially factored based on this metric. Thus, they are lying to get paid. That is fraud.

If a salaried employee lets his boss see him when he comes into the office early, then when out of sight sips coffee and relaxes until his coworkers arrive, is that also fraud? If you caught one of your employees doing that, would you call the cops and report him for fraud?

Calling that fraud is about as accurate as calling an otter a pencil.

In some of my previous employers, this type of work was all any employee actually did. Calling it fraud is probably not accurate.

Has anyone ever gotten prosecuted for brown nosing by shifting email times?

You might think that the way Tesla treats employees, like this incident and the general impression that they are being driven into burnout, has some consequences. And I think that’s exactly what we’re seeing with the generally tumultuous news that we see on Tesla lately. Heck, there’s another HN front page entry just today, about Tesla’s sudden reversal to close all stores.

It’s probably not the only factor, but I would be surprised if it is not at least a factor.

If it was not for the strength of cult belief in Elon Musk within the company, they would probably be facing an open revolt at this point.

Don't miss "incentivizing employees to take out loans and spend PTO on new Teslas just before docking their pay": https://news.ycombinator.com/item?id=19361710

Here's another article with a different take: https://electrek.co/2019/03/11/tesla-former-security-manager...

Electrek writes the best articles. FUD free

Well I don't know if they are perfect, but they are miles better than the ton of anti-Tesla propaganda that has been flooding the media for the last year or two.

By the way, I am not saying there are not important criticisms of Musk and Tesla, it's that you need to balance it with all the things that are praiseworthy, and lately that just hasn't been happening. It seems like the more Tesla succeeds, the harder the media try to prove he is either a con man or a complete idiot.

As I see it, it's as an extension of the SpaceX smear campaign which, crazy as it sounds, seems like it's a real thing.

Tesla is anti union. Tesla spies on employees. Why do I see a nexus here?

In the Elon Way of Thinking, unless you 100% agree on everything and drink the Kool-Aid and roll with rapid reversal of logic giving you whiplash, you are against the mission, and thus the enemy. Since everyone can one day disagree, and thus is potentially the enemy, the conclusion is we must spy on all internal and external entities; and when they disagree with anything, for instance, wanting a better workplace, question their motives. Another example: The SEC simply wants CEOs of a public company, you know, not to lie on Twitter about material stuff like having a deal to buy-out the company... but according to Elon, the SEC simply wants to destroy Tesla; is part of a sinister network of anti-Elon forces, and can't possibly be actually watching out for investors and pensions. This is the mentality of a paranoid dictator. Short-sellers, who to Elon are like Hillary/Mueller to Trump on Twitter, are seeing a company constantly missing self-imposed goals and milestones, must also be evil people, as opposed to simply pointing out the blatant issues on hand.


Elon's hubris makes him and his actions with his companies pretty great entertainment but his treatment of employees and his followers' treatment of those not drinking his Kool-Aid is scary. His/Tesla's brand is interesting


Lots of people could make electric cars and rockets ("spaceships" lol) if they were handed 10s of billions in investor funds and government subsidies. It's really not that special of an accomplishment.


We've banned this account for posting unsubstantive comments.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.


Suck my fucking dick you corrupt piece of shit mod. You can't ban me.


It only leads to personal gain if there really was malfeasance though; making things up won’t get you a penny. Given that, it does seem like you’re defending Tesla, or at least playing fast and loose.

Even true allegations can take years to come to fruition in a whistleblower payout, assuming there is still a solvent company around to pay fines by that point.

Absolutely, and those years will be quite unpleasant. I don’t think I’ve ever heard of whistleblowing being a skive, or a pleasant path. “Happy like a whistleblower?” Nah.

On the other hand...

If a company is playing fast and loose with regulations or laws, or, more generally, people's sanity by pushing its employees to work a million hours a day, because it stands to gain financially from doing so.

It seems only fair whistleblowers be likewise financially incentivised.

In some ways we could consider it analogous to a Bug Bounty program.
