
You have two options: (1) quit or (2) "renegotiate the relationship", as the saying goes.

Specifically, it's perfectly reasonable for you to say "OK -- if you're willing to provide me with a dedicated laptop". They can say no of course, but so can you. Or you can request a rate increase (which they would probably say no to, if they won't provide you with a laptop).

Either way, those are your choices. Yes it sucks to a degree, but that's what work does generally and which is why it pays money. All we can do is moderate the suckiness-to-money ratio as best we can.




My client is quite reasonable, and is willing to compensate me for a new laptop.

It took me less than a few minutes after I read the mail to come up with algorithms to implement this thing without compromising my security or privacy. VM. Use an old laptop and remove the wi-fi card. Get a new PC or laptop. Wire whatever I choose on a vlan that goes directly to a VPN server in another country.

However, I still don't like the idea of running an agent on my/a machine. It's a road I feel strongly against going down. But then, I came from a different time, when people still trusted each other and acted in good faith.


Just get the laptop, use it for work only. This is the best way forward.

They are looking for their interests (minimize security breaches) and that's a perfectly understandable position and solution to the problem. In this day and age the risk from a breach is much larger than in the past.

Since they are willing to provide the necessary equipment for that then there is no issue from your end.


> They are looking for their interests (minimize security breaches)

No. This comes from the sales people. They want to provide a "SOC 2 Audited" certificate to their potential customers. They don't give a rats ass about actual security.

The upper management does care about security. But I don't think this particular requirement offers much of that.


I googled "SOC 2 Audited" - and I've got: """ A SOC 2 audit is a company-wide certification that evaluates an organization's standards regarding its core data security infrastructure, information handling practices, consumer privacy, and confidentiality. For this purpose, an SOC 2 auditor needs to evaluate various aspects of a company's systems and processes """ So it is about security. I guess your point is that it is just a security theatre and not related to the real thing - but that is a different discussion. It would be a discussion about https://slatestarcodex.com/2014/07/30/meditations-on-moloch/ and https://www.amazon.com/Moral-Mazes-World-Corporate-Managers/... and etc


Since when is a backdoor useful to minimize security breaches?


When you don’t trust the person on whose machine you want to install the backdoor.


> ...My client is quite reasonable, and is willing to compensate me for a new laptop.

I wonder if, "in the spirit and for the strength of mutual trust", they would be willing to provide you with the reports on the agent-collected data about you. Basically, a copy of how you are being shown in those dashboards.

It's fairly reasonable, as you're not an employee by definition, yet such policy or a requirement to operate on client-controlled work means is an employee's realm, not an independent contractor's one.

Here's the IRS independent contractor test:

https://www.irs.gov/businesses/small-businesses-self-employe...


It's trivial for software inside a VM to detect that. So, I'd expect any competent agent software to report that back to base.

Whether or not the people monitoring the agent's output will care, is a different question. ;)


> It's trivial for software inside a VM to detect that

QEMU can get you very far in masking the presence of a VM. If it can work around Nvidia's cash grab of not allowing consumer cards to be used in VMs, it should be able to deal with whatever bullshit spyware.


If you run `dmidecode` inside a Linux VM (running on QEMU), do the returned strings not show extremely obvious VM-only things?

When doing so on VMware or KVM, things are extremely obvious. I haven't tried just plain QEMU though. :)


With QEMU you can configure that and make it say whatever you want (which is how you can lie to an Nvidia card).


Cool. That's definitely useful then. :)


You can be spied on with a microphone: https://github.com/ggerganov/kbd-audio


But then you have to install an authenticator app on your phone for 2FA and they won't run on a SIM-less burner.


RFC 6238? It can be implemented on any hardware.


Don't forget option C: Talk with all the other teams and present a united front, whatever you decide to do.


Only if you trust those teams to not stab you in the back.


Honestly, I wouldn't trust anyone. Reasonable trust in your employer starts and stops at your paycheck.


No, "quitting" is rarely the right option - you do not need to proactively respond to the situation they created! If you're willing to no longer work there over this (as you should be), then that is a pretty strong BATNA. You soft refuse and give them alternative options that are acceptable to you (perhaps supplying their own equipment to run the spyware, a higher rate so you can procure your own dedicated equipment, etc), etc. Let them be the ones to terminate the relationship.

The same goes for other bullshit sprung on you out of the blue - noncompetes, piss testing, etc. There's a decent chance that if you just passively stonewall, they will eventually give up.


> Let them be the ones to terminate the relationship.

Disagree - in general you never want to be expressly terminated. Layoffs are a different matter, of course. But an explicit "for cause" termination is always a red flag to any future employer.

> There's a decent chance that if you just passively stonewall, they will eventually give up.

You really can't stonewall these things and I wouldn't suggest to anyone that they try. If they foist unacceptable conditions on you as a condition for continued employment, then whatever it is -- moving to Dallas, a shitty NDA, taking a piss test -- you need to be an adult and say some version of "Thanks, but no thanks" and move on.

Or stick it out and be prepared to be miserable and feel like a suck-up if you want. But either way, those are the choices, unfortunately.


I should have said "let them end the relationship", not "terminate". There is generally a long road from failing to install some spyware on your own device, or failing to give them some piss to play with, to "you are being fired for cause". If you're given a hard ultimatum (do this by next Friday or else), or if it looks like the process is definitely heading in that direction, then you can bail.

Every situation is a negotiation. I'm not advocating outright aggressive rejection, but rather passive stonewalling or responding with a counteroffer. Ultimately it depends on your position and what value you're providing. If management loves you (or needs you), that will go a long way in a sane place. You're a known quality employee getting the job done, and someone from HR or IT is coming along and rocking the boat. Obviously if you're already on shaky ground, then you've got a lot less leeway to play around.



