It's not a matter of hiding. Companies do not want to know.
I guarantee that in many (likely the vast majority) of these cases someone in management is aware and is pursuing a don't ask don't tell policy because they don't want to deal with the fallout.
It's extremely common to work while on a visitor's visa in another country, for example. I bet there is not a single manager reading this comment who has not had one of their employees send work emails while traveling internationally on a visitor's visa.
I have several friends who are doing the digital nomad thing, working all over the world while ostensibly traveling on visas that prohibit work. If they officially asked HR, HR would be forced to officially tell them to not work. But they're never going to ask, and their direct managers are never going to report the situation.
I know of several situations as well where the employee moved. The company response is pretty much universally "you can't do it so please don't tell us about it because if it's ever put in writing we have to act on it"
> It's not a matter of hiding. Companies do not want to know.
If a company doesn't want to know you shouldn't be doing business with that company.
Sure some of these cases are John Doe wanting to live as a secret expat but not all.
In a remote world, you have to know. There are numerous fake employee scams that have a number of different outcomes that present exactly in this manner.
1) Steal or forge a decent looking identity.
2) Have a face that interviews and attends some of the early weeks on camera then slides back to off camera
3) Profit whether it's theft or double-dipping or code farms
This isn't a pretend scenario. It's active.
Depending on your vertical and internal zero trust architecture a breach of this nature could be devastating.
So sure, maybe that employee is lying about their location to soak a big salary under a cheap cost of living but maybe they are something much darker and you can't leave that stone unturned.
Within the EU, it would likely be considered an invasion of worker privacy (indiscriminate screening of where employees are logging in from).
Even if it weren't an invasion of privacy, as you say, companies want to be able to point and say 'look, we have a policy, you aren't allowed!' and blame workers for breaking the rules rather than trying to solve the (admittedly complex) tax regulations about working outside the country you are normally employed in.
Not to the country you’re visiting. I had to attest to the German government that I would not send any emails or write any reports on my recent work trip there. Else, I needed a work permit.
They're degrees of the same thing. In my experience companies don't want to know about it if at all possible.
In some cases working on a vacation is a more serious issue - I have heard stories of employees remote working from sanctioned countries and employers finding out after the fact.
My point is that it's typically not a cloak and dagger situation described above, with an employee going to great technical lengths to hide their whereabouts.
Generally speaking, the immediate manager is aware and is pursuing a policy of willful ignorance. Often when rumors percolate to HR, HR will very quietly say that they don't want to know and to clean it up so they don't ever have to.
I don't know of any companies attempting to actively document this kind of thing. They don't want to know, and they'll only respond if they are forced to acknowledge the situation.
Potentially the case, but this article was about two people who were going to great lengths to hide their whereabouts from their employers.
> I don't know of any companies attempting to actively document this kind of thing.
Well, not all companies tolerate casual lies, especially those that impact tax liability. At my organization, you'd be terminated for any willful lie in an instant based solely on a violation of trust... even if it didn't open the company to any tax or legal liability.
Certainly the official policy is that you'll be terminated. Almost every HR department would say this if asked.
Reality is often different. Companies are diverse collections of many different people with a diversity of incentives who all enforce policies in very different ways. When these things happen there are many layers of management who will more often than not try to avoid the problem.
Maybe at a large org. I don't work at a large org. There is no difference in official policy and effective policy in an org where they are both controlled by the same person (or by a few people who closely agree)
Also, there are larger organizations where matters of trust are a critical part of the job, there are operational safeguards in place to account for lapses in trustworthiness, and concerns surrounding this are taken more seriously.
No; they're not. Intention often matters in immigration. If the purpose of your stay in a country is tourism, that is one thing. If the purpose of your stay is to work remotely then that is a different thing.
Your original reply was to a post saying: Sending an email on vacation is one thing. Setting up residency is something else entirely.
Those do not have the same intention. In the first case, the email is incidental to the vacation. In the second case, the purpose is to work (which defies the claim to be "on vacation" in the first place).
No-one is confused about whether they're going on a foreign vacation (taking vacation time, telling their colleagues they're not going to be available etc) and handling a few emails vs. setting out to work remotely from another country that might have a superior climate. The suggestion that these are the same thing based on observing that both involve work email in a foreign country is pretty obviously ridiculous.
If you tell the immigration officer at the border that you're planning to work remotely with your tourist visa, they're going to put you on the first plane home.
That can be bypassed by using a residential/LTE VPN. They're not as easy to get a hold of as regular VPNs, but if tens of thousands of dollars on the line I think tech workers can manage.
Or you know just having a small room with a server rented that you ssh or vpn through.
I think by the time an employer gets into such arms war with the employees, it’s time to have a hard look in the mirror and see where the CEO is working from.
I found that a little surprising and upsetting about CloudFlare for example. The CTO is working from a beach town in Portugal but regular employees are bound to a physical office. And this is 100% ‘cloud’ company where all your work is logging in remotely anyway.
I found that a little surprising and upsetting about CloudFlare for example. The CTO is working from a beach town in Portugal but regular employees are bound to a physical office.
Well, that's a pile of shit and completely false. Everything about that is false. I'm in Lisbon not some "beach town" (unless you're counting the capital of Portugal as a beach town). Employees have a huge amount of flexibility on using the Lisbon office or not.
And this is 100% ‘cloud’ company where all your work is logging in remotely anyway.
Not so sure about that. First meeting I have tomorrow morning is in person with member of the team in Portugal in the office. It's true that I have a lot of video calls, but not really a surprise given that Cloudflare has offices all over the world. We have more than 200 employees in Portugal and I'd guess around 40 in the office at any one time.
If you ask your employer to work from Lisbon as opposed to SF, you'll likely get a 3x-5x reduction in total compensation. I doubt Cloudflare (or any other) CEO's compensation will get the same readjustment for cost of living if he moves from the SF office to the Lisbon office.
Then find an employer who thinks the same way. If you agree to work for a company that says "your place of employment is X" then you'd better be OK with that. Anything is just rationalization.
People in tech have already been doing stuff like working three jobs at once for decades. Sometimes these people will comment on here how they do all this juggling in their careers and keep each employer blind to the other. It's old hat that the tech worker will develop a way to squeeze more money out of their employers. Should be expected at this point.
If you set up your entire home network to tunnel back via the VPN, it's basically bulletproof. The failure mode would be "no connection", not a leak via the local, non-VPN'd connection. You can even maintain an actual air gap between the 2 networks with one device that handles the tunneling and exposes an ethernet port that's only ever bridged to the VPN interface, and the normal router's WAN port connected to that.
I have such a setup - the local connections at the end-user sites are inexpensive consumer-grade connections (because they are cheaper and quicker to set up than a proper leased-line which has months of lead time, and you're not going to convince small restaurants/coffee shops that they need to spend 500 bucks/month for a leased line to serve public Wi-Fi) with various bullshit such as filtering, dynamic IP, etc - but the network hardware tunnels back to my infrastructure and abstracts away all the intermediary connections, giving them a "clean" Ethernet port. As a bonus, it can tolerate intermediary connections failing without dropping in-flight TCP connections, since those run over the tunnel rather than the raw interfaces which have gone down.
There is a difference if it is your own vs corporate hardware: MDM can enable wifi remotely, then do a location scan against wifi networks nearby (ostensibly this is for theft purposes)
If you really want to do this and fool wireless location, I wonder if a client running at the "real" location can run something like airodump-ng and send the received (B|E)SSIDs to the remote end where a fake AP spoofs them. You don't actually need to break any crypto to do this, simply broadcast the same networks with the same security parameters (even if the key itself is different). Signal strength will be an issue but it's probably still good enough to fool the system into returning an inconclusive result. Tampering with the wireless card to prevent it from receiving anything is also a solution.
You would have to be in the stone ages not to heard of VPNs or believe that the origin IP is correct. But maybe I like that you exist.
I've helped a few remote workers with this setup. Always a stable VPN - be careful some of the low cost ones - any lifetime bullshit deals - anything listed on stacksocial - anything less $5/m - they change their IP registrations so even if you are connected to SF one day it shows correctly the next the day it shows Pakistan - use something like Mullvad or better yet Tailscale exit node from a stable VPN provider in your specified location of working - heck just setup tailscale on raspberry PI at your parents/friends. Modify route tables so you never hit the web unless connected via VPN, easy on some Asus routers.
Adjust the time and TZ on your PC to place of registered work time,that web based homebrew HR system could be doing something crafty .
Deep latency hacks - use RDP from place of registered work
The article details the levels of active deception that one of these covertly-overseas employees has gone through, involving virtual environments and VPNs. The rare employees that are this determined are probably more determined than a compliance officer.
I don’t understand why “Matt” would talk to the press if he truly wanted to keep his deception secret. Because once he gets caught and narc’d on by his employer for obtaining a visa under fraudulent pretenses, with this article as evidence, his travel options are gonna get limited.
