0

Let's say a company uses GlobalProtect to let their employees connect from their private PC at home with VPN to their work PC.

GlobalProtect connects automatically when the private PC at home starts up. Let's say a user visited different websites from this private PC , but forgot that GlobalProtect automatically connects at startup.

Can the company then see what websites the user has been visiting on his own private PC? And if yes, is this legal?

Jedi
  • 3,976
  • 2
  • 26
  • 42
Henrik R L
  • 11
  • 1
  • 1
  • 1
  • Related, if not duplicate-- http://security.stackexchange.com/q/31086/111626 – Jedi Dec 03 '16 at 16:16
  • I don't know what "GlobalProtect" does. It might be the worst spyware ever, it might actually just offer VPN, and then that VPN might be configured to tunnel everything through the company, or just the intranet data. Impossible to say from here. – Marcus Müller Dec 03 '16 at 16:24
  • What I mean is if the company server can log the website browsing history for websites visited at the private home PC? Is a browser request for a website at the private home PC routed through the company's server (when connected with VPN) or does the request for a website at the private home PC go directly from let's say Chrome and to my Internet provider? I don't think about if the company will hack into the private PC to check Chromes browser history. – Henrik R L Dec 03 '16 at 16:25
  • @John4545 no-one can know without looking insíde the software used and how it is configured. Sorry. – Marcus Müller Dec 03 '16 at 16:29
  • Would not the answer to "is this legal?" depend on the answer to "in which jurisdiction?", which is conveniently left unanswered in this question? – user Dec 03 '16 at 17:44
  • @Marcus Müller. Thanks for your answer. I think I found the answer I was looking for. In a CMD prompt on the home PC I write lets say "tracert www.youtube.com" when the VPN connection (GlobalProtect) is disabled and when the VPN connection is connected. These two results is identical! This must mean that a website requested on the private home PC is NOT routed through the company server and therefore the company server can NOT log the visited websites from the private home PC. (The company will not try to hack into the home PC to read Chrome's browser history etc.). Am I correct? – Henrik R L Dec 03 '16 at 17:51
  • No, you're not, for the reasons I wrote twice already. Have a nice day. – Marcus Müller Dec 03 '16 at 19:30

2 Answers2

1

GlobalProtect is a lot more than just a VPN service. As such, without knowing how it has been configured, it isn't really possible to answer your question properly.

For example, since GP is able to enforce "profiles" on your PC to allow you to connect to work resources, it is entirely possible that it could enforce the use of monitoring software which could indeed track usage. I don't say that this is likely, I doubt it, but it is possible.

In addition, the answer you've given yourself certainly isn't proof. One thing that a VPN could do is called "Split Tunnelling" where some traffic may be forced to go through the VPN and some not. Of course most VPN services, when the VPN is active, will apply forced routing of most if not all traffic through the VPN at which point you may well see a different route.

You should check your browsers network settings to see if, when the VPN is turned on, you have a proxy set up to use. This again is not total proof but is a common configuration for corporate VPN's.

The other thing that can happen - and I don't know the GP product so I can't say for sure whether it can/does do this - is that a product like this can create secure "bubbles" on your PC. In that case, it is common for applications, data and network traffic for work to be wrapped up by the application and kept separate from everything else on your PC. You would normally be told this when first being set up to use the application as it is important to understand how things are kept apart. If this were the case, then your normal browsing would remain private even when the VPN is on.

As to legality. You should have been asked to sign up to some terms and conditions, possibly part of the Acceptable Use Policy. This should say what the impact is of using the VPN service with personal equipment. If not, you should request this information from your organisation as soon as possible. Organisations leave themselves open to some serious legal issues if they haven't made these things very clear.

Julian Knight
  • 7,132
  • 19
  • 23
-1

In a CMD prompt on the home PC I write lets say "tracert www.youtube.com" when the VPN connection (GlobalProtect) is disabled and when the VPN connection is connected. Since these two results is identical I assume the website request is not routed through the company server, so the company server does not know what websites has been visited on the private home PC.

Henrik R L
  • 11
  • 1
  • 1
  • 1
  • 1
    As the VPN seems selective based on the domain you're accessing, how can you be sure that the result you got is the same without testing each domain you're interested in? – Neil Smithline Dec 03 '16 at 19:22
  • @Neil Smithline. Do you mean that I must check every website visited with VPN disabled/connected and check the trace result? If "tracert www.cnn.com" does not show the company server can I then be sure that lets say www.google.com will not be routed from the home PC and to the company server when VPN is connected? – Henrik R L Dec 03 '16 at 19:48
  • Yes, that's what I mean. You need to either check each domain, or find the active configuration for the VPN and examine it. I guess that if you test enough domains, you'll be able to make a good guess how the VPN works, but you can't be certain. – Neil Smithline Dec 07 '16 at 22:32