my boss wrote a poem about us but left people out, I doubt my boss’s nephew is really a genius, and more

It’s four answers to four questions. Here we go…

1. My new boss wrote a poem about our team … but only some of us

My company has an annual team-building outing, which is traditionally the occasion for higher management to express their gratitude to the employees. At least, that was what I was picking up from the trip, as I’ve only started working here recently.

One of the gestures my grandboss made to express her thankfulness for us was to write a poem about our hard work. The thing is, she manages two teams— let’s call them team A and B — and her poem was only about team A.

I’m on team B. To be fair to her, my team was part of team A until pretty recently, and we are comprised mostly of newbies, my boss included. Because of the nature of our work, we do not interact with our grandboss as much as team A. Still, it’s hard not to feel slighted when her poem listed out the names of every single member in team A, and not once mentioned the people in team B. All her other gestures addressed her employees as a whole, but the poem made me wonder if she only intended her praises and encouragement for team A.

She’s been a stellar supervisor otherwise, and neither of my teammates nor my boss seem to be bothered by the, in my opinion, preferential treatment. Should I just let it go?

I feel like it’s something important to bring up though, mostly because it reflects poorly on her as a manager. How do I bring this issue up delicately? Should I speak to her privately or should I give my feedback during the annual manager review? Or again, is it this worth making a big deal at all?

Let it go. It’s true that big public expressions of appreciation shouldn’t favor only some of the people a manager manages (unless it was specific to a project they did or something like that). But I can see this happening if she knows Team A well and has worked with them a long time, and those things aren’t true yet of Team B. It still wasn’t very graceful, but it’s not a big enough deal to raise with her; if you do, you risk looking a little precious, especially as a new employee.

You say she’s been a great manager otherwise, and that’s more important.

2. Employer is requiring us to install software on our personal computers

I am a doctoral student at a major U.S. university. Everyone in my grad program is employed by the university in some capacity: some of us teach classes; others are hired as researchers. However, this doesn’t function like a normal workplace in many ways, including that there are no work computers provided. This is a huge expense for people, and unfortunately it’s very common in academia.

The other day, we received an email from IT that all university devices will be required to have a particular antivirus software installed on them. I thought, no problem, I don’t have a university device. But then I read the fine print and realized their definition of “university device” covers any personal device used for university business — which includes all of our personal computers.

Apparently if we don’t comply by a certain date, our devices will be locked out of the campus wifi and other essential campus IT infrastructure. The justification given is that other devices in a network could be compromised if one insecure device is hacked. That may be true! But the particular software (there are no alternative options) brags of its AI virus detection, and apparently, if the AI erroneously blocks a legitimate program we’re trying to download, we can contact IT to have it unblocked within 48 hours. (48 hours???) It also says that the software does not share personal data … except in cases where “adverse events” are detected, and they are extremely vague about what would constitute an adverse event.

I am deeply uncomfortable with this. As a matter of principle, I’m grossed out by the lack of ethical oversight of AI and would like to opt out as much as I can. More to the point, this is my personal computer! I use it for, well, very personal things that I really don’t want my employer to see (outside of work time, of course!) The university has not given me reason to trust their judgment in the past, and I don’t trust that this software will keep my data private. I also have my own risk tolerance for downloading open-source software from the internet, and I don’t relish having to go through IT to get downloads unblocked, especially if they have nothing to do with work.

Do I have any options? Obviously, this is what work computers are for, but there’s no funding for them and I can’t afford to buy a second laptop. (Nor can most of my peers! People are already using absolutely ancient laptops because they couldn’t afford new ones in the first place.) We do have a union, which I am active in, and there’s a possibility that we could push back collectively on this, but the timeline for getting it resolved is likely to exceed the time they’ve given us to comply with this order.

Also, nobody else seems to be upset. Did they just not read the email? Am I wildly overreacting? Maybe this is just a necessary change to the technology … but I feel very trapped.

You’re not overreacting; this is a massive overreach with significant privacy implications for your personal devices. It would be different if these were work-provided computers, but they’re not. And I suspect the reason no one else is upset is because they didn’t pay much attention to the email or haven’t thought through all the implications.

Legally, you don’t have much to stand on. Employers can require you to use your personal devices, and they can require you to install all sorts of invasive programs when you do. But you potentially have power in numbers, if enough of you push back on this. Talk to your union, and talk to your colleagues. Spell out exactly what they’re agreeing to if they install this software. (And why is it not an option to simply agree to install anti-virus software on your device that you select and control? That’s what I’d push for.)

3. I doubt my boss’s nephew is really a genius

My boss has hired her nephew to work part-time in our department. He’s 18 years old, fresh out of high school and I believe this is his first job (we do accounts receivable for a 2,500-person company). There are two supervisors in our department, me and another person. My boss made her nephew my direct report (without even discussing it with me!) and he is my only direct report; the other supervisor has no direct reports at all.

My issue with is probably not a big deal, but I’m still annoyed. At least once a week my boss refers to her nephew as a genius (“Genius Nephew has come up with a more efficient way to do X!” or “Nephew had a genius idea about Y!”) and it really annoys me; sure he’s smart enough I guess, but I doubt he’s actually a genius.

I am very hesitant to bring it up to my boss herself because when I’ve brought up other issues regarding the nephew in the past, she has justified his behavior even though one example of what he did (pushing off his research onto another department) is something she has expressly told the rest of us that we are not to do.

With some recent reorganizations, my boss has a new boss and honestly I would love to bring this up with him and hopefully he would see this situation as problematic and then we could hire someone other than my boss’s nephew, who would be able to work full-time AND not be the boss’s nephew OR my direct report.

Should I even bother to bring this up with my grandboss or should I just internally roll my eyes and let it go?

The issue is less that your boss thinks her nephew is a genius and more that she hired her nephew to work under you, which puts you in an impossible situation as far as managing him goes. The genius stuff is a subset of that larger problem; it shows a bias in his favor that’s probably connected to their familiar relationship, but even if she weren’t so effusive about his incredible brain, hiring him into her chain of command would still be a problem.

So yes, talk to your boss’s new boss! He may not even realize that your boss hired her own nephew and stuck you with managing him, so lay out the situation for him and whatever problems you’ve seen so far.

4. Hot desking and when to clock in

I recently started working at a place with a hot desk, and clean desk, policy. At the end of the day, we put our laptop, notebooks, etc. in our individual lockers, and at the beginning of the day we take our things out of our lockers and set them up at our usually-new desks. I have no issues with this: we only have to be in the office two days a week, and get to work from home the other three days, so this like a perfectly fair compromise to me.

My question is: should the time I spend setting up my things when I arrive, and putting away my things when I leave, be counted as working time? We use timesheets to clock in and out every day.

In past jobs I’ve counted my clock-in time as being when I’m logged in and online, but that’s in jobs where I’m always at the same desk so am not required to set up every day. It doesn’t take that long (probably five minutes on either end), but I’d still like a definitive answer. Thoughts?

It should be paid time. Federal law requires you to be paid for activities before and after your work shift if they are “an integral and indispensable part of the principal activities” for which you’re employed. An activity is integral and indispensable if it is “one with which the employee cannot dispense if they are to perform their principal activities.” You need to set up your work station in order to perform your job, and you are required to put things away when you leave, so doing that should be paid time.

{ 377 comments… read them below }

  1. Daria grace*

    #1 personally I would have been glad to not be name checked in an awkward poem.

    #2 if they really did care about compromised devices compromising other parts of the network they would provide properly locked down work computers. With or without sketchy anti-virus software there is always going to be huge risks inherent in a bring your own device policy, especially when many people are using older devices. They don’t get to compromise your personal device because they aren’t willing to spend the money it takes to set up proper secure IT arrangements.

    Also inclined to side eye this as I’m assuming undergrad students are connecting their own devices to the network all the time and don’t have this software (or often any anti-virus at all)

    1. Nina*

      (Also grad student) my university provides controlled computers and is very reluctant to let you use personal computers on uni networks at all – like, you can, but there’s a lot of stuff you can’t access. Which is a better setup than LW has.

      1. Nesprin*

        GO YELL AT YOUR DEANS!!! AND GET YOUR PIs TO YELL TOO!!!!

        Making sure that grad students can do their work is like 60% of the job of a dean and keeping the PIs happy is the other 40%.

        1. Prof_Murph*

          This and you must contact your union. Everything you raise is valid. And if you have any sort of graduate student association/senate, bring immediately to them to address. I’m a university professor and I can assure that this is an overreach – your IT department should not have this much decision-making power over employees/staff/individuals personal devices. (Regardless of whether your institution can pay for employee devices or not.)

          1. Spacelf*

            I doubt a support group has that kind of power. However, it does seem to be a budget issue. If it’s that important, loaner laptop should be issued for work.

            1. Banana Pyjamas*

              Take the poor public high school route, and have a cart with laptops that grad students can check in and out as needed for work.

    2. WeirdChemist*

      For letter #2:
      -At a major US university (ie an R1 university), the number of doctoral students is likely in the thousands. Providing work computers for all of them would likely be crazy expensive (or they would provide the absolute crappiest)
      -When I was a grad student we had the ability to buy lab-use laptops with our grant money. That could maybe be an option for LW2 to ask their PI? Obviously the better option would be for the university to not do this thing but…
      -I am absolutely assuming that the undergrads are being asked to do this thing too, likely as a new student “software package” or something. IT says any device will be blocked from campus wifi, which the undergrads will need… Or if the undergrads are *not* being asked to do this thing, then there’s clearly going to be ways to access the wifi without it, so LW2 should ask around
      -I am also outraged on LW2s behalf!

      1. I'm just here for the cats!!*

        I’m wondering if there are 2 WiFi la one for employees and one for guests and undergrad. for example, at the university I work at we have 1 that you have to use and log in with your employee email and password. and the the guest which is open. the university wifi doesn’t seem to work on private devices

      2. AnotherOne*

        or ask about getting second hand laptops from the university.

        my department updates our computers on essentially a 3 year cycle, so we always have computers we are getting rid of. they first get offered to staff first. but after us, they go to some program at the university for students who need them, as I understand it.

        OP2 could speak to their department about whether that could be an option.

        Though if I were OP, I might start by speaking with Computer Science/Engineering grad students if that isn’t their department. I imagine they are in the same boat and may be coming up with solutions.

      3. daffodil*

        The grant funding solution is unlikely to be available to humanities scholars, or folks on teaching assistantships unfortunately.
        Higher Ed would really benefit from a reconsideration of PhD students’ place in the system. I’m still mad that 15 years ago when I was teaching two different undergrad courses as instructor of record and only registering for dissertation hours, I was still charged what the university called “instructional fee” (a way of raising tuition without raising tuition, which for those of us on university assistantships was effectively a pay cut from our already meager stipends).

      4. judyjudyjudy*

        How easy was it to get approval for funding computing resources? As far as I understand, the NIH and NSF are super strict about what you are allowed to purchase and how it is used.

    3. MBK*

      I’ve worked for three different R1 universities, and I have a kid who just started at a liberal arts college. Every one of these institutions requires *every* computer that connects to their network – university owned or personal – to have a certain level of malware protection. The main differences are that with university owned devices, they (a) have more direct control, as they can check that the antivirus/anti-malware software is installed and active via remote management tools, and (b) they can dictate which specific software is used and how it’s configured, as opposed to just setting some requirements and having individuals make choices to meet them.

      1. Sled dog mama*

        Yeah, when I was in undergrad (20 years ago) we were required to have certain software installed to access the campus network. We did have a choice of several different ones to use.

        1. a clockwork lemon*

          This is how it was when I was in undergrad too (10ish years ago). The university provided some sort of fancy antivirus software, it was a non-negotiable requirement to have it installed. My campus was an outlier in that they also pretty much required everyone to have Macbooks. The only exception I’m aware of is some of the science students doing lab work had PCs because some of their software wasn’t compatible with iOS at the time.

        2. Starbuck*

          So interesting, there was none of this at the highly-ranked public R1 I attended as an undergrad. Nothing was required of you to access the wifi other than a student ID log in. I definitely would not have installed any software they asked me to on my own personal computer… the network should be locked down enough that it’s nearly irrelevant, honestly.

        3. Quill*

          Yeah, I had a windows Vista that was constantly fighting the campus antivirus to the death during my first two years of undergrad, resulting in a decent number of bluescreens. Turns out the antivirus that came with the laptop was trying to remove the campus antivirus and vice versa. It was a disaster and IT was not interested in solutions other than “factory reset your computer” and “buy a different brand of laptop.”

          So while in theory having everyone on the same antivirus was good, the application was… extremely bad.

        4. Aerin*

          Exactly the same for me. We offered a choice of three antiviruses, but having one was required. And even then, working student helpdesk I spent half my time trying to clean viruses off student computers and doing the fun parlor trick of telling them exactly which sketchy adult websites they’d been hanging out on.

          I also heavily side-eye “my own risk tolerance for downloading software.” You may be fine with it in theory if Bob’s Discount AV doesn’t catch that Totally Legit Registry Cleanup is a worm, but will the owners of the computers that you spread it to be so blase? Will you be okay if word gets out that you’re the reason the network went down? (I’ve seen that happen, it’s not pretty.) It may be your computer but it’s the school’s network, and they are 100% allowed to limit what you can do on it since they’re the ones assuming the risk if something goes wrong. (I worked at my school ITS during the heyday of DMCA suits, and those takedown notices didn’t go to the students directly–they came to the school, and we had to deal with it or be the ones to get sued. So they were on their personal computers, but we could still tell them not to host torrents of HBO shows.)

          I am firmly against generative AI in its current form, but also AI is currently a buzzword that companies are plastering over everything, and they don’t really distinguish the LLMs being flogged into the ground from the run-of-the-mill machine learning algorithms that have been in use forever. Complaining about everything AI just because it’s called AI clouds the real issues and makes it harder for those of us trying to shut down bad actors.

          In short, I think that Allison got this one really wrong, and that the reason no one else is upset is that they understand basic info sec. At my current org, most users do not have admin rights to their own machines and cannot install anything without approval, and frankly the Venn diagram of “users who complain about this the most” and “users who are the exact reason the policy exists” is remarkably circular. I doubt OP would get anything for pushing back except a reputation in the IT department.

          1. ChattyG*

            Yep, if you were going to be truly committed to being fully anti-AI then you’d also need to stop using: navigation software, autocorrect, search engines, online shopping, online payment systems, social media, language translators, and computer games.

      2. Elitist Semicolon*

        Yeah, I was really surprised by this letter and the response. It’s not hugely different (in my experience at multiple R1s as both a student and staff) from agreeing to terms of service set by, say, a public library to use their wifi. You want to use the university’s network? Then you’ll have to following the university’s terms, and installing an antivirus of their choosing isn’t a ridiculous requirement. The university can’t provide support for a million different options and has chosen one that it knows is legit and regularly updated.

        (That’s not even addressing the possibility of personal devices introducing malware into the university’s network to begin with, but my knowledge there is hopelessly out of date so I’ll leave that to actual IT folks to explain.)

        1. Twenty Points for the Copier*

          Agreed. 10-15 years ago, I lived on campus at a major research institution while my partner was in a PhD program. Any computer either of us wanted to connect to the University’s WiFi was required to install their software. It was a requirement across the board for student, workers, faculty, etc.

          1. Starbuck*

            This is so wild because it was not my experience at all at the very large institution I attended. To use the wifi as an undergrad, all you had to do was log in, there was no software for your personal computer (and I definitely didn’t have to install anything on the iPod touch I was using back then, lol).

            1. LL*

              @Starbuck, yeah, I was in grad school 15 years ago and I don’t remember having to install special software in order to access the wifi network. I don’t remember having to do it in undergrad either.

        2. AsstPlantProf*

          I agree that this is super common at universities, but the PhD students are in a weird space where they’re more employees than students—realistically this policy falls within the norm in academia, but I do think it’s worth questioning if that should be the norm. As a professor, I have the choice to only use my work-provided computer on campus, so I haven’t had to install the antivirus stuff in my own computer or phone. But grad students, practically speaking, don’t have any choice there.

          1. Lydia*

            Right. It’s time we got away from what’s “normal at academia” and started maybe pushing back in small ways. Dysfunction is normal for a lot of people. that doesn’t make it acceptable.

          2. Elitist Semicolon*

            I’m not sure I understand why the malleable status of grad students (I was one and now work with them, so I know that status well) changes the fact that installing the antivirus is now part of the university’s terms of use. As IT folks here have pointed out, it’s a security risk not to require it, and that doesn’t change with the professional or financial status of who is using the device in question.

            1. Analyst*

              because no one of other statuses has to use a personal computer to be an employee (students use a personal computer, but are not employees. Professors and staff don’t use a personal computer, they are issued one)

              1. Pescadero*

                Lets just say that everything you say there… isn’t very true in my experience.
                (R1 university, 50K+ students, 38K staff)

                1) PhD students AREN’T employees legally.
                2) Non-PhD students can be employees, and required to use personal computers.
                3) Many, many professors use personal machines – and the ones that donr’t generally use grant funded machines. Mostly they DON’T get university issues machines.
                4) Some staff are required to use personal computers

                …and all of us – students, staff, faculty – are required to install software on our personal cellphone, or buy a $60+ dongle, to do two factor to log into any university resources.

                1. OP2*

                  Just jumping in here to say at this institution in particular, PhD students are legally employees. This is something that varies a lot state to state and institution to institution, but in our case, we are recognized legally as employees and must be treated as such. That’s how we’re able to bargain a union contract.

                  The point about two factor authentication is a great one, and I remember being pretty frustrated about that one, too, although it felt a little less invasive than this does.

                  Interesting that staff at your institution are required to use personal computers! I’m not aware of that happening at mine, but now I’m tempted to start asking around.

                2. bleh*

                  My Uni did not buy (or pay for service) my phone, so I opted for the extra fob for two factor. It’s effing overreach for them to require it. They need to figure out (and pay for) their own IT and security issues, not require students and faculty to do it for them.

        3. FrivYeti*

          I think there’s a huge difference between “you have to have antivirus software installed” and “you have to give the university’s IT full control over what you can and can’t download, on their schedule, with no way to overrule them”.

          The two big complains by the OP were (1) that the required antivirus software includes AI that’s going to try to flag suspicious downloads, which will block them until IT goes in and manually approves them, and (2) that the required antivirus software will share personal browsing information with IT in “adverse situations”, with no further information.

          The first of those is a huge inconvenience, and the second is a huge privacy violation, even without getting into issues with not wanting AI bullshit shoved onto your computer against your will in the first place.

          1. Starbuck*

            Right this seems super onerous because presumably it’s also going to kick in when you’re browsing for personal stuff at home too? I’m imagining it’s running constantly and not just when you’re connected to the school’s wifi.

          2. allathian*

            Would two Windows user profiles help? One for the university network and the other for private use off network?

            1. Disappointed Australien*

              The policy isn’t particularly workable, it’s a compromise between security and what departments/PI’s are willing to pay for.

              “just” buy and maintain an extra pile of computers is an expensive process, not helped by the wide range of requirements from “can run MS-Office” to “can run particle diffusion simulations” (architecture) or “can run basic AI models” (… ok, that’s everyone these days, it’s built into MS-Windows)

          3. LL*

            Exactly. It’s fine to require anti-virus software, it’s not fine to require the use of one specific software that’s going to be a pain in the neck for users AND uses AI.

        4. AVP*

          Maybe it’s because this would be incredibly weird at a normal workplace?

          Depends on the program, I guess, but a lot of them record what websites you go to, videos you watch, things you type. Do you really, regularly, share all of that with your boss, from your personal computer?! Bc that’s whats on offer here unless the program is very carefully locked down, or you buy a second device.

          (I have some experience with this — my small agency tried to get us to do this on our personal laptops a few years ago but 100% of the staff teamed up and said they could buy us work devices or we would just opt out. They didn’t want to buy us computers so the plan was dropped. But this was 100% of a small staff of specialists, we had a lot more power.)

      3. Timothy (TRiG)*

        I got out of that requirement as an undergrad student a few years ago, because my personal laptop ran Ubuntu, and they didn’t have software for that.

    4. Sneaky Squirrel*

      #1 was certainly insensitive but I definitely would prefer not to be named in anyone’s poem. I think I would just have second hand embarrassment from someone writing a poem about my work. If you appreciate my work, just give a bonus and call it a day please.

    5. Quill*

      Yes. They need to either provide the tech support (and tech) themselves or modify their expectations. Most universities, however, are chronically bad at remembering that they are a workplace as well as a school, and that their lower level employees, who are not always students, need to be able to do their jobs without being nickel and dimed over, say, campus parking, or troubleshooting their personal computer when the campus antivirus is incompatible with it.

  2. nnn*

    #2: As an interim approach, if you find yourself stuck with no choice but to install their software, is it possible to create multiple accounts on your computer and only run the software in one account, which you use to connect to the campus network? Or disable the campus anti-virus software and enable your personal anti-virus software when you’re on a personal account working with personal information?

    1. Loz*

      That was going to be my suggestion too.
      Additionally,
      a) Given it’s your device, you are able to make the work account with fewest privileges required, i.e. non-administrator.
      b) Highly recommended that if your personal stuff might include the odd adult website, then make a new account for that, also with low privileges and don’t install/use things like email etc.
      c) Make an account with admin access to allow you to manage the other accounts. Including disabling their virus checker and activating yours when you’re not on work time.

    2. Bilateralrope*

      That might depend on how deeply the antivirus software embeds itself into the OS. Also, running multiple antivirus programs is a bad idea as they will conflict with each other.

      So I’d suggest that the LW assumes that, if this antivirus gets installed, it will be running constantly until it gets uninstalled. Also, if it’s badly made, uninstalling it might require wiping the drive and reinstalling the OS.

    3. AcademiaNut*

      I was thinking a raspberry pi (a very tiny computer used by hobbyists) for about $30, basic Linux installation and use it as a wifi hotspot.

    4. Roxaboxim*

      A more radical technical solution would be to create two partitions, one for work and one private. Make sure the work partition dosn’t auto-mount the private partition.

      1. Sola Lingua Bona Lingua Mortua Est*

        I was thinking set up a Virtual Machine (e.g. Virtualbox, VMWare, qEmu, etc) and run the AI application inside the VM along with the university work. Education Edition in the VM if you’re on Windows. Then it’s sequestered, a known-good baseline HDD image (VDI, VDMK, etc) can be archived for rollback, and the AI can’t do any permanent damage to the host OS.

        Crappy situation altogether, though; I’d lean into the team pushback, and put a lot of emphasis on the 48-hour “promise” if the team goes nowhere. That’s a lot of productivity to forfeit to an alleged productivity-enhancer.

        1. Old Lady manager*

          This is a good idea. A lot of people don’t know how to setup a dual boot situation but installing virtual box is pretty easy. Run work stuff on the virtual computer. It runs like a self contained program. I’d even ask them for the OS license. Tell them that you are setting up a new system (which is the truth.) and that you need a place to backup your work files to and an OS to restore them to because you system didn’t come with an OS. Lots of schools get deeply discounted versions of operating systems and office programs.
          The beauty of this is , is that YOU can turn of the virtual machine when not use.

          1. HigherEdEscapee*

            This is exactly where my mind went. The policy is garbage, but a dual boot into a VM might make it work and keep academic and personal separate on the same device. I had to do that when I worked at a tiny non-profit that required me to use a personal laptop and work in *nix when most of my life was in Windows. Worked like a charm.

    5. Alan*

      Yeah, I think there are some technical solutions here (software/hardware firewall, separate boot image for school, virtual machine, …) to separate your personal stuff from school stuff. This honestly reminds me of an IT person at work who wanted me to let them into my computer so that they could check for vulnerabilities. My position was always that if they can’t get into my computer to check for vulnerabilities, it must be okay.

      1. Disappointed Australien*

        Dual booting is (or very soon will be) prevented by campus IT because that’s what ‘secure boot’ is *for*. Virtual machines are likely to be similarly banned because they bypass the anti-virus.

        Running FreeBSD might be an option, but is likely to fail the “is it running the required antivirus” test (the point of using that OS is because it can’t). I suspect there will be a list of approved OS’s, and that list might well exclude all Linux+BSD variants.

        I wonder about booting a clean OS off a USB device that you can physically remove from the computer. But see above BIOS lockout requirements…

    6. Kuddel Daddeldu*

      I would do this:
      Install Virtualbox (free, from Oracle)
      Create a virtual work computer (a “virtual machine”)
      Install Windows (you can get a 180 day trial for free from Microsoft, or the university is likely to have a campus license) and the software needed for work.
      The virtual machine has no access to the private PC’s files; it’s just an application.
      I use this for testing stuff both privately and at work (I’m a cyber security professional).
      Actually, that’s what the IT department should recommend; it gives them a computer they can configure and control according to their policy. Only cost is about 20 GB of hard disk space (can be on an external SSD) and a small amount of memory overhead.
      Alternatively, look for refurbished (used) business laptops; you can buy them relatively cheaply but the market has dried up a bit due to Covid.

  3. BigLawEx*

    #2 I’m outraged on your behalf. I love all sorts of side projects and install open source software all the time. I spent an hour of my evening looking for and installing software to replace the other open source software that’s been abandoned and no longer operates after recent updates. I love this part of my life and can’t imagine having to bargain with IT on whether or not my side projects are worthy of being unblocked. 48 hours! I’d have lost my mind if that happened.

    All that *plus* AI. Noppity, nope, nope.

    TBH I’d push back very, very hard. I’m sorry it’s come to this, though.

    1. Bilateralrope*

      All that stuff you’ve heard about AI misbehaving in the last few years has been from generative AI. Other types of AI are more reliable.

      So, if this antivirus provider is competent, we might be looking at AI that has been reliably detecting questionable code for years without much fanfare. Until marketing decided that talking about AI means more sales.

      It seems best to stick to the provable problems with this antivirus software for any pushback.

      1. TigressInTech*

        Yeah, I started my grad degree in computer science two years ago and can confirm that even then, machine learning algorithms for categorizing things were mostly just called “machine learning”. “AI” is a much more marketable label now, but it’s still largely the same algorithms. There are enough issues with this requirement (particularly at the university level, where many people use open source code and resources for research) without having to argue about the AI label.

        1. Coverage Associate*

          This. I am not even sure how generative AI would be applied in the anti virus context. Antivirus software doesn’t generate anything. We don’t call motion sensor gates or gates on timers or even home systems that “learn” your routine to set timers automatically “AI,” and antivirus software is like a security guard for your hard drive, not a personal assistant taking notes or something else with an end product.

          1. Falling Diphthong*

            I am not even sure how generative AI would be applied in the anti virus context.
            Pretty sure some tech people–the same ones who reinvent the concept of the “city bus” every few years–will try.

          2. DJ Abbott*

            I would never trust a computer program to learn my routines and allow access to my home! It would glitch and be opening doors at midnight.
            Since the beginning in the 90’s it’s been glitches everywhere. Just in the last few months it’s been apps that don’t work the way they’re supposed to, glitches in Hulu streaming… and don’t even get me started on Microsoft programs…

          3. The Cosmic Avenger*

            Actually, I can see it. AI/machine learning can proactively look for new viruses and malware by analyzing the function and structure of known malware vs. known legitimate software, and comparing any new, unknown programs to those to try to determine the likelihood that an unrecognized program is a threat or not. In this, yes, it’s actually a smart use for AI, as there is new malware all the time, so using signature files leaves you open to new threats.

            1. I am Emily's failing memory*

              But that wouldn’t be generative AI, which is the point Coverage Associate is making.

              Generative AI like ChatGPT and Midjourney have made the general public more aware of AI, and many of them think that the term “AI” refers only to genAI. At the same time, tech companies have tried to hitch their wagon to genAI’s rising profile by rebranding their features that used to be called “machine learning” as “AI.” An unintended effect of this rebranding, when combined with the poor understanding of what exactly AI is among the public, is that the people who have ethical concerns about GenAI are now suspiciously side-eyeing all those rebranded products as if they have the same issues wrt to content ownership and environment impact.

              1. Aerin*

                100% to all of this! It’s being driven by the techbros who saw NFTs crash and immediately pivoted to their next grift, and the gullible, skittish investors who like to think they’re ahead of the curve by backing the latest buzzwords. I’ve seen so many companies make an internal push to be able to say that their products include AI even when it makes no sense.

            2. MigraineMonth*

              The classification type of AI–usually called Machine Learning–is pretty damn good at its job and has been used broadly for the last decade.

              Yes, there are still two pitfalls we need to watch out for when training it:

              – Given real-world training data, it will replicate real-world bias. Given a bunch of software developer resumes without the name/gender attached, it figured out it should lean towards rejecting any that contained the word “women” (as in women’s college, women’s basketball, women’s studies)

              -It will cheat if it can. Given a bunch of training data on tumors, one algorithm figured out that any tumor with a ruler next to it in the photo was malignant, since the photos of benign tumors didn’t have a ruler. Accurate, but useless for real-world applications.

        2. Steve for Work Purposes*

          Yeah same, some of what I do is being called “AI” in grants/internal discussion but it’s just machine learning algorithms for classifying stuff like “we put accelerometers on animals to understand activity patterns and this pattern of accelerometer data means the animals are doing X” or computer vision stuff like analysing trail camera footage to classify what animals are passing by. It’s not generative AI at all, and I find myself having to clarify that what I do is the good kind of AI.

          1. MachineLearningIsAI*

            machine learning is AI, you know. Most of the AI discussion until ~1.5-2 years ago was specifically about machine learning. Machine learning absolutely does ingest training data to develop the algorithms used to determine and implement the models used. It can be every bit as problematic from a data use perspective. There are no good or bad kinds of AI, there are good and bad data use practices (and other practices) applied in the course of AI of different types.

            1. Caramel & Cheddar*

              Thank you! I very distinctly remember the discussion points from a few years ago about how in areas like crime “prevention” and medicine, machine learning software was using huge data sets to pretend to be impartial while of course instead replicating on a massive scale the kinds of prejudices that went into those original data sets in the first place.

            2. Pescadero*

              Machine learning ISN’T AI you know… neither is generative “AI”.

              Not a single thing we call “AI” is actually artificial intelligence.

          2. Ally McBeal*

            It’s like “GMO.” A significant number (most?) of crops we eat have been genetically modified in one way or another – like the banana – but the label “GMO” appears to refer colloquially & specifically to plants that have been genetically modified *in a lab*.

            HR departments have been using AI for resume scanning for years, decades probably, but that practice is only now being increasingly scrutinized because of public mistrust of AI.

        3. University employee*

          Yup, I just took a look at McAfee’s website (one of the major antivirus software companies) and they’re advertising threat detection using AI. In this context, it’s not generative AI. It’s probably just using computer algorithms to identify patterns, which has been done for years as “machine learning.” AI is just a buzzy word right now, so companies are leaning into it. I suspect it’s hard to find a major antivirus software right now that ISNT advertising AI in some way.

          And any antivirus software that is contracted for use across a whole research university is probably a) one of the major players in the field, and b) selected via a lengthy process involving many committees and comparison against many different similar products. It wasn’t just plucked from thin air by one person in IT. (Source: I work for a major public research university.)

          Requiring antivirus software for a device to be able to access a secure campus network (versus the “guest” wifi) is quite common at universities. In my experience, it’s often mandated for windows computers but not Macs.

          1. HigherEdEscapee*

            …selected via a lengthy process involving many committees and comparison against many different similar products. It wasn’t just plucked from thin air by one person in IT…
            Having worked in two R1 institutions, this doesn’t necessarily mean I would necessarily have more faith in the product selected at the end of the process. I’ve been in those meetings.

      2. Emotional support capybara (he/him)*

        It’s equally likely in this day and aga that we’re looking at an “AI” that would scrape LW’S hard drive for training data to send back to the proverbial mothership, if its developers think they could make a few extra bucks from it.

      3. Disappointed Australien*

        AI for virus recognition is actually old, but that doesn’t make it more reliable. The IT policy of “we will manually vet flagged software” is exactly because of the widespread false positive problem.

        One of the classics is that because Delphi is a small language popular with some virus writers, the “made with Delphi” signature regularly gets classified as indicating a virus… something of a problem for Delphi developers. You compile your program, it gets flagged and removed to a safe place, you can’t run it… might as well go home and stay home until the anti-virus software is fixed. (when that happens to, say, microsoft or google compilers it’s fixed very quickly and generally before the updated antivirus is released – it’s possible to have a circular firing squad where the new antivirus program is flagged by the old one because it’s built with the ‘wrong’ compiler…)

    2. Pescadero*

      That sounds great – but university IT doesn’t care.

      Their job is to protect the network. If that imposes costs on you – that isn’t their problem. If that impedes or completely stops your workflow – that isn’t their problem.

      …and legally – they can just say you don’t get to connect to the network if you don’t install it, and your only real recourse is to not connect to their network.

      OP – better hit up your PI for funding for a work computer. Hope you got some grants, and this isn’t liberal arts where there is no funding.

      1. JustaTech*

        You’ve hit on another big issue here: if there’s not money for computers, then there isn’t money for software, so a lot of grad students use open source because they can’t afford the paid stuff.

        And for a lot of the sciences there isn’t a paid option for the super super technical software you need to analyze your radio telescope signals or protein folding or I don’t even know.

        I work for a corporation and once spent the better part of a week trying to get IT to let me install R. It’s very powerful statistical software that’s open source and by golly the IT folks didn’t like it and couldn’t figure out how to put it into our forms.

        I foresee the LW’s university IT being instantly overwhelmed with installation issues.

        1. Wayward Sun*

          My experience is most antivirus packages recognize most open-source software as legit and leave it alone. They’re looking for patterns that suggest malware activity.

        2. Disappointed Australien*

          This happens to software developers a lot too, and it’s common to have a company policy that (senior) developers can do whatever they want. Otherwise the ongoing process of finding and testing new software becomes a bureaucratic nightmare that annoys everyone.

          My current job contract has “you may only install pre-approved software on your work computer(s)” clause in the “you can be instantly dismissed for violating these” section. Then in the addendum for software developers “{…} clause does not apply to software developers”. It would be an utter joke if it was true, part of my job is writing and installing new software :)

          Actually, I wonder if the R programs you write count as software that must be approved?

        3. Aerin*

          The IT folks at my org hate R but mainly because it’s a terrible and useless name. We eventually settled on calling it RStudio in our packaging and documentation so it’s at all searchable.

      2. Wayward Sun*

        In many cases university IT is having their hand forced from higher up. There have been some high-profile ransomware and data breach incidents at universities in recent years. The companies they contract with for cybersecurity insurance are starting to demand they improve security or lose their insurance.

        1. Pescadero*

          Yep… they got us last year right at the start of fall semester.

          My understanding is the costs for dealing with it were just under $10 million.

          1. Wayward Sun*

            We haven’t had a major breach yet but other universities in our system have, so they’re tightening the screws.

    3. OP2*

      Yep, I’m very frustrated. Definitely more opposed to the lack of personal/work distinction than to the software itself, though–as many other people have said here, it’s IT’s job to protect the network, and I don’t have any beef with them in particular. It’s just another case of the university not treating us appropriately as employees…

      1. Wayward Sun*

        Work/life distinctions for academic personnel are really lacking in general. I sympathize with you there.

        If you’re grant-funded you could ask if the grant can pay for a computer for you. That would let you keep your work stuff separate. On the other hand you’d be stuck carrying two computers around.

      2. Disappointed Australien*

        Depending on the fine print how much of your personal stuff you you do on a refurbished ex-corp laptop? Or even one of the RaspPi-laptop setups, possibly plugged into an external monitor/keyboard etc?

        That gets you out of the whole hassle of needing the BIOS to allow you to change where it boots from/whether you’re allowed to run virtual machines etc.

        1. Aerin*

          Facebook Marketplace near me generally has basic used laptops for pretty cheap. I do all my personal stuff on my Chromebook, which I bring to the office along with my work laptop. (Getting a roller bag rather than a backpack has helped a lot with making that easier!)

          I mean, I don’t trust Facebook, which is why I have an old phone logged in with a different account that runs Facebook Lite and nothing else. Separate devices for separate purposes has always been the least-hassle solution.

  4. Kyle S.*

    LW#2, as a University employee you are surely aware of FERPA. In addition to the standard concerns around data breaches, students have particular legal rights to the security and privacy of their PII. The University must implement policies to defend against reasonably foreseeable ways this privacy could be violated. That means anti-virus software that the IT department can verify is up-to-date and working.

    The only reasonable option for LW#2 is to request the university provide them a laptop.

    1. Silver Robin*

      but did they cite ferpa? and does LW have access to protected information? grad students who do not teach and are just doing research or similar might not actually be looking at student records or have any ability to

      1. StudentInfo*

        Grad students are still students and their information related to their own education (surely on the same computer) is also subject to FERPA privacy requirements.

        Also, even if this particular grad student isn’t teaching, most grad student jobs are teaching or being a TA (in the first few years, at least) so it’s very likely they’ll have other student’s info on their machine (which, in of itself, seems like a reason not to work on their own computer).

        1. JSPA*

          That almost has to be a misreading of FERPA???

          Insisting on “protecting” an individual against their own express wishes for their own autonomous person and own privately-held belongings and data isn’t actually protection.

          It’s like banning a student from handing out candy on Halloween, because they (somehow) ought to keep and eat all of it themselves. Or banning them from wearing a shirt saying, “straight A student.”

          1. Anon student services person*

            I haven’t read FERPA closely enough to know whether there’s a particular section that governs student information gleaned from hacking, but the point of the required antivirus doesn’t have anything to do with “express wishes for their own autonomous person and own privately-held belongings and data.” It has to do with preventing others accessing those data without the student’s explicit permission.

            Even if it isn’t a FERPA issue, though, most universities have policies regarding what kind of information can be stored on individual devices and what needs to be stored behind passwords/on restricted drives. Those policies may be more relevant to discussions of antiviruses/malware protection than FERPA is.

        2. WeirdChemist*

          Tbh, when I was a doctoral student, the way we rode the line on “are we considered employees or student right now” was “well what’s most convenient for the university right now?” So we were “employees” when it came to coming in for inclement weather or during Covid, but we were “just students” if we ever had an on-campus injury or were asking for any type of employee rights. So I could definitely see the university saying “you’re employees, therefor you have to follow employee policies!”

          Although, I’m doubting that the undergrads don’t have to also download this software (you’ll apparently be blocked from accessing wifi if you don’t, which the undergrads definitely need/want), and they’re *definitely* students doing activities covered by FERPA so…

          1. bamcheeks*

            I wasn’t clear on whether everyone who didn’t have the software would be blocked or whether it was just they had a list of devices that were being used by staff and those devices would be blocked if they didn’t have the software installed?

            I currently work for a university with pretty tight security protocols (tighter than other institutions I’ve worked for), and we have to have the latest security updates on our devices in order to access Microsoft 365 (so all of Office, OneDrive etc), but any device can connect to the wireless with just a university email address and password. We have one wireless system which covers all UK universities and higher education institutions anyway, so blocking access to that would be wildly impractical.

            1. WeirdChemist*

              The most likely way to generate a list like that would be from university-issued computers and computers purchased with university funds, so the LW would be fine. In the lab I worked in, my PI’s office setup and all the laptops we purchased with grant money (that stayed on campus full time) all had to go through the university IT software/checking rigamarole. I can’t see a way for IT to know if a particular grad student’s personal computer/wifi login is being used solely for “student activities” or if “employee activities” are occurring. So either the LW misunderstood the requirement and they’re fine, or this is being applied to all computers including undergrads’ and there’s no way they’ll be able to push back.

              (Also at least when I was in grad school, my university’s wifi was also a part of some national system that I could access at a whole bunch of schools across the US. Definitely not all of them, and it might not be a thing anymore?)

          2. Kuddel Daddeldu*

            WiFi is often segregated into public (guests, EduRoam, students) and protected (faculty, admin/record, …) networks. The guest lecturer does not need access to the cafeteria point-of-sale, facility management’s AC and lighting control, etc. – just to the Internet and the intranet site for her course, and the menu for the staff cafeteria.
            In my office, we have a guest network (open, we can give out vouchers to guests without restrictions on devices) and the company network (only computers managed by IT can connect). Even my Linux laptop for cyber security work has to go on the guest network (despite being company-owned and nuked and reinstalled from scratch for every penetration test I do).

        3. Silver Robin*

          It is perfectly possible to track which grad students are teaching and which are not, since that has to show up in the employment records of the school. Making it a requirement for those with wider access makes some sense.

          As for accessing their own info and needing protection…that is absurd. It means the undergrads need to be given the same policy, firstly. That was not at all the case when I was an undergrad, which was within the past decade. Secondly, even if they did require that of all students, that info can be generally be accessed by username/password from any device. If FERPA means that the data has to be protected no matter which machine is used (since it apparently now covers personal devices too), then what happens when students access it from a home computer? Or the public library computer because their laptop is getting repaired over the summer? That sounds like such an untenable way to interpret FERPA.

          1. Anon student services person*

            FERPA protects very specific types of student data that are not considered public record or publicly accessible. It doesn’t cover what book a student was looking up in the library system, the third paragraph of their senior thesis, or what websites they visit using their own laptop on the university network. What you’re describing above isn’t a FERPA issue.

            It is possible to determine who is teaching and who isn’t by the uni’s employment records, but at a large university with 10,000 grad students whose appointments may change from semester to semester (it’s not unusual for a student to be a TA one semester but not the next), the staff labor and time involved in doing so would be disproportionate to the benefit of doing so.

          2. Samwise*

            FERPA has to do with the “student records,” not with where the “records” are stored or what device the is used to access them. Employees are subject to FERPA whether they are a professor or a registrar or a student worker.

            The university has a legal obligation to protect those records. Grad students do not give up the right to privacy for their own academic records just because the university does not provide them with a computer and forces them to use their own devices when working as employees of the university.

            I would suggest that the OP see if the campus library lends out laptops and then use those devices for work. It’s a pain because they’ll have to go back and forth to check the device out and in. But better than subjecting their private property to university overreach.

      2. Pescadero*

        “and does LW have access to protected information”

        Probably not – but someone hacking the network through the LW computer that is vulnerable MIGHT.

    2. anon for this*

      I would be concerned about whether this AI-powered software is itself FERPA compliant. I work with confidential personal information and my IT department is very strict about when and what contexts any AI can be used on work devices specifically because of the potential for data to be misappropriated by them.

      1. Wayward Sun*

        My experience is “AI” in antivirus software is a marketing term for what we used to call “heuristic” or “rules-based antivirus.” It just means it’s looking for malware behavior instead of just checking for certain specific files. It’s not the same thing as generative AI.

    3. not like a regular teacher*

      Yeah, I’d be more concerned about the antivirus software is itself FERPA-compliant. At my org (which isn’t governed by FERPA) we’re not allowed to use generative AI in any context that does or could involve confidential information of any sort.

      1. Adam*

        Antivirus isn’t going to be using generative AI. Most likely it’s just a marketing-adjusted term for the same kind of matching they’ve been doing before, but labeled “AI” because AI is hot right now.

          1. Anon student services person*

            Until IT steps in and explains it to them (and to whomever they’re complaining to).

      2. metadata minion*

        I would be very surprised if this hasn’t already been evaluated. Universities do some bonkers things sometimes, but they don’t generally mess around with FERPA.

    4. Pastor Petty Labelle*

      No one is saying there shouldn’t be any anti-virus software. The problem is this is a mandatory software with no other options. That could prevent the OP from being able to use her own laptop for personal use. If they said you must have antivirus software and these are the levels of protection we require, that would be one thing. But to insist on an AI one that is known to be buggy, hence the note about allling IT to unblock is not acceptable.

    5. HonorBox*

      I don’t think the OP is disagreeing with anti-virus software. I think the software that is being requested and its implementation give more control, or at least a wide open window, to university IT over what someone is doing on their personal computer on personal time. Having to go through IT and potentially waiting 48 hours seems out of line if something you want to do personally is flagged.

      1. Saturday*

        Exactly. I’m sure the OP would be fine with anti-virus software.
        Also, there’s no way the university is going to buy laptops for all grad student workers.

      2. Ansteve*

        I’m in IT and if any employer wants to have full MDM control over my personal devices I will say hard no. My previous company wanted the ability to completely wipe any device that had an email client that they also wanted installed on our phones. I was able to get a company provided phone. No way in hell I was giving them the ability to nuke my phone which they were known for doing.

        At my current place they have the app sandboxed and encrypted so if they delete the device out of MDM it just kills the mailbox data and resets the app the rest of the phone is fine.

      3. OP2*

        Yes, thank you, I should have been clearer! I don’t disagree with the idea of antivirus software, and I absolutely agree that IT should protect the university’s network. My objection is to the lack of strict privacy protections and the fact that there’s no division between work and personal devices here.

        1. Freya*

          I’d also suggest asking if that applies to your mobile phone, if you do anything at all connected with the university on it. And asking if there’s a process in place for requesting expedited whitelisting of programs required to carry out time-critical university tasks (it shouldn’t ever happen, but that doesn’t mean that there shouldn’t be a process ready just in case)

          I mean, the antivirus on my home desktop regularly complains about the work VOIP installed on it having control over the microphone when I run it because I’m WFH. And it pops up a warning every time a phone call comes through, even if a co-worker (working elsewhere) answers it!

    6. Hermione Danger*

      Someone else may have already posted about this, but has IT ensured that the AI using the software complies with FERPA? Because if student information is being used to train it, that might be an important concern to raise.

  5. The teapots are on fire*

    LW#2, I’d suggest you band together to push for a virtual desktop client you log into from a Web browser. It’s more secure anyway and compatible with most ancient computers. The licensing and administration will be expensive but so is having multiple members of your union arrange to call IT multiple times a day for work and personal web site access.

    1. Cheesesteak in Paradise*

      This is what I have to do as a fed. Mine even requires an ID card reader to login. If it’s good enough for federal employees and healthcare use…

    2. A Book about Metals*

      According to the LW though she’s the only one that cares about it – not sure the banding together as a group will be successful here. Couldn’t hurt to ask the union about it though

    3. CB*

      #2: I’ve worked at multiple universities and colleges. There have always been shared desktop computers available for us to use. A computer lab or shared office space for doing work and computers at the podium in classrooms.

      If this is the setup you have, then you can’t really complain. There are computers available to use on campus and you can save your files on the cloud so they are easily accessible. If you prefer to use your laptop instead, then you need to comply be their rules.

      If there truly are no computers available, then, yes, the university should be providing devices instead of requiring you to install software on your personal devices.

      1. Six for the truth over solace in lies*

        Yes. At the university I tangentially do some work for, the answer is “if you don’t want it on your personal device, you can use the computer lab.” That’s not providing the hardware in a way most people prefer, but it is providing it.

      2. OP2*

        We definitely don’t have computer labs! We have offices, but they don’t come with computers, and we are expected to bring our own devices. Besides, many of us work remotely a lot.

    4. learnedthehardway*

      Agreeing – I have that with multiple clients, because they want me to have access to their systems, but don’t want to provide me with their devices (nor do I want multiple laptops all humming along around me). There is multi-factor authentication, and I do work through a portal into their platform, without my own computer being subjected to their software.

      Mind you, this no doubt takes time and budget to set up, so might be a longer term solution. But I would be surprised if they don’t already have something like this, anyway.

    5. OP2*

      This is an interesting idea! I guess I’m confused about how this would fix the problem, though. I would still need to connect to university wifi from a personal device in order to log into the virtual desktop, so wouldn’t I then still need antivirus on my personal computer?

  6. Bilateralrope*

    #2

    One big problem with letting people choose their own anti-virus software is that some of them are much worse than others and which one that is varies from year to year. Which means that any employer who is serious about protecting the computers used for work should research them, create a list of known good antivirus software, then mandate that everyone uses something from that list.

    If the employer is paying for it, then it’s probably cheaper to keep that list as short as possible.

    1. Coverage Associate*

      This, but the employer also has to be sure that the anti virus software selected by each employee is running at all required times. I don’t know a lot about how the university is going to check that every computer logging into the university WiFi is running the single chosen software, but I imagine it’s easier to have WiFi check for one program rather than one of several.

      1. Bilateralrope*

        If I was requiring antivirus software, “all required times” would be any time that the computer is running. Anything less gives an open for ransomware or copying data.

    2. Ginger Cat Lady*

      The problem here is that the employer ISN’T paying for any of it. Not the work computers, not the software. Just mandating it. For student employees they already pay a pittance.

      1. Wayward Sun*

        I would be surprised if they weren’t paying for the antivirus software. In situations like this it’s normal to have a license that covers the entire campus, making it “free” for students (really paid for by everyone’s tuition.)

  7. Star Trek Nutcase*

    I wasn’t aware an employer can legally require an employee to use personal devices for work. I’m probably in the minority but it would be a cold day in hell that I did that – and even colder before I let a work program be installed. I’m pretty conflict adverse but I’d not comply and just drag out things (acting stupidly incompetent can do wonders) until I found a different job. I’m willing to sacrifice significant privacy to benefit security (personally or collectively) but to benefit a cheap-ass employer who won’t provide work devices? No, hell no.

    1. Elsa*

      Letter #2 is not at all a standard case of employer and employee. The OP is a graduate student at a university, and also does some TA-ing or similar for the university. I know that when I was a grad student, my responsibilities as a TA were a pretty minor part of my week – I was primarily working on my own coursework. So the question here is whether universities should provide computers for their students, which I believe is uncommon.

      1. Coverage Associate*

        I would be interested if the handful of state laws where employers have to compensate employees for use of employees’ devices even applies here. There are historically lots of exceptions to those types of laws in the graduate and professional school contexts. Just ask a medical doctor who’s been practicing for a few decades.

      2. Beany*

        It’s been a long time (20+ years) since I was a grad student and TA, and even though I was working in a computer-heavy discipline, I didn’t actually own my own machine (laptops were common but not omnipresent). To me, this is what university-owned or department-owned computer labs were for: use a centrally administered machine for this kind of responsibility, and never have to keep it on your personal device to begin with. Has that model completely vanished?

        1. Person from the Resume*

          Fascinating. 30 years there were computer labs. But I wonder if that model makes sense now-a-days.

          That certainly disadvantaged poorer students but OTOH if barely anyone uses it, it doesn’t make sense for the college to have any or many computer labs. Maybe a few at the library?

          But it is incorrect for ST Nutcase to reference a normal employee / employer relationship. A grad student is mostly a student and to a smaller degree an employee, and the LW can’t just quit and find a new job without seriously impacting their studies.

          1. WeirdChemist*

            You’re absolutely right that a grad student/university relationship is not a normal employee/employer relationship, but for most of my PhD I definitely acted more like an employee than a student… I took classes for 1 year and then spent the next 4 working full time (50-60 hours a week) working in a lab. I basically didn’t set foot in a classroom for 4 years. We were considered employees enough to be mandated to come into campus during inclement weather and during Covid, and I got a W2 every year that listed the university as my employer. It likely works differently in humanities departments however…

            1. OP2*

              This is more accurate to my experience. It’s actually a whole thing–academia is going through a transition with grad students fighting to be considered employees, and we’re starting to win union rights. But the university still treats us as students when it’s convenient for them.

              In my situation, I do research full time, no classes, and I receive a research stipend for that which is considered wages. I am employed by the university–my work is my research. People who are TAs work for actually quite a considerable number of hours each week, and in their case, their paycheck is for their teaching work. In both cases, we are employees at the same time as being students, and in many departments, including mine, there are few to no classes.

          2. happybat*

            At my (non-US) institution we offer short and long term loans of university laptops, and also have maintained computer clusters (mostly in the library). It seems to work ok, with the added advantage that when a student gets in touch about a dead laptop, we can send them off to borrow one.

          3. Pescadero*

            I work at the same R1 university I graduated from 25 years ago.
            There are MORE computer labs now than then.

          4. Disappointed Australien*

            Computer labs are really common for expensive software. Even academic licenses for the likes of Solidworks or Flow3D are not cheap and they require relatively hefty computers to run them. So architecture and engineering will have “CAD labs” as well as “CNC workshops” (if you think Solidworks is expensive shop around for industrial CNC machines).

            I’m used to postgrads having separate computer labs so they can fight with each other rather than competing with hundreds of undregrads. That doesn’t help when people want to run distributed computing jobs for hours (days, weeks…) but it does help. It’s just not going to help you mark essays or other office type jobs because of competition to access those machines.

        2. WeirdChemist*

          University computer labs definitely still exist, but they’re not used as heavily. For both undergrads and grad students, a pretty big chunk of your day-to-day work requires regular access to a computer, and it would be very inconvenient to only be able to do work from a single on-campus building. For undergrads, a lot of textbooks these days are only accessed through pdfs or with some sort of online access code, class materials (syllabi, homework) are only available through online portals, class attendance is taken through an online system, and lectures are set up to be followed along on a students personal computer. For grad students, it depends heavily on the program/work requirements. I personally had a ton of computer work to be doing day-to-day (writing papers, making presentations, analyzing data through computer software), but I also had to be physically present in my lab for most of the day to be babysitting experiments and making sure nothing caught on fire… it would have been horribly inconvenient to be running back and forth all day to another campus building!

        3. Guacamole Bob*

          The computer labs at my grad program were focused on providing resources that typical laptops might not – extra power for big data sets, large monitors for design work, specialty software (the library for our department had a GIS lab, which is geographical analysis software).

          Many grad students do plenty of work in ordinary software programs, but even those doing non-tech work may want to install browser plugins to track references and citations and anyone working in a technical field will almost certainly be happier with a custom setup. A computer lab is much less convenient, and much less common, than it was when I was in undergrad 20+ years ago and people would pull all-nighters writing papers in the lab.

      3. Hroethvitnir*

        This pov is wild to me. Universities exist on the back of research that is performed by grad students (and teaching, of course, but that’s actually terrible undervalued which is another discussion).

        I have attended to universities in Aotearoa, and in post grad both labs provide you a desktop. My most recent experience being… right now. It’s literally the basic resources needed for universities to create their main measured output!

        For undergrad we also had computer rooms, computers in the library, and didn’t need to install anything to connect to wifi with personal computers.

        Not especially relevant to this discussion but ties into the perception: I feel like postgrad in the US is very different to most other western countries. Certainly it seems often more competitive, less collaborative, and with less support a lot of the time (which was my friend’s experience when visiting a collaborator’s lab in NYC).

        In Aotearoa, Australia and the UK a PhD is 3 years, in Western Europe 4. You have a stipend of varying values, you don’t take classes, it’s valuable to teach for academia but certainly not everyone does. IME (as someone with a lot of work experience), it is just a job you pay for, with considerably more lattitude for you to wreck yourself if you don’t have good oversight. My supervisor describes it as an apprenticeship, and I think that’s particularly apt.

        My experience is exclusively biomed though, which is pretty generalisable to other biology and chemistry, but very far from humanities. (We struggle to scrape by with funding for studying cancer with our connected hospital, I can’t imagine what it’s like in humanities. My sympathies.)

    2. Tangerine steak*

      We don’t provide computers for casuals working a couple hours a week – but we do have them available for them to use if they don’t have their own device. Nobody wants to sit in a computer lab though, so nobody chooses this option.

      Some of our casuals might work as little as 10 hours a year. Not the typical sort of casual job.

      1. bamcheeks*

        Yes, that was the situation when I was graduate student. Technically you could do all your work on a university desktop on campus: in practice we wanted to use our own laptops for the flexibility.

        LW, it depends what kind of work you are doing and how much overlap there is between your studies and your paid work, but that might be an option: only use your personal device for your work as a student, and do everything that you are paid for on a university-owned desktop. That will limit your flexibility, but it would mean your personal device would stay personal. I guess the question would be what guarantees the IT service would need that you weren’t doing paid work on your personal device and whether personal devices which *aren’t* being used for work are allowed in the WiFi.

      2. WeirdChemist*

        It depends on the type of work/program LW is a part of. When I was a doctoral student I was typically working 50-60 hours a week (either full time research or a combo of research/TAing), with a lot of on-campus use of my personal computer.

        Also to follow up on Star Trek’s question, the DOL has ruled that university TA/RAs are considered “students” when it comes to most employee rights, despite however much they may be working in a way that would appear to be employee-like

    3. Ellis Bell*

      Grad students are tied to their institution in such a way that nopeing out and going elsewhere is not particularly an option. That’s how these types of cheap practices are allowed to flourish. Even if they transferred, I doubt another institution would pay for them to have devices. Group push back is probably the best option.

    4. Random Bystander*

      I might be willing to buy the cheapest, nearly-a-brick, used laptop to be my “personal device”. Because yeah, I agree–my personal stuff is *my* personal stuff and I am the one who chooses what software is installed (well, I do consult my son who works in IT as to which AV he recommends).

      1. Anon Y. Mouse*

        this is 100% what I would do. They only get to put the stuff on the personal device that will be connecting to their networks. As far as they’re concerned my own actual everyday personal device does not exist

      2. AsstPlantProf*

        Depending on the work the student is doing, this may be pretty infeasible. I was doing a lot of data analysis on my own laptop during my PhD, and I needed to spend more money than I otherwise would have to make sure it was powerful enough to handle the data I needed it to. It’s not a good system, I’m not defending it, but if it’s the one the LW is stuck in, they may not have tons of options.

    5. Antilles*

      I’m pretty conflict adverse but I’d not comply and just drag out things (acting stupidly incompetent can do wonders) until I found a different job.
      I assume you’ve never been in academia, because none of this actually applies in this context. “Finding a different job” for a doctoral student is incredibly difficult. That means finding a new school with openings, applying, waiting for acceptance, moving to a new city and different university, probably losing some class credits when you transfer, and potentially starting from scratch on a new research project for their thesis. It’s not completely impossible and people do it, but in most cases, you’re looking at adding at least a year if not more to your time in school.
      Oh, and by the way, application windows and academic calendars work mean that OP wouldn’t be able to transfer until summer anyways; presumably this “new policy” takes effect sooner than that, so even if OP wanted to take a stand and transfer schools, you’d still have to find a way to deal with it between now and then.

      1. DJ Hymnotic*

        Yep. One of the reasons I got out of academia was seeing how little leverage my friends in doctoral programs had at their universities as they put up by necessity with terrible stipends, broader financial insecurity, unrealistic responsibilities, uncertain job prospects, and in the case of one of my friends, genuinely predatory supervisors. Every once in a while I wake up wondering if I should have gone for the PhD and then I remember all of that and know I made the right decision. OP’s university could just tell them that if they don’t like it to go somewhere else knowing full well there may not be anywhere else for OP to realistically go.

        Which makes me more, not less, indignant on OP’s behalf. Their university is pinching pennies and being invasive because it can. Even with the advent of grad student unions, the universities have had almost all of the leverage for a while now.

    6. Pescadero*

      “I wasn’t aware an employer can legally require an employee to use personal devices for work.”

      It’s been wildly common for the skilled trades, machinists, and auto mechanics going back to at least WW2.

      It’s only recently been applied to white collar jobs and electronic devices – but auto mechanics have been expected to show up with all their own tools forever.

      1. Freya*

        And in Australia, at least, if you personally purchase things for work use and don’t get reimbursed by your employer, then the cost is deductible on your personal tax return to the extent that they’re actually used for work.

        (the Australian Tax Office has a page on claiming mobile phone usage, for example, that explicitly lists using your personal phone for 2FA to log in to government stuff (ie the myGovID app) as a work-related use)

    7. carrot cake*

      Grad. students likely have data sets and/or access to students’ grades on those devices. It’s a reasonable liability issue.

      “I’m willing to sacrifice significant privacy to benefit security (personally or collectively) but to benefit a cheap-ass employer who won’t provide work devices?” is a bit much. Finding a different job would be the only solution, and with good reason.

    8. Wayward Sun*

      I’ve seen lots of jobs that included a requirement that the employee use their own car. Is having to provide your own computer that different?

      1. Beany*

        It could be if the requirement is burdensome on the employee.

        It’s one thing to require that the employee uses their own car, but another to mandate specifications for the car and aftermarket add-ons that suit the employer rather than the employee/car-owner.

        E.g. if the company wanted the car painted in the corporate colors and logo. Or perhaps the company demanded an all-EV vehicle force, but the employee didn’t have access to charging facilities at home. In cases like this, the company’s requirements make the car more of an albatross for the employee. It’s like a really expensive version of corporate clothing that the employee has to buy for themselves.

    9. Saturday*

      It’s possible that the work is related to research the graduate students are doing for their degree, in which case taking on an unrelated job would be a real hardship.

  8. Wonderland*

    #2 is what “reply all” is for.

    Union + sharing your concerns widely + accepting no using the university WiFi between the over zealous it security professional ‘s installation date and when the matter is resolved (I’m old enough to remember offline software and hotspots from my phone, these solutions may not work/be available to you but thought I’d share why I don’t see WiFi as 100% essential).

    Also, what are they doing about alle the students logging into the WiFi? can you not log in under that capacity?

    1. High Score!*

      If this doesn’t work, put your work files on a virtual machine and install their security software only on the virtual machine.

      It’s always a good idea to keep work and personal accounts separate anyway.

    2. So they all cheap ass-rolled over and out fell out*

      I would bet if the reply-all (or similar) can get even a few people to join in on pushing back, the deadline will be extended. Then quite possibly the mandate will be canceled or amended to something more palatable.

    3. AsstPlantProf*

      Probably not. Every university or college I’ve attended or worked at had a requirement that you have specific antiviral software installed before you could connect to the main WiFi. That rule generally applies to everyone, including undergrads, grad students, and faculty and staff. It’s very standard—honestly I think the biggest issue is that PhD students are, as usual, falling into a grey area between employees and students.

  9. knave*

    Wait… when I worked at a well known major food chain, we had to arrive with enough time before our scheduled shift start to put our things away and change into our uniform shirts/aprons/hats (which were involved to assemble and could not be taken home). So like if our shift was at 10, we had to arrive at 9:45ish so we could be uniformed and ready to go to clock in at 10. That was company wide but apparently illegal.

    1. sheworkshardforthemoney*

      I worked for an equally shady employer. You were expected to be in uniform and ready to work at 8AM. But you couldn’t clock in until 5 minutes before your shift started so it mean 10-15 minutes of your own time getting work ready. Because the locker rooms were a 5 minute walk away from the actual worksite it meant building an extra 5 minutes into your arrival time which in reality meant arriving at work at least 20 minutes before your shift started. If you ran into traffic or delays it was a mad scramble to ensure a timely arrival which forced people to arrive at least 30 minutes before their shift started so we lost a lot of our personal unpaid time.

    2. Chili*

      That is called ‘donning and doffing’ time and employers don’t have to cover it if you’re just changing into a uniform without specialized equipment involved. Theoretically, you could do your job safely and effectively in your regular clothes. The uniform is only employer choice. However, if you work in a clean room or as an underwater rescuer, it is assumed that your safety equipment is intrinsic to the job (and takes more time to put on) .

      I work in manufacturing and we pay this time because it is not worth monitoring/fighting over. Everyone moves at a reasonable pace. Probably one of the reasons we have very low turnover compared with our industry.

      1. Filthy Vulgar Mercenary*

        > The uniform is only employer choice

        Can you say more about this please? If the employer is choosing to require a certain uniform and won’t let you work without it, even if it’s not a safety issue, why wouldn’t that be considered a requirement of the job that they’d need to pay you for?

        1. Honoria Lucasta*

          They don’t pay you to put on your uniform for the same reason that they don’t pay you for the time it takes to drive from your house to work. If you were a lawyer and expected to wear a jacket and tie in court, your firm wouldn’t have to pay you for the time it took to put on your jacket and tie in the morning. That would just be called getting dressed for work. Other uniform requirements are also, at heart, just getting dressed for work. You might not want to wear your red polo to school, so you might change into it once you arrive at the restaurant, but that’s just changing clothes in the middle of the day. You don’t have to wear a red polo to stand outside with an iPad and take orders for chicken sandwiches. Thus the red polo is not essential for the *job*, i e. the tasks you are performing.

          You can think of the uniform requirement as a dress code from the employer more than an equipment requirement. They don’t have to pay you for the time it takes you to comply with the dress code. Firefighting equipment is more than just a dress code; underwater rescue gear is more than just a dress code; etc.

          1. Florence Reece*

            It does sound like in knave’s case, they weren’t able to get dressed before arriving at work because they couldn’t take the uniforms home. I wonder if that would be classed differently? It’s still not ‘essential’ for the work, but it’s not an employee choice like wearing your branded polo during the rest of your day. Even if it’s not a legal requirement, my values tell me that time should be paid lol.

      2. Some Dude*

        This is not true. The DOL says that donning and doffing is compensable when it must be done at the workplace. So, if your workplace does not let you take your uniform, apron, shoes, etc. home, meaning you need to get in and out of your gear at your workplace, it needs to be paid. Same with any time traveling from that changing location to your station, per the supreme court.

        1. So they all cheap ass-rolled over and out fell out*

          When did the supreme court make that decision? It seems like this stuff has changed recently.
          In before lock: 2005… so not so recently.
          I am thinking about the relatively recent (much more recent than 2005) about how employers don’t have to pay employees for the time they spend in line waiting to be searched after their shifts.

    3. fhqwhgads*

      My understanding is this might have changed somewhat recently? Or maybe that employer was just crappy.
      The whole “change into a uniform” thing used to be unpaid – for example at certain very expensive theme parks. And the employees pushed way back (possibly a lawsuit? can’t remember).
      So, if you can bring your uniform home to launder and such, and you need to arrive uniformed, and can travel in it: changing into uniform is unpaid.
      If you can’t bring it home and it has to be laundered there and you have to change after getting there, it is paid.
      I can’t recall now if the outcome was “ok you can bring them home” or if it were “ok now you’re paid for the time”.

  10. Granada*

    #1 Not to the extent of a poem, but I had a grandboss who brought a team with her when she moved over to managing our three teams. She clearly knew them better, had in-jokes etc and I thought it was poor judgement to allow that to be so obvious. But exactly like your colleague she was otherwise great, and it wasn’t my place to say anything.
    I also had some sympathy for the fact that when she tried to lighten up deathly cross-team meetings she reached for the people she knew to have a bit of banter (that theoretically anyone could then join in with).

    1. Djinna Davis*

      *Huge* insensitivity? No, it doesn’t. It’s a tiny, tiny thing, and LW1 is really magnifying it.

      They “only started working [there] recently” and admit that nearly all of Team B is in the same position, so the grandboss has had limited time and meaningful contact to get to know them or their work. Still, LW admits, ” All her other gestures addressed her employees as a whole” and she’s otherwise been “a stellar supervisor”. Yet, LW1 takes this teeny weeny gesture as proof positive that Team A gets or will get “preferential treatment” and considers the little poem to be of such gravity that it overshadows everything else about the grandboss as a manager. That’s way overblown.

      1. Ellis Bell*

        I think when people themselves have particularly good social graces, it looks to them like a larger mistake than it is when others don’t. We all underestimate our own strengths and are surprised when others don’t have them. Besides, OP is fully aware that the boss is otherwise good and is stellar in other areas. They aren’t extrapolating that the boss will show preferential treatment, but expressing that the boss already has, in public, shown favouritism in a way that makes those with good social graces question what on earth she could have been thinking. I’ve had a very similar boss in the past and it took a long time for anyone new to trust them because they had to look more deeply at their managerial judgement (which was good in everything else) than if they hadn’t had this poor habit of showcasing people as favourites; frequently. She was greatly helped for a long time by having a second who was warm and gracious to everyone, and always gave people their due, but when the second in command left, people’s morale took a hit. You’re right that an Ode to my favourite reports isn’t really intended to communicate anything to those excluded, but unfortunately it will be received that way. The optics of favouritism is much more unnerving when it’s your livelihood, rather than a purely social space.

        1. MsM*

          Yeah, I think it might be helpful to the boss to know how this is coming across to those who haven’t known the organization before the team A/B split versus those who have maybe been there a bit longer, or have more perspective on how things work at a higher level like OP’s boss. Maybe it’s not a big deal now, but if boss continues to think of team A as the “real” team, it could have ramifications down the line. It could just be a gentle “I get it, and I don’t think you meant it as a snub, but just something to keep in mind.” Especially if OP doesn’t have any other constructive criticism to offer up at the manager review.

      2. hello*

        Can you read? Where are you getting that LW thinks the poem overshadows everything about grandboss, despite them repeating that grandboss is actually a stellar manager?

        1. Honoria Lucasta*

          OP did say “but the poem made me wonder if she only intended her praises and encouragement for team A.”

          1. ferrina*

            I think this is a reasonable thing to be cautious of, but OP needs to watch and wait to see if this really is the case. It’s possible that this was a rare misstep, or it could be a subtle pattern of behavior.

            I had a boss that suddenly got several new hire. Half of her team was familiar, and half of it was new. She was a very nice person, but there was a dynamic where she knew and trusted half of the people more than the other half. This meant half of the team got the benefit of the doubt and got more access to her than the other half. It wasn’t intentional, it was all unconscious bias. If someone familiar wanted to get Boss’s opinion on something, Boss could make time. But if a new person wanted Boss’s time, we were usually shunted off with “sorry, I’m really busy, but ask Familiar Person”. It was true, Boss was busy, and sometimes Familiar Person could help (and sometimes they couldn’t), but it created a dynamic where half of the team got access to the Boss and half couldn’t (even weirder was that the Familiar ones were technically less senior than some of the newer people, but the senior newer people also couldn’t catch the Boss’s ear)

      3. Florence Reece*

        Did you mean to respond to a different comment? I don’t see anything about ‘huge insensitivity.’ Also I’m confused, you seem almost personally offended that someone’s feelings were hurt because…yours wouldn’t be I guess? But “teeny weeny gesture” “little poem” “proof positive” “LW admits” (like they’re on trial!) are all weirdly intense for a stranger’s bruised feelings!

        It’s not unreasonable to feel left out if your recognition comes only in aggregate while other people (and the other team as a whole) are specifically called out. Grandboss doesn’t know Team B well yet, but she could have easily said she’s excited to get to know them, or make a point to welcome them since it’s the first time this team has existed at this team-builder. That’s not feedback that LW is in a place to give, but it wouldn’t be unwarranted feedback from Grandboss’s boss. It’s not an egregious misstep or anything but it is a morale issue that someone more conscious could have avoided.

        It would be unreasonable to determine that your grandboss is a big old meanyhead forever, but the LW…isn’t doing that. I don’t see how they’re “overshadowing everything else about the grandboss as a manager.” Since we don’t know these people at all, we only know the good stuff about the grandboss because LW recognizes the good stuff and specifically noted it. That’s sort of the opposite of overshadowing everything else?

        This isn’t worth LW stewing over, but that’s the point of asking others if your reaction is reasonable or not. Dismissing the reaction entirely as if it’s offensive to feel feelings isn’t helpful lol.

      4. Smithy*

        I think that realistically moments like that serve to be yellow flags, where if it’s just a few – people do let them slide, but when they add up it does become a problem. How many letters are there on AAM that have to do with imbalances around life event acknowledgement?

        I do not need my workplace to celebrate my birthday – however I used to work somewhere that did not change their birthday process from when it was a team of ten to then 50+. The process essentially was that ask for people to contribute via Venmo what they felt like – and inevitably it was a situation where those who’d been there longer would receive large gift certificates/gifts and news employees would get considerably less. A version of this would play out again during end of year/Christmas time.

        Again, how my birthday is celebrated does not matter. However, this imbalance in acknowledgement and blindness to seeing how a process should be changed as the team got larger played out in a number of other ways. Ways that weren’t always as easy to pinpoint, but around issues like how growth opportunities were assigned as well as promotions.

        In one case I remember asking my supervisor why one such opportunity was assigned to one of those long-term colleagues instead of me. And her response was just very telling, it was simply “I didn’t think about it”. And ultimately, that is the worry that comes along with these moments. As said above, it’s a yellow flag vs a red one. It doesn’t mean this dynamic is a given, but it puts you on edge to look out for it.

    2. Honoria Lucasta*

      I have been thinking that it would make more sense for LW1 to think of this poem as not addressed to the whole team, but instead addressed specifically to the named employees of the long-tenure team that grandboss has worked with. Of course, it would have been better if grandboss had been able to make some parallel gesture to team B at the same time, but the fact that they have a working history with the members of team A in the way that they don’t with team B means that there is even some fairness in giving more thanks or appreciation to team A in acknowledgment of that history.

      1. Georgia Carolyn Mason*

        That makes sense, and the poem thing didn’t strike me as a flag of any color. To me, being left out of a poem in front of a large work group — that mentioned people by name! — would be a green flag because that sounds incredibly cringe. But, I see why LW1 felt left out. Definitely worth putting in the rearview, though.

        1. fhqwhgads*

          I mean, poem is kinda cringey in context, but really ignore the poem aspect and just take is as “big public thank you to one team while conspicuously silent about the other team”. Doesn’t matter whether it’s a poem, a speech, an all-team email, a broadway style musical number. The relevant bit is “and thanks to my super awesome team (list of A and not B)”

  11. Artemesia*

    While there is no option for #1 but suck it up, it does hurt and really shows huge insensitivity on the part of the boss. When I was a new HS teacher the principal put out a Christmas letter in which he talked about the contributions of faculty of which there were about 90. I read the letter of course looking for my name. He mentioned about 70 people by name and something about what they had done that was admirable that year — but not me and not maybe 20 or so of my colleagues. I remember the wave of misery when I realized that in something so apparently inclusive I was not included. No one should do something like this which includes most but leaves out some. It would have been different if he had singled out 5 people who did something amazing — but dozens and many of them for fairly trivial ‘achievements’ meant that the handful left out were so unmemorable that he couldn’t come up with a thing.

    He was a great boss. He stood behind me when there was a conflict later that year and I have always considered him a good leader. But that incident really burned. I think he just got tired and quite, but it was a real misjudgment of an otherwise terrific boss.

    1. Not The Kind of Doctor*

      I had something similar happen a few years ago at the annual holiday gathering. Our department at the time was around 30 folks and one of the boss’s pet employees decided to write an “end of year poem” for the group. Wow was it painfully obvious who the cool kids were! The author lauded praise on the 4 supervisors and our disaster of a boss, then got super clever for the stanzas about her favored few cronies with, but for more than half of us it was more along the line of “and Sally has blonde hair”. My name mention didn’t even get line, it literally just said “Molly and Mary do this specialized work task” before moving on to 2 paragraphs about someone else’s funny anecdote from earlier in the year. It was so bad. Half the room was over the moon with compliments while the rest of us were trying to keep a semi-gracious fake smile to mask the “are you &^%$* kidding me?!?!”

    2. Miss Muffet*

      It’s like the kid’s birthday party rule: invite less than half the class, or else the whole class. Doing something individually for 80% and leaving 20% out feels personal, even if it isn’t meant to be.

    3. ferrina*

      I’m sorry. You’re right- something like this really can sour an otherwise strong relationship with an otherwise good leader.

      I’ve had to have this conversation with a couple senior leaders at my company. People notice patterns in praise. If you mention 80% of the company and not 20% (and it’s not a project-specific thing), the people that also worked hard and weren’t mentioned will feel like you thought they weren’t worth the few words in the letter/moments in the presentation to say their name. That’s usually not how the senior leaders are thinking about it- they just listed the people they thought of in that moment and assume that others know they are valuable too (or just blank out on those people. or don’t realize how they contributed). This is why we try to have a second set of eyes on internal comms.

    4. Daisy-dog*

      Yep, just a lesson for anyone who reads this. LW doesn’t need to do anything or even flag anything. It was just an unpleasant moment.

  12. I&I*

    The issue #3 needs to bring to their grandboss, I think, is that they’re not being allowed to make a direct report abide by company standards because Manager is openly biased in his favour. Nephew does things no one is allowed to do, OP3 brings it up with Manager, Manager says he’s allowed.

    The fact that she keeps calling him a ‘genius’ is relevant not because it’s annoying in itself, but because OP3 is being instructed to enforce favouritism and calling him a genius is proof of how blatant that favouritism is.

    I’d approach it as a chain of command issue. It sounds like OP3 is supposed to be in charge of him – but also has to ask Manager’s permission before correcting him? That’s a mess. OP3 either needs to be free to manage him without asking for a sign-off, or to be answerable to someone who isn’t his favourite auntie.

    A grandboss may not care if someone’s being irritatingly over-effusive, but they should care if the report structure isn’t functional.

    1. Smithy*

      I agree with this – the genius feature doesn’t need to be proved/disproved because ultimately this is just a factor of favoritism and bias.

      I don’t think this applies to the OP’s situation, but the only caveat I’d flag is if it’s very likely this young person was only going to be in the job for a short-term period. Like if they had plans to start university or travel in January and this was just an opportunity to gain some professional experience in the interim.

      In that case going to the new grandboss could alleviate the immediate issue but at the expense of their relationship with their supervisor. And if this family member was only going to be in the job for a few months, then I would suck it up in favor of not rocking the boat. However, if there was any sign of that family member or another being brought back for another period- then I’d speak up before the formal assignment happened. Basically saying “this is how it worked the last time, it was not an effective reporting structure the first time, etc.”

      1. Grumpy Elder Millennial*

        A counterargument is that it would be useful for the grand-boss to know that the boss seems to have questionable judgment, at least about some stuff. As el 1 said below, it’s likely this was a wholly ineffective attempt to avoid the conflict of directly managing her nephew. But you only need to think about it for like 3 seconds to realize the problem with this plan. If the grand-boss is brought into the loop, he may decide to monitor and manage her more closely than he otherwise would have. And I’d hope that the grand-boss wouldn’t out the LW for sharing this information. Probably several people know about all of this, so it could have come from anywhere.

        1. Smithy*

          If this were a short-term hire – I think this is just more about the “real politick” decisions we all make at work. In no way do I disagree with the larger themes on reporting this, and if the OP’s supervisor’s idea is to give this nephew a part-time job for the foreseeable future – then 100% report it.

          However, if it’s short-term, I still do believe that it’s worth getting through this tenure and then only reporting it if the arrangement is attempted to be repeated either with this nephew or another relative. I think it’s highly unlikely that the OP’s supervisor wouldn’t connect a message to the grandboss as coming from the OP. And for a short term hire, I just see more risk.

          1. Sparkles McFadden*

            Short-term has a way of becoming long-term. Bosses who do things like giving jobs to relatives often say it’s temporary to keep anyone from pushing back. Then they’ll say “This is working out great so now my nephew is going to be a permanent full-time employee!” So, I think the LW has to talk to the grandboss. Yes, it’s a bit of a risk, but being stuck with this guy permanently would be worse.

    2. el l*

      Yes, approach as a chain of command issue – because I’m betting grandboss has no idea any of this is happening.

      A “supervisor” with no direct reports (LW’s colleague)?
      A supervisor with one direct report, which was probably given as a misguided attempt to avoid the conflict of boss managing their own nephew?
      And count me skeptical that grandboss will think a small AR team’s priority need is an 18 year old.

      1. ferrina*

        Yeah, I’d be really curious about what the grandboss knows about this. Does Grandboss know that this employee is Boss’s nephew? If so, does Grandboss know that he was hired without your input and that your management over him has been compromised?

        Also- brush up your resume. Start that low-key job search in case things go downhill.

    3. Grumpy Elder Millennial*

      Exactly, this connects to the broader question of what actual authority the LW has to manage and supervise any direct report. Because it’s sounding like the answer is “not much.” They’ve been put in a situation that’s guaranteed to fail, since you can’t manage someone if you have no real authority.

      A secondary question is whether the LW has gotten a title change or pay bump for taking on these new responsibilities. As we were reminded in a letter yesterday, there are bosses out there who will just keep adding to staff’s plates and refuse to compensate them for all the extra work and responsibility.

      1. MigraineMonth*

        Ooh, good thought. Be sure to advocate for yourself, LW, even if you do get stuck with this thorn in your side.

  13. Varthema*

    If LW2 doesn’t get traction from their coworkers (which I can see happening – not wanting to alienate key advisors, limited bandwidth to care bc of studies/work), they could get in touch with the student paper. This is exactly the kind of thing student journalists love to sink their teeth into and that could whip up enough chatter to embarrass the administration if their policy was simply lazy and just not thought out (which I suspect is the case). It might also bring more of your colleagues on-side, including senior faculty.

    1. Wayward Sun*

      Faculty aren’t going to care about the student paper. However, if they can get faculty on their side in other ways — maybe some of the faculty don’t like the software either — that might work. Administrators are sensitive to pushback from faculty.

      Bear in mind though that it may be above everyone’s head. Where I work we’re having to roll out a lot of security measures because our cybersecurity insurance company has told us we’ll be uninsurable without them.

      1. UncleFrank*

        This probably varies a lot by school, but I read our student paper every week! And I’ve definitely seen stories go from school paper to faculty listserve.

  14. Rez123*

    LW5. When we had to physically clock in to work, the machine was right by the door. Now that we have a mobile system I clock in with my phone at the same spot where the machine would be. When WFH and my computer is set up, I clock in when I sign in. If it is not set up (if I’ve been to office the day before) then i sign in when I sign in at the door of my study.

    1. Agent Diane*

      Yes. Clocking on is when you walk through the door – whether that’s literal or metaphorical.

    2. WillowSunstar*

      It depends on where you work. We hot desked before COVID and had laptops, and were expected to punch in at our regular start times, no matter if the rest of your stuff was set up or not. This of course resulted in most people coming in 10-15 minutes early so they could get their area set up, get coffee, etc., and then punch in. Should be paid but in some companies, they will chastise employees for not being ready yet.

      1. Daisy-dog*

        A former employer settled in a lawsuit about that and employees got payouts for that reason. (Coffee excluded.) We were expected to be *working* (call center) exactly at our start time, so we did have to do setup before that time which was unpaid.

  15. LifeisaDream*

    I worked for an equally shady employer. You were expected to be in uniform and ready to work at 8AM. But you couldn’t clock in until 5 minutes before your shift started so it mean 10-15 minutes of your own time getting work ready. Because the locker rooms were a 5 minute walk away from the actual worksite it meant building an extra 5 minutes into your arrival time which in reality meant arriving at work at least 20 minutes before your shift started. If you ran into traffic or delays it was a mad scramble to ensure a timely arrival which forced people to arrive at least 30 minutes before their shift started so we lost a lot of our personal unpaid time.

  16. Michigander*

    LW3: Make sure you focus on whatever issues you have with the nephew and his work and not that your boss is calling him a genius. “I was assigned to manage boss’ nephew and I have some concerns about it because…” is a legitimate issue. “She keeps calling him a genius and I want her to stop because he’s NOT a genius, he’s just a normal level of smart, so I don’t think she should call him a genius” makes it sound like you don’t understand compliments that well. They are often hyperbolic and most people hearing someone complimented as a genius would understand that the person giving the compliment doesn’t actually mean MENSA-level genius.

    1. bamcheeks*

      I mean, it’s also possible that he IS a MENSA-level genius but that doesn’t make his ideas on how to run Accounts Receivable worth listening to! High IQs aren’t that rare and they don’t mean you magically know better than someone with training and experience in a particular area.

      1. Smithy*

        Absolutely this.

        Also, he may also be genuinely a genius and have some good ideas about how to run Accounts Receivable – but as many of us learn over the years at work – just because we have great ideas doesn’t mean they can fit into our team’s workplan or strategy the second they’re considered. A huge part of learning how any team, industry or employer works is not just having the great idea, but figuring out how to implement it.

        So having a great idea, but it will take a team of 10 to execute it and you’re a team of 4. Having a great idea, but it costs $10k at a minimum, and you’ve been given a budget of $500. Having a great idea, and you now need to demonstrate to your supervisor how good an idea it is so that you’re working together on it and not in opposition. And 101 versions of this are all part of that reality of taking whatever “genius” or other intelligence and making it happen at your job.

        1. MigraineMonth*

          Yeah, take a look at all the failed business ventures by brilliant people. Google is one of the most successful of all companies, yet you can find lists of their “Top 30 Failed Products” from Google Glass to Google Health.

    2. Irish Teacher.*

      Yeah, I very much doubt she means he’s literally a genius. It’s just a way of saying, “didn’t he come up with a great idea considering he’s an 18 year old in his first job? I bet most people his age wouldn’t be that smart!”

      It’s still problematic because it means she is favouring him and putting you in a position where it’s pretty clear she’s not likely to be open to supporting you if you have to correct him/turn down one of his suggestions and really when he’s her nephew, she should be very careful about saying anything that indicates bias. Her attitude reminds me of the mother who supervised her daughter and recieved a complaint about that daughter and wrote in to ask, not how she could investigate the complaint but how she could find out who made it because she couldn’t trust any of her employees until she ruled them out.

      But yeah, I wouldn’t worry about whether or not he’s a genius. As Bamcheeks says, it’s not relevant anyway. Somebody could be a literal genius and terrible at their job or they could have an average IQ and a real talent for a particular role. Her taking his side when you have concerns about his work, allowing him to do things that she wouldn’t accept from others and making him your direct report without discussing it with you and…making it clear that she is impressed with him and inserting herself into issues she should really be avoiding due to the family relationship and possibly employing him in the first place at such a young age and with little experience (depending on whether or not it is normal to employ school leavers for his role) are all much bigger problems and what the LW should focus on.

    3. ecnaseener*

      Totally agree. It may be relevant to mention the “genius” comments to illustrate the apparent favoritism, but absolutely no need to get into LW’s judgment of whether or not he’s a true literal genius. Both because it doesn’t matter whether he is or isn’t, and because at least in the examples in the letter it doesn’t sound like the boss meant it literally. Especially the second example — anyone can have a “genius idea!”

    4. I&I*

      I suspect it’s one of those things that particularly grates because:

      A. Unlike ‘As your manager I can overrule you about how to handle him,’ it’s provably incorrect.

      B. Favouritism is bad enough without implicit social pressure to agree that yes, Favourite totally IS the bestest!

      It adds insult to injury – but the injury is the real issue here. If the workplace was properly run, I suspect it wouldn’t bother OP3 nearly so much.

  17. A Book about Metals*

    I’m not sure the “push back as a group” will work in the case of #2. The LW says that nobody else seems to care. It wouldn’t be a hill to die on for me, but if it’s that important you can always contact the union.

    Also, personal device or not, you do need some kind of virus protection. Yes they should pay for a work computer, but if not it’s reasonable that they’d be concerned about vulnerability

    1. Seashell*

      Maybe the others haven’t thought it through, so LW2 can bring their concerns up to them. There’s also a possibility that they still won’t care when LW lays out their concerns. I would probably fall in the latter category.

      1. Sloanicota*

        Yeah unfortunately in my experience we’re losing the cultural war on privacy/tech stuff. Most of my friends are happy enough to download any app or program that makes things go smoother for them, either work related or just to try a new restaurant’s food. They’re not concerned about the fine print and even if you are explicit about the issue – “this allows Facebook to monitor everything you do on your phone” – they just shrug and say Big Tech already knows everything about them anyway. The issue of the antivirus blocking a download they want is one they’ll have to encounter before they start caring, and it’s possible there’ll just be a whisper network for how to disable the antivirus software when you need something.

        1. Wilbur*

          I’m a bit terrified about the next privacy case (whenever it lands in the Supreme court). My understanding is that our current standards for privacy were set back in the 70’s when cameras (security or otherwise) weren’t nearly as common. A “reasonable expectation of privacy” now is so much different now.

  18. Middle Name Jane*

    A few years ago, I withdrew from the hiring process when the employer (local branch of a university) said that the person hired for the job would be expected to use their personal laptop. I pushed back and said I couldn’t accept the job without an employer-provided laptop. That’s just non-negotiable for me.

    Same reason I am not a fan of BYOD for cell phones. Yes, it’s a hassle to keep up with 2 phones/chargers, but I won’t allow any employer access to my personal phone for any reason.

    1. BatManDan*

      This is the only correct solution. Gonna pay me tens-of-thousands in salary? Find $500 for a decent laptop, thankyouverymuch.

      1. I Have RBF*

        I work in IT, and I have never, even when I was at a university, been required to provide my own laptop or desktop. If a company is paying me six figures for my work, they can spend ~$1k on a laptop. I’ve also been in jobs where when they laid people off their laptop became an instant brick, with a bios password no less. Find by me, it was their equipment. If they had tried to do that to my personal device there would have been screaming.

    2. Paint N Drip*

      It is inconceivable to me that a full time employee wouldn’t be provided equipment to do the job!! Glad you sussed that out in the interview, if I found myself in that job it’s crazy how fast I’m rewriting history – I don’t own a laptop and I applied for this job at the library

      1. Pescadero*

        Full time employees that regularly have to provide at least some of their own equipment:

        Auto Mechanics
        Tool and Die makers
        Machinists
        Roofers
        Carpenters
        Bricklayers
        Musicians
        Electricians
        Plumbers
        Chefs

        1. Wayward Sun*

          I had a full-time job where I had to travel from site to site in my personal car, so providing a reliable car was part of the job.

          Realtors are often required to not only provide their own car, but provide one that’s less than a certain number of years old, for appearance purposes.

        2. Texan In Exile*

          In a town near me, the cops have to provide their own uniforms, guns, and vests. There is a referendum on the ballot to raise money to pay for these items (along with EMT services from the next town over), but some people are against it, saying they have to pay for their own equipment – why shouldn’t the cops? These cops are paid about $25/hour.

        3. Peanut Hamper*

          This is a false equivalency, though. Just because some employees have to provide their own equipment doesn’t mean all employees should be required to do that.

          Also, all of the careers you mention here make heavy use of hand tools. And people often have highly specific personal preferences for quality tools that will last and which they can take with them from job to job to ensure they can maintain a high quality of work. (And yep, I’m considering musical instruments to be tools.)

          1. Wayward Sun*

            A lot of people have intense personal preferences about computers too. There are people I provide a work computer to who don’t use it because they prefer their personal one.

        4. I Have RBF*

          Hammers, knives, pliers and wrenches do not become obsolete in three to five years, computers do. Most professional grade tools in fact have lifetime warranties. Yes, tradespeople have toolboxes worth thousands of dollars, but those are accumulated over years of buying, are under warranty, and can’t be rendered unusable by the employer with a few keystrokes.

    3. Wayward Sun*

      I’m not a big fan of BYOD either, but once most people had personal cell phones they stopped wanting an additional work phone because of the hassle of carrying two. It was a trend that was, at least initially, mostly driven by user preferences, not cost-cutting. (It became a cost-cutting trend later.)

    4. I went to school with only 1 Jennifer*

      Happily, most phones are using the same style of charger these days. (It’s a tiny thing, but I’ll take the tiny wins.)

  19. Alton Brown's Evil Twin*

    #4 – OP, you only take 5 minutes to set up and tear down, but there may very well be people who don’t. Ostentatiously wiping down the desk, spending 15 minutes to arrange pictures and tchotchkes, etc. If there are people who abuse the process, make sure you’re able to show that you aren’t one of them (timestamped something in the first & last minutes of the day).

    1. Colette*

      That’s not really abusing the process, though. If you want a clean desk, wiping it down is reasonable. If the company doesn’t want to pay for that time, they should give everyone a fixed desk.

      1. Alton Brown's Evil Twin*

        “Ostentatiously” is the key word I was going for there. You can clean a desk because you want a clean desk, or you can clean a desk in an over-the-top manner in order to waste time. “performative” might have been a better word choice.

        1. Colette*

          It doesn’t really matter. It’s work time regardless.

          Yeah, someone might exaggerate how long it takes, or take longer than strictly necessary, but that’s the price of hot desking. And people are fully capable of wasting time even when they have a fixed desk.

        2. metadata minion*

          If anyone is actually doing that, their manager can address it. Telling the LW to make sure they *really* need that much time to get ready feels both condescending and unnecessary.

  20. Meg*

    #2: My university also has the requirement for antivirus software on the computers, but it seemingly has no teeth? When you try to log onto the wifi it tells you should have antivirus software, but then allows you to log onto the wifi anyways. Hopefully yours will be similar?

    1. AGD*

      It happened to me once about twenty years ago. The surprise poem was well-written and silly, but I was cast as the nearest thing that it had to a villain, and I spent about a year after that wondering if everyone secretly thought I was hypercritical. Stopped worrying about it only after I changed jobs!

  21. HailRobonia*

    I work at a Major Research Univerity ™ and work with more people who would be considered “geniuses” than the general populace . The only time I have ever heard someone refer to anyone as a genius is out of sarcasm… and normally referring to themselves (e.g. a world leader in immunology locking themselves out of their own lab saying “wow, I’m such a genius!”)

    1. Colette*

      I can myself and other people geniuses all the time. (“You got that jar opened? You’re a genius.”)

      I do not mean it literally.

    2. AGD*

      I’m also at an MRU™ and yes, this. One worshipful student aside, I’ve only seen the term used sarcastically. One time before smartphones I was on a trip to another campus with about seven colleagues divided between two cars on I-90. From the backseat of the second car, it took me ten minutes to convince the others that we weren’t actually heading west as everyone thought. Finally the driver of the second car was persuaded, and called up the driver of the first car, who opened with: “You turned the wrong way onto the freeway, genius.”

    3. Emily of New Moon*

      The word “genius” isn’t even used anymore on IQ tests. A person with a highly superior IQ is now referred to as “gifted.” I suspect the change was due to people using the word in the way that you describe.

      1. MigraineMonth*

        I went to a program for “gifted youth” (basically summer school for kids who just wanted more school) and we thought that was so pretentious we came up with another phrase to fit the acronym and called ourselves that. Gyrating yaks? Something like that.

    4. Disappointed Australien*

      Yeah, it’s definitely something where adult lumber children with it in a completely different way to adults. Three highly paid senior engineers taking apart a filing cabinet because one of them didn’t close the cash box properly and now there’s coins jamming the drawer slides? Geniuses, the lot of us.

      Kid doing something above their age cohort? Genius. Kid doing something unexpectedly smart? Genius.

      But 18 is really pushing it for the kid version. Especially in a workplace. If *I* did that at work everyone would assume it was sarcasm until proven otherwise.

  22. giraffecat*

    LW2 – If your university doesn’t have a union for graduate students, you can check if they have an ombudsman that may be helpful. My university is going through something similar but is only requiring us to change antivirus software on university-owned computers. You may also be able to talk to someone in IT about your concerns and see what they say. They may have some solutions or workarounds for your personal computer.

    I’m also really surprised that the university doesn’t have any computer labs available that you can use. That may be another question to ask IT or your department. Sometimes they are not well known to students, but do exist.

    1. Wayward Sun*

      We have computer labs but hardly anyone uses them; they prefer to use their own personal computers. I’ve been gradually reducing the number of lab workstations in my department because they’re so rarely used, but they still exist.

    2. OP2*

      We do have a union! Definitely going to work on organizing collective action around this. And yes, I’m planning to talk to IT, at least to get more details about the exact circumstances under which data would be shared with this software.

      1. Wayward Sun*

        Filing a union grievance over it would probably get everyone’s attention and might delay the whole thing, even if it doesn’t stop it.

  23. EvilQueenRegina*

    Not sure whether this post or the one from yesterday about random tat found in cupboards is the right one for this, but both have just reminded me of the poem I once found in an old office which had fallen down the side of a desk who knows how long ago – long enough ago that the majority of people named in it had long since left. I think it was given to the one person who was still there.

  24. jenny*

    I know LW #2 says that no one can afford new computers. But if at all possible, I’d be tempted to find the cheapest one I could find and try to get it. Chromebooks are $250.

    1. Person from the Resume*

      That is one way. It’s still not a cheap way, but if the LW’s “university business” work doesn’t require high computing power a separate inexpensive computer that they use for university business only could work.

      It’s still costly for someone making grad student money. And it’s a pain if they find themselves carrying two laptops because they do their own studies and personal play on their personal laptop which accesses a different (??) non-employee wifi, but need the other laptop to to do their paid job duties which they must use the employee wifi and campus IT infrastructure.

      1. fhqwhgads*

        I was thinking the suggestion was even if the university says there’s no budget to supply a computer, that should be cheap enough for the university to do.

    2. Ginger Cat Lady*

      Maybe that’s cheap to you, but just 5 years ago, my daughter made $12k a year before taxes as a grad student and was prohibited from taking any other employment during the school year. Try living on $12k a year and tell me again how affordable it is to spend an extra $250 for a second computer.
      Grad students are POOR.
      (Unless, of course, they have a rich family backing them up.)

    3. OP2*

      This is something I’m actively considering, yes. It’s barely an option for me and will be even less of an option for other grad students who make significantly less than me, so part of my desire to push back is on behalf of all of us, who really should not have to shoulder this cost. But I agree that as an interim solution, it may be necessary.

      1. PP*

        OP2, I wonder if getting a raspberry pi computer might be an option, if you have to buy a computer? I was just looking at their site, and they have raspberry Pi PC keyboard kit for around $100. You would connect it to a monitor.

        It seems you download their free OS. I’m not clear if you can run Microsoft Office applications on it – such as 365.

        Maybe others here are in the know.

        1. OP2*

          Intriguing! I’ve already been in touch with some Math/CS friends who I’m sure will have creative solutions. I could ask them about this.

    4. I Have RBF*

      Chromebooks are pretty useless except for web browsing and maybe email, but I don’t think they’ll even run Outlook. Any office stuff has to use Google docs/sheets/etc.

  25. Bananapants*

    LW2 that’s annoying and I don’t think you’re crazy. When Old Job sent us all home during the pandemic they didn’t give us laptops and most of us didn’t have room for a desktop setup (small apartments) so we just had to use our personal devices. Besides the MANY client data privacy concerns involved with that, IT once asked me to let them access my computer remotely to install software for a task I volunteered to do in my downtime. IT guy said he just had to type in the license key but I didn’t love the idea of giving my employer full control over my personal laptop even for a few minutes. I refused and no one pushed it since it wasn’t a critical task.

  26. Glomarization, Esq.*

    I’m sorry, pushing back against IT requiring particular anti-virus software will be a non-starter. Universities are massively attractive targets for bad actors. Particularly R1 universities, which have contracts with the federal government (think: military, nuclear, public health) and often have hospitals attached, so the importance of campus data security cannot be overstated.

    It is 100% true that “other devices in a network could be compromised if one insecure device is hacked” and that’s why IT has instituted this requirement. It kind of boggles my mind that the risks here aren’t clear, why there would be pushback against this, and why anyone would think that the grad student union or any group would be effective in changing this policy.

    1. petri73*

      Yes to this. I’m in IT at an R1, and while we aren’t mandating this yet, personal devices are a huge problem and some sort of mandate is likely heading our way. My specific college has a TON of federal contracts (DOD, DOE especially), which come with a ton of security requirements. (I’m looking at you CMMC 2.0). We have to comply, or we don’t get grant money. DOD and DOJ currently have a lawsuit against Georgia Tech for cybersecurity failures.

      Our dept has been stressing for YEARS that PI’s need to start providing equip for RA’s and TA’s but most of them don’t want to, because it’s expensive, and with the type of research most of them are doing, a chromebook or a cheap laptop isn’t going to work because they aren’t powerful enough. We’ve tried going to college leadership, and they don’t care either. All they see is IT and all our “stupid mandates” as a money suck. They’re finally kind of starting to listen because of the lawsuit.

      We have VM’s and labs available, but usage is LOW. We’re doing what we can. Academia is a mess.

      1. Pescadero*

        “DOD and DOJ currently have a lawsuit against Georgia Tech for cybersecurity failures.”

        Yep… and my department might the beneficiary of that money not going to GT.

      2. F.*

        RAs, for students supported by their advisor’s grants, I can see. But, at least in the departments I’m familiar with, funding for TAs doesn’t flow through federal grants so the university would need to pony up.

        In principle, this is what “indirect costs” are for. (For anyone reading not in the know, when you’re writing the budget for a grant proposal, once you’ve accounted for all your line items you’re requesting, you then add 50% or more to cover “indirect costs” of your research, which goes to the university.)

        1. petri73*

          You’re totally right. I just know some PIs who have tried to do some creative accounting to cover salaries for both TAs and RAs, and we have a ton of students who have multiple appointments. It’s a mess. We just joke that somehow the ‘indirect costs’ go to the college, never to be seen again. Hopefully, it’s better at your institutions.

      3. OP2*

        Thanks to both of you for this additional context. I should have been clearer in the letter–I am 0% mad at IT for this. While I don’t know much about data security, I am not at all surprised to learn that this is a real necessity. I don’t intend to push back against the mandate itself, but against the lack of separation between personal and work computers. If they’re going to consider us employees and enforce employee-level info security, then it’s important for them to provide us with the equipment to do that. If I had a work computer, I would have no problem whatsoever installing the software!

        1. MigraineMonth*

          I think that’s a good approach. A cheap Chromebook for each of the employees of the university to use while working is a much more reasonable ask than an exemption from the antivirus mandate. IT would probably appreciate the ability to have stronger control over what was connecting to their system, too (though they probably won’t enjoy replacing all the destroyed power cords).

          To be honest, I didn’t find the antivirus terms of service particularly alarming; any antivirus probably needs that level of access/potential privacy violation in order to do it’s job. (I don’t think it would allow the type of data scraping others have expressed concern about.) As for not allowing certain types of software… well, your university’s risk tolerance is going to be much lower than yours apparently is. I also don’t think letting you pick your own antivirus would resolve most of these issues.

    2. Colette*

      The OP’s letter is pretty clear about why. The university does not own their laptops (which may already have a different anti-virus installed), but will receive personal data about what is done on those personal laptops under circumstances that are not defined.

      I wouldn’t want my employer to get a report of what I do on my personal laptop because it’s none of their business. (Would the anti-virus software share banking logins, for example? What about involvement in groups that c0uld result in illegal discrimination? What about every email you’ve ever sent to anyone about anything?)

      1. Colette*

        To be clear, I understand why the university needs this – but the answer is that they need to restrict the network to devices they control.

        1. Lady Lessa*

          I agree with you about both the control and the need for the hardware to be provided. I still dislike that our corporate owner makes us put this one program (to identify us) on our personal cell phones.

          I am a lab type, and never take work home, etc. so corporate doesn’t need to know anything about my personal devices.

          1. windy*

            Just curious: why did you let them? When my employer asked to put a program on my cell, I just said I didn’t have one, and let them solve it. Was it more inconvenient for me? Yes. But, when I got laid off, I didn’t have to worry about them wiping my phone.

            1. Lady Lessa*

              My cell phone number was already listed with HR, etc. And I to have the app on there, or else I could easily get locked out of my work computer.

              1. PP*

                I once had an HR department change the number that they had for me. I think I might have changed it to a google voice number. But in any case, I was placed there via an agency who was my employer. And I was not going to be answering work calls on my personal phone. I this situation, the company I was place at gave me a bridge for making conference calls, and it also has a phone number attached to it. So, I used that as my work phone number – which it was.

                I really have a bug-a-boo about people having to use their personal cell phones, because all these employers are too cheap to provide phones (VIOP or otherwise). If my key to my job is being on phone call, then provide me with the resources for that.

                In another job where I worked again via an agency, and for a bit 5 tech company, they didn’t require using cell phones for verification for logging onto their system on their provided computer. They used physical keys, duh! Other companies have that option too, instead of making people download some verification software to their phone to get log-in authority key codes.

        2. metadata minion*

          There’s no way the university is going to pay for computers for all its students. The LW should absolutely get clarification about the privacy concerns and potentially push for the university to switch antivirus software, but this sort of requirement is almost universal in campus settings, and it has to account for the probably thousands of undergraduate students who are not going to be ok with using a crappy university-provided computer (remember that many of them probably live on campus, so it’s not just a matter of only using their school computer at school).

          1. Colette*

            But they should be paying for computers for all of their employees – which apparently includes the OP.

            1. Elitist Semicolon*

              I don’t disagree with you but not all graduate students are employed for their entire duration, and setting up/issuing/tracking equipment on a semester-by-semester basis (which is how many TA appointments work) would be extremely labor-intensive. If it were a matter of students starting a campus appointment in Year X and continuing all the way through to Year Y with no off-contract breaks (i.e. no summers without work), that would be one thing, but that’s not how graduate appointments are structured in a lot of fields.

        3. Wayward Sun*

          Our plan is to segregate the network. University owned systems and others with correct antivirus installed will get full access. Personal devices without AV will get Internet access but won’t be able to access other resources on campus.

          This is an extension of the current situation, where when a machine is detected as infected by our threat management system it’s booted off the network.

      2. Nancy*

        Then LW2 should talk to their boss and see if there is a laptop they can use, or work in the computer lab, or ask IT about virtual system options.

        1. Wayward Sun*

          It’s worth asking. I will occasionally loan out laptops to TAs who don’t have one. But it won’t be new, it’ll be one someone else no longer needed.

      3. HonorBox*

        The “reach” of the software is something that OP can definitely clarify and push back on. If they’re working on university things and connected to the university’s network, by all means there should be a way to prevent bad things from happening, but if the software is gathering information or blocking use when it is on personal time, especially on a different network, I’d have concern about what personal information was in someone else’s hands and how it might put me in a compromised position.

        1. Wayward Sun*

          The IT department may be willing to tell them what information they actually have access to. In most cases it’s going to be only stuff directly related to the breach — IT people don’t want to collect a lot of personal info, because that just creates another sort of liability.

          Typical stuff for our endpoint security system would include the actual file that triggered the alert, information about the OS and how up-to-date it is (being sufficiently out-of-date can in itself be a reason to lock out a system), information to identify the affected system (this can be surprisingly hard to do just from network data, if it’s a laptop on WiFi), and maybe a list of software installed. We don’t want or need to know about all the user data on the system.

        2. OP2*

          This is a good question, and it’s one that I’ll follow up with IT about. I would be much less concerned if the software will only flag things that happen when I’m connected to university wifi–that way, anything I do at home on personal wifi wouldn’t be surveiled.

    3. PayToPlay*

      Agreed, but that’s why employers providthat hardware. If they care about control over the computing environment (which I agree they should) they need to supply a conformant option

    4. bamcheeks*

      But it depends what you’re accessing. You should not need the same security standards for using the WiFi that you need to access the VPN or SharePoint or the student records system. It’s possible that LW could keep all those things off their personal device and use campus computers for higher level security things.

  27. Buni*

    #2 would have me in a rage spiral too, absolutely no way. I had something similar here when work wanted me to install an app on my phone in order to update doing one thing I did.
    I pointed out it was my personal phone.
    They said it was needed to loop me in on the process.
    I pointed out I was doing that process voluntarily, it had nothing to do with my actual job description, I was MORE than happy to give it up to someone else who was happy with the app.
    They stopped asking – nobody wants to do the job (which is how I ended up with it….)

    1. OP2*

      Arrrrghhh that would infuriate me as well! I’m so glad you were able to both hold a line with them and also get a task taken off your plate in the process :)

  28. trust me, i read a book once.*

    re: the software install on your personal devices. IT professional here. It’s not an overreach to require any devices that connect to their production network (whether wireless or wired) have security software installed. It’s a basic require of cybersecurity. In fact the organization is foolish if they dont do it. Really they shouldn’t be allowing access to their production for your personal devices at all, they should be providing you with a secure computer they manage completely to do your work. it’s a terrible idea to allow people on your network with the same computers they let their teenage sons play video games and scroll the internet on, believe me.

    1. Caramel & Cheddar*

      It’s an overreach specifically because they don’t provide computers for their staff. The overreach isn’t about their perfectly legitimate need to keep their network secure, the overreach is imposing that on other people at personal cost/expense/whatever. It’s an organization downloading the cost of doing business to their users. That it’s super common that a lot of companies require employees to use personal devices instead of providing them doesn’t negate the overreach.

    2. Old Lady manager*

      I totally agree.
      The other thing that most people miss is that most work places put in a “remote wipe” clause in their 6p contract. This basically means they have permission to remote wipe clean/delete any devices allowed to be used for work and sometimes even remote install software. So you use your personal cell phone to access the company client list, they can remote wipe everything off of your phone, computer, etc. on purpose or accidently. I worked at a place where this was a thing. You could find out that you were fired by the company because they wiped the device you were using for 2 factor authentication. I would warn people to request a company phone, excuse was always that carrying 2 phones or having 2 laptops was a hassle. Bad remote app install bricked your personal devices,,, so sorry, read the 6p contract. Now I won’t work anywhere that won’t provide me with company equipment.

  29. Annie*

    I’m really interested in the implications of (4). I work at a large campus which can only be entered at one of two security checkpoints. It takes me 10-¹5 minutes to get through the checkpoint, park, walk or take the shuttle to my building, walk to my desk, and log in. I am in the office 2-3 days/week, but could technically request to be fully wfh and do my job that way. About half my colleagues must be on site 3 days a week due to the nature of their roles.

    Based on Alison’s response to #4, do those 20-30 minutes count as work time for my colleagues who must be on site but not for me for whom it is optional?

    1. MigraineMonth*

      Unfortunately, the time spent waiting in a security line was deemed not work time in a recent-ish Supreme Court case. I think that was the wrong decision, but boy howdy have I disagreed with a lot of recent Supreme Court cases!

      The rest of the time (parking, taking the shuttle, walking to the desk) would probably be considered commuting time and therefore also not work time.

  30. Joey Jo-Jo Junior Shabadoo*

    #2: Your employer would be more secure by setting up a virtual machine or VPN instead of this dumb policy.

    Nonetheless, one option for you now is to install a virtual machine on your personal computer and run the mandatory antivirus software on it. It it will mean a minor additional cost to you, but should limit what the antivirus software will be able to access.

    1. OP2*

      We actually do have a VPN, which I use when I work from home and need to access university resources.

      I’m unclear on how this would help, though–the software applies to computers, so wouldn’t I still need to install the antivirus on my personal machine even if I were using the VPN?

      1. LJ*

        Yeah I don’t see how that would help either. A virtual machine keeps the thing inside the VM from getting out into the parent system (at least nominally/except for if there are bugs/vulnerabilities), not from things in parent system from getting in

        A VPN makes a secure tunnel between your system and the corporate network, but it doesn’t do anything for what’s on your system.

        1. LJ*

          It occurs to me maybe the parent comment meant some sort of remote desktop solution? Even then, say you have malware on your local computer that’s logging all your keystrokes – it’s still going to log them even if you’re typing it into the remote desktop.

  31. Nancy*

    LW2: that is a normal requirement for universities (and hospitals) and has been for many years. Grants also require you to say how your system is protected. There is nothing to push back on, they can require employees to use a specific anti-virus software on computer they plan to use for work as part of their security policy.

    1. Colette*

      They can, but it’s a pretty crappy thing to do when they aren’t supplying the computers.

      Let’s say I’m a biology student, and I’m also interested in medieval weaponry as a hobby. If the anti-virus blocks a site I need for my hobby, is the university going to unblock it? Or are they going to say “that’s not relevant to your job”?

      I suspect it’s the second – which means that my personal laptop is not something I can use for my hobby.

      1. Parenthesis Guy*

        We’re talking about the network of a major university. Tens of thousands of undergrads use it. They’re not going to be restricting anything unless its for security reasons.

        1. Colette*

          They presumably are going to be relying on the manufacturer’s algorithm – which, like any algorithm, can have false positives. That’s why they have a “if you need it we will unblock it in 48 hours” process.

          These things often get things wrong – it’s the nature of the millions of sites on the internet. No one is individually evaluating each one.

        2. judyjudyjudy*

          But graduate students and research staff might have access to specific networks that the general student population doesn’t — networks that have shared data, including patient information.

          Also, whatever you might argue about who has access to what, that doesn’t change the fact that if grant agencies require it, the university has to comply or start firing people.

      2. Person from the Resume*

        I don’t know, but I also suspect there’s guest networks and employee networks.

        When someone is off-campus they’re probably not actually using the the university network at all. Blocking websites may or may not be the purview of the antivirus software.

      3. Pescadero*

        It’s the second – and it’s not their problem.

        Their job is to protect the university computing resources – full stop.

        Their job isn’t to make sure you can do personal stuff. Their job isn’t to make sure you can do your research. They don’t care one bit about that.

        You can install their software, or you can find another way to connect… and if that means expense, or time, or anything else? It’s not their problem, it’s yours.

        It’s important to remember that universities don’t work like a big monolith with centralized management. They work like 1,000 different corporations in a trade association.

      4. metadata minion*

        The university will unblock it unless there’s something sketchy about the security of the website. They’re used to people researching incredibly weird things, and they’re certainly not going to go “oh, you’re a biology student so you can only access biology”. As an academic librarian, my search history looks very, very weird. As in, “I occasionally have to look at literal Neo-Nazi websites” weird. Most universities already have policies in place for when faculty are researching things like pornography that will ping most filters.

        The privacy concerns are legitimate here, but the reason the university has a requirement for everyone to download antivirus software is that it’s serving a population that includes both clueless 18-year-olds and tenured faculty who are extremely attached to Windows Vista and have to be convinced with a crowbar to update it. This population is in the thousands, possibly tens of thousands if it’s a really big university. There will be malware. So much malware.

        1. Colette*

          I understand why they want to do it – but they need to do it in a way that does not download the costs onto their grad students, and they need to be clear about the privacy concerns.

          That means supplying university computers and/or being clear about in what circumstances the program collects personal data and when the university gets to see it.

          If the answer is “if you’re looking at child pornography, the software will alert us”, that’s different from “we get snapshots of what you are doing once an hour, but we’ll only look at them if you give us a reason to”.

          1. Anon student services person*

            There’s no required cost here, though. The university is not saying that students must buy a separate laptop (or pay for the software, though I might have overlooked that) to use for university-only work. That’s the students’ choice. The end financial result may be the same – that is, OP or a colleague may decide they can’t live with the new policy and instead shell out for a separate machine – but the policy itself does not “download the costs onto their grad students.”

          2. Pescadero*

            ” but they need to do it in a way that does not download the costs onto their grad students”

            We can argue about whether they SHOULD do it in a way that does not download the costs onto their grad students, but they definitely don’t NEED to.

            They can just tell grad students “tough luck – install the software, buy a new computer, or use the computer lab”. They don’t NEED to do anything to help them, and it isn’t their problem.

            1. Overthinking It*

              Really appreciate your sensitivity this. It’s horribly egotistical to assign one’s own needs to another – saying “YOU need to. . .” rather than “I need FOR you to. . .” And yet, people do it all the time. (It’s a linguistic bugaboo of mine.)

              1. In My Underdark Era*

                ughh I hate that too. I even do it sometimes myself but I always correct myself when I catch it. (I unfortunately absorbed from someone who does it constantly…)

                as much as I love how flexible and creative our language can be, I so wish we could all just agree to say what we actually mean haha

      5. University Employee*

        The antivirus software probably isn’t blocking websites, but rather suspicious downloads. And for a huge university, those settings are pretty unlikely to block anything you need in the course of your day to day life—remember, undergrads in their dorms are also using this network.

        I write about science/research for a major research university. That means I look at a lot of weird websites. I Google things like “worm sex” on my work computer on a not-infrequent basis. I also have never had an issue downloading legitimate open source software on my university computer. (For comparison, my partner works for a private company, and their network does block a lot of totally normal websites.)

        To me the biggest issue is the expectation that grad students provide their own computer. It’s standard in academia but that doesn’t mean it shouldn’t change.

      6. Nancy*

        Your medieval weaponry site wouldn’t even be blocked unless it was known for having malware or causing viruses. Universities have people looking at much weirder sites than that.

        IT doesn’t care if a biology student is looking at medieval weaponry, so if it was a site that was accidentally caught and not a site with actual concerns, then they’d unblock it.

  32. Caramel & Cheddar*

    LW1, getting left out of any kind of thank you, in the format of a poem or otherwise, really does suck. But this probably won’t be the last time it happens either at this workplace or future workplaces because people are forgetful or don’t think very broadly about who should be thanked or why, and it’s usually not malicious. If she’s otherwise a good manager, I’d let it go, and I’d work on finding ways of not taking it personally.

    It’s something I’m on the receiving end (or lack thereof) of a lot in my role at work, and at this point we just sort of eyeroll and say “Well, they forgot the X team / Y person again!” and move on with our day. It only stings when we’ve felt unappreciated in other ways in our work, so I’d also take a broader look at how employee appreciation is doled out when poems aren’t involved.

  33. YesPhoebeWould*

    Regarding #2 (the antivirus), while the university *should* provide laptops themselves, it really is a legitimate requirement for any personally-owned devices that touch the university’s network tio have a centrally-managed antimalware and endpoint protection system installed.

    Concerns about AI aside, it really is quite dangerous to the university to have unprotected endpoints connected to their systems. This is one of the most common attack vectors out there.

    I work in infosec? I have implemented the same requirement before: if you want your system to connect to our network, it will have our centrally-managed endpoint protection. Period.

    If your university is seeking grants, federal contracts, ISO 27001 certification or a SOC 2 certification (common security certifications), this is pretty much an absolute requirement. And to be honest? If it is from any of the major players? It’s very unobtrusive – you won’t even know it is there.

    1. Parenthesis Guy*

      I think the challenge is that while it may make sense to do this for doctoral students, it wouldn’t make sense to do this for undergrads. And they could be afraid doing it for one set of students could cause a bad precedent.

      1. YesPhoebeWould*

        Actually it probably makes *more* sense to require this of undergrads, as I would expect a PhD candidate to be older and more aware, especially having been embedded in the university system for years.

        And many grant applications and the certifications make no distinction amongst devices. It’s pretty much a universal best practice in infosec – if a device touches my network, it is managed and it has endpoint protection. Especially with the rise of AI as an attack mechanism? Endpoint protection is going to become increasingly critical.

        I understand it is a pain, but if somebody wants their personal device to touch my network? It WILL be managed by my IT department and it WILL have centrally managed endpoint protection. This expectation is perfectly reasonable.

        1. Parenthesis Guy*

          Apologies. I wasn’t clear. I meant it wouldn’t make sense to pay for laptops for all the undergrads.

          1. YesPhoebeWould*

            Oh, my bad. I misunderstood. True. And given the disparities between different majors (my son is an engineering major and needs a powerful Core i7 with a dedicated GPU, while my daughter is a psych major and is using an inexpensive Chromebook-class laptop), it would be very difficult to do it even if they had the money.

            Fully agree.

      2. Anon student services person*

        It absolutely makes sense to do this for undergrads, who aren’t always discerning in their internet usage. And malware doesn’t care whose laptop it’s using to access a network.

      3. metadata minion*

        This is absolutely something universities require of undergrads. (I’m sure some don’t; that shouldn’t be taken as a universal. But it’s very, very common.)

  34. KnowTheRules*

    Those of you commenting about using personal devices at work, be aware that it means you’ll likely be required to hand them over as is in the case of any legal action against the company and that many companies will expect to be able to brick your computer or device if it has company-related materials on it – and some will do so as a matter of policy whenever an employee stops working at the company.

    It also makes IP issues a lot more complicated if you do anything outside of your job that generates IP.

    If you agree to use a personal device or computer for work, make sure you understand what rights you’re giving the company.

    1. Wayward Sun*

      Also if you’re an employee of a university, any work product you create is probably available to the public via FOIA requests. For this reason I strongly recommend people not use their university work email for personal stuff.

  35. Happy*

    Every university I’m familiar with requires all students to have whatever particularly antivirus software the university prefers (and that spans the last 25 years), so I’m surprised to see it described as overreach. (Though the details of this software would annoy me, too.)

    1. Person from the Resume*

      It’s not about all students and all undergrads. It’s not about any device logging onto a university wi-fi network. It’s just about employees and the devices they are using for “university business.”

      university devices will be required to have a particular antivirus software installed on them … their definition of “university device” covers any personal device used for university business.

    2. Consonance*

      Yeah, my experience is the same. I sympathize, because I too think that this feels like an overreach, but the reality / practical situation is that this is normal/standard and likely not going to change.

  36. Parenthesis Guy*

    #2 – If you want to work on someone else’s network, you need to play by their rules. I don’t know if they’re worried so much about the doctoral students, but they probably are worried about the undergrads on their campus. Undergrad students do a lot of risky things on the internet, so providing a dictat that certain anti-virus software must be installed on anything that hits their network is not only reasonable but prudent. If this user doesn’t want their employer to see their personal things, they need to get their own network and use their personal device only on that.

    No IT department will agree to let you select the anti-virus system you choose. Some anti-virus systems are better than others and you might choose a poor one. It’s possible that maybe, maybe, they’d let you choose from a list. But if they think that such and such anti-virus is the best, that’s what they’re going to want.

    Where you could try to push back is by demanding work computers. I think that’s more likely to be successful than arguing that your university shouldn’t adequately secure its network. I just find it surprising that a major US university wouldn’t have computer labs where you could/would be expected to work.

    If it makes you feel any better, your university is almost certainly tracking what you do anyway and installing their anti-virus will have minimal impact on how they’re doing it.

    1. Colette*

      The university could only be tracking things you do on their network, not things you do when you connect your laptop to a different network.

  37. Synaptically Unique*

    For LW1 – I went through a similar situation from the opposite side. Had a new staff member, had an accreditation site visit while the new staff member was still in training and was unable to help in any substantial way. After a great report from the site visitors, my boss gave exactly the same level of public kudos to the brand new employee as she gave to the two people who actually did all the work. It felt very performative and pissed me off majorly. In this case, it was part of someone just being a horrible manager overall.

    1. Ginger Cat Lady*

      That’s not the same. You were thanked for your work. Just because you felt the other person didn’t deserve thanks doesn’t mean you were wronged. You are looking for reasons to be offended because you already didn’t like the manager. But you were not wronged here.

  38. HonorBox*

    OP2 – This situation sucks. I get the anti-virus requirement, but having the university able to track (and have to approve?) something that is done outside of their network seems a bit heavy-handed.

    I’m going to make a suggestion that I actually have mixed feeling about, because there are numerous negatives I could flag. But, what about a second device? Could your university work be done with a cheap Chromebook? Perhaps pushing back might also include pushing for the university to “allow” you to buy a cheaper second option by running the purchase through the university. They could buy in bulk, many companies offer education discounts, and then those could be available to those who might want to have a work and personal device. Again, many negatives including that you’d be paying for a second computer, carrying a second device, etc. But that might be a way to use the university’s purchasing power to accommodate what they need while also not compromising your personal device and personal activities.

  39. A Book about Metals*

    Are these employees currently using machines to do university business with NO virus protection? That’s way worse in my opinion than what the university is suggesting.

    1. Irish Teacher.*

      It’s quite likely they have their own anti-virus protections, just not necessarily one advocated by the university.

  40. Ann O'Nemity*

    LW #1, it’s still early days so hopefully this was an oblivious one-off. Still, I would keep an eye out for other flags. Call me a pessimist, but I would worry that a manager that works much more closely with one of their teams is going to advocate for them more than the others. After all, the manager knows them better, knows their work better, can speak to it, champion it, etc.

  41. Ostrich Herder*

    Apologies if this has already been said, but I feel like LW3’s conundrum is kind of a classic AAM pattern: “Am I being petty about this small thing?” > “Yes, but only because it’s an indicator of a larger, more systemic problem, which is what you should focus on.”

    I catch myself thinking this way a lot, too, where I realize my outsized frustration around something little actually ties back in to something big. But it’s hard to get past the built-up frustration over the little thing, even knowing the broader pattern! Here’s to hoping LW3’s boss’s new boss sees the issue and makes some changes.

  42. Annie*

    I’m very interested to understand more about Allison’s response to #4. I work on a large campus that must be entered through one of two security gates. It takes me 10-15 minutes to get through the security gates, drive to the parking garage, walk or take the shuttle to my building, and walk to my desk and turn my computer on. However, it is technically possible for me to request to wfh and do my job remotely (I think I would be less effective, but it is allowed). Half of my colleagues have to be on site to do their jobs.

    Allison’s response makes me think that the 20-30 minutes a day that we all spend going between the entrance to campus and our desks count as work time for my colleagues for whom it is necessary to do their jobs, but not for me since it is not technically necessary for me to do my job. Is that right?

    1. PP*

      In the US there is a case involving Amazon.com where it was determined that their time waiting in line to go through the security screening was not time that people had to be paid for.

      Your situation seems to fall generally into that idea.

  43. Overthinking It*

    So. . . there are two supervisors, one has no direct reports and one has one – that sounds fairly low level to me – boss hired and assigned LW someone to supervise “without even discussing it?” That part sounds pretty normal. . . ?

    What does seem odd is that these two were are “supervisors ” How can you be a supervisor when you supervise nobody?

    The second thing that seems odd, is the LW wants to report the boss for thinking nephew is a genius. It’s annoying when a boss thinks anyone – relative or not – is a genius, and, sure, it can be a flag warning favoritism.. But isn’t the real issue the nepotism, not her opinion of his intelligence?

  44. Pretty as a Princess*

    Popped in to say that for #2, it’s entirely possible that the university has government contracts that prevent them from allowing “any software you choose on your machine.”

    You can google for the whistleblower lawsuits recently settled by Penn State and launched against Georgia Tech and GTRI regarding their assertions to the government about cybersecurity practices. Compliance with these rules is far more straightforward to implement, monitor, and demonstrate when the university chooses compliant solutions and enforces them, rather than having to vet a zillion and one different separate tools.

    That said I do think that the grad student union in this case should act and go to the university’s computing/IT services team with their issues, in writing, and ask for very specific information relevant to their concerns. It is feasible that they could lobby for a different tool.

    1. Dawn*

      It’s also a lot easier to comply with those rules when you supply employees with company equipment and don’t try to mandate that they install spyware on their personal machines.

      I doubt this software would even work on my Linux system, not that I’d agree to install it regardless.

      If you want me to install spyware on my machine, provide the machine.

  45. In The Lab*

    LW2, I get your outrage, but unfortunately this is incredibly common in the US and the security requirements for personal devices are even more invasive for researchers and workers who might possibly interact with sensitive, legally protected data such as patient information. And there’s no technology budget for post-docs, either, so if you plan to stay in academia, this is the new normal. It’s a legitimate gripe – I found the required security software slowed my computer so much that I was forced to invest in a much more expensive, powerful laptop just to get basic work done. I’m sorry! Best of luck with your graduate research.

    1. Dawn*

      The average university budget in the US is in the billions. If they claim they can’t afford to buy you a laptop, you’re being scammed.

      1. OP2*

        Yep! I’m super aware of this. I think pushing for change in the very broken system that is academia is very important, which is why I’m active in my union. Postdocs are unionizing all over the country as well; in many places they’re treated even worse than grad students. It is very common; that doesn’t mean it should continue to be.

      2. Wayward Sun*

        All that money doesn’t spend the same, and most of it isn’t available to departments for computer purchases.

        If someone donates a million bucks to get a lecture hall with their name on it, and you spend it on computers, they’re going to be unhappy. Litigiously unhappy.

        1. Dawn*

          “Most of it isn’t available to departments for computer purchases.”

          It should be. These are public institutions, supposedly.

          Just because something is done a certain way, doesn’t mean it should.

          1. judyjudyjudy*

            In the US, a lot of research funding comes through federal grants, and most of those grant agencies do not allow funding for computing equipment without a lot of rules about what can be purchased and how it can be used. So many rules, that most people don’t want to try to get approval to buy a computer, because it’s a huge time suck.

            I wish you luck in trying to change the system, LW, but in the meantime, can your PI get some money from the department to buy you a work computer?

  46. Forrest Rhodes*

    #3 I think Alison is right that a conversation with boss’s boss would be a good thing; and that you, LW, are in an awkward position having to supervise boss’s nephew.

    I kept hoping that boss is using “genius” as affectionate, family-type sarcasm, like, “Yeah, my ‘genius’ nephew washed a red sock with his white laundry and everything came out pink—again,” but from your report it sounds like that’s not the case.

  47. Jo*

    #4 – the company I work for was sued years ago because they were requiring call center employees to come in 10 minutes early and be ready to take calls at their scheduled time. But they weren’t paying them for those 10 minutes. Now they work that start up time into the schedule and people are paid. Absolutely start up time needs to be paid!

  48. anonhere*

    OP 1: For Admin Professionals Day this year, the head of our agency told us he asked AI to write us a haiku. He not only included the AI haiku, but failed to realize that AI had not properly identified all the syllables in one of the lines. So it was AI, and also wrong. Thanks for our hard work, I guess…?

  49. CL*

    #2- This a debate/issue happening at companies all over. Cybersecurity teams would often rather provide work-only locked down devices to everyone but budgets don’t usually allow it. Depending on where you are, there are state laws that require employers to provide equipment needed to do the job (or at least reimburse). During COVID, this started getting more traction as everyone worked from home. I would look it your local laws. (IANAL)

    1. Wayward Sun*

      Yeah, trust me, if I had the budget to provide a laptop to every TA I would do it in a heartbeat. I already manage enough of them to have automated processes, so managing more is not much extra work. What I don’t have is the budget. I can barely keep our professors’ computers up to date.

  50. Coverage Associate*

    The “adverse event” access sounds like it’s for breach forensics. Normally, the software prevents bad things getting on your computer. But if it detects something got past, it will go in to fish it out and also let you know what it accessed.

    1. Wayward Sun*

      Pretty much. With the system we use, when it detects a suspected piece of malware, we get a notification with information about the specific computer, what OS version it’s running, what the suspected file is, where the file is located, etc. Then it quarantines it.

      It’s not remote control software, and it doesn’t dump the whole disk or anything like that. I feel like everyone worries we’re going to be browsing their furry porn stash or something, but it doesn’t work that way, and we don’t have that kind of time on our hands. ;)

      1. OP2*

        This is helpful context! I definitely think I’d feel better if I had more information about what constitutes an “adverse event” and what kind of access they would then have to my device. I’ll talk to IT and see if they can clarify.

        1. LJ*

          Also if it helps, of course I don’t know the “AI” that’s in your particular software, but AI is such a buzzword nowadays that companies are eager to apply it to show how hip they are. Antivirus software have always had to use pattern matching and heuristics to decide if a file was a virus. What do we call advanced pattern matching nowadays? AI

  51. Elizabeth West*

    #2 is why I like to ask employers in interviews what equipment will be provided, and how up to date their software is. BYOD is a total deal breaker for me because I have intellectual property that belongs to me on my personal machine.

    My last job provided laptops, but they also had a rule that anything worked on during company time, or on company machines, belonged to the company. I bought a whole second laptop just to write on my lunch hour and did not even connect it to the wi-fi. I didn’t want them to be able to claim anything.

    #4 — Didn’t Amazon or Walmart (or both) get in massive trouble for not paying workers for standing in lines to clock in, or somesuch?

    1. OP2*

      I wish it were possible to choose a PhD program according to this! Unfortunately, BYOD is pretty much the norm in academia, so it’s nearly impossible to vote with your feet about this sort of thing as a grad student.

  52. Dawn*

    Just because apparently a lot of IT staff at universities need to hear this:

    The average university budget in the US is in the billions. Many are in the tens of billions. If they claim they can’t afford to buy employees a work laptop, you’re being scammed.

    1. Dawn*

      SUNY has a budget of $13.8 bn this year. Ask the administrators if they can add a teensy tiny line item for $10 million – an increase of 0.07% – to buy 10,000 HP Probooks.

    2. OP2*

      Exactly–budgets are an expression of priorities. It’s not IT’s fault that they’re not buying us computers; the university has decided to prioritize other things above their employees’ working conditions.

    3. Wayward Sun*

      Because a lot of people who aren’t IT staff at universities apparently need to hear this:

      We get very little control over our budgets and what we’re allowed to spend them on. Most of that money is spoken for, at a level that’s far above our heads.

      1. Dawn*

        You should maybe try to push back against that instead of telling everyone to lie back and think of England.

  53. PP*

    #1 If the person is in California, they may be able to push back regarding their employer not supplying computers when a computer is required for the work (versus what Allison wrote of, “Employers can require you to use your personal devices”). Under California labor laws, employers have to themselves pickup their necessary business costs and not just pass them on to employees. (Calif Labor Code Section 2802) I’d suggest they get their union involved if they are in California.

  54. Rich*

    OP #2: I am a computer security professional with tons of experience in exactly the type of software they’re requiring. Based on that:

    1) They are very reasonable to require any computer connecting to the network to have proper protection — and the type of software they will require is completely standard in that sort of environment. I guarantee you will be unable to disable it when disconnected from the university network.

    2) I would never allow the IT department to put that on MY PERSONAL machine. All modern IT-managed AV software gives them full visibility, and often remote access/control of the systems where the software is running.

    3) When they say “adverse event”, 99+% likely they mean “the software detected a virus” — which is when they should pay attention. The problem is, you need to trust them that they won’t pay attention the rest of the time. The software won’t _prevent_ them from looking if there’s no virus activity, they just have to respect people enough not to do it. Most people are great. Most people won’t look. As someone who does security for a living, do not trust people if “everyone will behave well” is your only protection — which it is, here.

    4) As many people stated, the only reasonable course for them is to provide work computers. Give everyone a machine where there’s explicitly no expectation of privacy. Keep your personal machine personal.

    They’re absolutely right to want to protect the environment. They’re wrong to want to do it at the expense of your privacy.

  55. quippymissy*

    Letter writer #2, as a unionized grad student body, this sounds like a change to your working conditions which the employer cannot make unilaterally. Definitely check with your union and your contract, but my understanding is that labor law requires them to bargain with you when wanting to institute changes to aspects of your working condition. Your union can approach the admin that way, or file a grievance. Either will delay the institution of the software or when they cut off computers from the network while you work it out.

  56. judyjudyjudy*

    LW2, I have both been a graduate student (in chemistry) and an now a university research staff member (in immunology). When I was in graduate school, it was totally A THING that people used their personal laptops for their graduate work, but I wasn’t required to use any antivirus software. Now, as a research staff member at a different institution and within a medical school, I am required to use a university-provided computer BECAUSE they want to secure university networks and data as much as possible. These computers are paid for by the department (not grants) because in the U.S., it’s pretty tricky to get money for computing resources from national grant agencies for scientific research like the NIH. At my current school, you can only purchase these computers from the IT department, and for a Windows OS it’s ~$700 for a desktop and ~$1000 for a laptop. Macs and Linux machines are also available. You cannot network any computer that has not been purchased through IT. But you can connect any device you like to the university wifi.

    Ok, so now to the practical stuff. The best solution is out of your control — which is, the university should provide you with a computer. But since you can’t control that, I encourage you to keep advocating for university-provided computers through your union. (Side note: what does your PI say about all this?). I hope that path will bear fruit, but if it does, it will happen slowly. So slow, that you will need a solution right now.

    Ask if you don’t the access the university network with your computer, could you avoid downloading this software? Then ask yourself, could I do my work without my laptop being on the university network? That would work for me (I can use a lab computer to access the network the few times a week I need to) but it may not work for you.

    I think the best course of action is to buy a “work only” laptop, which extra sucks because grad students make so little. I’ve had good luck buying refurbished laptops (one for ~$150, another for ~$250), and your university might have a tech store where they sell a limited selection of laptops for maybe an ok price. If you live in the U.S., you might also get a good “black Friday” or “cyber Monday” deal in a few weeks (are those prices still good, or is it just hype now?).

    Best of luck in your program!

  57. Kuddel Daddeldu*

    I would do this:
    Install Virtualbox (free, from Oracle)
    Create a virtual work computer (a “virtual machine”)
    Install Windows (you can get a 180 day trial for free from Microsoft, or the university is likely to have a campus license) and the software needed for work.
    The virtual machine has no access to the private PC’s files; it’s just an application.
    I use this for testing stuff both privately and at work (I’m a cyber security professional).
    Actually, that’s what the IT department should recommend; it gives them a computer they can configure and control according to their policy. Only cost is about 20 GB of hard disk space (can be on an external SSD) and a small amount of memory overhead.
    Alternatively, look for refurbished (used) business laptops; you can buy them relatively cheaply but the market has dried up a bit due to Covid.

Comments are closed.