Illegal Mining

  • Illegal Mining

    When is data mining a bad thing? I'm guessing that many people think that the HP Data Mining that's been in the news recently is one of those times.

    After suspecting a leak in the Hewlett-Packard board of directors that was letting information out to the press, Patricia Dunn, then chairwoman and now ex-chairwoman, ordered an investigation to find the leak and after using some suspect means, found the board member and asked for a resignation. The member refused, but another resigned on the spot and asked for Dunn's resignation.

    It's been a story that has been in the press quite a bit lately. It's one that also entailed some data mining, both in the real world with investigators impersonating state officials, as well as digital spying with tracers in messages. I'm sure there was some analysis as well to try and correlate the various pieces of information with each board member.

    While most of us don't deal in the world of investigations, I'm sure we've all been asked to dig into our databases for senior executives and pull out reports at times. Most of these requests are business related and there's nothing wrong with them. However there is always the chance that a DBA would be asked to do some mining that might be illicit and compromise secrets.

    Dealing with data is a hard job. Not only do we need to keep servers running and the data intact, but we also might need to protect it at times from people with unauthorized access, possibly including company executives.

    As data becomes more valuable and the legal obligations grow, DBAs are going to be caught in the middle. Granted most DBAs wouldn't be held legally responsible for obeying a corporate order, but you never know. The protections for data will grow over time and I can foresee the day when DBAs will need to become guardians of their data.

    Steve Jones

  • The obvious answer is that all ad-hoc data requests need to be logged. If everyone is aware that there is an audit trail then it should deter people from asking for data they know they have no right to and protect the DBA from accusations of complicity.

    K.

  • "query proce It's been a story that has ...."

    hehe, looks like Steve was writing some sql at the same time as writing the article 🙂

  • I didn't realize that there was any illegal data mining going on in this case. I thought it was the pretexting (basically impersonating) that was against CA law.

    I suppose it was legal data mining (how could a technique like DM be illegal?) on data that was obtained illegally. Oh well, I'm probably splitting hairs, but the headline threw me off.

  • Apparently the ALT-TAB got in the way of that article. I've corrected that part.

    The mining of data I referred to was analog, in the real world, mining. The headline was supposed to throw you :;

  • "As data becomes more valuable and the legal obligations grow, DBAs are going to be caught in the middle. Granted most DBAs wouldn't be held legally responsible for obeying a corporate order, but you never know. "

    If the action taken by the DBA is illegal under then-current law they most likely WILL be held responsible. "My boss told me to do it" doesn't really cut it any more. More likely the scenario you are thinking of relates to more borderline cases of corporate data use, where the request seems valid in business terms, but the data is then used for illegal purposes.

    All requests for ad-hoc reports on systems I support are tracked via an email-trail. You never know when you'll need to show who requested a report.


    Here there be dragons...,

    Steph Brown

  • Oh - someone beat me to it:

    "Granted most DBAs wouldn't be held legally responsible for obeying a corporate order"

    Good article, but Steve, if you leave publishing for the so-called "real world" - assume you can be held legally liable. As a DBA I in fact CONSTANTLY do forensic work within my firm relating to security investigations.

    "Least privilege" applies here, as does "need to know". When doing such work, I am NEVER given the reasons for the request. Aside from protecting the privacy of the investigation, it also protects me somewhat.

    Assume you are legally liable.

    Roger L Reid

  • We get lots of "requests" during our career. Complying with those requests may put one in a touchy situation. Ethics! I had a high placed individual tell me that there is no ethics in software, just data. BS!

    I was just in a class that defined an ethics committee as being "Good people trying to act well."  That had better define all of us.  We are trusted with the correct handling of data.

    In the "real world" world area I was once approached by a sales person of the company for which I worked asking me for details of the requirements for a computer system for a government agency that was a client. Yes, I had all the details. I had consulted with the agency in formulating those requirements. This was a hardware sales dude and wanted a "leg up" in preparing his bid.

    My action was to point him to the page in the employee handbook which stated why such a "request" was wrong. Well somehow his "request" got leaked, he got canned, people up to VP of sales for the division got canned. All these people had friends and yours truly became persona-non-grata and eventually laid off.

    When we accede to an "off the record" request for information, we start right down that slope. Those in security may not have a need to know the reasons for some requests but even Law Enforcement has rogues.

    Stephanie said "'My boss told me to do it' doesn't really cut it any more". It didn't cut it in post-war Germany either. "Those who fail to learn from the events of history...".

     

    ATB

    Charles Kincaid

  • BTW, assuming YOU aren't the #1 Boss, and it isn't the #1 Boss asking, to deflect questionable requests without making enemies, kick it upstairs is a good strategy. "I'd like to be able to help you, but you'll need to get this OKed by (whoever)"

    Obviously, doesn't cover every situation, but worth remembering for when it can. It also CYA a bit more because you've shown some diligence on the appropriateness.

    Roger L Reid

  • Data mining is a good way to check the data especially in data warehouse. However now we have SOX, HIPAA and identity theft, the data security dept (or whatever they call themselves) constantly reminds us that the sensitive data like SSN, telephone number has to be scrambled before you put it on a report, or simply you cannot extract those fields. This is our company policy.
