Private Data

  • Gary Varga (11/18/2015)


    With regards to "just following orders", I agree that everyone should have their own red line. John's example is one that probably is beyond the red line for most of us, if not all, but Steve's examples are ones that many might ignore or raise with the appropriate internal representative and forget.

    As IT professionals we are not here to police the content but as citizens we are obliged to tackle serious issues (such as CP as called out by John). I feel that the serious issues must be raised regardless of management whilst other matters can be dealt with by raising internally thereby passing on the responsibility.

    I was at a conference where an ethical discussion was moderated by a few people, including an FBI agent. A scenario they gave us was that in a multi-national, multi-industry conglomerate which included transportation, health care, communications, shipping, energy and other areas, the corporate VP of HR was found to have CP on his computer.

    Approximately 99% of the attendees thought it was fine to ignore it, delete the evidence indicating they had found it, or at best to report it to HR. SMACK! The HR department is where it was found, dummy! A few people said to report it to the legal department. Of course most of us know they would have also swept it under the rug rather than disparage the "good name of the company."

    I was one of a handful of people who argued to call the FBI, whether immediately or after a few days of not seeing them swarm down and confiscate everything.

    The best line I recall was when the FBI interrupted the discussion to ask someone arguing that my side was wrong. His response was "how do you like wearing orange?"

    If any of us finds something illegal, and does not report it, there is a very good chance of being charged as an accessory. Yes, it depends on the scope of the crime, as Gary said above, but I for one would rather lose my job for engaging the authorities, than to star in my very own prison show.

    Dave

  • Eric M Russell (11/18/2015)


    For an organization (like DropBox, Google, or Microsoft) who hosts personal data, I think they should respect privacy in a way similar to apartment building managers. First, the data is supposed to be encrypted, so there is no reason for DropBox to be aware that a specific user is hosting illegal digital data. They can't "peek through the key hole" to proactively look for illegal activity going on in their users' accounts without violating the explicit or presumptive expectation of privacy that they have with their customers.

    Only when authorities show up with a court issued search warrant for a specific customer account should they provide the key and let them in. I know that allowing police unrestricted (or just more liberal) access to peek inside email accounts (or apartments) would help prevent crime in some cases, but crime prevention is not the be all end all of society.

    Agreed! Using terrorism as an example, our governments want to make it OK to violate our rights, but want to extend rights that don't exist to certain groups, rather than be accused of being racist! There are ways to reduce crime and prevent terrorism without infringing on any rights.

    Dave

  • Eric M Russell (11/18/2015)


    For an organization (like DropBox, Google, or Microsoft) who hosts personal data, I think they should respect privacy in a way similar to apartment building managers. First, the data is supposed to be encrypted, so there is no reason for DropBox to be aware that a specific user is hosting illegal digital data. They can't "peek through the key hole" to proactively look for illegal activity going on in their users' accounts without violating the explicit or presumptive expectation of privacy that they have with their customers.

    Only when authorities show up with a court issued search warrant for a specific customer account should they provide the key and let them in. I know that allowing police unrestricted (or just more liberal) access to peek inside email accounts (or apartments) would help prevent crime in some cases, but crime prevention is not the be all end all of society.

    There's a huge difference between finding out someone is personally committing a felony and being asked to do something that may or may not get the company in trouble. In the case of CP, for example, it wouldn't matter whether I found that information on someone's work computer, saw it in an email they sent, happened to see it on their phone, or found a DVD in their home; the response would be the same.

  • djackson 22568 (11/18/2015)


    Gary Varga (11/18/2015)


    With regards to "just following orders", I agree that everyone should have their own red line. John's example is one that probably is beyond the red line for most of us, if not all, but Steve's examples are ones that many might ignore or raise with the appropriate internal representative and forget.

    As IT professionals we are not here to police the content but as citizens we are obliged to tackle serious issues (such as CP as called out by John). I feel that the serious issues must be raised regardless of management whilst other matters can be dealt with by raising internally thereby passing on the responsibility.

    I was at a conference where an ethical discussion was moderated by a few people, including an FBI agent. A scenario they gave us was that in a multi-national, multi-industry conglomerate which included transportation, health care, communications, shipping, energy and other areas, the corporate VP of HR was found to have CP on his computer.

    Approximately 99% of the attendees thought it was fine to ignore it, delete the evidence indicating they had found it, or at best to report it to HR.

    ...


    I don't see why the context of it being the VP of a corporate department, the industry of the business, or even the fact that it's CP specifically should matter. Is it the digital aspect of the crime or that the person in question was important enough to make the crime somehow matter more?

    Instead, let's assume the context was that we witness a college intern, a guy who is a friend in fact, smoking illegal dope in the parking lot on his lunch break: should we report it to HR, report it directly to the police, give them a warning, or mind our own business?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Gary Varga (11/18/2015)


    With regards to "just following orders", I agree that everyone should have their own red line. John's example is one that probably is beyond the red line for most of us, if not all, but Steve's examples are ones that many might ignore or raise with the appropriate internal representative and forget.

    As IT professionals we are not here to police the content but as citizens we are obliged to tackle serious issues (such as CP as called out by John). I feel that the serious issues must be raised regardless of management whilst other matters can be dealt with by raising internally thereby passing on the responsibility.

    Perhaps a safety deposit box at a bank is a good analogy. They never open the box without the presence of the box holder except within the appropriate legal framework for the jurisdiction. And under neither of the circumstances do they themselves look at the contents.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Eric M Russell (11/18/2015)


    djackson 22568 (11/18/2015)


    Gary Varga (11/18/2015)


    With regards to "just following orders", I agree that everyone should have their own red line. John's example is one that probably is beyond the red line for most of us, if not all, but Steve's examples are ones that many might ignore or raise with the appropriate internal representative and forget.

    As IT professionals we are not here to police the content but as citizens we are obliged to tackle serious issues (such as CP as called out by John). I feel that the serious issues must be raised regardless of management whilst other matters can be dealt with by raising internally thereby passing on the responsibility.

    I was at a conference where an ethical discussion was moderated by a few people, including an FBI agent. A scenario they gave us was that in a multi-national, multi-industry conglomerate which included transportation, health care, communications, shipping, energy and other areas, the corporate VP of HR was found to have CP on his computer.

    Approximately 99% of the attendees thought it was fine to ignore it, delete the evidence indicating they had found it, or at best to report it to HR.

    ...


    I don't see why the context of it being the VP of a corporate department, the industry of the business, or even the fact that it's CP specifically should matter. Is it the digital aspect of the crime or that the person in question was important enough to make the crime somehow matter more?

    Instead, let's assume the context was that we witness a college intern, a guy who is a friend in fact, smoking illegal dope in the parking lot on his lunch break: should we report it to HR, report it directly to the police, give them a warning, or mind our own business?


    Not the same thing - ignoring someone who is smoking pot isn't a crime. Hell, joining in isn't a crime in a lot of states! 🙂

    Dave

  • Eric M Russell (11/18/2015)


    ...we witness a college intern, a guy who is a friend in fact, smoking illegal dope in the parking lot on his lunch break...

    I think that you are likely to find that this is a scenario that different people will place on differing sides of the red line. Also this scenario is being done in public. As such the danger is that we will debate the severity of this criminal activity which doesn't even relate to privacy.

    Sorry Eric but this is too far off topic in my opinion.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (11/18/2015)


    Eric M Russell (11/18/2015)


    ...we witness a college intern, a guy who is a friend in fact, smoking illegal dope in the parking lot on his lunch break...

    I think that you are likely to find that this is a scenario that different people will place on differing sides of the red line. Also this scenario is being done in public. As such the danger is that we will debate the severity of this criminal activity which doesn't even relate to privacy.

    Sorry Eric but this is too far off topic in my opinion.

    A 3rd party web or data host is in a position to peripherally witness suspicious activity, even if there is an agreement with the customer that their data or online activity should be private. It goes to the question of whether one is morally or legally required to actively report a crime when it is witnessed, or if they should passively cooperate with authorities only when questioned about a specific individual or known crime. If so, then what nature of crime (or individual) would be considered important enough to demand attention?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (11/18/2015)


    Gary Varga (11/18/2015)


    Eric M Russell (11/18/2015)


    ...we witness a college intern, a guy who is a friend in fact, smoking illegal dope in the parking lot on his lunch break...

    I think that you are likely to find that this is a scenario that different people will place on differing sides of the red line. Also this scenario is being done in public. As such the danger is that we will debate the severity of this criminal activity which doesn't even relate to privacy.

    Sorry Eric but this is too far off topic in my opinion.

    A 3rd party web or data host is in a position to peripherally witness suspicious activity, even if there is an agreement with the customer that their data or online activity should be private. It goes to the question of whether one is morally or legally required to actively report a crime when it is witnessed, or if they should passively cooperate with authorities only when questioned about a specific individual or known crime. If so, then what nature of crime (or individual) would be considered important enough to demand attention?

    This is exactly why I referred to the conceptual red line as it is different for everyone. I do not think anyone is really interested in discussing here "what nature of crime (or individual) would be considered important enough to demand attention" and in the context of the editorial it is irrelevant.

    As for your scenario, the 3rd party has just broken the terms of their contract so, therefore, are obliged to hand themselves over to you for chastisement.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (11/18/2015)


    Perhaps a safety deposit box at a bank is a good analogy. They never open the box without the presence of the box holder except within the appropriate legal framework for the jurisdiction. And under neither of the circumstances do they themselves look at the contents.

    The safe deposit box is what I was thinking of. We shouldn't be liable for things we aren't aware of. Nor should we be asked to look.

  • When I back up files from my personal PC to the cloud, they are encrypted zip archives, so regardless of whether the account were accessed by a legal search warrant, passively snooped, or hacked, there is still another layer of encryption that must be brute force cracked with no back door shortcut. Some cloud backup providers actually try to prevent this, but you can work around it by splitting the archive to smaller files (i.e., 500 MB each) and changing the file extension.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I totally agree about the liability part. I often wonder if my company would use me as a scapegoat if they were ever challenged in court.
