Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site phri.UUCP
Path: utzoo!watmath!clyde!bonnie!akgua!whuxlm!whuxl!houxm!vax135!timeinc!phri!roy
From: roy@phri.UUCP (Roy Smith)
Newsgroups: net.legal
Subject: computer security, privacy, and ethics
Message-ID: <250@phri.UUCP>
Date: Fri, 7-Jun-85 22:44:11 EDT
Article-I.D.: phri.250
Posted: Fri Jun 7 22:44:11 1985
Date-Received: Mon, 10-Jun-85 20:56:08 EDT
Distribution: net
Organization: Public Health Research Inst. (NY, NY)
Lines: 47

Recently, the issue has come up where I work of privacy with respect to computer files. I am not talking about the technical aspects of protecting your files, but the ethical aspects of what rights you have to keep your files private.

Consider the following situation: you have an account on your employer's computer system. Some of the files you keep on the system are business related, some are personal. How much right does your employer have to have access to your files? What about your co-workers? Your immediate supervisor? Under what conditions may they exercise those rights? How far do those rights extend? What right do you have to be informed of searches of your files by your employer? What right do you have to supervise those searches?

To a certain extent, information stored in a computer system parallels physical items stored in a room. If I bring a handbag to work and store it in my desk, does my employer have a right to search my handbag? Probably not. On the other hand, if my employer suspects that I am storing drugs (or property stolen from fellow employees) in my desk, it seems reasonable that he should be able to search my desk after some sort of due process.

Two major differences exist, as I see it. One is that information stored in a file can be stolen without removing it from its original place of storage. This means that 'stolen' files may go undetected for a long time. Also, the 'stolen' material may be encrypted to deter its being found. If the information is confidential, personal, or sensitive, harm may be done by simply having someone read the file without making a copy.

The second difference is that the people (if any) who should have access to other people's files (some level of management, presumably) need to go through an intermediary to gain such access (i.e. the system operator who knows the super-user password). How does the intermediary decide if a valid request has been placed with which he should comply? How does the employer gain access to files through the intermediary without having the intermediary also see the files?

Can anybody give me pointers to prototypical ethics documents (perhaps the ACM has done something like this?) which might guide us in preparing our own? Any thoughts on what should go into such a document? What we are trying to do is protect the rights of the users to privacy, while at the same time protecting the rights of the employer to have control over what goes on in the workplace.
--
allegra!phri!roy (Roy Smith)
System Administrator, Public Health Research Institute