Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version Tektronix Network News Daemon (B 2.10.2 based); site daemon.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!decvax!tektronix!daemon!richl
From: richl@daemon.UUCP (Rick Lindsley)
Newsgroups: net.legal
Subject: Re: computer security, privacy, and ethics
Message-ID: <872@daemon.UUCP>
Date: Wed, 12-Jun-85 14:08:30 EDT
Article-I.D.: daemon.872
Posted: Wed Jun 12 14:08:30 1985
Date-Received: Fri, 14-Jun-85 00:38:42 EDT
References: <250@phri.UUCP>
Reply-To: richl@daemon.UUCP (Rick Lindsley)
Distribution: net
Organization: Tektronix, Beaverton OR
Lines: 112
Summary:

In article <250@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>
>	Recently, the issue has come up where I work of privacy with
>respect to computer files.  I am not talking about the technical aspects of
>protecting your files, but the ethical aspects of what rights you have to
>keep your files private.
>
>	Consider the following situation: you have an account on your
>employer's computer system.  Some of the files you keep on the system are
>business related, some are personal.  How much right does your employer
>have to have access to your files?  What about your co-workers?  Your
>immediate supervisor?  Under what conditions may they exercise those
>rights?  How far do those rights extend?  What right do you have to be
>informed of searches of your files by your employer?  What right do you
>have to supervise those searches?

This same issue arose a few months ago in our group. At the time, there was
no policy, written or unwritten, regarding a situation like this. The
incident which raised these questions was not handled in a way many thought
appropriate. So we complained rather loud and hard and now have, I believe,
at least an *unwritten* policy, which addresses most of the questions above.

OFFICIAL DISCLAIMER

Please note that I am not a lawyer, nor does this represent a general policy
at Tektronix but rather one policy of one chain of management. It seems
quite reasonable and it would be nice to see it generally in use, but it is
*not*, so please, fellow Tekkies, do not confront your manager saying "This is
the way it is", but rather "Could you do things this way?"

How much right does your employer have to have access to your files? What
about your co-workers? Your immediate supervisor? Under what conditions may
they exercise those rights?

The sad truth is every legal right. They are stored on your employer's media
and are covered under a normal employer/employee relationship. An analogy:
if I were to use my employer's tape recorder and my employer's tape to
record my grocery list and then left the company before I used my grocery
list, I have little legal recourse to recover my grocery list. Now of
course, the employer has little use for it, and will likely give it back to
me in some form, because it is a harmless, good-faith gesture.

And that is the compromise we arrived at: an employee recognizes that the
employer has every right to look at files, but the employer also realizes
that to do so indiscriminately makes the employee very unhappy. Unhappy
people say bad things about a company. So for one person to look at
another's files (unless those files are already publicly readable) requires
approval of someone in the management chain of the person in question. It is
expected that this sort of "need" will arise seldom. In addition, at the
employee's request, the files may be censored (see below). Any person may
make this request (after all it is "company" property and we all work for
"the company") but it is expected that most of the cases will come either
upon leaving the company or from some upper-level person, not from a
colleague sitting in the room across the hall.

How far do these rights extend?

Until they become written policy, they extend as far as the interpretation
of your manager. If you have a manager who will go to bat for you, perhaps
you can defend yourself against even upper-level people wanting to casually
poke around. But the time when most of this comes to a head is when a person
leaves. ("But that's *MY* mail, take the source but I don't want you to see
that I've been dating your sister!") And most of the time this involves your
immediate manager wanting to do the poking. So...

What right do you have to be informed of searches of your files by your
employer? What right do you have to supervise those searches?

This is the compromise arrived at here. (Again, this is not general policy
-- yet!) The person "owning" the files and a member of the Human Relations
(Personnel) staff would sit down with the "owner" and together they would
start going through the files. The employee could point at a file or
directory and say "that's personal". The staff member would then check it
out and say yes it is or no it isn't. Keep in mind that these people hear
secrets on a daily basis anyway ("I'd like to transfer because I can't stand
the people I work with") and so are good candidates for a neutral third
party. The employer's fear is that the employee, perhaps feeling vindictive,
will delete all or part of his current project, and the employee is of
course fearful for all his friends who sent him mail to support his theory
that managers smell like pig manure. This seems to quiet both parties'
fears. Of course the employee may simply waive all this and say, go ahead,
nothing there that bothers me.

If I am storing drugs (or property stolen from fellow employees) in my desk,
it seems reasonable that he should be able to search my desk after some sort
of due process.

Actually under the reasoning above the "due process" would likely be
entirely up to the management rather than the courts. The desk or locker or
file cabinet is actually theirs.
But it would be interesting to see a case on this.

A similar policy is being applied to those with superuser privileges. You
may be able to read another's files but to do so requires that you have that
person's permission. It is admittedly difficult to tell when another's
privacy has been breached but if a superuser is caught, the company will
consider that serious misconduct and your job is on the line. The sole
exception to this rule is the postmaster or uucp administrator who, in the
course of their job, may find it necessary to inspect files being
transferred. It is expected that regardless of the content of these files
that they are held in strictest confidence and that this exception applies
only to files "in transit" and not those which have been sitting in a user's
directory for 3 weeks!

Hope this helps (it will almost certainly provoke discussion).

Rick Lindsley
Small Systems Support Group and, incidentally, Postmaster@tektronix
...{decvax,ihnp4,allegra, and a host of others}!tektronix!daemon!richl