Finding a Needle When You Can’t Look in the Haystack
Long before I was a security geek, I was a systems administrator. Oh sure, security goes with the territory when you’re a systems administrator, but it’s only one aspect of the job.
Needless to say, I've maintained email servers as part of my duties, where I've had plenty of access to look at people's private emails. I also ran a computer bulletin board in the late 1980s, where I had the same privilege. In college, I wrote a term paper on the Electronic Communications Privacy Act of 1986, which protects people's personal email but does little to protect corporate email. Provisions in the law allow businesses to monitor their networks for business purposes, which means they can see everything going on, including potentially non-business-related communications.
Generally speaking, all an employer in the U.S. has to do is disclose that use of the corporate network is subject to monitoring. That is not the case in many European countries, where strict data privacy laws forbid the practice. That would make it difficult for, let's say, Nokia to find out whether a Finland-based employee was leaking secrets about upcoming handsets. It is so difficult, in fact, that there was a reported rumor that Nokia was threatening to leave Finland if it couldn't get a law passed that would allow employee email monitoring.
Nokia spokespeople are officially denying this rumor, but that doesn't change the fact that such a law would be extremely beneficial to Nokia. Many companies, Nokia among them, have the same problem: how do you find evidence of corporate wrongdoing when you are not allowed to look in the one place where that evidence would most easily be found? In Europe, obviously, strict laws regulate who can see or do what with "private" electronic communications like email.
Even where monitoring workplace communications is legal, suppose the communication is encrypted. How would you determine that something inappropriate is going on? One school of thought is that the very use of encryption implies you have something to hide, something the company might not like.
Even when the content of a communication is encrypted, some things about it usually aren't: who it's coming from, where it's going to, how much data is being sent or how long the message is, and when it happens. PGP or S/MIME protect the body of an email, but the envelope (sender, recipient, size and timestamp) is still written in the clear to the mail server's logs. One can certainly make inferences from that information, but one cannot conclusively prove that wrongdoing is taking place. However, you might learn enough from that information alone to suspect something and to know where to look next.
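To make the point concrete, here is an added example (not code from the original post) of what a systems administrator can learn from envelope data alone. It reads constructed mail log lines in a made-up format (timestamp, sender, recipient, size in bytes; all addresses, the `INTERNAL_DOMAIN` value and the records themselves are invented for the example), totals outbound traffic per sender and external domain without ever touching a message body, and flags pairs whose volume is far above what everyone else sends. The ten-times-median threshold is an assumption of the example, not a standard.

```python
"""
Metadata-only review of outbound mail.

Even when every message body is encrypted (S/MIME, PGP, an encrypted
archive), the mail server still records who sent it, who received it,
how large it was and when. This example works from those fields alone,
never touching a body: it totals outbound traffic per (sender, external
domain) pair and flags pairs whose volume stands far outside what the
rest of the company sends. A flag is a lead for a human to follow up,
not proof of a leak.

The log format and every record below are constructed for this example;
they are not a real mail server's log format or real company data.
"""
from collections import defaultdict
from statistics import median

INTERNAL_DOMAIN = "example.com"   # assumed: the company's own mail domain

# Constructed log lines, one per delivery: "<timestamp> <sender> <recipient> <bytes>"
SAMPLE_LOG = """\
2008-01-14T09:02:11 anna@example.com supplier@parts.example.net 18230
2008-01-14T09:15:40 anna@example.com bob@example.com 2100
2008-01-14T10:01:05 eero@example.com press@handsetrumors.example.org 4821033
2008-01-14T10:03:12 eero@example.com press@handsetrumors.example.org 5102441
2008-01-14T10:04:50 eero@example.com press@handsetrumors.example.org 4999120
2008-01-14T11:20:00 mika@example.com anna@example.com 940
2008-01-14T11:45:19 mika@example.com friend@freemail.example.net 650221
2008-01-14T12:00:01 anna@example.com supplier@parts.example.net 22090
2008-01-14T13:30:45 sari@example.com team@example.com 77000
2008-01-14T14:10:09 sari@example.com client@customer.example.net 310500
"""


def parse_log(text):
    """Turn the constructed log text into a list of (ts, sender, recipient, size) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sender, recipient, size = line.split()
        records.append((ts, sender.lower(), recipient.lower(), int(size)))
    return records


def domain_of(address):
    """Return the domain part of an address, e.g. 'anna@example.com' -> 'example.com'."""
    return address.rsplit("@", 1)[-1]


def summarize_external(records, internal_domain=INTERNAL_DOMAIN):
    """Aggregate outbound mail that leaves the company.

    Returns {(sender, recipient_domain): {"messages": n, "bytes": total}}
    covering only recipients outside internal_domain. Nothing here needs
    the message body; sender, recipient and size are all envelope data.
    """
    totals = defaultdict(lambda: {"messages": 0, "bytes": 0})
    for _ts, sender, recipient, size in records:
        if domain_of(sender) != internal_domain:
            continue                      # inbound or relayed mail: not our concern here
        rdomain = domain_of(recipient)
        if rdomain == internal_domain:
            continue                      # internal-to-internal traffic stays out of the totals
        entry = totals[(sender, rdomain)]
        entry["messages"] += 1
        entry["bytes"] += size
    return dict(totals)


def flag_outliers(summary, factor=10.0):
    """Return (sender, domain, bytes) for pairs sending more than `factor` times the median.

    The median is taken over all (sender, external domain) totals, so one
    huge sender does not drag the baseline up the way a mean would. With
    only a handful of pairs any statistic is rough; treat the result as a
    list of things to ask about, not as a finding.
    """
    if not summary:
        return []
    baseline = median(entry["bytes"] for entry in summary.values())
    flagged = [
        (sender, rdomain, entry["bytes"])
        for (sender, rdomain), entry in summary.items()
        if entry["bytes"] > factor * baseline
    ]
    return sorted(flagged, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    summary = summarize_external(parse_log(SAMPLE_LOG))
    for (sender, rdomain), entry in sorted(summary.items()):
        print(f"{sender:20} -> {rdomain:28} {entry['messages']:3d} msgs {entry['bytes']:>12,d} bytes")
    for sender, rdomain, total in flag_outliers(summary):
        print(f"FLAG: {sender} sent {total:,d} bytes to {rdomain}")
```

On the constructed data, one sender stands out for pushing roughly fifteen megabytes to a single outside domain in three minutes while everyone else's external totals are far smaller. That is exactly the kind of suspicion the paragraph above describes: a reason to ask questions, obtained without reading anyone's mail, but not evidence that anything was leaked.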
Of course, if you're going to leak any company secrets, it's probably best not to do it using the corporate network.
Tags: Electronic Communications Privacy Act, Encryption, nokia, Privacy law, security Fnord
Comment by Dave Michels
I got into a weird situation years ago. I was managing the IT function when one of the engineers approached me about another engineer he suspected was reading private mail through his admin rights. Mostly his command chain, which included me. The engineer reporting the deed did not want to go on the record and asked us to leave him out of it.
It was a very odd situation. Of course we had to urgently determine what to do, but could not use email to discuss it. We had my boss and HR involved and were trying to figure out our rights and his rights – remember it was only an accusation at this point.
I honestly don't remember all the steps, but it did result in me firing him. I think it was my only termination where we had the (former) employee actually escorted out of the building. We also had to go through a complete system password change-out; he not only had admin rights, but knew way too many passwords (early Microsoft).
So while your post talks about the laws governing corporate snooping, there is an even murkier area around completely unauthorized snooping based on admin rights: when is an admin snooping and when is an admin doing their job? In most systems now, admins can't get to all the data without changing the password, but that isn't always the case.