[techtalk] Sick of surf and porn addicts

James Sutherland jas88 at cam.ac.uk
Sat May 26 15:34:04 EST 2001 

On Sat, 26 May 2001, Neale Green wrote:
> From: "James Sutherland" <jas88 at cam.ac.uk>
> > On Sat, 26 May 2001, Penguina wrote:
> >
> > > Why not write a script to put each users' web access cache list
> > > (from the squid cache) up on an intranet web site--viewable by
> > > their line supervisor--you know, the one who approved the account
> > > in the first place.
> >
> > Liese said in her e-mail she couldn't do that: it would be an unlawful
> > violation of the employees' privacy. I wouldn't expect my employer to post
> > transcripts of my 'phone calls on the intranet - so why should the content
> > of my TCP sessions be any different?
>
> Actually, James, the squid cache is very different from the content of any
> sessions, it's merely a list of the sites visited.

The squid CACHE is a great deal more than that; it actually contains a
copy of most of what was downloaded. Presumably you're talking about the
log files, which list every single URL (not just the site), and the size
and nature of every object retrieved. Depending on the configuration, they
could also log usernames and passwords for remote sites such as Hotmail.

> Many ISPs harvest the top count cache hits and list them as points
> which may be of interest to others.

Yes, they'll list the popularity of sites - they will NOT provide a list
of which URLs a specific customer accessed! (Except obviously with a court
order or similar reason, and then only to the appropriate authority.)

Phone calls from an office are obviously logged for billing purposes, but
would you want your call logs published or supplied to anyone other than
a relevant legal authority? I wouldn't - that's an invasion of privacy. I
don't have anything to hide, but I don't support the canard that "if you
have nothing to hide, why do you care about privacy"!

> At work, we have had to provide squid caches for court cases in regard to
> porn,

There's rather a big difference between supplying subpoenaed evidence in a
court case and giving arbitrary individuals access to private information.
The former is legal, the latter (in Europe at least) is not.

> as these are the only items that you can generally harvest WITHOUT
> perfoming unlawful privacy breaches.

Here, the Data Protection Act imposes strict limitations on what you may
do with personal information like that. You cannot, for example, transfer
it to external agencies without the person's prior written authorisation -
and that includes sending data to an overseas division of the same
company.

> The industries that our customers are in ensure that we do not skirt
> the edges of lawfullness, we cleave wholly to the letter of the law,
> even if it were our inclination to do otherwise.

I don't know where you live, but here the letter and spirit of the law
protect the privacy of individuals.

A few quotes from our code of practice:

    * analysing web logs to see who is accessing the site is not permitted
unless the web site gives notice of this (i.e. the data is 'fairly
obtained')
    * logs may be used to gather statistics

Even the administrator of a WWW site is not permitted access to the access
logs. Only the server administrator has such access, and is not permitted
to disclose that information to others.

Basically, personal information may not be disclosed to ANYONE without a
court order. Most of this is a legal requirement, rather than departmental
policy.

> As for leaving a company that imposes restrictions such as this, within a
> very short time, this will seriously restrict your choice of campanies, as

In the UK (and presumably the rest of the EU, since this is EU-derived
legislation), "any company which doesn't break the law" would fit the
bill. Which country are you in, and what privacy legislation do you have?
Presumably a great deal weaker than ours?

> businesses are being forced to go this way, to reduce their own liability in
> harassment cases etc. If a business cannot show that employees were formally
> advised that such material is inapproprite and forbidden, and that they have
> taken some measures to prevent the use of their facilities to obtain same,
> they may be ( and some companies have been ) held liable in cases where
> offensive material is transmitted or displayed so as to be held as
> harassment by individuals.

What I do in private cannot reasonably be held as harassment by anyone: by
definition, they aren't involved. If anyone is offended by the contents of
my PC, the only person liable for anything is that person: they are
criminally liable for unauthorised access to my data.

> It's an unfortunate fact of life that some people need external
> controls to ensure proper behaviour, and displaying a record of
> accesses is one such form of control. Anyway, as noted above, in my
> view people should be getting access to such things from home, not
> from work.

Agreed - it's a misuse of company resources, after all - but enforcing
draconian rules is a case of the "cure" being worse than the root problem.
If infringing your staff's rights is the answer, you're asking the wrong
question!


James.

More information about the Techtalk mailing list