[techtalk] Sick of surf and porn addicts

Neale Green techno at neale.org
Sun May 27 01:42:10 EST 2001


> > Actually, James, the squid cache is very different from the content of
> > any sessions, it's merely a list of the sites visited.
>
> The squid CACHE is a great deal more than that; it actually contains a
> copy of most of what was downloaded. Presumably you're talking about the log
> files, which list every single URL (not just the site), and the size and
> nature of every object retrieved. Depending on the configuration, they could
> also log usernames and passwords for remote sites such as Hotmail.

OK, should have said what I meant properly, that the EXTRACT can be a list
of the sites.

>
> > Many ISPs harvest the top count cache hits and list them as points which
> > may be of interest to others.
>
> Yes, they'll list the popularity of sites - they will NOT provide a list
> of which URLs a specific customer accessed! (Except obviously with a court
> order or similar reason, and then only to the appropriate authority.)

Actually, I've seen lists of popular URLs listed by ISPs, generated from the
Squid Cache. Destinations aren't held to be private information here.

>
> > At work, we have had to provide squid caches for court cases in regard to
> > porn,
>
> There's rather a big difference between supplying subpoenaed evidence in a
> court case and giving arbitrary individuals access to private information.
> The former is legal, the latter (in Europe at least) is not.
>
> > as these are the only items that you can generally harvest WITHOUT
> > performing unlawful privacy breaches.
>
> Here, the Data Protection Act imposes strict limitations on what you may
> do with personal information like that. You cannot, for example, transfer it
> to external agencies without the person's prior written authorisation - and
> that includes sending data to an overseas division of the same company.

It all depends on the "personal information" concerned, content, personal
details etc are all deemed personal information, URLs visited are not, this
is what I, at least, was referring to.

>
> > The industries that our customers are in ensure that we do not skirt the
> > edges of lawfulness, we cleave wholly to the letter of the law, even if it
> > were our inclination to do otherwise.
>
> I don't know where you live, but here the letter and spirit of the law
> protect the privacy of individuals.

I'm in Australia, the privacy laws do protect the privacy of individuals,
but locations visited is not deemed to be personal information, laws require
us to formally advise people that the locations visited may be monitored,
and thereafter legal action is allowed against them, if they are found to be
utilising resources to access inappropriate, or illegal, sites.

Hence, I am liable for legal action if it can be shown, from logs of my net
accesses, that I have accessed inappropriate or illegal sites, there was a
case last year where a number of personnel were legally dismissed from one
company as a result of this.

>
> A few quotes from our code of practice:

Are you talking about UK law, or "code of practice"? These are two very
different things.

>
>     * analysing web logs to see who is accessing the site is not permitted
>       unless the web site gives notice of this (i.e. the data is 'fairly
>       obtained')
>     * logs may be used to gather statistics
>
> Even the administrator of a WWW site is not permitted access to the access
> logs. Only the server administrator has such access, and is not permitted
> to disclose that information to others.
>
> Basically, personal information may not be disclosed to ANYONE without a
> court order. Most of this is a legal requirement, rather than departmental
> policy.

As noted above, the definition of "personal information" is where the
boundaries may, or may not, differ. What I look at in a given location would
be personal, by my reading of the laws, the fact that I've visited the
location, however, would not, as it would not require access to any private
content on my part.

>
> > As for leaving a company that imposes restrictions such as this, within
> > a very short time, this will seriously restrict your choice of companies, as
>
> In the UK (and presumably the rest of the EU, since this is EU-derived
> legislation), "any company which doesn't break the law" would fit the
> bill. Which country are you in, and what privacy legislation do you have?
> Presumably a great deal weaker than ours?

As noted above, Australia, I question the definition of privacy legislation
being "weaker", though, the privacy laws protect the private details of
individuals, including, but not restricted to, content of private Emails,
documents etc. If you are quoting exact extracts of the law in the UK, they
appear to be written without consideration of the boundaries and nature of
ownership of personal information.

>
> > businesses are being forced to go this way, to reduce their own
> > liability in harassment cases etc. If a business cannot show that employees
> > were formally advised that such material is inappropriate and forbidden, and
> > that they have taken some measures to prevent the use of their facilities to
> > obtain same, they may be ( and some companies have been ) held liable in
> > cases where offensive material is transmitted or displayed so as to be held
> > as harassment by individuals.
>
> What I do in private cannot reasonably be held as harassment by anyone: by
> definition, they aren't involved. If anyone is offended by the contents of
> my PC, the only person liable for anything is that person: they are
> criminally liable for unauthorised access to my data.

I'd check the legal obligations on this point. IF you transmit or display
images or information that are deemed by others to be threatening, or
harassment of some sort, ownership of, and responsibility for, the resources
by which you obtained, transmitted and/or displayed said images or
information is an issue, which in other countries applies liability upon the
owners of these resources ( the company ). If you are correct on the level
of the privacy laws, I would be very surprised if the company was not held
liable ( to a degree at least ) for the supply of resources involved in
harassment. Also, the threshold between private data, and ownership of
resources is at question, as the owner of the resources (your work PC), the
company has legal rights to audit the content of their resources, once again
in line with being liable for said content.

>
> > It's an unfortunate fact of life that some people need external controls
> > to ensure proper behaviour, and displaying a record of accesses is one such
> > form of control. Anyway, as noted above, in my view people should be getting
> > access to such things from home, not from work.
>
> Agreed - it's a misuse of company resources, after all - but enforcing
> draconian rules is a case of the "cure" being worse than the root problem.
> If infringing your staff's rights is the answer, you're asking the wrong
> question!
>

We'll have to agree to disagree on that point, given that I was referring to
the display of locations visited, and nothing more, under the laws of
Australia ( and many other countries ), this does not infringe on anyone's
rights, or privacy. Nor do I believe that there is an ethical issue in doing
so, to that degree. Email issues are totally different, in that it is
neither legal, nor ethical, to examine an individual's Email traffic, and
many companies have been taken to court over this.

Anyway, I think this is getting too far from the "technical" aspect of this
list, if you wish to discuss further, I suggest we take it off-list.

Neale
>
> James.




