########## ########## ########## | COMPUTER SPIES
########## ########## ########## | by Mitchell Kapor
####       ####       ####       |
########   ########   ########   | BUILDING BLOCKS AS STUMBLING BLOCKS
########   ########   ########   | A Commentary on the 15th NCSC
####       ####       ####       | by Rebecca Mercuri
########## ####       ####       |
########## ####       ####       | THIS OLD DOS
=====================================================================
EFFector Online November 9, 1992 Issue 3.09
A Publication of the Electronic Frontier Foundation
ISSN 1062-9424
=====================================================================
Computer Spies
by Mitchell Kapor
Can a company lawfully eavesdrop on its employees' telephone calls? Not
if they have an expectation of privacy. But, at least in most states,
the employer can monitor conversations if it tells the workers that that
is what it is going to do.
That old legal issue surfaces in a new technological context in Silicon
Valley, with disturbing consequences for your ability to defend key
information assets. Take a look at how Borland International, a company
that should know better after almost a decade on the leading edge of
technology, may have hurt itself in a case involving an apparent theft of
trade secrets.
The allegations in the tangled legal affair are by now well known. On
Sept. 1 Eugene Wang, a vice president of Borland's computer languages
division, abruptly jumped ship to join competitor Symantec Corp. A
pattern of suspicious behavior in Wang's final days suggested that
perhaps he had traded Borland secrets along with his job. Borland had no
proof, but it knew where to look. Borland executives opened Wang's MCI
Mail account, where they found, they said, a number of messages that
they believe prove Wang delivered Borland product plans, memos and other
sensitive documents to Symantec. The evidence thus uncovered led to
police searches of Wang's and Symantec Chief Executive Gordon Eubanks'
homes and Symantec offices, to a pending criminal investigation of Wang
and Eubanks and to a civil suit by Borland against Symantec.
What has been scarcely addressed in newspaper coverage of these events
is what this case means to the rapidly growing business of electronic
mail.
Let's back up and consider the law that protects electronic mail users,
the federal Electronic Communications Privacy Act of 1986. The privacy
act protects messages while in transmission on a public mail service
such as MCI, as well as after messages are received and stored on that
service.
Borland and its attorneys, in a hurry to prove their suspicions about
Wang, justified their intrusion into the mailbox as a property right:
Borland was paying the bills for Wang's MCI account. "E-mail is like an
in-box on someone's desk," says Borland spokesman Steven Grady in
defense of the search. "When they leave, it reverts to the corporation."
Case closed? Not quite. Borland's metaphors fall apart when tested
against the realities of electronic mail. Unlike in-boxes on an
abandoned desk, E-mail requires a password, and it can be administered
by a wholly separate communications company, like MCI. As it stands, in
a criminal case Wang could challenge the legality of all the evidence
collected on the basis of the messages found in his MCI account. He may
also have grounds for a countersuit under the electronic privacy act and
California law, which goes further in protecting individual privacy.
It's easy to understand the anger Borland executives felt in discovering
an apparent information hemorrhage. But the methods employed by Borland,
which likes to flaunt its "barbarian" ways, may have been a little too
barbarian by the standards of the federal statute. The one thing for
sure is that all parties will be involved in a lengthy and expensive
court battle to sort this out. The final result may be a draw between
Borland and Symantec, and a new definition of privacy for the rest of
corporate America.
Borland could have strengthened its case against Wang if it had followed
the recommendation of the Electronic Mail Association to announce its
policies on electronic mail. As it was, a source says the Santa Cruz
County District Attorney staff took potential violations of the
electronic privacy act so seriously that they used a top computer-crime
prosecutor from the San Francisco area to help write the search
warrants.
Despite Borland's hard-learned lessons, it continues to refuse to
implement a formal E-mail privacy policy that declares just when
electronic messages sent from company equipment are company property.
Perhaps Borland is afraid that announcing such a policy would simply
remind miscreants to erase incriminating E-mail files before they are
found. If so, that's naive and shortsighted.
Some companies may be reluctant to announce in advance that they are
constantly snooping. So be it, but then they should refrain from
scanning MCI in-boxes. Whatever they do, they have to confront the
reality of the enormous power of digital media. In an age when a
company's most valuable property may be intangible (the source code for
a software package, for example), an E-mail account may amount to an
unlocked door on a warehouse.
The electronic privacy act's procedures may need streamlining, and the
Borland case may be the ratchet that makes the adjustments. By the time
Borland could have obtained court authorization to examine Wang's
electronic mail, some of the messages might have been deleted by MCI's
automated five-day cleanup function. New legislation requires fine-
tuning in the light of the complexities of real world situations in
order to be effective for the purposes for which it was originally
designed. But the lesson here is that corporations must begin to adjust
their own policies to fit the technologies they use.
from Forbes Magazine November 9 1992
Mitch Ratcliffe, editor-at-large for MacWEEK, provided research assistance
for this column.
-==--==--==-<>-==--==--==-
BUILDING BLOCKS TO SYSTEM SECURITY
By Rebecca Mercuri
(mercuri@gradient.cis.upenn.edu)
A Report from the 15th National Computer Security Conference
October 13-16, Baltimore, Maryland.
I attended the 15th National Computer Security Conference with the hope
of coming away with some solutions for the security problems I had
encountered over the past few years. I left with a longer list of
problems, and the vague feeling that our industry has become remiss in
providing us with answers that we can use, or has answers and is either
incapable or unwilling to yield them publicly.
Let me state clearly here that this comment does not reflect negatively
on the conference organizers. They performed their task well, creating a
superbly orchestrated event that covered a broad spectrum of
topics. Indeed, "rookies" were liberally mixed on panels with esteemed
"greybeards" and many women (sans beards) were in evidence as session
chairs and presenters (although I was somewhat dismayed to note that
females appeared to constitute less than 10% of the attendees, lower
than in the computing community in general). The breadth and extent of
the conference does not allow one reporter to describe it fully, so I
offer these remarks merely as comment and commentary, perhaps to
stimulate discussion.
The conference had an international flavor, with the keynote by Roland
Hueber (Directorate General of the Commission of the European
Communities) and the closing plenary on International Harmonization
serving as bookends. There were repeated calls for cooperation in
developing global security standards, with the primary advantages of
such