Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / LEGAL / EFF309.TXT < prev next >

Wrap

Text File | 1994-07-17 | 22KB | 459 lines

########## ########## ########## | COMPUTER SPIES ########## ########## ########## | by Mitchell Kapor #### #### #### | ######## ######## ######## |BUILDING BLOCKS AS STUMBLING BLOCKS ######## ######## ######## | A Commentary on the 15th NCSC #### #### #### | by Rebecca Mercuri ########## #### #### | ########## #### #### | THIS OLD DOS ===================================================================== EFFector Online November 9, 1992 Issue 3.09 A Publication of the Electronic Frontier Foundation ISSN 1062-9424 ===================================================================== Computer Spies by Mitchell Kapor Can a company lawfully eavesdrop on its employees' telephone calls? Not if they have an expectation of privacy. But, at least in most states, the employer can monitor conversations if it tells the workers that that is what it is going to do. That old legal issue surfaces in a new technological context in Silicon Valley, with disturbing consequences for your ability to defend key information assets. Take a look at how Borland International, a company that should know better after almost a decade on the leading edge of technology, may have hurt itself in a case involving an apparent theft of trade secrets. The allegations in the tangled legal affair are by now well known. On Sept. 1 Eugene Wang, a vice president of Borland's computer languages division, abruptly jumped ship to join competitor Symantec Corp. A pattern of suspicious behavior in Wang's final days suggested that perhaps he had traded Borland secrets along with his job. Borland had no proof, but it knew where to look. Borland executives opened Wang's MCI Mail account, where they found, they said, a number of messages that they believe prove Wang delivered Borland product plans, memos and other sensitive documents to Symantec. The evidence thus uncovered led to police searches of Wang's and Symantec Chief Executive Gordon Eubanks' homes and Symantec offices, to a pending criminal investigation of Wang and Eubanks and to a civil suit by Borland against Symantec. What has been scarcely addressed in newspaper coverage of these events is what this case means to the rapidly growing business of electronic mail. Let's back up and consider the law that protects electronic mail users, the federal Electronic Communications Privacy Act of 1986. The privacy act protects messages while in transmission on a public mail service such as MCI, as well as after messages are received and stored on that service. Borland and its attorneys, in a hurry to prove their suspicions about Wang, justified their intrusion into the mailbox as a property right: Borland was paying the bills for Wang's MCI account. "E-mail is like an in-box on someone's desk,' says Borland spokesman Steven Grady in defense of the search. "When they leave, it reverts to the corporation." Case closed? Not quite. Borland's metaphors fall apart when tested against the realities of electronic mail. Unlike in-boxes on an abandoned desk, E-mail requires a password, and it can be administered by a wholly separate communications company, like MCI. As it stands, in a criminal case Wang could challenge the legality of all the evidence collected on the basis of the messages found in his MCI account. He may also have grounds for a countersuit under the electronic privacy act and California law, which goes further in protecting individual privacy. It's easy to understand the anger Borland executives felt in discovering an apparent information hemorrhage. But the methods employed by Borland, which likes to flaunt its "barbarian" ways, may have been a little too barbarian by the standards of the federal statute. The one thing for sure is that all parties will be involved in a lengthy and expensive court battle to sort this out. The final result may be a draw between Borland and Symantec, and a new definition of privacy for the rest of corporate America. Borland could have strengthened its case against Wang if it had followed the recommendation of the Electronic Mail Association to announce its policies on electronic mail. As it was, a source says the Santa Cruz County District Attorney staff took potential violations of the electronic privacy act so seriously that they used a top computer-crime prosecutor from the San Francisco area to help write the search warrants. Despite Borland's hard-learned lessons, it continues to refuse to implement a formal E-mail privacy policy that declares just when electronic messages sent from company equipment are company property. Perhaps Borland is afraid that announcing such a policy would simply remind miscreants to erase incriminating E-mail files before they are found. If so, that's naive and shortsighted. Some companies may be reluctant to announce in advance that they are constantly snooping. So be it, but then they should refrain from scanning MCI in-boxes. Whatever they do, they have to confront the reality of the enormous power of digital media. In an age when a company's most valuable property may be intangible the source code for a software package, for example an E-mail account may amount to an unlocked door on a warehouse. The electronic privacy act's procedures may need streamlining, and the Borland case may be the ratchet that makes the adjustments. By the time Borland could have obtained court authorization to examine Wang's electronic mail, some of the messages might have been deleted by MCI's automated five-day cleanup function. New legislation requires fine- tuning in the light of the complexities of real world situations in order to be effective for the purposes for which it was originally designed. But the lesson here is that corporations must begin to adjust their own policies to fit the technologies they use. from Forbes Magazine November 9 1992 Mitch Ratcliffe, editor-at-large for MacWEEK, provided research assistance for this column. -==--==--==-<>-==--==--==- BUILDING BLOCKS TO SYSTEM SECURITY By Rebecca Mercuri (mercuri@gradient.cis.upenn.edu) A Report from the 15th National Computer Security Conference October 13 -16, Baltimore, Maryland. I attended the 15th National Computer Security Conference with the hope of coming away with some solutions for the security problems I had encountered over the past few years. I left with a longer list of problems, and the vague feeling that our industry has become remiss in providing us with answers that we can use, or has answers and is either incapable or unwilling to yield them publicly. Let me state clearly here that this comment does not reflect negatively on the conference organizers. They performed their task well, creating a superbly orchestrated event that covered a broad spectrum of topics. Indeed, "rookies" were liberally mixed on panels with esteemed "greybeards" and many women (sans beards) were in evidence as session chairs and presenters (although I was somewhat dismayed to note that females appeared to constitute less than 10% of the attendees, lower than in the computing community in general). The breadth and extent of the conference does not allow one reporter to describe it fully, so I offer these remarks merely as comment and commentary, perhaps to stimulate discussion. The conference had an international flavor. The keynote was by Roland Hueber (Directorate General of the Commission of the European Communities) and the closing plenary on International Harmonization serving as bookends. There were repeated calls for cooperation in developing global security standards, with the primary advantages of such