Newsgroups: news.sysadmin
Path: utzoo!henry
From: henry@utzoo.uucp (Henry Spencer)
Subject: Re: Privacy of computer files...
Message-ID: <1988Nov11.180920.21736@utzoo.uucp>
Organization: U of Toronto Zoology
References: <183@gloom.UUCP>
Date: Fri, 11 Nov 88 18:09:20 GMT

In article <183@gloom.UUCP> cory@gloom.UUCP (Cory Kempf) writes:
>Joe User has an account on a system that you are running.  Is it
>proper for you (the sysadmin) to go poking through his files?

Unless open access was an explicit condition of his getting the account,
his files are his own.  There are some gray areas if his files are
world-readable, but if they are protected, use of sysadmin powers to
poke through them just out of curiosity is improper.

>What about if he is suspected of some wrongdoing?  Should it
>require a court order?

A complicated problem; normally the user does not actually own the resources
he is using, so the owner and his agents retain rights of some sort.  What
those rights are is less clear.  Big paternalistic organizations, e.g.
companies and universities, have a tendency to assert their right to
investigate suspected wrongdoing on their property without asking permission.
A complicating issue is that courts and such are not used to dealing with
computers, and might have trouble coping with such a request.

The rule we try to follow is "be sensible".  Investigation of a user's
files should be limited to that which appears necessary in the case at
hand.  Likewise disclosure of their contents.  First priority is averting
further wrongdoing; if Joe User is suspected of repeatedly crashing the 
system to harass other users, immediate investigation is in order to
prevent further crashes.  Second priority is minimizing the adverse
consequences of existing wrongdoing; if Joe has been getting copies of
other users' proprietary files, making sure he can't get them offsite
is urgent.  Third priority is preserving possible evidence against
accidental or malicious destruction.  Finding out whether Joe is guilty 
or not is the responsibility of either the legal system or the organization
that owns the facility, not the sysadmin, unless a tentative determination
of guilt or innocence bears on one of these three high-priority items (as
it often does).  Revealing the contents of Joe's files, or announcing a
tentative conclusion of guilt, to others is grossly improper unless it
is necessary for one of the three high priorities or is formally requested
by the "proper authorities".

The only time we've actually run into something like this was when one of
our users was strongly suspected (by another department) of using an account
on our system to assist in cheating.  Priorities one and two did not seem
to apply:  my understanding was that the suspected cheating was past tense,
not present or future, and the damage was done.  Priority three did seem
relevant, so we made a tape of the user's files and put it in protected
storage.  We told the other department that the tape's contents would be
investigated on, and only on, formal request by a formal investigation.
They wanted us to suspend the account.  We told them that the user was
entitled to the presumption of innocence, and that we wouldn't suspend
without proof of guilt or a formal request from higher authority.  I never
heard anything more about it; either the matter was dropped or they got
the goods on him without needing our evidence.
-- 
Sendmail is a bug,             |     Henry Spencer at U of Toronto Zoology
not a feature.                 | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
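The "priority three" step in the post (copying the user's files to a tape kept in protected storage, to be examined only on formal request) is the one part of it that is a concrete procedure. The script below is an added example, not part of Henry Spencer's post, showing how the same idea looks on a modern system: snapshot the directory, record a per-file digest manifest and a custody record at the time of capture, make the whole set read-only, and provide a check that the copy is still intact before anyone looks at it. It assumes a POSIX shell with `tar`, `mktemp`, and either `sha256sum` or `shasum`; the directory names and the `joe-1988-11-11` label are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: preserve a user's files as
# evidence without altering them, then verify the copy later.
# Assumes: POSIX sh, tar, mktemp, and sha256sum or shasum -a 256.
set -eu

# digest FILE: SHA-256 hex digest, portable across GNU coreutils and BSD.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# preserve_files SRC_DIR DEST_DIR LABEL
# Writes DEST_DIR/LABEL.tar, a manifest of per-file digests taken from the
# source before archiving, and a custody record (who, when, archive digest).
# Everything is left read-only. Prints the archive path.
preserve_files() {
    src=$1; dest=$2; label=$3
    mkdir -p "$dest"
    chmod 700 "$dest"                      # only the custodian can list it
    manifest="$dest/$label.manifest"
    archive="$dest/$label.tar"
    # Manifest: "<sha256>  <path>" for every regular file, sorted for stable diffs.
    ( cd "$src" && find . -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(digest "$f")" "$f"
      done ) > "$manifest"
    # Archive the tree as-is (tar keeps ownership/mode); no compression so
    # the archive can be listed with plain tar -tf.
    tar -cf "$archive" -C "$src" .
    # Custody record, then lock all three files down.
    {
        printf 'label=%s\n' "$label"
        printf 'source=%s\n' "$src"
        printf 'taken_by=%s\n' "$(id -un)"
        printf 'taken_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'archive_sha256=%s\n' "$(digest "$archive")"
    } > "$dest/$label.custody"
    chmod 400 "$archive" "$manifest" "$dest/$label.custody"
    printf '%s\n' "$archive"
}

# verify_preserved DEST_DIR LABEL
# Checks the archive against the custody record, then re-extracts it into a
# scratch directory and checks every file against the manifest.
# Returns 0 if intact, 1 if anything differs.
verify_preserved() {
    dest=$1; label=$2
    recorded=$(sed -n 's/^archive_sha256=//p' "$dest/$label.custody")
    if [ "$(digest "$dest/$label.tar")" != "$recorded" ]; then
        echo "archive digest does not match custody record" >&2
        return 1
    fi
    scratch=$(mktemp -d)
    tar -xf "$dest/$label.tar" -C "$scratch"
    status=0
    while read -r sum path; do
        actual=$(cd "$scratch" && digest "$path")
        [ "$actual" = "$sum" ] || { echo "MISMATCH: $path" >&2; status=1; }
    done < "$dest/$label.manifest"
    rm -rf "$scratch"
    return $status
}
```

Usage: `preserve_files /home/joe /var/evidence joe-1988-11-11` at the time of capture, and `verify_preserved /var/evidence joe-1988-11-11` before handing the copy to whoever makes the formal request. Taking the manifest from the source before archiving, and recording the archive digest in the custody file, means that a later mismatch tells you whether the archive or the extracted contents changed; neither step requires anyone to read the files, which is the point of the post's third priority.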
