Blow the Whistle, Lose Your Job?

ccnull writes "You're a systems admin. On a routine PC repair, you discover a trove of child porn on an employee's PC. You call the cops. The employee pleads guilty and goes to jail. Then what do you do? You get fired. InformationWeek has an interesting expose on whistleblowers who lost their jobs, they say, because they publicly embarassed the company. The company has another version of the story. No matter what the reality is, at the center of this is a good question: If you discover illegal goodies on a machine, what should you do about it?"

Re:tell your boss and not the police.....??

[mnmn]

The Boss will either just fire the employee or call the cops herself. Regardless, you should call the cops too, especially in the case of child porn which is quite serious.

Ideally you should alert the boss first to prepare for the embarassment and have the spokesman prepare statements before the employee is carried away. Tell her, I intend to notify the cops, she wont be able to stop you then. If she tries to stop you, and you tell the cops, and get fired, youd have a lot against the boss too.

Re:Not so simple

[Afrosheen]

I believe you're right about being guilty for not reporting it.

In Illinois and some states, if the cops pull you and your friends over after a night of drinking, they give everybody breathalyzer tests. If the least drunk guy is driving, they're happy. But, if you're in the car, the driver is drunker than you, then you get a ticket. Same goes for everyone else in the car.

I know it's a stretch but it seems relevant to this thread for some vague reason. :)

It doesn't add up...

[jdreed1024]

From the article:

The next day, Perry gave the PC to Gross to back up, fearing it might crash and lose valuable data.

In the process, according to the suit, Gross opened a folder titled "my music," within which was another folder, named "nime," then another, "nime2." It was here, Gross said in an interview, that he encountered the illicit content. "I didn't have to click on any files when I went into the folder," says Gross. "There were thumbnail images, so I was pretty much instantly exposed to that."

If Gross hadn't opened those folders, he wouldn't have come across the offensive images in the first place. But Perry and Gross say it wasn't unusual for them to check the content of folders when troubleshooting; a large file, for example, can be an indication that a virus is at work.

I don't buy this. Are they claiming that standard procedure for these folks, when looking for a virus, is not to boot with a known-good disk and run an up-to-date virus scanner, but rather to go through folders looking for large files which might "be an indication that a virus is at work"? If so, that's pretty crappy. Well, I have this huge file called PAGEFILE.SYS on my C:\ drive, I guess I have a virus (it's Windows' swap file, for those who use other OSes), right? Sigh.

I also don't buy the "they were looking in the folder for files to backup" argument, either. That's not the way you do it. You use Windows backup, or a 3rd party utility, or a disk-imaging program (like Ghost for windows or DiskCopy for Mac) or you drag everything to a server for later restoration, or you use an external firewire/USB drive. You don't poke around for files and copy them one by one. Apart from being horribly inefficient, that would also kill the client's directory structure. For example, within my documents folders, I have subfolders for different classes, and for things like correspondance, and receipts, and the like. If some tech support company had to back up my stuff, and had copied the files one by one, instead of copying the entire tree, I'd be real pissed off.

So I don't think that they quite came across the porn in the line of duty. I think they were looking around without any good reason. (Not that this makes child porn any less wrong, but it does cloud the issue of discovery and reporting)

There is, of course, the other issue, which is that by default, newer versions of Windows use thumbnail view, which is unfortunate. If the prof had been using regular list view, and the techs had double-clicked the files, they wouldn't stand a chance of defending themselves. This raises the issue of just what exactly is "invading someone's privacy"? Even filenames can say a lot about someone. For example, if you see someone's desktop, and they have a bunch of files named "naked_teens_1.jpg" through "naked_teens_50.jpg", what are you going to think about them? What if the files were named "12_year_old_naked.jpg"? Does that change things? Suppose you wrote an editorial to your newspaper about how much you though Al Qaeda sucked. You named this file "al_qaeda_letter.txt". You take your PC in for service, and some tech sees it, and decides to report you to the FBI. (Not too far-fetched in this day and age). Are filenames public or private information? Sure, you can't prevent people from seeing filenames, but do they have the right to act upon them? (This applies to other issues, like when the RIAA found files with the name "usher" and "mp3" and assumed they were songs when they actually were some prof's lectures.)

I work in tech support, and I find myself in lots of situations when I have access to users PCs. The general guideline where I work is to see as little as possible. For example, If I'm working on a PC, I try to stay at the root level as much as possible. When we need to backup a PC, we drag the entire directory tree to a USB drive (if its PC) or a FireWire drive (if it's a Mac), or a server if nei

Re:It doesn't add up...

[etymxris]

That's exactly what the filmmakers who make that sick crap want you to think. They don't want you to ask little Suzzie why she comes into school crying, and they dont' want her to tell you why either.

While it is indeed noble to stop this immoral activity that happens in secret, we have to weigh this against the alternatives. And while you may think that stopping child porn is more important than anything else in the world, it isn't. What's more important? Life, for one. Freedom, for two. Privacy, for three. Now, any of these in their absolute will have negative consequences. Must you perserve the life of someone who is shooting at you? Must you preserve the freedom of one who takes it away from others (i.e., a kidnapper)? Must we protect the privacy of those that we already know to have done many illegal things in secret? The answer to all of these is "No". So there are limits on these things.

But in this case it's different. The way you pose it, there is a dilemma between two choices:

1. Strong privacy and a clandestine culture of child pornography.
   
2. No privacy and the eradication of child pornography.
   

Maybe in your world (1) is better, but I definitely prefer (2). Total loss of privacy is not something I'd sacrifice to stop child pornography, as noble as its eradication would be.

Maybe I'm attacking a straw man, but I don't think so. You speak as though any invasion of privacy is justified if it discovers something like child porn. But this is only known after the fact. So there are two choices: (a) snooping without discovery of child porn, or (b) snooping with discovery of child porn. The actor who snoops cannot know whether they are facing (a) or (b). And what they cannot know they cannot act on. And what they cannot act on they cannot be held morally responsible for--ought implies can. So by moral theory, these actions are by necessity equivalent. And, if in your mind, (b) is justified, then (a) must also be justified.

But (a) is not justified. No one has a right to invade my privacy without any reason to suspect me of wrong-doing. And if you think about it, you should come to the same conclusion.

Even Senior VP's get fired for blowing the whistle

[CaptainFrito]

I reported rampant software piracy to our CEO and board member and got fired within hours. This happened in January. Now I sense that I'm blacklisted.

The employees did the right thing

[dszd0g]

They reported it to their supervisor. Then the company has the ability to handle it how they like.

I don't see why anyone should get in trouble for reporting an illegal activity going on at work to their supervisor. I could understand if the employees directly went to the police or media and not giving the company the ability to handle it.

Maybe I've had the experience of working at better companies. A coworker and I had the wonderful experience of walking into work late one night and all the lights were off and one of the employees was sitting at a computer... well you get the idea. I reported it to my boss and the employee was fired the next day. Their were logs that verified what was going on. Some things just aren't appropriate at work.

As a system administrator, I always make sure that their is a message drawn up by the legal department that we may discover things in the normal duties of our job. I have never poked around people's stuff. But I have had to go into people's home directories to fix things for them (my general policy is I don't touch your home directory unless you ask me to). However, I do go through system logs occasionally. If something turns up in system logs that shouldn't be there, I will report it to my boss.

One company I worked for had a policy that we were to ignore any porn found. That was fine with me, it's their decision. This was done after management decided to crack down on it, and it was found that the largest downloaders of porn were some of the vice presidents. After those results, the policy was quickly put in place.

Re:tell your boss and not the police.....??

[b17bmbr]

this isn't just pr0n, but child porn. big difference. let's say you found emails, etc., that the guy was running a drug ring, selling crank to kids down at the local school yard. or that he was funneling money to al qaida or something. where do yo draw the line. maybe i'm biased. i have two children and i teach seventh grade (12-13 yr olds). child porn is a pernicious offense and offenders should be pubished. you think he jsut say, gee thanks, i won't do that any more. look at the research on child molestors. they are habitual. they cannot be "cured". actually true of most sex offenders. but towards children especially.

i'm not talking about some 17 year old tittie, or some 18 year old drerssed in a school uni. hell, if i'd found the stuff on his computer, i'd probably just take the guy out back and beat him fucking senseless.

Re:Illegal things...

[etymxris]

Now the story makes it seem like their discovery was innocuous enough. But how many times do computer repair people snoop around where they should not? Yes, the person had vile, disgusting, and illegal content on his computer. But why did the repair person find this material? If I send a computer in for repair, I am not giving access for someone to look through all my personal shit.

It's as if I left my diary in a car that was in the shop, and all the mechanics started reading it. Except for computers, this is the norm rather than the exception. I don't want someone going through all my personal shit.

So the people that fired them made the right decision. The word is now out that giving your computer to these people will hold all your personal data up to scrutiny by complete strangers. So what if your wife picks it up, and they tell her about the (legal) porn hidden in an innocuous sounding directory? Or maybe they'll read about the financial plans of your company, because some important documents were on the PC?

The truth is that people doing repairs should make every attempt not to view even a smidgen of personal data on the PCs they repair. So this article makes their discovery sound like they couldn't help it. But why were they clicking around in random directories? Simply wondering, "Hmm, what's in this directory," is not nearly a good enough reason. A repairperson should know what directories are relevant to fixing the computer and which are not.

Now, of course, all of this is null and void if there was some telling "C:\ChildPorn" directory on the computer. But barring such obvious dumbassedness on the part of the person giving the computer for repair, the repair-persons' actions were clearly unethical, even if, in the end, they discovered another unethical action. Two wrongs don't make a right, remember.

Re:Only partly agree

[stinky+wizzleteats]

Then again, there are illegal things (like mp3's) and illegal things (like child porn) and they are not created equal.

Well, yes and no. I do expert witness testimony in criminal defense cases, many involving accusations of child pornography. The reality is that the feds view kiddie porn as an effortless conviction machine. Here's how it works:

If you have ANY porn on your hard disk whatsoever, they print it all up poster size and show it to a jury. After about the 450th pic of a thirty year old in pig tails, cheerleading outfit, or with shaven nether regions, technicalities such as legal age disappear from the minds of most jurors. It's easy to say to yourself, oh, kiddie porn - fry the bastard. It is quite another to consider the ramifications of having every image ever stored on any part of your system's hard drive (including deleted files, file slack, ram buffer slack, swapfile contents, etc.) and shown to 12 church ladies. And that's if the case even goes to trial. Most defense firms have no idea how to challenge electronic evidence, and often simpily do a plea bargain. In the cases I've dealt with, I have yet to see one instance of actual, real child pornography. Furthermore, of the computers I've worked on which were ever used to view pornography of any kind on the Internet, I've found enough of what passes for "evidence" these days to put the owner in prison.

Simple rules: if you like your money, don't download mp3s. If you like your freedom, don't surf porn. And don't participate in the 3 minutes hate. You may not know how finely the line is drawn beteween yourself and "those evil bastards".

Yeah, sure.

[Saint+Mitchell]

My favorite part of the article:

But as criminally disturbing and emotional as this issue may be, the pending litigation has nothing to do with the professor. Employment of the technicians ended due to issues completely unrelated to this isolated incident, which will become clear as the case progresses through the legal system. Claims made by the plaintiffs cannot be taken at face value and should not be trumpeted as fact via media when they are based solely on unsubstantiated allegations.

Translation: Yeah, we fired them for that, but we didn't think they'd sue us. We'll just say we have evidence that will appear in court. We'll pull a tardy report from a few months ago, bam, permission to fire them. Never mind that the guy they told on was a golf buddy of mine and asked me to get rid of them as revenge.

Do corps do this kind of thing? You'd better believe it. I used to work for a utility as the network admin. They would come to me and ask for me to find "evidence" for them to fire someone. Usually all that took was a weblog or a copy of an email of them doing something against company policy. I hated doing it, but it would have been my job if I said no. The reason they tell you you are fired is never the real reason.

They told their boss, who reported it to the cops

[billstewart]

According to both articles, the two sysadmins reported the files to their supervisor, who reported it to the police. Sounds like they followed policy. The only uncertainty about that that I see in the article is that one of the sysadmins reported it to the other before they went to the supervisor, but depending on the work environment that's a pretty typical thing to expect.

The company's article says that there are other things going on, which they can't talk about because there's a lawsuit pending. If that's not true, and they're really doing it because they're embarassed about it being reported to the police, then they should presumably have also fired the supervisor who reported it. Sounds like there are multiple sets of ugliness and stupidity going on here...