Slashdot Mirror
When Ethics and IT Collide
jcatcw writes "IT workers have access to confidential data, and they can see what other employees are doing on their computers or the networks. This can put a good worker in a bad predicament. Bryan, the IT director for the U.S. division of German company, discovered an employee using a company computer to view pornography of Asian women and of children. He reported it but the company ignored it. Subsequently the employee was promoted and moved to China to run a manufacturing plant. That was six years ago but Bryan still regrets not going to the FBI. Other IT workers admit using their admin passwords to snoop through company systems. In a Ponemon Institute poll of more than 16,000 U.S. IT practitioners, 62% said they had accessed another person's computer without permission, 50% read confidential or sensitive information without a legitimate reason, and 42% said they had knowingly violated their company's privacy, security or IT policies. But in the absence of a professional code of ethics, companies struggle to keep corporate policies up to date."
If it was like the PMP, CMA, CPA or other professional certifications/licensure that industry requires for certain jobs, then code of ethics violations would mean loss of certifications/licensure. That would weed out all those unethical assholes in IT.
In God we trust, all others require data.
This isn't specific to IT, but it happens a lot.
Most newbie Admins poke around in places they shouldn't soon after getting heightened access to the systems.
Almost anyone, in any career where they have access to sensitive information end up abusing it to some degree.
Doctors, Nurses and medical records people read the files of friends or relatives all the time, and that's certainly illegal.
Also, if you come across that kind of stuff in your routine work, you are actually required by law to report it to the police.
After 15+ years in IT, all data looks the same to me.
I can help someone adjust the font on a document and not even notice what it says.
Not too many years ago I worked for a "web startup" (i.e. small company founded by Harvard MBA who smoked lots of weed, drove a VW, and was out to "save the world") as IT manager. As the market tanked, the CEO became more and more concerned for the future of the company and with good reason! We'd gone from regular upper 6 figures per month to less than half that, with three locations whittled down to essentially one and a half. Many employees left for greener pastures. When things REALLY started to go down hill, the CEO asked me to intercept any emails between current and former employees, and then "hinted" that since so many of our clients had their email hosted on our email server, couldn't I do the same with them. I know that, legally, he had the right to get access to current employee email, and any former employee whom he had granted continued use of our email system (not sure on that last bit, IANAL). But asking me to, or suggesting I should allow him to, read client emails was a final straw. While he may have the "legal right" to read employee emails, it left a very bad taste in my mouth. Suggesting I allow him to read client's emails? It was like licking a rat. At the end of the day I had to go home and see myself in the mirror, and I knew that reading other people's personal, private emails was something so abhorrent. (Rimmer: "Lister, that is my private, personal, private diary; full of my personal, private, personal things." Cat: "It's gone public.") Now all that said, at another job, myself and some other IT workers suspected one of the devs of possibly being a pedo. We didn't read his emails, we didn't pour through his computer (which we could easily have done), but we did put google to good use, and at one point we did packet sniff where he was browsing. Was I proud of that? Well, actually yes. If he HAD been looking at kiddie porn, if he HAD been a sexual predator, being a father how could I stand back and not try to do something? It turned out he wasn't a diddler, just... Really really really really creepy. It is a very fine line between "ethical" and "non-ethical", it can be very hard to judge which is which, and everyone will have their own opinions. But in the end you have to live with yourself, and certainly I'm not qualified to decide right and wrong, nor pass judgment. If I had my way, anyone who sold a poorly made curry would be strung up and boiled in oil.
Except of course that you're wrong. Courts have upheld the right to use company phones for occasional personal use. Recently, they have ruled simillary for the web or email (I can't remember which). I also don't ever recall a court allowing a company to spy on telephone call, even though they owned the equipment.
You don't lose your rights when you enter a workplace.
What kind of soulless bastard needs a written code of ethics to know what's right and wrong? Who really thinks that snooping around other peoples' data is the right thing to do?
Most of us do. But then again a LOT of us have lapses and moments of weakness. I mean if you know there is some really good dirt being shot back and forth via email and you log all email it's really tempting to just snoop through it to kill some boredom. Sometimes just reading a piece of paper on the wall can help you keep your focus.
I'm an I.T. Manager and it's sort of tough sometimes. For me personally I'm having a bad time in my life and I have this vicious streak that emerges many times a day - and that isn't helping. I have the ability to see every website they visit, everything they do on their PC, and can see every email received and sent. I can also access pretty much every file on every machine in the company. That's a LOT of responsibility. And I honestly don't snoop through any of it - it's kept for security/legal reasons. Monthly I wrap it up an 256bit AES encryption on a DVD and that's it. I think most I.T. people are actually pretty honest as well as far as the ones I've met. I mean I'd hate to see what the assholes in sales would do if they had as much power over the company as I had. heh, I actually just cringed.
Many years ago I worked as a temp in a helpdesk situation. The position included tons of down-time, and one day I filled in the gaps by browsing what available resources I had been granted access to. I assumed that as a temp, I would have almost no access at all as any such access was not required in order to open a ticket.
Much to the contrary, I was able to access the entire salary list for the organization, and detailed networking topography and connections for all the remote offices. I reported this immediately and was thanked, not discouraged in any way, for what I did. However, a week or so later at the stroke of 5pm after all of the techs had left, I got a call from a remote office that could not access some resource... I tried to help troubleshoot the issue, and again looked around on the network for info that might help. I found an IP address I could ping. I pinged it and was able to at least report the results to the tech when I called them. I was terminated the next day, much to my surprise since I was completely honest and upfront with them at all times, and I was only trying to help (as opposed to the first time, when I was snooping intentionally and was not scolded).
I'm a believer in the idea that if you give me access to something, I'm free to utilize it... Controlling access is the admins responsibility. Yes, I'll state that again... If you give me access to the HR drive, I have every right to view the spreadsheets inside. The company has every right to fire you for screwing up and giving me that access, and every right to fire me if I publish it or do something other than keep it to myself.