How IT Pros Can Avoid Legal Trouble
snydeq writes "InfoWorld's Peter S. Vogel reports on the kinds of inadvertent transgressions that could land IT pros into legal trouble without realizing it. From confidentiality and privacy negligence, to copyright and source code violations, IT staff are legally liable for a lot more than they might think — in some cases because the law will not stop at your employer, instead holding individual IT employees responsible for violations even if the individuals are just 'doing their job.' Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,' Vogel writes. 'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'"
What legally questionable scenarios have cropped up at your job?
I'm liable for first posts.
He was a petulant child.
This narrative that this ruling could affect non-sociopaths is FUD.
It's such a gigantic PITA to track all of the licensing for everything that I weep for any small- to medium-sized shop that can't afford to have a dedicated person/dedicated people for it.
not post in this thread.
Are the same people claiming that Childs is some sort of misunderstood hero the same people who had "Free Kevin" schwag back in the day? If not, I'm not sure I get the mentality, because from what I know of the situation (maybe not enough), he did sort of grossly overstep the bounds. Maybe he didn't deserve jail time, but I'm not about to go emulating my career after him.
Change jobs.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I'm a medical equipment technician at a California corrections facility. My boss routinely asks me to kill people in cold blood, and I've been doing it for a few years now... there's a lot of paperwork and everything, but I'm not entirely sure it's legal.
Does anyone else have experience with being ordered to kill somebody as part of their IT duties?
When someone at work has a BlackBerry, they are set up on the BlackBerry Enterprise Server, which manages all their contacts and emails and calendar and such.
If they leave, or are terminated, we are told to send the kill command to their BES account. This will delete any emails off their phone AND their contact details. In some cases, a person will be let go - our IT staff will be told first so their account can be disabled for security reasons. Then that recently laid-off person has lost all of their contact details - including Mom and Dad and sweet Great Aunt Gertrude.
We haven't faced any legal suits yet - but it has happened a couple of times that people have gotten angry. As a precaution - we've started informing people that this happens - so anyone with a BlackBerry needs to back up their contacts constantly.
What legally questionable scenarios have cropped up at your job?
You have got to be shitting me. This isn't phishing, this needs a new term all its own.
'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'
Obviously, they've never visited slashdot.
Just make sure you never try to run an illegal instruction!
The BSA does not go after the techs, but they are a paperwork b* and will hit you for not having the paperwork they want, and sometimes it's not what you think you need to have.
We were in creditor protection (Canadian version of Chapter 11 bankruptcy), and the owner asked me to essentially spy on the court-appointed monitors and send him any email they sent or received when they were on site and using our computer systems. Thankfully, I had the presence of mind to know how wrong that was, and went to the accounting controller to inform him of that request. In the end the courts were not told of his transgressions, as that would have caused him a pile of trouble (he most probably would have been fired from his own company), and the accounting controller talked a bit of sense into him.
Feed the need: Digitaladdiction.net
Here's one: I worked for one of the top national retail firms. Their POS systems were booted using PXE, and there was no firewalling between the stores and corporate HQ. In other words, the network topology was completely flat. Set up a PXE server at any store, distribution center, or headquarters, and you could respond to PXE requests sent by the POS systems. The store's location was coded into the DNS RR and followed an easy-to-understand naming convention -- they also were powered down every evening. Which means you had about a 10-minute window each day where, if you disabled or DDoS'd the one PXE server on the network, you would be able to send a bootable image to every POS server in that timezone.
They fired me three days after reporting this flaw, calling me a security risk.
#fuckbeta #iamslashdot #dicemustdie
What legally questionable scenarios have cropped up at your job?
I'm a software developer for one of the big automotive companies and we almost got into some legal trouble a while back. We had another team that would test the embedded code we put in there, and we were always playing pranks on each other between the two teams. So one time, I wrote a procedure that caused the accelerator to randomly speed up with no user interaction. It was very, very rare that the procedure would trigger, and then I called it right in the middle of the main block of the embedded code. Anyway, they run a bunch of tests a day, and on like the fortieth day, John drove his car right through the wall of the testing facility! Oh my, what a hoot, I haven't laughed so hard since they airlifted him out. But then there was all this legal BS about somebody getting hurt and this and that. Those law-talking guys have no sense of humor. So I realized I had to go in and comment out that procedure. So all I did was go in and comment out the signature block ... or at least I think that took care of it, but maybe it was that fancy ECC crap the smart guy put in ... I wonder if anyone ever went back in there and totally cleaned it up? Oh well ... dodged a bullet there ... am I right?
My work here is dung.
Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,'
Has it shown that really??? I recall the foreman of the jury for the Terry Childs case was a pretty smart IT guy. Also, the resumes of the other jurors were not all that bad technically either. If anything, I really do think that Terry Childs was judged by a jury of his peers (even if this doesn't always happen in other cases).
Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do
As I recall, when the details finally came to light about what he did and how he went about it, the judge and jury WERE technically savvy enough to understand what he did. It was all the people jumping to uninformed conclusions here on Slashdot that didn't understand.
I have no doubt there are plenty of cases where judges and juries fail to understand the facts at hand, but I don't think this was one of them.
How about making EULAs that non-legal types can read and understand? Not all workplaces have the means to take the time for legal to look at all of them.
I have often been either asked to use pirate copies of software (Borland Turbo C in the 1980s), or accept license agreements personally, where a corporate license would have been more fitting. Neither of these have occurred at my present place of employment, thankfully.
In other areas, I was once asked by a low-level manager at a client company of our contracting firm for my SSN for a "background check". I was told this person had a reputation of committing identity theft in the name of contractors, obtaining credit in their name, and threatening to insist they be removed from the assignment if they complained. I don't know if that was true, but did insist that any "background check" would be done by a recognized neutral party. I was requested removed from the assignment, and let go for lack of other work.
On the pirate software issue, I simply licensed my own copies, and took them with me when I left (well, wiped them off my work computer). Borland's license would let me use their compiler on any machine, even let someone else use it, one at a time.
The bottom line is that if your employer asks you to break the law, find another job... fast.
In Liberty, Rene
How about being legally liable for the PHB and other higher-up people at the workplace who don't know about IT, but buy stuff on the golf course, fail to buy the right licenses, and then tell the techs that proper licensing is done / the buying department took care of it?
In some places the IT guys do not buy anything; they just tell someone what they need and hope to get it.
Most EULAs aren't actually that difficult to read. They're just long and boring...
Do to cutbacks he was the only guy on the job 24/7, and a lot of the people there did not have a clue at all. And giving out the network password over an open phone call in a big meeting room?
If your boss tells you to give out the password on a phone call... guess what you do? That being said... what if your boss then says email all the city system passwords to tasteless-rag-newspaper.com?
You quit, explain why you are quitting, then give it out over the phone call.
Is that the right answer?
I work in the medical field and I am so thankful I have union representation to clarify legally questionable requests from management.
People may speak ill of unions, but from my end they have literally been life savers.
I get where you are coming from, and I totally agree that Childs was a toolbox and could easily have handled the situation better if he had any desire to do so.
However, if your boss tells you to violate the state policies on passwords and mail them off to someone (or provide them to a room full of people) and then something bad happens because of that, it is quite possible that you will be held legally liable for the damages caused. Just following orders may not be enough of an excuse.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
One problem I see is that requirements may not be the same from state to state (in the US), and there are few formal resources available for IT professionals to know exactly what requirements apply. This is especially true for IT pros in smaller or privately held firms that don't fall under the authority of some of the big bills that have been enacted. None of the college programs in my area even has a course addressing these issues, except for specific courses dealing with things like HIPAA. This seems to be a big gap, and I know I'd love to find a course (or even a website) that deals with specific requirements at both the state and federal levels.
I use irony whenever I can, but my shirts are still wrinkled...
I haven't run afoul of any laws, writing software, but I'm always tangling with copyright readers and software licenses whenever I start up a project (which happens every year or two). Open source licenses especially, since the standing rule is that 'copyleft is bad, because we want to keep control of our work'.
Software licenses come up every couple months, but the shop does a good job keeping the site licenses for the software that we use, and personal software is discouraged. I have a couple sets of VS8/9/10 discs that I pass to the interns and new FTEs, but have the license codes squirreled away separately -- if the site license doesn't pick them up, it's IT's problem. I've had a license expire, which was inconvenient, but had the project money for the latest version.
Code plagiarism is another concern, but a pretty easy one ~ either don't copy it, or contact the original author. Pretty straightforward.
asked for a reprint of the customer listing. A couple of days later the two vp's asked for the same thing. The company was shut down about 3 months later and I was the only one hired by the parent company.
About two months later I was called in the attorney's office. I was asked if I distributed any unauthorized customer lists.
Damn.
Because then some people might figure out what they're actually agreeing to and stop buying their software?
Get your boss to sign off on it. But seriously, the best (in fact ONLY) way to avoid legal trouble that the article is talking about is to do nothing but ask your boss for access to a solicitor to sign off on work.
The article is like asking "How do you avoid legal problems with a video compression algorithm that you think has not been patented by anyone else?". The answer: you can't. As MPEG-LA knows, since they don't indemnify against other people's patents.
At first I thought POS meant "Point of Sale", but as I read through your post I realized it actually stands for "Piece of..."
...software?
I live in France, so software patents, in theory, do not exist. But I have American and Japanese clients. What happens then?
I offer (freely) some web services like IRC or forums. If someone infringes a silly law from a silly country by saying something illegal in either the country I live in, the country where the server is located, or the country where the user is, how are the responsibilities split?
Some of the code I develop at my work is open source (BSD). But BSD has no French translation and no transcription for French law. CeCILL-B can work, but French copyright laws are subtly different from America's, and the legality of viral open source licenses is an open debate here (no one cared about making a simple and quick law to clearly state they are legal).
We have a silly law named HADOPI that creates an offense of "non-securization of an internet terminal", with very vague terms that don't really explain how to comply.
My biggest problem, in the end, is that the law of my country is ill-adapted, inapplicable, written by persons who dismissed experts' advice. As a result, and being a law-abiding person, I tried to write to representatives and journalists, and I joined the local pirate party, which was mainly made up of people with a technical background who understood the laws were silly. But I quit, as this was taking more time than coding. So now it is a matter of choice between being up to date with the latest sillinesses or coding interesting and useful stuff. I chose the latter, knowing that the clown-hammer of law is suspended over my head and that I am probably in a gray zone. Being legally safe is a luxury I cannot afford, but I do not wish to surrender to the Legalausaurus Rex. I put the little faith I still have in humanity in the hope that when the silliness of the current laws is obvious (it is forbidden to be infected by a virus! An IP address is a proof of identity! Linux is illegal!) they will be corrected.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
As anybody that actually works in retail above the McD register level knows, BOTH are correct.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Both wrong.
(a): there was no law demanding he hand over the keys insecurely
(b): he did the right thing. If he'd been hit by a bus, they could have reset the passwords by getting an engineer out to the sites.
Terry did the RIGHT thing according to law and the thing demanded by his employment contract. That contract stated who he could give the passwords to, where, and who could override those orders.
A general cannot order a private on guard duty (assigned as such by the Duty Officer) to leave his post. Doing so would be a court-martial offence (potentially one that could see him shot, if it's a war zone or in time of war). The general may or may not be able to order the duty sergeant to order the private to leave his post. But if the general is not the base officer, the OD can demand that the correct channels be used, and the base CO would have to order the Duty Officer to order the private (note: even the base CO cannot order a private off guard duty at his post).
Similarly, the captain of a ship outranks any officer on board ship, even a Port Admiral. At port, the captain can be removed from command by the Port Admiral. This is why Barratry is such a severe offence in the Navy.
But short version: both your statements are wrong.
'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'
Just because *I* am doesn't mean other IT people are.
IANAL, IANAMD, IANAE, IANARS, IANAMCSE
A good recent example of how techs could get in trouble would be the techs that set up the spying on kids via webcam in Philadelphia. Congratulations, you have just set up a child porn machine. I trust that all involved will never be able to work with kids and vulnerable people again - and that would be getting off lightly; in the UK you would probably have a tabloid lynch mob out for you.
I was building a website and left a legally incorrect line as to the corporate status of the company the site was for. I thought I had saved the changes as I was working, but did not. It was a low-priority project and I did not plan to resume work for a few months (I also thought it was not a publicly available beta). So not only am I a lazy designer sometimes, now I got cease-and-desist letters from the AGs of two states with threats of $25,000 fines for each instance of "X" that resulted from my error. There were no "X's", and one state has dropped it; I am still waiting to officially hear that state number 2 has dropped it. There are some things you need to be on top of!
6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
In short, the article's advice is to watch your ass legally, and it provides some overview on doing so.
Basic but functional, I suppose
I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
It's DUE to cutbacks. Unless you were implying "Do to cutbacks as you would have them do unto you" ... (?)
To work around this problem I developed a time travel machine, and would just revert when scheduled to appear. I wound up trapped in Groundhog Day redux. So now I'm a sanitation engineer.
Working in IT, you're bound to come across pirated software from time to time.
a) When I find some pirated software or license misuses, I could for instance tell the client that "I'm not the police, but..."
I might also make them aware that there is this company that looks out for software vendors--the business software alliance, for instance.
b) When a client is aware that they're asking me to do something illegal, like ignoring license agreements etc, I tell them that I don't care what people do privately (nor do I assist them in that case either), but this is not the act of doing serious business--or tell them sorry, and explain that the company I work for won't allow me to do this, etc. If they still insist, they are a lost cause. You can only spend so much energy on these matters.
I'd prefer that more commercial business software would come with some activation mechanism. I've seen cases where clients have ordered one license, then gone ahead installing the software on most every PC, and when confronted about this, they've argued that only one of them uses it at the time--but the license agreement does not allow it to be installed on more than one PC.
You'll most often find that objectivity is the first thing to be sacrificed in business, so hang on to it, tight, or lose it.
Why?
Because I'm in IT security. My job is to analyze and dissect malware, not only to find out what it does but also how it does it, what attack vectors are used, what system flaws are exploited, what means of communication with a controlling server are used and, if possible, I should also try to cut those lines and render the malware useless, preferably create some kind of remedy or even protection against it. All this can usually only be done by taking a closer look at the software than is possible by simply watching it run. In other words, disassembly and protocol sniffing and decoding are two of the main parts of my work. Both already illegal in some countries.
Now, fortunately my country provides protection for this (albeit ... well, I have a law that I might pull out of my ass should I need it, but it's anything but a certain victory in case anyone ever goes to court for it). But in theory, any writer of malware could pull any IT security company to court and stand a pretty good chance to win. Though he'd first have to admit that it was him who created the malware.
In other words, as odd as it may be, I may violate that copyright because the one who could drag me to court for it certainly has no interest in coming forward and claiming ownership of the code.
And now let's ponder for a moment what will change should ACTA become reality and copyright violations get shifted from civil to criminal code. Technically, the State Attorney would have to step forward and protect the copyright of the writers of malware without them asking for it (because the SA has to act even without prompting from the injured party) and prosecute those that analyze malware and design protection and remedies against it.
You see, you don't have to be the bad guy to think that ACTA is a really, really bad idea...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This comment is just inflammatory. The question here is one of culpability, not one of assumed intelligence. Highly intelligent people should not be more culpable than those of average or even sub-average intelligence (barring retardation or insanity.)
Policy in my work place states that I need to sight and make a copy of the licence agreement before the software is installed onto any machine. If you're in a workplace like that, you need to lay down some rules :P
Reminds me of the company where I did an internship 10 years ago.
Licensing practice went as follows: the department had a bunch of CD-Rs with copied installation media for the volume-licensed software. You (personally) had to keep tabs on your installed software in an Excel sheet, and IT would buy licenses based on the number of people using the software.
Worked quite well until we found out that IT didn't even know about that Excel file...
bickerdyke
I set up a Point of Sale system for the restaurant I work for this winter. A few months ago we got some letters from our credit card processor saying we have to secure our customers' CC info to be "PCI compliant". This consisted of filling out a form online where, if I told the truth about our network (not firewalled, LANed through an unsecured wireless router, constantly writing down info to enter later for off-site orders), we would not be in compliance. Like a good employee I notified the boss about what it would cost to make the system secure. He determined it would cost too much. Nice to know that I could be prosecuted because my employer won't cough up $80 for an appropriate network switch.
Just boring old improper requests for data access. 'My friend's record doesn't look right', 'the police want the address of every staff member' (well, they of all people ought to know the proper way to request that information if they need it).
Can slashdot posts be considered confessions from a legal standpoint? Because I'm pretty sure that someone, somewhere, is just waiting for a lawsuit red flag to drop...
Just count licenses purchased and software in use.
While this may well be against most EULAs, I consider it a practical way to stay out of trouble.
If a software company should ever try to sue you, you can always claim that no monetary harm was done and that they don't have a case.
Except for such insignificant things like using the same code number twice...
I had problems with StumbleUpon bringing me to webpages that, while safe for work, would bring up questionable material that, at the time, probably didn't look so good (i.e. "How to make Thermite" came up once while I was in the middle of a custody battle with my ex... The police officer didn't seem amused when he questioned me.)
But, yes, lack of technical know-how in the non-technical community puts anyone who knows enough about technology to be dangerous (even if we never use it for that purpose) completely at risk. If I ever wanted a high-clearance job, that one incident will come up for the rest of my life, and I will, once again, have to spend hours and hours explaining what came up, bad timing, what happened, no I never read the article, no I never sent death threats to my ex, etc.
Was/is a NIGHTMARE!!!!!
Clones are people two!