Slashdot Mirror


How IT Pros Can Avoid Legal Trouble

snydeq writes "InfoWorld's Peter S. Vogel reports on the kinds of inadvertent transgressions that could land IT pros into legal trouble without realizing it. From confidentiality and privacy negligence, to copyright and source code violations, IT staff are legally liable for a lot more than they might think — in some cases because the law will not stop at your employer, instead holding individual IT employees responsible for violations even if the individuals are just 'doing their job.' Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,' Vogel writes. 'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'" What legally questionable scenarios have cropped up at your job?


  1. Liability by nhaines · · Score: 5, Funny

    I'm liable for first posts.

    1. Re:Liability by skids · · Score: 5, Funny

      As long as you caught them forking children, I don't think anyone will mind.

  2. Terry Childs was NOT an IT pro by Anonymous Coward · · Score: 4, Insightful

    He was a petulant child.

    This narrative that this ruling could affect non-sociopaths is FUD.

    1. Re:Terry Childs was NOT an IT pro by Toonol · · Score: 5, Insightful

      Terry Childs is a terrible poster child for IT professionals. He did all sorts of things professionally and ethically wrong, and probably legally wrong, as well. I certainly would have pressed charges if he had been my employee.

      However, there are some legal traps that even a well-behaved IT pro can fall into. For instance, monitoring too much can be a privacy invasion, monitoring not enough can be negligence. Because the IT world scales up so much, sometimes a minor mistake can end up with millions of dollars of consequences.

  3. Licensing by CaptSlaq · · Score: 5, Informative

    It's such a gigantic PITA to track all of the licensing for everything that I weep for any small to medium sized shop that can't afford to have a dedicated person/dedicated people for it.

    1. Re:Licensing by Dr Herbert West · · Score: 5, Interesting

      I can't tell you how many shops I've worked at where it was obvious that all the software was cracked. My favorite was a print vendor who would encourage his staff (college interns) to "bring in" some of their school software/plugins to "test in a real-world environment". Anytime someone had to send a job to print, all the workstations would have to be disconnected from the network or else there would be licensing conflicts with all the cracked warez. This was more than a decade ago, and the vendor in question has been out of business for a long time. Scumbag-- everything he did somehow reeked of illegality.

      I remember I came in once (this was right after I started) only to find the entire staff (except the interns) had quit without warning. Everyone from the production managers to the secretaries-- gone. I soon followed, natch!

    2. Re:Licensing by toastar · · Score: 4, Insightful

      The solution to that is to not buy such software.
      If it is not free or simply licensed, just do not use it.

      ... tell that to my boss.

    3. Re:Licensing by Brandee07 · · Score: 5, Insightful

      Your job is to keep his copy of Microsoft Office working, not to tell him that he should switch to OpenOffice.

      In my limited workplace experience, if you answer "Fix my software" with "Use this other software instead," you will either be ignored or fired. (I found myself ignored, but instilled with a profound desire to not attempt to be helpful again.)

    4. Re:Licensing by jimicus · · Score: 4, Interesting

      I agree, but I'd go further - and my comments apply equally to free and commercial software.

      We're a small shop and part of my job is to keep on top of licensing. After doing this job for some years, I have reached an inevitable conclusion.

      You are not supposed to get it 100% right. Indeed, you are being set up for failure.

      While some licenses are fairly straightforward, enough of them are sufficiently complicated that it is wholly unrealistic to expect any organisation to be entirely perfect. Whether this is by accident or design I wouldn't like to say, but I am dead certain that there is no organisation on God's sweet earth that would come out of a BSA audit without at least something wrong.

    5. Re:Licensing by 24-bit Voxel · · Score: 4, Interesting

      I've seldom worked at a place that didn't pirate software. From Fortune 500 to mom and pop shop, they all do it. The annoying part is I actually purchase mine, and in 3D that's not cheap. I've spent easily 30K in the past 3 years keeping 'legal' with my software only to be underbid by these pirate shops. Now I am contracting at one because I can't win a bid against these pirates as their overhead is much lower than mine because of this.

      My favorite part is negotiating my rate for a contract and I stipulate that it's cheaper if I can work from home because I have full support of my fully paid for software. They almost never get it at first, but when I mention my one caveat of not supporting or bug fixing/debugging scenes made with pirated versions. That wakes them up every time. Mostly because the first two weeks are at a preset lower rate while we get used to each other. Only after those two weeks I am privy to all sorts of info (such as pirating) and then they are often afraid not to hire me in case I rat them out. It's a shitty system with a couple perks.

  4. Premeditated murder by Peach Rings · · Score: 5, Funny

    I'm a medical equipment technician at a California corrections facility. My boss routinely asks me to kill people in cold blood, and I've been doing it for a few years now... there's a lot of paperwork and everything, but I'm not entirely sure it's legal.

    Does anyone else have experience with being ordered to kill somebody as part of their IT duties?

    1. Re:Premeditated murder by Surt · · Score: 4, Funny

      When I had to do that, I couldn't live with the moral qualms, so what I did, I hooked up the kill mechanism to a web server, and created this animated ad where if you punched the monkey it would kill the person.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  5. Blackberry Enterprise Server by Monkeedude1212 · · Score: 4, Interesting

    When someone at work has a blackberry, they are set up on the Blackberry enterprise server, which manages all their contacts and emails and calendar and such.

    If they leave, or are terminated, we are told to send the kill command to their BES account. This will delete any emails off their phone AND their contact details. In some cases, a person will be let go - our IT staff will be let known first so their account can be disabled for security reasons. Then that recently laid off person has lost all of their contact details - including Mom and Dad and sweet Great Aunt Gertrude.

    We haven't faced any legal suits yet - but it happened a couple times where people have gotten angry. As a precaution - we've started informing people that this happens - so anyone with a blackberry needs to back up their contacts constantly.

    1. Re:Blackberry Enterprise Server by grasshoppa · · Score: 4, Insightful

      If the device is hooked up to a corporate BES server, then they can already read all of your sms / email.

      Always better for the corporation to completely own the device, from start to finish, to prevent confusion.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    2. Re:Blackberry Enterprise Server by Shakrai · · Score: 4, Funny

      If the device is hooked up to a corporate BES server, then they can already read all of your sms / email.

      I pointed this out to a friend that uses her personal blackberry to access her company e-mail. Her response was "So what?" Then I asked her, "Don't you use text messaging to order that dried up plant material that's illegal in all 50 states?"

      She bought a droid the very next day.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  6. You're kidding... by Un pobre guey · · Score: 4, Insightful

    What legally questionable scenarios have cropped up at your job?

    You have got to be shitting me. This isn't phishing, this needs a new term all its own.

  7. Har Har by poliscipirate · · Score: 4, Funny

    'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'

    Obviously, they've never visited slashdot.

  8. Legally questionable scenarios? by girlintraining · · Score: 4, Interesting

    Here's one: I worked for one of the top national retail firms. Their POS systems were booted using PXE, and there was no firewalling between the stores and corporate HQ. In other words, the network topology was completely flat. Set up a PXE server at any store, distribution center, or headquarters, and you could respond to PXE requests sent by the POS systems. The store's location was coded into the DNS RR, and followed an easy to understand naming convention -- they also were powered down every evening. Which means, you had about a 10 minute window each day where if you disabled or DDoS'd the one PXE server on the network, you would be able to send a bootable image to every POS server in that timezone.

    They fired me three days after reporting this flaw, calling me a security risk.

    --
    #fuckbeta #iamslashdot #dicemustdie
  9. Terry Childs case not a good example by linebackn · · Score: 4, Insightful

    Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do

    As I recall, when the details finally came to light about what he did and how he went about it, the judge and jury WERE technically savvy enough to understand what he did. It was all the people jumping to uninformed conclusions here on Slashdot that didn't understand.

    I have no doubt there are plenty of cases where judges and juries fail to understand the facts at hand, but I don't think this was one of them.

  10. Asked to use pirate software by Rene S. Hollan · · Score: 4, Interesting

    I have often been either asked to use pirate copies of software (Borland Turbo C in the 1980s), or accept license agreements personally, where a corporate license would have been more fitting. Neither of these have occurred at my present place of employment, thankfully.

    In other areas, I was once asked by a low-level manager at a client company of our contracting firm for my SSN for a "background check". I was told this person had a reputation of committing identity theft in the name of contractors, obtaining credit in their name, and threatening to insist they be removed from the assignment if they complained. I don't know if that was true, but did insist that any "background check" would be done by a recognized neutral party. I was requested removed from the assignment, and let go for lack of other work.

    On the pirate software issue, I simply licensed my own copies, and took them with me when I left (well, wiped them off my work computer). Borland's license would let me use their compiler on any machine, even let someone else use it, one at a time.

    The bottom line is that if your employer asks you to break the law, find another job... fast.

    --
    In Liberty, Rene
  11. Re:Terry Childs the new Mitnick? by Anonymous Coward · · Score: 5, Insightful

    Umm no. I disagree entirely. Are we forgetting there was a network engineer on the jury? Seriously? This is exactly the sort of thing that SHOULD happen. A jury of his "peers!"

    It was described to the engineer, and he was the de-facto explainer for the group, but seriously Childs was working for the gov't too long and had too many bad habits of "fiefdom" creation that are everywhere in city and state organizations. He created a world, then he took the keys away from everyone and didn't give it up. He's not the first, nor will he be the last, but the lesson here should be to all comers "hit by bus strategy... always." Otherwise, things that together could be suspect or could be best practice BECOME suspect without a backup and recovery plan.

    And no, an encrypted that's tattoo'd to an admin's ass doesn't count. Especially if there's a likelihood of a flame thrower being involved at some point.

  12. Re:Terry Childs the new Mitnick? by bws111 · · Score: 4, Insightful

    Why is it a "concern" that judges and juries don't understand what IT pros do? Judges are supposed to understand the law. Period. Juries are supposed to be unbiased. Period. Is it a "concern" that judges and juries don't understand what police detectives do? Doctors? Hospital ethics boards? Accident reconstruction experts? Corporate officers? Accountants? Fund managers? Etc, etc. If the judge or jury needs to understand any of those things it is up to the parties in the case to educate them. There is nothing special about IT that makes it any more or less difficult to explain than anything else.

  13. Re:Terry Childs the new Mitnick? by XanC · · Score: 4, Insightful

    That network engineer, IIRC, said here something to the effect that he didn't think Childs had any criminal intent, and that he was doing what he thought was right for the city. The only reason for the conviction was that the letter of the law appeared to be against him.

    This was a case where a fully informed jury should have acquitted, but unfortunately juries are not fully informed. A jury has the right, nay the responsibility, to judge the LAW as well as the FACTS.

    Basically, put yourself in Childs' situation. You did what you thought was right. (Let's assume that's the case, since I believe that's what the juror said.) Wouldn't you hope that somebody would inject some common sense at some point rather than robotically reading the law?

    That's why we have juries. But judges tell them all they can do is robotically read the law. It's awful.

    http://fija.org/

  14. I'm always close to violating copyright laws by Opportunist · · Score: 5, Insightful

    Why?

    Because I'm in IT security. My job is to analyze and dissect malware, not only to find out what it does but also how it does it, what attack vectors are used, what system flaws are exploited, what means of communication with a controlling server are used and, if possible, I should also try to cut those lines and render the malware useless, preferably create some kind of remedy or even protection against it. All this can usually only be done by taking a closer look at the software than is possible by simply watching it run. In other words, disassembly and protocol sniffing and decoding are two of the main parts of my work. Both already illegal in some countries.

    Now, fortunately my country provides protection for this (albeit ... well, I have a law that I might pull out of my ass should I need it, but it's anything but a certain victory in case anyone ever goes to court for it). But in theory, any writer of malware could pull any IT security company to court and stand a pretty good chance to win. Though he'd first have to admit that it was him who created the malware.

    In other words, as odd as it may be, I may violate that copyright because the one who could drag me to court for it certainly has no interest to come forwards and claim ownership of the code.

    And now let's ponder for a moment what will change should ACTA become reality and copyright violations get shifted from civil to criminal code. Technically, the State Attorney would have to step forward and protect the copyright of the writers of malware without them asking for it (because the SA has to act even without prompting from the injured party) and prosecute those that analyze malware and design protection and remedies against it.

    You see, you don't have to be the bad guy to think that ACTA is a really, really bad idea...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.