10. The Boundaries of Cybersecurity: Ethics, Rights, and Laws 269 Charlie’s Privacy at Work Alice, a valued student worker for the University’s IT department, had just received an email from her boss asking her to come to his office as soon as possible. As she approached his desk, she was alarmed by the grim look on his face. When she asked what was going on he told her that he had a secret special assignment for her that needed to be completed as quickly, thoroughly, and discreetly as possible. He informed her that the police had called that morning, and that they were conducting an investigation into an investment analyst who worked for the University named Charlie. He asked Alice to gather all of the information that she could on Charlie going back six months so that it could be turned over to the police. Alice went right to work. First she grabbed the easy stuff, like all the emails he sent and received from his work email account, and the files stored in his directory on the network file server. Then she went a little deeper. She had remote admin login access to his work computer, so she logged in and copied down all of the files in his user directory and sub-directories, including a folder named “Personal”—her boss had said “all” data. Then she went to the VOIP server and ran a metadata report on all of the calls to and from Charlie’s office phone—no recordings of phone calls were stored, or she would have grabbed those, too. After this, she logged into his department’s copy machine, which did store copies of every document scanned, faxed, printed, and photocopied, and collected all the documents logged to his account over the past six months. Then she started brainstorming a little more and realized that she had access to even more of Charlie’s data. A user ID was needed to log on to the university’s wireless network, even with personal devices like smartphones and laptops. So Alice accessed the firewall logs and produced a report of every IP address that Charlie had visited from the campus network, regardless of what device he had been using. This is when she struck upon her best idea yet. Web browsing from university owned computers was proxied so that the network’s intrusion detection system could perform deep packet inspection on all web traffic, including HTTPS traffic. Even better, all of the web data was cached for a week in case it was needed for further analysis. So Alice dug around in the cache and was able to retrieve the unencrypted contents of all of Charlie’s web browsing from the past week, including all the URLs he visited, his social media activity, and the plaintext emails he sent and received from his personal email account. She considered that this might be a violation of Charlie’s privacy, but then again, he was at work and using his work computer on the university’s network—what could he expect?
RkJQdWJsaXNoZXIy MTM4ODY=