Privacy Issues

[Adam1V]

My Supervisor (not the big boss), has decided that it would be in the companies interest to keep an up to date log of EVERYONES username/password for the computers (joining the sbs server).

The reasons for it is that if an important email is sent to someone, or someone has an important file on their PC then we can still get to it in an emergency.. which we could still do anyway.

Is there any data protection or privacy that stops this from happening? My supervisor aruges that its all business use and not personal so there should be no privacy.

Im strongly against this, there is no way i want a list of everyone?s passwords and there is no way im going to give anyone my password.

OF course this list would be kept only accessible by one or two managers.

Any have any suggestions or recommendations?

Adam

[Dick Montage]

Ridiculous. A well maintained environment would need no such policy. Access to passwords should be one-way only. Admins can reset them, but not see them. In an "emergency", the network admin should already have rights to:

a) Reset the specified users password

b) Be a local admin and be able to interrogate the machine / accounts

c) Be a domain admin as be able to interrogate the machine / accounts

Moreover, emails and work files should not be stored locally but on a relevent server (exchange/fileserver/sharepoint).

As much as the computers are a company resource, a lot of people use passwords that are reflective of other passwords they may use elsewhere. There is No reason for anyone to know passwords.

My CTO has access to anything I do/send/post/save but has no need for my password.

[FlibbyFlobby]

If you ask me your supervisor doesn't understand exactly how networks work. As an admin you'll be able to access anyone else's files and email anyway, and be able to reset their password should there be an emergency. Personally I'd refuse to tell my password, its nobodies business but my own.

[mycoolkim]

Thats just sad, its private why not also ask for your bank card pin code aswell? lol

[Adam1V]

Thanks for the heads up.

The emails are stored within exchange server. You mentioned your CTO has access to your emails if needs be, but how is this done?

I wasnt aware i could do this.

[Dick Montage]

It's about rights and permissions. I believe inherrited from AD but not so sure. But he can open any users mailbox. I can open my juniors mailbox, for example.

[EcPercy]

My Supervisor (not the big boss), has decided that it would be in the companies interest to keep an up to date log of EVERYONES username/password for the computers (joining the sbs server).

The reasons for it is that if an important email is sent to someone, or someone has an important file on their PC then we can still get to it in an emergency.. which we could still do anyway.

Is there any data protection or privacy that stops this from happening? My supervisor aruges that its all business use and not personal so there should be no privacy.

Im strongly against this, there is no way i want a list of everyone?s passwords and there is no way im going to give anyone my password.

OF course this list would be kept only accessible by one or two managers.

Any have any suggestions or recommendations?

Adam

I take it you don't already have some sort of network use policy in place stating that you won't give out your password to anyone? You really should tell your boss that as a sys admin you already have the ability to get into everyone's account and that having everyone's password is a serious security risk.

[JK1150]

I don't think it's possible to get a password from an AD account even as an administrator without brute forcing it...

[Dick Montage]

Nobody has said it is! They have said you have access to their account files and permissions - which does not imply access to their password.

[Adam1V]

thanks guys, ive pretty much found out everything i need to know.

Emails can be shared by right click their inbox initially and goign to the sharing tab.

As an administrator i can also access files if needs be.

I can see no other reason for having someones password

[Ferret]

I can see no other reason for having someones password

That is correct !

I would never expect anyone's password !

[MrBear5587]

Absolutely, as already mentioned passwords should be strictly one way.

If need be, the Admin can reset a users password to a temporary one to gain access to the account/files if they don't have already.

But wanting to keep a list of all user name/passwords is easily a breach of privacy, and a half-baked idea anyway.

What happens when the list falls into the wrong hands? Or when a user changes his/her password.

The very fact that the "supervisor" is requesting this, makes me wonder how he/she got the job.

[The_Decryptor Veteran]

A centralized list of all user names and passwords for every employee?

I can't see any issues with that.

[kampioen]

tell him to talk to the computer administrator.. if something is needed in emergency on your login.. the admin can reset your password to anything and access it.. once you are back.. you set your password back to whatever...

[Garry]

Remind your supervisor that him knowing everybody's password does two things:

a) Renders your AUP useless.

b) Makes him a target.

If a user was ever accused of doing something they shouldn't then they would be in a position to simply accuse you AND/OR your supervisor of doing it since you know their password and can log in as them.

[bobbba]

A centralized list of all user names and passwords for every employee?

I can't see any issues with that.

Glasses needed? :whistle: :D

[Puggsley]

It's realy not a good idea to put yourslef in that position. I used to give myself access to everyone exchnage boxes but stopped doing that now cos someone accused me of spamming, thanks to audit logging i proved it wasn;t me but i now only gain access to other peolple emails when asked by the person in charge, and only while they're present.

Having the passwords shouldn't matter with regards to Data protection but its what you do with them that could cause trouble!

[TaZsPaZ]

I would have to say there was one thing I didn't see anyone of you state in this email. As a consultant and IT manager I've had to deal with this in the past and have spoken with several peers. It is common to hear this type of request coming from a company looking for either a) to much control or b) paranoid (be it legal or personal reasons) and c) that do not have a clear understanding of the law and recent court standings.

This boils down to a privacy issue. The information, as you have found through this post, is readily available to anyone with administrative access to the systems in question. Be it a file, data table, email, or many other items; this is the point of Administrative Access.

Here is something to think about, please keep in mind it is only from the Federal Perspective and does not include potential local statutes you may have to deal with:

"The Electronic Communications Privacy Act (ECPA) (18 U.S.C. ?? 2510-20; 2701-2711), is the only federal statute relevant to claims of workplace invasions of privacy by electronic means. The ECPA prohibits (1) unauthorized and intentional "interception" of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized "accessing" of electronically stored wire or electronic communications.

For purposes of interpreting the Act, it is important to note that an e-mail is an "electronic communication" as that phrase is defined in ? 2510. In the specific context of e-mails, it is also important to determine whether an employer "intercepted" the e-mail while it was being transmitted, or whether he/she "accessed" it minutes, days, or weeks after it was stored in an employee?s computer. This distinction is important because different penalties apply:

? Section 2701 prohibits the unauthorized access of an e-mail that is stored in a computer. A violation of ? 2701 subjects the violator to a fine of up to $10,000 and/or a sentence of up to one year in prison.

? Section 2511, on the other hand, prohibits the interception of an e-mail while the e-mail is being transmitted, and subjects the violator to penalties of up to a $10,000 fine and/or up to five years in prison.

The ECPA contains two exceptions that are pertinent to e-mail communications. First, under the system provider exception, the prohibitions on the interception, disclosure, or use of electronic communications do not apply to conduct by an officer, employee, or agent of a provider of electronic communication services if the interception occurs during an activity necessary to the rendition of the service or to the protection of the rights or property of the provider."

For example, a Massachusetts court found that reviewing employees' mail using a supervisor's password violated state law against "unreasonable, substantial or serious" interference with privacy (Restuccia vs. Burk Technology).

Please note here that I only focused on email. The ECPA is far reaching as well as the state and local statutes. Some states even have vague ties in their state constitutional amendments. You'd have to check on your local and state laws to be sure.

In the end it comes down to having a sound monitoring policy in place. One in which everything is spelled out, is signed by the employee and counter-signed by the IT dandand HR. Remember, even though the Federal laws are currently very vague on the privacy laws they, as well as state and local courts have found in favor of the employee in these situations on many more occasions than businesses have won.

Tread cautiously.

My two cents anyhow.

Edited May 21, 2007 by TaZsPaZ

[Dick Montage]

Thanks for that - I wasn't going to state any legal issues as I don't know them off the top of my head.

[win2000b]

Also if you deal with any financial data the old Sarbanes Oxley Act applies.

http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

[TaZsPaZ]

Also if you deal with any financial data the old Sarbanes Oxley Act applies.

http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act

A common mislead for most people is the above statement. Please don't take me wrong this is NOT a flame, just a nudge in the right direction.

Sarbanes-Oxley is not about all company's financial data. In fact if your company is not subject to public debts or the SEC (because your company is public) you do not have to be bound by SOX (though I highly recommend following the practices as a "best practices" model). Please bear in mind if your company was public and went private you may still be subject to SOX due to public debts outstanding.

There are various issues (not meant to be all inclusive here) "Privacy in the Work Place", Payment Card Industry (PCI formerly CISP) compliance, Health Insurance Portability Accountability Act (HIPAA), and of course we should all be familiar with Control Objectives for Information and related Technology (COBIT). Like I said you will also want to know any local, state, and federal laws for the industry your shop is doing business in/with. For those of us that consult or work in an industry that services the Department of Defense (DoD) there are others such as knowing the audit procedures for the GAO, IG, DITSCAP, DAA approvals, etc etc....

Wow, didn't really sit back and think of the scope here as I started to write. One of the things that has amazed me when I was consulting up until a year ago was simply that many people don't know the governance policies for their particular industry's that they service or work in. Seems so many people just focus on SOX, PCI, and HIPAA (if in the health industry). It's scary how much more is needed knowledge not just for middle managment and executives but for your basic Net Admin. Even scarier is the fact that most Net Admin's believe that as long as it's in email from the boss' that they are covered if ever an issue arises. *shivers*

Please, I don't want to sound like I know it all as I know I do not even come close to knowing everything. However the industries I choose to consult in I knew the "rules" and the industry I now work in I know the "rules" that apply to my job function and those above me. I urge all that read this to do the same. You never know when you have a disgrundeled employee leave and just how much he/she might do to exact their own personal "vengance" on the company. Thereby putting you at risk as well.

Hmm...this is making me think I need to go find a new job at a small company!

(Am I making any sense today or just rambling on?) :o

Edited May 25, 2007 by TaZsPaZ

[Odom Member]

Makes perfect sense to me. The very first company I was with, the IT manager set the passwords for everyone in the company, except for some other managers, and usually within the same department everyone had the same password. I was called out during my holliday and threated to be fired because I had a password in my *.pst file. My boss was accessing my data and telling me it all belongs to the company and there is no reason for me to have any passwords. One admin to rule them all! :) Want to spy on a user? Hell, you're the admin and can get anywhere you want, check out email, personal files, etc... Even better, turn on VNC on the other guy's PC and you can even see what they're doing. How many times did I catch the boss as if watching TV.

I'm now in a big multinational company, IT is split up in so many departments, there is no one that can access everything. Someone needs to access to someone else's email for whatever emergency? Sure, it's possible. Get all the needed approvals and you might get a chance. There was also a lot more that I had to sign than my first job :) It's a whole new ballpark.

But companies without a defined policy on data and such, if you're the admin, sooner or later you'll be between the sword and a wall.