Re: seen recently at ACS/ITD

Jas (matt@nospam.uts.edu.au)
Fri, 19 Apr 1996 14:38:45 +1000 (EAST)

even before this reply, i wish to state that this reply is wholly my
opinion, and in no way, either explicit or implicit, constitutes ITD's
or ACS's opinion/policy.

this letter also attempts to put a past administrator's personal point
of view in the fray.. but it is a _personal_ opinion...

Cam Dorrington wrote this...

> On Thu, 18 Apr 1996, Ryan Shelswell wrote:

>> It sounded to me like students are allowed to be over the quota if
>> they have course-related materials they're working on (which is
>> good), but the way this is run means that the admins perv through
>> their files to make sure they are course-related (which is bad from
>> a privacy standpoint).

i think you'll find that they don't want any non course work related
stuff on their machines, over quota or no. normally it is tolerated,
but if provoked they will act on it. basically once a problem goes
beyond some amorphous boundary, the admins will move into action and
start dealing with it.

> Their current policy as per the message of the day basically says
> that they can go look at anything anytime and if they don't think it
> is course work punish you as per the university's rules and i
> presume this goes as far as exclusion if you do something they
> consider pretty bad.

yes that is the way the motd reads to me.

> In my opinion a policy that says our staff can and will be looking
> at all your files is pretty fucked, and this is in fact what has
> been happening. ACS staff have been systematically going through
> ppl's accounts mainly focusing on pictures, viewing those pictures
> and depending on what they are locking ppl's accounts for it, and
> from what i have heard they are basically locking ppl's accounts if
> the pictures are considered to be pornography, mainly i suppose
> because porn would be the content of most pictures that they find.

like i said before they will only act once the problem becomes a
problem, then they normally crack down on it. this _particular_
problem must have come to light, and so i guess they dealt with it.
as far as EEO policy goes "offensive" material (and this includes
pornographic material), is not permitted to be shown in a public
place, and this may have been what triggered this particular episode
off.

> From the way it is worded their policy extends to any information on
> their system, ie including mail, so if an acs staff member wanted to
> they could go and read all of your mail to determine if it is
> coursework related or not and presumably lock your account if it
> isn't.

this is an extreme case, but yes it would seem it allows for this. but
from an admin's point of view it is probable in the very near future
that admins/owners of system can be held liable for what is on their
machines (you can get info on this stuff from the attorney general of
nsw), and if you have any information that is considered "illegal" by
the censors board (i suspect this includes hard-core porn and the
like), then the admins/uni can be held responsible for this.. if this
is the case, then i think you'll find that the uni isn't going to wear
a possibly multi-million law suit for you.. now this represents the
other extreme, but i thought balancing the books was necessary to
provide a more sober view of things.. look at both extremes and
reality is usually somewhere in between..

>> From a privacy standpoint this is REALLY REALLY REALLY fucked.

yes and no. privacy as i understand it from the privacy guidelines
(again this can be got from the attorney general of nsw), is only a
problem when it is either explicitly or implicitly granted. now if
the motd says that you cannot expect any privacy, then there is no
problem as far as the privacy guidelines go. if you are not granted
privacy on the machine, then the admins going through your mail is
_acceptable_. please note that the privacy guidelines are not
law.. yet...

> Question:

>> Does ACS have some sort of code of ethics for people with superuser
>> access or is that sort of thing covered by an acceptable usage
>> policy if there is one as such ?

the system is a Unix system, root can do what they please, and if they
are smart enough can completely cover their tracks. if you want a
more secure system you'll need to move to a B2 or equivalent MLS OS,
which i suspect the uni doesn't have the money for, nor need for.

> Official answer is no (why am i not surprised).

official? which official?? who and when???

> My opinion of what is going on here is that ACS are way overstepping
> their boundaries by actively looking through peoples accounts,
> looking at anything they want to and making some sort of value
> judgement on its relevance to coursework/research of the owner.

overstepping? i personally don't think so. and as far as i understand
it they aren't making value judgements, they are abiding by university
laws, and laws of the land.

> Even in this day and age there is still such a thing as privacy,
> maybe ACS need to be educated of this. It is 'their' system and
> everybody using it has to abide by 'their' rules, however, that
> doesn't mean that their rules aren't fucked nor that there is no room
> for change in them.

i think you'll probably find they are more educated about it than you
are.. have you read the privacy guidelines? i have, and i made sure i
had, i also talked to corporate responsibilities about such things when
i was an admin, _some_ of the policies around ACS are a legacy of my
working there, some aren't.. i hope they kept the good ones :) but
basically these things have been looked into and i would hope that
things upstairs haven't gone totally ad hoc..

> Most people you talk to assume that no one can look at their stuff,
> and that if someone like an ACS staff member does have access, that
> they wouldn't actively monitor what they have. These are most
> probably the people that would not be likely to be on this list, or
> any other for that matter, just the average poor unsuspecting user
> who likes porn and thinks that no one will be able to see it and that
> it is safe stored in 'their' account that no one else can see.

i think you'll find they don't actively monitor what they have, and
definitely don't pro-actively monitor it, i think you'll find it much
much closer to re-active on the scale of things. you must realize
that if in the course of their work they come across something that is
"illegal" or could possibly be considered "illegal" they are obliged
to report it, and chances are they will check to see if there is more
than one person in the boat..

> Maybe it is time progsoc started making some official noise about
> this...... in terms of representing the UTS computing community's
> interests. Finding out what ITDs policies and practices are and
> making sure everyone knows about and is happy about them.

this would probably be a good idea. but you must be informed when you
make statements. now i'm no lawyer, i have never claimed to be, but i
have made an effort to read what i could get my hands on. i have
tried to get my own understanding on things (even though it's probably
wrong :P ).

Matt

P.S. from "strange days" Max (i think): "it's not whether you are
paranoid, it's whether you are paranoid enough".

personally i would never trust a machine that i didn't administer
myself, even then.

-- 
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
  Matthew Keenan   Data Network Admin   Information Technology Division
        University of Technology     Sydney Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. -- Rob Pike