Location: Upper Boardroom, First United Church, 16 William St W, Waterloo, ON N2L 1J3 (enter from parking lot door, upper boardroom is next to the entrance to the church sanctuary, upstairs https://osm.org/go/ZXna93PBA)
Date: Monday, February 12, 2018
How do we keep our workplaces secure? Does your organization use cameras? Does it filter web content? Check for document exfiltration? Inspect e-mail? Monitor keystrokes? Is this sneaky, underhanded spying, or merely good business practice? What are the ethics of corporate surveillance for System Administrators?
Join Kitchener-Waterloo Non-Profit System Administrators at our monthly round table meeting for a technical, philosophical and moral discussion.
–Bob Jonkman & Marc Paré
Notes taken by Bob Jonkman
What is Corporate Surveillance
- Most corporate management is meant to ensure computers aren’t altered, no viruses are introduced
- Bob has worked in a place that checks all outbound e-mail for keywords, looking for data exfiltration.
- Some exfiltration data is monitored for employees’ protection, also video camera footage, so if theft occurs employees are not falsely accused
- Some places archive e-mail for several months
- Data retention required for legislative purposes, but can be used for forensics and surveillance
- Is employee monitoring legal? Yes, employees sign contracts allowing this to take place, and that all data belongs to the corporation
- Including “shower ideas”, that are developed outside of company time
- Some places allow “reasonable use” of telephone, internet.
- Do employees even know they’re being monitored?
- There may be pop-up messages indicating that USB-drives are inserted, &c.
- Sometimes you see evidence of SysAdmins taking remote control
- But would you still want to work in a place like that?
- Very stressful to work in a place like that.
- Washroom breaks being logged!!
- Creepy for those being surveilled
- Maybe employees need a guarantee that the data will not be retained, and is secure from data theft
- Need a union to protect the employees
- Even when it’s obvious that data on the computer is being logged and monitored
- Is that common sense?
- Some SysAdmins do not want to do forensics against their co-workers
- Or even SysAdmins doing forensics against managers
- Refusal to perform surveillance against co-workers can result in dismissal
- Sometimes the stuff unearthed is disturbing (pornography? worse?)
- We can all make reasonable arguments in favour of surveillance
- But big companies have shown time and time again that they can’t be trusted with the data
- And we can’t opt out
- Data correlation can identify individuals in millions of records based on only three data points
- Definitely unethical to sell my data collected through browsing
- But it’s OK if one company shows their products based on data they’ve collected previously
Internet Surveillance Companies (ISC) provide services at no cost to the user, but their business model is based on selling those users’ data
- Google is providing a service that predicts your “needs and wants” based on analysis of big data
- Selling it to advertisers, insurance agencies, potential employers
- “Minority Report”, “Thoughtcrime”
- The “free services” are monetized by the sale of personal data
- Most people don’t know how much, how detailed it is
- You’re constantly being given things you want to see, you want to hear
- But it’s nothing that grates you, nothing that you don’t want to see
- So your online experience is shaped in a pleasant way
- For someone who wants something different, the experience is not in that model
- It’s more insidious — you’re being tempted to have greater desires
Your desires are being shaped, not reflected by the collection of big data – Steve Izma
“5 things about TV” (get actual title from Steve Izma)
- Subliminal advertising, designed to hit your subconscious
- Outlawed on TV
- There is similarity between what anti-spam laws prohibit and what ISC are doing
- Reddit: Kids know that laws are weaker in US, consider Canada more favourable for keeping privacy
- As a SysAdmin, if you collect data on employees, what stops ISC from gathering that data?
- Try to safeguard your employees, your company, your employers.
- Not just stealing stored data, but data from streaming services (search, video, forums)
- Google acts like an independent nation
- Needs legislation; corporations will kill people for profit if not prevented by law
- Internet Surveillance Companies give us what we want, but are they reshaping our values?
- Culture is important, will surveillance companies change your culture?
- People rooted in culture are more difficult to move
- We need legislation to preserve culture; we can trust our politicians to look out for us (???)
- (Side conversation on government subsidising Canadian culture)
- Good: Preserves our culture
- Bad: The good culture just moves offshore, only the mediocre Canadian stuff stays behind
- Some producers will create anything just to attract grant money
- Canadian funded productions are made to look like American productions; no cultural benefit to Canadians
- Canadians need to support Canadian businesses
- If Blackberry had been a US company, would they have been successful?
- Lots of loyalty — Microsoft failed in the mobile market
- Nortel failed not because they were Canadian, but because they made poor choices
- 19-year-old believes Canada has a better grip on surveillance legislation
- He gets a wider point of view, not just from one source
- Canada has lots of regulations to keep data private
- In the US much data privacy data is pushed by FBI; Canada’s equivalent is RCMP
- Is the funding and capability in Canada equivalent? (10% tax base of US)
- “Five Eyes”, mutual spying on each other
- Bell has a proposal to throttle and turn off sites they find offensive
- Done through an “independent body”; keep our content we’ve paid for out of pirates’ hands
- Who will monitor the Canadian web? The CRTC? Who enforces the regulations?
- Yet another attempt by Big Media to provide services in the old model
- Blackberry’s encryption may be good, but they’ve still compromised themselves for large markets
- How can we protect ourselves?
- Don’t use the main services like Google (use SearchX) or Twitter (use GNUsocial or Mastodon)
- Use proxy services like Tor and I2P (the Dark Web)
- Use VPN services (but how can you trust the VPN provider?)
- Trying to do black-box analysis of “protection” sites may be hazardous
- As bad as our loss of privacy is, other countries have their entire access blocked (and surveilled)
- Corporate profits always take priority over ethics
- Not a sustainable model in many cases
- Staff is hired to find loopholes in contracts to maximize profits
- Corporations that go out of business are cannibalized to create new markets, improve
- Venture Capitalists will also undermine ethics
- Tim Wu, “The Master Switch”, on how corporations shape the legislation that controls them, and how independent service providers get displaced by monopolies
- Privately held companies (and non-profits) can still uphold their ethics
- Fallout from data breaches: Equifax, Yahoo
- How do these companies work? “reputation management companies”
- Do these companies operate?
- You can get your own data from them, legally mandated
- There are Meta-access services that get info from all services