Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
What Workplace Privacy Will Look Like In 10 Years
Newest First  |  Oldest First  |  Threaded View
hunterpj
hunterpj,
 User Rank: Strategist
6/20/2014 | 4:43:19 PM
So true...
So true...

The ECPA has been criticized for failing to protect all communications and consumer records, mainly because the law is so outdated and out of touch with how people share, store, and use information nowadays. For instance, under the ECPA it is relatively easy for a government agency to demand that service providers hand over personal consumer data that has been stored on their servers.

For instance, email that is stored on a third party's server for more than 180 days is considered by the law to be abandoned (amazing), and all that is required to obtain the content of the emails by a law enforcement agency, is a written statement certifying that the information is relevant to an investigation, without judical review. Yet in a patent lawsuit ever piece of electronic communication in your posession including archived backups can be frozen by subpoena and subject to future review for applicibility to the case.

Obviously, the ECPA needs a major overhaul. Just imagine the furor that will be created as every congressman, agency, and lobbyist jockey to put their 2-cents in. And of course any new law will the ultimately play out in the courts as there will be challenges and counter challenges as we have seen with current ECPA.

 

dmelnick
dmelnick,
 User Rank: Author
6/20/2014 | 4:27:48 PM
Re: Some US Law Already Exists But Protection is Limited
Great point Hunterpi,

I think its fascinating that we have specifically protected phone communications, but left email wide open and unprotected. I think this is largely law playing catch up to technology. For example, is skype subject to any safegaurds? Still interesting that employers can listen to your voicemail but with a clean Acceptable Use Policy, they can read all your email. 
hunterpj
hunterpj,
 User Rank: Strategist
6/20/2014 | 3:47:50 PM
Some US Law Already Exists But Protection is Limited
The Electronic Communications Privacy Act ("ECPA") prohibits employers from listening to employees' personal telephone conversations or voicemail messages in the workplace, whether the calls are made or received on a work telephone or an employee's personal cell phone. An employer also is potentially liable under the ECPA if he or she deletes or prevents an employee's access to voicemail messages. 

Seems like the the precedence is well established, except:

Employers can also generally monitor employee's phone calls for quality control purposes. They are supposed to cease monitoring once they are aware that the call is personal, though. If there is a policy in place against personal calls, however, the employer can listen to enough of the call to determine that it is personal, and the employee may still face disciplinary action for the personal call even if the employer didn't listen to the entire call.

Some states, such as California, require that all parties to a monitored phone conversation receive notice about the monitoring. If your state has such a law, your employer is required to inform you if they plan to monitor your phone calls.

Most of the latest technologies are not specifially detailed.

So a person is entitled to some privacy at work, but have far fewer privacy rights at work than they do in their personal life.
RetiredUser
RetiredUser,
 User Rank: Ninja
6/20/2014 | 1:35:55 PM
Re: Security vs Privacy vs Performance
@dmelnick

Exciting times :-)  Can't wait to see how that architecture is going to look, and then quickly identifying the exploits so we can make it better.

Look forward to your next article, David.  This is an area I have great interest in.

Cheers!
dmelnick
dmelnick,
 User Rank: Author
6/20/2014 | 1:28:03 PM
Re: Security vs Privacy vs Performance
Chrisitanabryant,

I think we are closer in position than it may appear. I agree in the need for separation. A clean barrier. But I believe that we can architect that barrier logically. In fact, I believe the idea of physical bariers may become increasingly problematic in a cloud based, multi-device world. Our interface (UI) tech may increasingly become personally owned. People currently dont expect work to provide their clothes, and someday soon we may bring our own UI to work and just using the work computing power, applications and data to perform our tasks. In this world, we must seek an architecture to safegaurd privacy. I believe a whole software privacy market is in its infancy and will ultimately develop the tools and techniques to enable our privacy amidst work and other computing demands.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
6/20/2014 | 12:59:31 PM
Re: Security vs Privacy vs Performance
 I would like to challenge the idea that we can fully separate our personal and professional use of technology.

I wholeheartedly aggree with that point, Dave. We can't fully separate our personal and professional use of technology and as we move into the IoT the distinction will become even more blurred.  
Whoopty
Whoopty,
 User Rank: Ninja
6/20/2014 | 12:25:45 PM
Gesture
The idea of a gesture switching us between personal and professional data profiles has me excited, as I struggle already to differentiate between the two sometimes. 

It's also gratifying to read someething where the future isn't doom and gloom or some 1984 scenario where no person's privacy is sacred. Nicely done. 
RetiredUser
RetiredUser,
 User Rank: Ninja
6/19/2014 | 7:39:05 PM
Re: Security vs Privacy vs Performance
@dmelnick

"Wrestle" is the key word. While I acknowledge the state you are describing is occurring and will further evolve in the near future, I believe (and in some cases know from first-hand experience) that not keeping a physical barrier between work and life can lead to serious personal privacy and work security concerns (whether that be never reading company email on your own device, or accessing the Internet or cloud for personal use from your work computer).  Can that barrier be inconvenient?  Sure – I have a small Acer GNU/Linux laptop that goes with me to work, and I log onto a non-company network to access personal apps and the Internet.  The reason is that I will never be the source of a malware or virus attack, or intrusion at work that might lead to sensitive information getting out – and we have plenty here.  Walking around the office I see many apps and websites open on company hardware that are ripe for intrusion.  Is that the fault of IT?  Certainly they need to work on policies and procedures to lock down and define workflow, but in the end, it is also the fault of the tech industry (if you subscribe to my view rather than believing BYOD and work/life integration is inevitable) for not writing security and privacy considerations into emerging tech such that someone can have one device, but have a physical separation between work and life (dual boot, for instance) that makes sure that the issues found in one environment can not and never will bleed over to the next.

I know, I'll be wearing tinfoil hats soon if I keep up with that train of thought :-)  But there's something to be said for those of us who "keep it separated" and how our work benefits from it.

   
dmelnick
dmelnick,
 User Rank: Author
6/19/2014 | 7:15:35 PM
Re: Security vs Privacy vs Performance
I appreciate your thoughtful observations. It appears you subscribe to the idea of separating your personal stuff from the work place to address privacy risk. I would like to challenge the idea that we can fully separate our personal and professional use of technology.

As the work day grows longer and people increasingly perform work outside the traditional office and at home (extended enterprise). As people use their own devices for work email and work devices for personal use (mobility). I believe emerging mobile technolgoy and the digital space broadly has forever blurred our work and personal lives. Once you accept that our personal and professional lives have become intertwined, we become forced to wrestle with how to manage boundaries to protect both the work place and our private space. 
RetiredUser
RetiredUser,
 User Rank: Ninja
6/19/2014 | 3:27:42 PM
Security vs Privacy vs Performance
I believe in the tech-integrated/enhanced near-future with enthusiasm. However, I also believe that workplace privacy needs to be carefully standardized. I think part of the issue regarding the understanding for what this actually is stems from confusion by both users and managers regarding the difference between security, privacy and performance.

For example, when it comes to allowing users access to an application like Twitter in the workplace, several questions need to be asked: 1) Is it relevant to the user's job? 2) If not, will having it affect their ability to do their work? 3) Might they post something damaging to the company, whether it be negative comments, or posting sensitive data? 4) Should the company have the ability to monitor what the user is reading/posting?

This collection of questions regarding a single app touches on security, privacy and performance. But "privacy" in the workplace is related to what a user can keep from an employer that will prevent that employer from bullying them, or leveraging information to cause a relationship to happen or to get work from the user that is not part of the contract of work as understood by standard practices (see Richard Stallman's take).

But for my part, I think you should not be able to install applications on your work-related computer if that is not part of the culture, especially if you work for a hospital, security firm, financial institution, and so on, because bringing your personal life to work does, and I stress does, impact the security and performance of your work.

Workplace privacy? Sure, if you like to dress in drag your boss doesn't need to know; but you also don't need to be letting that information out while at work over email, texts, Tweets or any other method that sits on company property meant for getting your job done. Know the difference, be responsible at work.

And if your employer insists on you enjoying all those perks, you may want to double-check your computer for spy-ware, or at least make sure your privacy is guaranteed on paper, because you have just opened yourself up to a slip that could later cost your job.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41340
PUBLISHED: 2022-09-24
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.
CVE-2022-23463
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes suc...
CVE-2022-23464
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information...
CVE-2022-23461
PUBLISHED: 2022-09-24
Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.
CVE-2022-36025
PUBLISHED: 2022-09-24
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incor...