Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
What Workplace Privacy Will Look Like In 10 Years
Newest First  |  Oldest First  |  Threaded View
hunterpj
hunterpj,
 User Rank: Strategist
6/20/2014 | 4:43:19 PM
So true...
So true...

The ECPA has been criticized for failing to protect all communications and consumer records, mainly because the law is so outdated and out of touch with how people share, store, and use information nowadays. For instance, under the ECPA it is relatively easy for a government agency to demand that service providers hand over personal consumer data that has been stored on their servers.

For instance, email that is stored on a third party's server for more than 180 days is considered by the law to be abandoned (amazing), and all that is required to obtain the content of the emails by a law enforcement agency, is a written statement certifying that the information is relevant to an investigation, without judical review. Yet in a patent lawsuit ever piece of electronic communication in your posession including archived backups can be frozen by subpoena and subject to future review for applicibility to the case.

Obviously, the ECPA needs a major overhaul. Just imagine the furor that will be created as every congressman, agency, and lobbyist jockey to put their 2-cents in. And of course any new law will the ultimately play out in the courts as there will be challenges and counter challenges as we have seen with current ECPA.

 

dmelnick
dmelnick,
 User Rank: Author
6/20/2014 | 4:27:48 PM
Re: Some US Law Already Exists But Protection is Limited
Great point Hunterpi,

I think its fascinating that we have specifically protected phone communications, but left email wide open and unprotected. I think this is largely law playing catch up to technology. For example, is skype subject to any safegaurds? Still interesting that employers can listen to your voicemail but with a clean Acceptable Use Policy, they can read all your email. 
hunterpj
hunterpj,
 User Rank: Strategist
6/20/2014 | 3:47:50 PM
Some US Law Already Exists But Protection is Limited
The Electronic Communications Privacy Act ("ECPA") prohibits employers from listening to employees' personal telephone conversations or voicemail messages in the workplace, whether the calls are made or received on a work telephone or an employee's personal cell phone. An employer also is potentially liable under the ECPA if he or she deletes or prevents an employee's access to voicemail messages. 

Seems like the the precedence is well established, except:

Employers can also generally monitor employee's phone calls for quality control purposes. They are supposed to cease monitoring once they are aware that the call is personal, though. If there is a policy in place against personal calls, however, the employer can listen to enough of the call to determine that it is personal, and the employee may still face disciplinary action for the personal call even if the employer didn't listen to the entire call.

Some states, such as California, require that all parties to a monitored phone conversation receive notice about the monitoring. If your state has such a law, your employer is required to inform you if they plan to monitor your phone calls.

Most of the latest technologies are not specifially detailed.

So a person is entitled to some privacy at work, but have far fewer privacy rights at work than they do in their personal life.
RetiredUser
RetiredUser,
 User Rank: Ninja
6/20/2014 | 1:35:55 PM
Re: Security vs Privacy vs Performance
@dmelnick

Exciting times :-)  Can't wait to see how that architecture is going to look, and then quickly identifying the exploits so we can make it better.

Look forward to your next article, David.  This is an area I have great interest in.

Cheers!
dmelnick
dmelnick,
 User Rank: Author
6/20/2014 | 1:28:03 PM
Re: Security vs Privacy vs Performance
Chrisitanabryant,

I think we are closer in position than it may appear. I agree in the need for separation. A clean barrier. But I believe that we can architect that barrier logically. In fact, I believe the idea of physical bariers may become increasingly problematic in a cloud based, multi-device world. Our interface (UI) tech may increasingly become personally owned. People currently dont expect work to provide their clothes, and someday soon we may bring our own UI to work and just using the work computing power, applications and data to perform our tasks. In this world, we must seek an architecture to safegaurd privacy. I believe a whole software privacy market is in its infancy and will ultimately develop the tools and techniques to enable our privacy amidst work and other computing demands.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
6/20/2014 | 12:59:31 PM
Re: Security vs Privacy vs Performance
 I would like to challenge the idea that we can fully separate our personal and professional use of technology.

I wholeheartedly aggree with that point, Dave. We can't fully separate our personal and professional use of technology and as we move into the IoT the distinction will become even more blurred.  
Whoopty
Whoopty,
 User Rank: Ninja
6/20/2014 | 12:25:45 PM
Gesture
The idea of a gesture switching us between personal and professional data profiles has me excited, as I struggle already to differentiate between the two sometimes. 

It's also gratifying to read someething where the future isn't doom and gloom or some 1984 scenario where no person's privacy is sacred. Nicely done. 
RetiredUser
RetiredUser,
 User Rank: Ninja
6/19/2014 | 7:39:05 PM
Re: Security vs Privacy vs Performance
@dmelnick

"Wrestle" is the key word. While I acknowledge the state you are describing is occurring and will further evolve in the near future, I believe (and in some cases know from first-hand experience) that not keeping a physical barrier between work and life can lead to serious personal privacy and work security concerns (whether that be never reading company email on your own device, or accessing the Internet or cloud for personal use from your work computer).  Can that barrier be inconvenient?  Sure – I have a small Acer GNU/Linux laptop that goes with me to work, and I log onto a non-company network to access personal apps and the Internet.  The reason is that I will never be the source of a malware or virus attack, or intrusion at work that might lead to sensitive information getting out – and we have plenty here.  Walking around the office I see many apps and websites open on company hardware that are ripe for intrusion.  Is that the fault of IT?  Certainly they need to work on policies and procedures to lock down and define workflow, but in the end, it is also the fault of the tech industry (if you subscribe to my view rather than believing BYOD and work/life integration is inevitable) for not writing security and privacy considerations into emerging tech such that someone can have one device, but have a physical separation between work and life (dual boot, for instance) that makes sure that the issues found in one environment can not and never will bleed over to the next.

I know, I'll be wearing tinfoil hats soon if I keep up with that train of thought :-)  But there's something to be said for those of us who "keep it separated" and how our work benefits from it.

   
dmelnick
dmelnick,
 User Rank: Author
6/19/2014 | 7:15:35 PM
Re: Security vs Privacy vs Performance
I appreciate your thoughtful observations. It appears you subscribe to the idea of separating your personal stuff from the work place to address privacy risk. I would like to challenge the idea that we can fully separate our personal and professional use of technology.

As the work day grows longer and people increasingly perform work outside the traditional office and at home (extended enterprise). As people use their own devices for work email and work devices for personal use (mobility). I believe emerging mobile technolgoy and the digital space broadly has forever blurred our work and personal lives. Once you accept that our personal and professional lives have become intertwined, we become forced to wrestle with how to manage boundaries to protect both the work place and our private space. 
RetiredUser
RetiredUser,
 User Rank: Ninja
6/19/2014 | 3:27:42 PM
Security vs Privacy vs Performance
I believe in the tech-integrated/enhanced near-future with enthusiasm. However, I also believe that workplace privacy needs to be carefully standardized. I think part of the issue regarding the understanding for what this actually is stems from confusion by both users and managers regarding the difference between security, privacy and performance.

For example, when it comes to allowing users access to an application like Twitter in the workplace, several questions need to be asked: 1) Is it relevant to the user's job? 2) If not, will having it affect their ability to do their work? 3) Might they post something damaging to the company, whether it be negative comments, or posting sensitive data? 4) Should the company have the ability to monitor what the user is reading/posting?

This collection of questions regarding a single app touches on security, privacy and performance. But "privacy" in the workplace is related to what a user can keep from an employer that will prevent that employer from bullying them, or leveraging information to cause a relationship to happen or to get work from the user that is not part of the contract of work as understood by standard practices (see Richard Stallman's take).

But for my part, I think you should not be able to install applications on your work-related computer if that is not part of the culture, especially if you work for a hospital, security firm, financial institution, and so on, because bringing your personal life to work does, and I stress does, impact the security and performance of your work.

Workplace privacy? Sure, if you like to dress in drag your boss doesn't need to know; but you also don't need to be letting that information out while at work over email, texts, Tweets or any other method that sits on company property meant for getting your job done. Know the difference, be responsible at work.

And if your employer insists on you enjoying all those perks, you may want to double-check your computer for spy-ware, or at least make sure your privacy is guaranteed on paper, because you have just opened yourself up to a slip that could later cost your job.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-34918
PUBLISHED: 2022-07-04
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an u...
CVE-2022-34829
PUBLISHED: 2022-07-04
Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.
CVE-2022-31600
PUBLISHED: 2022-07-04
NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmmCore, where a user with high privileges can chain another vulnerability to this vulnerability, causing an integer overflow, possibly leading to code execution, escalation of privileges, denial of service, compromised integrity, and informat...
CVE-2022-31601
PUBLISHED: 2022-07-04
NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmbiosPei, which may allow a highly privileged local attacker to cause an out-of-bounds write, which may lead to code execution, denial of service, compromised integrity, and information disclosure.
CVE-2022-31602
PUBLISHED: 2022-07-04
NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with elevated privileges and a preconditioned heap can exploit an out-of-bounds write vulnerability, which may lead to code execution, denial of service, data integrity impact, and information disclosure.