This will be an interesting case to watch. I'll be curious if the defense
follows along corporate lines for monitoring. The gap is likely notice, but an
argument could be made that if one spouse effectively acts as the computer
administrator and normally has to set up accounts and so forth, that person is
acting much like an IT department. Before you all react, follow the logic for a
moment... in my house, the DSL account is administered by me. All of the email
accounts associated with the DSL account are "child" accounts to the master,
which is mine. When I set up the accounts, I set up the passwords and I'm the
fallback if someone forgets their password (at least until they set up separate
security questions with the provider -- at that point, they "own" their part of
the account, as far as I'm concerned -- although I think I have the ultimate
ability to unlock a locked account). The computers and all the security are
administered by me as well. I purchased and installed the antivirus software and
have set up the firewalls and browsing rules. I've also purchased all of the
computers on the network, outside of one of my daughter's friends who can use
the wi-fi connection when she comes over (although she had to be authorized by
me to get access to the connection). Arguably, again, that makes me the system
administrator and as part of my normal routine, I need to understand what is
coming into the home network that could be malicious. So from a routine
standpoint, it could be argued that a spouse may fill that sort of role. And if
I am technically the owner (or at least the co-owner of the computers and the
network), how can I hack my own network?

That said, the next issue is expectations of privacy. Now if I install a
keylogger or break SSL (https) connections on my home network, there might be
some other issues if I haven't told anyone using the home network that I do
that. Those are truly hacker activities, although one could certainly argue that
they are also in-depth monitoring techniques that are often used by law
enforcement or corporations. If I have serious concerns about the security of my
home network, I may need to implement those sorts of techniques to determine
what is going on. I suppose that there are any number of home computer users who
routinely deploy advanced forensic tools at home either as a hobby, for learning
purposes, or for monitoring purposes. Mind you, there are not a lot of people
who do this or are capable of doing this, but there are likely some who truly
"hack" their own networks to see what is really going on. That's potentially
troublesome because most advanced forensic tools and network monitoring tools
make collection of passwords and confidential information pretty trivial.
Frankly, defeating a Windows logon password on a home computer is trivial.

In the instance cited in Michigan, it appears that the spouse consulted a book
of passwords that his wife left by her computer. That's not hacking. He didn't
unlock a secured drawer, he didn't try a bunch of terms to find the right
password, he didn't social engineer the password from his spouse, he didn't
crack the passwords -- he apparently looked them up in a book left next to the
computer on his network. Now the issue in his case is that he did share what he
saw with a third party and I think this is where he probably crossed the line as
far as the prosecutor is concerned.

In the corporate world, we provide notice to employees that their computer
activities can and will be monitored. We don't go into a lot of detail about our
techniques, mainly because they change and changing banners and policies to
delineate what we do takes a lot of time and probably would be meaningless to
most users. So we simply indicate that we monitor and that an employee has
little or no expectations of privacy (except for jurisdictions where such
privacy is protected by law, of course). That's probably a little overboard for
the home network, but it is probably a good topic for discussion in most
families.

A general baseline for consideration is likely that what is stored inside your
firewall is probably fair game for inspection generally (and anyone who is
familiar with computer forensics knows that a lot of information is retained
locally). Outside the firewall is problematic and I would suggest that
unauthorized use of someone's credentials to view data stored "in the cloud" may
cross a line. But I would suggest that the full scope of the activity needs to
be understood. Who established the account? Who pays for the account (if it is a
paid account)? Who is responsible for unlocking a locked account? There's
probably a series of hurdles that should be crossed before a family member is
charged with a crime for examining another family member's account.

Patrick Cunningham, CRM, FAI
"Perpetual optimism is a force multiplier."
-- Colin Powell
List archives at http://lists.ufl.edu/archives/recmgmt-l.html