The trust issues as described are all one way. Putting it simply:-

The organisation has decided not to trust its employees so will 
constantly monitor them (Could effective training be an alternative?); 
The employee’s rationale appears to be that for the good of the 
organisation they will have to trust the organisation;
That means employees trusting other employees, which the organisation 
has shown by its considered actions that it does not do, it monitors 
instead.

If the organisation collectively will not trust its employees, what 
causes the employees to trust other employees within the organisation?

> I use the web at work to log on to my trade union site - 

I do recollect from my experience an instance where an organisation 
was demanding access to computer material, which related to the union 
activity of an employee where even knowing about that particular 
activity would have compromised the organisation in ongoing legal 
proceedings. They were denied that access but at some outward cost of 
trust to the person doing the denial of access. Where information is 
processed within an organisation something more than a surface veneer 
of codes of practice/conduct is required, and it has been my impression 
even those basics are often lacking, dealt with or got around.

> scenario is managed by my employer agreeing not to intercept 
> https: traffic with banking sites. The risk to them is 
> minimal (few banks offer malware or even videos as part of 
> their services!), so the employer can afford to be relaxed 
> about that, and it means that the most obviously tempting 
> information is unavailable, even theoretically, to the 
> sysadmins.

Do organisations take an interest in the financial affairs of 
employees and because of that will they never intercept financial 
information where for some reason it was suspected it would definitely 
be in the organisations interests?
Looking to the practices and actions of head hunters, employment 
agencies and others reveals some answers to that question. Most are 
trusted to find information about prospects in return for a financial 
reward.

Such fundamental value issues are clearly privacy, as well as 
organisational management related and in my view crux in creating an 
informed level of understanding around this area.


Ian W

> -----Original Message-----
> From: This list is for those interested in Data Protection 
> issues [mailto:[log in to unmask]] On Behalf Of 
> Ben Plouviez
> Sent: 24 November 2008 09:11
> To: [log in to unmask]
> Subject: Re: [data-protection] Monitoring of encrypted (SSL) data
> 
> 
> Interestingly, the more I've thought about this, the more 
> relaxed about it I am.
> 
> I use the web at work to log on to my trade union site - 
> since personal use for harmless purposes is allowed under my 
> employer's acceptable use policy. That traffic - normal http: 
> traffic - is intercepted by the Blue Coat proxy my employer 
> uses and passed through a virus and content scanner, to make 
> sure I'm abiding by the acceptable use policy, and in 
> particular that I'm not downloading executables or videos, 
> both of which are banned by that policy. If I try to do so, 
> those items will be stopped, and the fact logged. Otherwise, 
> the traffic relating to my actions on my union's site are 
> passed straight through to me. Note that sensitive personal 
> information is involved here (trade union
> membership): if I really didn't want to let my employer know 
> that I was a union member, I would be foolish to log on to 
> that site while at work.
> 
> 
> Now think about the interception of SSL (https:) traffic. My 
> employer is proposing to do pretty much exactly the same 
> thing with that traffic. This will ensure that they know I'm 
> not downloading executables or other banned material through 
> this backdoor (and will stop me if I do). They will not 
> store any other information from the https: stream, any more 
> than they do from the http: stream, but informaiton about my 
> attempts to download naughty stuff will similarly be recorded. 
> 
> So, there are three issues.
> 
> First: is my personal information safe? Well, theoretically, 
> a sysadmin could steal my information while it's on the proxy 
> server network - s/he would, of course, be committing all 
> kinds of offences in doing so. That high risk/high impact 
> scenario is managed by my employer agreeing not to intercept 
> https: traffic with banking sites. The risk to them is 
> minimal (few banks offer malware or even videos as part of 
> their services!), so the employer can afford to be relaxed 
> about that, and it means that the most obviously tempting 
> information is unavailable, even theoretically, to the 
> sysadmins. Without question, some risk to personal data I 
> pass through the network remains (as it does with http: 
> traffic), and good logging and security on the servers is 
> essential, as ever.
> 
> Second: is there a good enough reason for doing this? That is 
> a business judgement about the risks of disruption (caused by 
> malware etc) which could be caused by my using https: traffic 
> to breach the security of the network. We could argue about 
> proportionality here, but in the end it is a business 
> decision and hence up to my employer to decide whether or not 
> the activity is in their legitimate interests.
> 
> Third: do I need to know? I'm already informed by our 
> acceptable use policy that my internet use at work is 
> monitored. If I know a little (but not enough!) about proxy 
> servers and all their ways, I may believe (and did, until 
> last week) that technically this cannot include https: 
> traffic. But I would be foolish to try to take advantage of 
> that supposed fact by doing something that exposed highly 
> sensitive personal information that I really didn't want my 
> employer to know while using my employer's network. And, of 
> course, I would be doubly foolish to rely on the security of 
> https: to break my employer's acceptable use policies - or at 
> least I would have no reason to complain if I got caught. 
> However, since there do seem to be people who believe that 
> internet access comes free from Heaven and that internet 
> privacy is a divine right irrespective of whose internet 
> connection they're (ab)using, it would probably be sensible 
> for my employer to make it clear exactly what they are doing. 
> 
> Sorry about the length of this! But does anyone have any real 
> issue with any of it?
> 
> Ben 
> 
> -----Original Message-----
> From: This list is for those interested in Data Protection 
> issues [mailto:[log in to unmask]] On Behalf Of 
> [log in to unmask]
> Sent: 22 November 2008 18:50
> To: [log in to unmask]
> Subject: Re: [data-protection] Monitoring of encrypted (SSL) data
> 
> *******************************************************************
> This email has been received from an external party and has 
> been swept for the presence of computer viruses.
> *******************************************************************
> 
> There is another aspect which can affect an organisations 
> decision on the risk balances of an ssl proxy.
> 
> Where a site is connected via ssl to a user, that site has 
> access to a user's pc outside many of the controls exerted by 
> a firewall.
> 
> Symantec describes this as: -
> "Some Web sites and email servers use SSL (Secure Sockets 
> Layer) connections to encrypt connections between your 
> computer and the server. Privacy Control cannot block private 
> information sent through SSL connections. However, since the 
> information is encrypted, only the recipient of the email or 
> Web communication will be able to read the message."
> 
> Becoming proactive would not necessarily solve the problems 
> as intelligent consideration of the required growth in 
> organisational management and security to effectively control 
> those areas indicates.
> 
> Trust can be a funny thing. Imagine a savvy, driven, employee 
> (or a corrupt one) setting up their own secure connection at 
> home or utilising one elsewhere, do you live with that 
> singular possibility, or configure systems to stop all 
> potential problems?
> 
> 
> Ian



Money Saving Vouchers - http://www.tiscali.co.uk/shopping

__________________________________________________________

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^