Misfired e-mail was never viewed by Gmail user (cnet.com)
25 points by designtofly on Sept 30, 2009 | 30 comments



Shouldn't it be possible, with what we know about cryptography available today, for banks and other companies to do business without having to regularly pass around files containing thousands of their customers' most personal identification credentials like names, addresses, SSNs and account numbers?


Not on the approved list of corporate software, requisition for the approved software that can do the same thing was denied due to budgetary reasoning.


How do you combat this sort of thing? My employer is set to impose a software registry upon its employees -- any open source tool, at all, has to be registered. Proprietary but free packages, like Adobe Reader or Opera, do not need to be reported.

I've yet to find a compelling argument against this. Or at least one that's persuasive to our legal department.


How much 'proprietary but free' software is malware, spyware, etc? Using examples of well-known software like Opera or Adobe Reader is a straw-man in favor of the 'OpenSource is bad' argument.

What -- in particular -- does the legal department have against Open Source software? Is Firefox somehow a legal-risk as opposed to Opera? Even though it's been vetted by a larger installed user-base? Or is it just because there is no 'single entity' that they can sue/point fingers at when/if something goes wrong? There are plenty of anonymously authored non-opensource pieces of software out there.

I think that it would make more sense to have either: 1) have to register all software on the list or 2) have to register all 'non-popular' software (i.e. Firefox/Opera ok, random OSS/proprietary software needs to be registered though).


From what I've been able to ascertain, our counsel's primary concern is that the mere availability of the source creates risk in terms of the introduction of copyleft code into our proprietary products. They're also afraid that, were an issue to arise, they wouldn't be able to settle it as a business matter as they would with a large corporation like Adobe or Opera.

We also have a number of customers requiring that we provide indemnification against any open source software infringement claims, which has sent our counsel down the path of wanting a full registry and approval process for all open source software on developer workstations.

The positions I've taken -- the workload, the fact that the registry doesn't adequately protect us from the surreptitious introduction of copyleft code snippets, etc. have all fallen on deaf ears. I'm trying to figure out what other arguments I might be able to bring to the table.


> They're also afraid that, were an issue to arise, they wouldn't be able to settle it as a business matter as they would with a large corporation like Adobe or Opera.

You might remind them that not all proprietary software comes from large corporations and many of the smaller guys might be more willing to pursue the legal 'issues' to the fullest extent of the law.

> The positions I've taken -- the workload, the fact that the registry doesn't adequately protect us from the surreptitious introduction of copyleft code snippets, etc. have all fallen on deaf ears. I'm trying to figure out what other arguments I might be able to bring to the table.

I would point them in the direction of people that have purposely included open source code in proprietary projects (e.g. the recent ScummVM on Wii issue) to try and instill the fact that registering all open source tools that are being used will not protect them from a developer that is trying to 'cut corners.'

If I have Firefox installed on my computer that DOES NOT mean that I have the source code 'at my fingertips' as well. The same could be said of Vim or Emacs. And unless your employer is building developer tools, I doubt that any of your developers is going to try and include code from the Vim or Emacs codebase. It just doesn't make sense.


Follow the new regulations to the letter. Document how much time you waste registering every useful Firefox extension, command-line utility, development library, etc. Include that evidence in your argument against the policy.


It's almost certainly more return on less effort to just find a new employer.

Or perhaps it just feels that way to me, because I really detest environments where one must start paperwork fights with bureaucrats just to get things done.


Yeah, actually I think roc's advice is better. (It was partly red tape like this that made me quit Amazon.com to work at a startup.)


Are they providing a "We verified that these things are okay to not register." list or are they saying "If it's a free version of a proprietary program, you don't have to register"? If the latter, how do you know that something qualifies? Or rather, what guidelines did they give you for making the decision?

Note that the answer to the latter can not be "you know what we mean".

Note that there's potential liability for proprietary software if you get this wrong while there's no liability for free software if you make a mistake. (The only liability for free software is if it turns out that it's actually proprietary.)


Heh. You'd be surprised at how blasé a lot of companies are about people's personal information. The vast majority of the corporate world still thinks it's perfectly reasonable to do their work by emailing excel files of personal data around.


And this is the real problem. This will happen again. That email should have been sent with something like PGP encryption to ensure that only the intended recipient could open it.

> no customer data of any sort has been viewed or used by any inappropriate user during this data lapse

Since the email was apparently sent "in the clear" they cannot say this with certainty. A copy could have been siphoned off any intermediate network or smtp server.


Gmail, at least, forces you to use an SSL-encrypted SMTP server, so it's possible that the entire system of servers all communicated with each other securely. Not likely, though.


I work for a very large bank, we secure our sensitive communications with PGP. Part of my job involves communicating sensitive information with other very large banks which also take encryption seriously. I suspect that the bank in the article is the exception, rather than the rule.


That would require the banks to have a brain. That isn't necessary when you have friends in Washington.


Using unencrypted emails and web based email services for corporate communication is really bad judgement. In Canada one of our banks used to fax confidential documents to a scrapyard operator in West Virginia - for years. http://tinyurl.com/ycdeqm8


Please don't use URL shorteners on HN. It masks the domain making it difficult to gauge the context of a link (in this case theglobeandmail.com).


Check out this URL unshortener extension for Firefox:

https://addons.mozilla.org/en-US/firefox/addon/9549

Also posted to HN here (upvote if you want others to know about it):

http://news.ycombinator.com/item?id=853586


"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions. "As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote

So basically they got unbelievably lucky. It doesn't change the fact that Google was prepared to bust down this guy's virtual door because someone said they accidentally slipped some data in his mail-slot.

It's still all very troubling.


To be fair to Google, they did nothing until ordered by a US court. Is there any more you can ask?


I think what's troubling is really a combination of two independent circumstances.

First, one company has access to tons of my personal data. I trust this company, they seem well intentioned and they have a very reasonable privacy policy. It's also extremely useful to me to have all of my data (email, personal contacts, calendar) in one place and accessible via a web-interface.

However, when you throw in the second variable, namely, the mixed-bag which is the US judicial system it can all be torpedoed with the flick of a wrist.

I really would have preferred to have seen the judge tell the bank "tough shit" and have someone (either the email recipient or EFF) put up more of a legal resistance to this court order.


True, the court system is rather unpredictable in this new territory. To me it seems reasonably fair though - as the owner of the account was unreachable, and many other people's private data was at stake. I would say that Google followed the rules properly, even if the bank didn't.

I found the Liskula Cohen blogger case much more troublesome, and the ongoing TCI Journal case is especially disturbing.


Instructive to read the original outrage here: http://news.ycombinator.com/item?id=844228

But in the end, they did the reasonable thing: delete the email and move on.


The interesting thing is that Google can easily read data in Gmail. I would have been happier if it was actually encrypted using the user's password or a one way hash of the user's password.


Although a core part of Gmail's business case is the context-sensitive ads - they really do read every mail you receive and send.


I like that idea, but what do you do when someone changes their password? Decrypt/Reencrypt all their messages?


Easy: encrypt a random encryption key with password (I mean, with a key derived from password). Then encrypt content with this random key. When user changes password, re-encrypt the same key using a new password. No need to re-encrypt contents, because it's still encrypted with the same key.

This is how it's done in most disk encryption software, for example, FileVault.
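The key-wrapping scheme described in the comment above, as an added example that is not part of the original thread: a random data key encrypts the messages, a password-derived key encrypts only that data key, and a password change re-wraps the data key without touching stored messages. All function names, the mailbox layout and the PBKDF2 iteration count are assumptions, and the HMAC-based cipher is a stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

# Stand-in authenticated cipher built from HMAC-SHA256 so the example runs on
# the standard library alone; real code would use a vetted AEAD such as AES-GCM.
def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(key, nonce, ct)

def password_key(password, salt):
    # Iteration count is an assumption, kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_mailbox(password):
    salt, data_key = secrets.token_bytes(16), secrets.token_bytes(32)
    return {"salt": salt, "wrapped_key": seal(password_key(password, salt), data_key),
            "messages": []}

def unlock(box, password):
    # Recover the random data key; raises ValueError if the password is wrong.
    return unseal(password_key(password, box["salt"]), box["wrapped_key"])

def store(box, password, message):
    box["messages"].append(seal(unlock(box, password), message))

def read_all(box, password):
    data_key = unlock(box, password)
    return [unseal(data_key, m) for m in box["messages"]]

def change_password(box, old, new):
    # Only the small wrapped key is re-encrypted; message ciphertexts are untouched.
    data_key = unlock(box, old)
    box["salt"] = secrets.token_bytes(16)
    box["wrapped_key"] = seal(password_key(new, box["salt"]), data_key)
```

Because the data key never changes, anyone who captured both the old wrapped key and the old password can still decrypt later messages; rotating the data key itself does require re-encrypting the contents.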


store the password change history...


"permanently destroyed by Google's system" - I find that hard to believe with all their duplication of data across locations and hardware.


You send me an email by mistake. And you want my email provider to delete my account.

I love this world.



