[LINK] Spying on staff no solution to privacy protection: professor
Adam Todd
link at todd.inoz.com
Wed Aug 30 11:13:34 AEST 2006
Have none of the developers of these Super Computer Systems heard of Audit
Trails and Logging? My goodness, I apply even the most basic of auditing
to any access to any record or database, even a web page:
Date+time
(Length of access until next record)
Remote IP address
Logged in User
Record Accessed
Record modified
Pointer to original record prior to modification
Note field for accessor to make a note explaining why they accessed the record.
It's really so simple. And my libraries work with Access, MySQL and, well
pretty much any database system. Drop in and play. No need to think, the
libraries work out the underlying records and structures.
This kinda came from a project I did in the 1990s for the Opera House
whose Booking system running on a networked database platform (can't
remember which one now) was deleting records when new ones were entered.
What I did was intercept the new record before it was committed, and
discovered the reason that the old random record was being deleted, hence
grabbed it before the database engine wrote to the table. Then wrote the
new record and re-wrote the old record.
Since then I've developed a new codebase to do a hell of a lot more and
it's extremely useful.
I can instantly track a user's access between web sites and databases,
records they have accessed, modified, deleted, or copied.
I fail to see why Centrelink can't have the same process in place. They
require staff to "login" to the system, it's not hard to log the ID to an
access table. They already "log" that someone is in the record, they just
don't go that extra step. Sad really.
The only privacy in Centrelink is who is accessing your record, when, for
how long, and why.
At 10:28 AM 30/08/2006, brd at iimetro.com.au wrote:
><brd>
>
>While I agree with the comments that spying on staff is not the way to go and
>neither is waiting for workers to breach privacy laws and then take action, I
>don't think that enforcing policy outside of an application is the way to go.
>
></brd>
>
>Spying on staff no solution to privacy protection: professor
>Sandra Rossi
>Computerworld
>29/08/2006 12:27:40
>http://www.computerworld.com.au/index.php/id;1622226737;fp;16;fpid;0
>
>Instead of spying on staff who snoop into private records while at work,
>organizations should adopt security measures that prevent staff breaching
>privacy laws, a Queensland University of Technology privacy expert said today.
>
>His comments follow news last week that Centrelink is using keylogging software
>to monitor staff access to company records. The surveillance has led to the
>sacking of 19 staff. Similar steps are being taken at the Australian Tax Office
>(ATO) where 27 workers have been sacked.
>
>Centrelink CEO Jeff Whalan dubbed the surveillance a "success" and said there
>would be no apologies for the tough stance the welfare agency has taken to
>protect public records.
>
>Professor Peter Croll, from QUT's Faculty of Information and Technology, said
>the current approach to privacy regulation was to wait for workers to breach
>privacy laws and then take action.
>
>"What's happening is that we have organizations snooping on their staff to see
>if their staff are snooping," he said. "This just isn't the answer."
>
>Professor Croll supported privacy protection and moves to prevent staff from
>snooping, but said organizations shouldn't just rely on audits. Next month
>Professor Croll and his research team at QUT's Information Security Institute
>will release the first software prototype said to be suitable for all
>businesses to prevent snooping by staff.
>
>"If you have a security policy then this new software enforces that security
>policy. It can't be overridden," he said.
>
>"It offers military standard, mandatory access controls to ensure privacy is
>enforced in commercially available, enterprise-level computer systems."
>
>He said the development of this prototype, which has been funded by an
>Australian Research Council grant, provides strict access control technology to
>prevent unauthorized viewing of sensitive data.
>
>Professor Croll, in collaboration with the CSIRO, has also developed another
>security measure that protects privacy.
>
>"It is a Web-based software tool that asks questions of the user and then makes
>sure that the user is aware of the relevant privacy regulations and rules
>before allowing access to information," he said.
>
>"It encourages privacy policy compliance and enforces access controls."
>
>--
>Regards
>brd
>
>Bernard Robertson-Dunn
>Sydney Australia
>brd at iimetro.com.au
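
The audit fields listed at the top of this message, sketched as an added example that is not part of the original post or the poster's libraries. The table names, column names, function names and sample data are assumptions, and the audit row stores a copy of the pre-modification record rather than a pointer to it.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: "client" is the protected table, "audit" holds the post's fields.
SCHEMA = """
CREATE TABLE client (id INTEGER PRIMARY KEY, name TEXT, address TEXT);
CREATE TABLE audit (id INTEGER PRIMARY KEY, at TEXT NOT NULL, remote_ip TEXT NOT NULL,
  user TEXT NOT NULL, record_id INTEGER NOT NULL, modified INTEGER NOT NULL,
  original TEXT,  -- copy of the row before modification (stands in for the pointer)
  note TEXT NOT NULL CHECK (length(trim(note)) > 0));
"""

def log_access(db, user, ip, rec_id, note, original=None, at=None):
    """Write one audit row; refuse the access if no reason is given."""
    if not note or not note.strip():
        raise PermissionError("a note explaining the access is required")
    at = at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    db.execute("INSERT INTO audit (at, remote_ip, user, record_id, modified, original, note)"
               " VALUES (?,?,?,?,?,?,?)",
               (at, ip, user, rec_id, int(original is not None), original, note))

def read_record(db, user, ip, rec_id, note, at=None):
    with db:  # the audit row is committed before the data is returned
        log_access(db, user, ip, rec_id, note, at=at)
    return db.execute("SELECT id, name, address FROM client WHERE id=?", (rec_id,)).fetchone()

def update_address(db, user, ip, rec_id, new_address, note, at=None):
    with db:  # audit row and change commit together, or neither does
        old = db.execute("SELECT id, name, address FROM client WHERE id=?", (rec_id,)).fetchone()
        if old is None:
            raise LookupError(f"no client record {rec_id}")
        log_access(db, user, ip, rec_id, note, original=json.dumps(old), at=at)
        db.execute("UPDATE client SET address=? WHERE id=?", (new_address, rec_id))

def access_durations(db, user):
    """Seconds each access lasted, measured until the same user's next audit row."""
    rows = db.execute("SELECT record_id, at FROM audit WHERE user=? ORDER BY at, id", (user,)).fetchall()
    return [(rec, (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds())
            for (rec, t0), (_, t1) in zip(rows, rows[1:])]

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO client VALUES (1, 'Constructed Person', '1 Old St')")  # constructed data
    read_record(db, "staff42", "192.0.2.10", 1, "client phoned about a payment", at="2006-08-30T10:00:00+00:00")
    update_address(db, "staff42", "192.0.2.10", 1, "2 New Rd", "client reported a move", at="2006-08-30T10:03:30+00:00")
    return db
```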