1997-10-20 - Re: “First do no harm”

Header Data

From: “Jean-Francois Avon” <jf_avon@citenet.net>
To: “tcmay@got.net>
Message Hash: 81a0f628a13a92f4ae6da1c0f42bd225ef207d92aea22f0ab3cf6b6fd9651f32
Message ID: <199710200420.AAA03892@cti06.citenet.net>
Reply To: N/A
UTC Datetime: 1997-10-20 04:21:28 UTC
Raw Date: Mon, 20 Oct 1997 12:21:28 +0800

Raw message

From: "Jean-Francois Avon" <jf_avon@citenet.net>
Date: Mon, 20 Oct 1997 12:21:28 +0800
To: "tcmay@got.net>
Subject: Re: "First do no harm"
Message-ID: <199710200420.AAA03892@cti06.citenet.net>
MIME-Version: 1.0
Content-Type: text/plain



On Sun, 19 Oct 1997 16:31:10 -0700, Tim May wrote:

>At 5:23 PM -0700 10/19/97, Jean-Francois Avon wrote:
>First, are you reading Cypherpunks? 

No.  I don't have time to even read all of e$ and e$pam.  I am not yet retired... :-)

>If so, post there. If not, please
>forward my reply to the "e$"

Done.

>If I operated a small company, I would have no policy on this at all.  Just
>as I wouldn't routinely tape-record employees, I wouldn't monitor their
>mail.
>Do most small businesses steam open all of the incoming and outgoing paper
>mail?

Let me describe a scenario: one key employee isn't there because... ...he is somewhere else [ :-) ]

Then comes an urgent message forcing the company to make a split-second decision before the employee gets back.  It 
happens _all_the_time_ in small businesses where they do not have the resources of the big companies.  You, the boss, want to 
re-read some critical documents before making a move.  Of course, your employee was the most conscientious and trustworthy 
employee on this side of Andromeda, only your memory fails as to what was the *exact* wording of the critical documents.  It 
furthermore happens that the said faithful employee is, unknown to you and in his mind not-company-detrimental, getting inducted 
into the mile-high club between L.A. and Tokyo in the plane lavatory, therefore not reachable by any modern means.  Wouldn't you 
wish you had his corporate private key?

In the old days, you used to scramble through his mountain of paper on his desk.  In more recent days, you frantically scanned his 
exemplarily organized data structure and found the documents.  Today, the said data structure is still exceptionally orderly, but only 
to reveal several very descriptive filenames with a dot-asc or dot-pgp extension.

Any comments?

>If a small business owner doesn't trust his employees, all is lost anyway.
>(Employees can post stuff from home, can take diskettes out of the
>building, etc., so what is gained by monitoring their mail?)

I thought that this was so self-evident that I did not even think it useful to explain.
I was not talking about having employees give copies of their personal private key but of their corporate private key.  The one 
they use to transact business over unsecured lines, not the one they use to send raunchy messages to their lover.

>And if an employer is known to monitor employee mail, this actually
>increases his liability for certain things. (If an employer does not, then
>he has a better defense of claiming that some employee was acting on his
>own, etc.)

I never talked of monitoring e-mail, only of making sure the business retains access to employee-generated documents.  I used to 
have a private key for the company at a previous work location.  The first thing I did was to give my boss my passphrase, being 
afraid of what could happen if ever they needed a critical document during my absence.  He did not even know how to use PGP, 
but I made sure that somebody did.

This is why I said that a "secret" copy would be given to the boss.  He could encrypt the employees' keys, print them on a micro-dot and 
hide it under his gold tooth cap.  And that way, there is always deniability since there is official company policy.  

Or better, all the boss has to do is to generate the employee's keys himself.  He could forever deny having made a copy and 
nobody could prove that he did.

Personally, I would make sure that all keys to be used to transact business be generated by the boss, to be handed over on a diskette 
in person.

As far as trying to prevent malicious action, I agree that there is no way an employer can do that.  Anybody really intent on screwing 
up things can.

Ciao

jfa
-- 
Jean-Francois Avon, Pierrefonds(Montreal) QC Canada
 DePompadour, Societe d'Importation Ltee
    Finest of Limoges porcelain and crystal
 JFA Technologies, R&D consultants
    physicists and engineers, LabView programming.
PGP encryption keys at:
   http://w3.citenet.net/users/jf_avon
   http://bs.mit.edu:8001/pks-toplev.html
ID# C58ADD0D  : 529645E8205A8A5E F87CC86FAEFEF891 
ID# 5B51964D  : 152ACCBCD4A481B0 254011193237822C
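The "secret copy" scheme above (the boss holding an encrypted copy of every employee's corporate key, or generating the keys himself) leaves one person with unilateral, deniable access. The usual refinement is to split the passphrase (or the key itself) so that recovering it takes two or more designated people, none of whom can do it alone. The block below is an added illustration, not code from this mail or from Avon's company: a threshold (Shamir) secret-sharing of a corporate key passphrase over GF(256), with the passphrase, the 2-of-3 policy and the share holders (boss, accountant, offsite lawyer) all hypothetical. Any two shares reconstruct the passphrase exactly; one share reveals nothing about it.

```python
import secrets

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
# Addition and subtraction are both XOR.
def _gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _gf_inv(a: int) -> int:
    # a^254 == a^-1 in GF(256) (Fermat); a == 0 has no inverse.
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(256)")
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def split_secret(secret: bytes, threshold: int, n_shares: int):
    """Shamir split: each byte gets its own random polynomial of degree
    threshold-1 whose constant term is the secret byte. Share i is the
    polynomial evaluated at x=i (x=0 is never handed out: it IS the secret)."""
    if not 1 < threshold <= n_shares <= 255:
        raise ValueError("need 1 < threshold <= n_shares <= 255")
    out = {x: bytearray() for x in range(1, n_shares + 1)}
    for b in secret:
        coeffs = [b] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x in range(1, n_shares + 1):
            y = 0
            for c in reversed(coeffs):          # Horner evaluation
                y = _gf_mul(y, x) ^ c
            out[x].append(y)
    return [(x, bytes(ys)) for x, ys in out.items()]


def recover_secret(shares):
    """Lagrange interpolation at x=0 over the supplied (x, bytes) shares.
    Fewer than `threshold` shares still return a value, but a random one:
    this is what makes a single share useless on its own."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    if any(len(ys) != length for _, ys in shares):
        raise ValueError("shares have different lengths")
    out = bytearray()
    for i in range(length):
        acc = 0
        for xi, yi in shares:
            num, den = 1, 1
            for xj, _ in shares:
                if xj == xi:
                    continue
                num = _gf_mul(num, xj)          # (0 - xj) == xj in GF(2^8)
                den = _gf_mul(den, xi ^ xj)     # (xi - xj) == xi XOR xj
            acc ^= _gf_mul(yi[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


# Hypothetical corporate-key passphrase and 2-of-3 escrow policy (constructed
# for this example): shares go to the boss, the accountant and the company's
# lawyer; any two of them can unlock the key while the employee is over the Pacific.
PASSPHRASE = b"porcelain crystal Limoges 1997"
HOLDERS = ("boss", "accountant", "lawyer")


def escrow_demo():
    shares = dict(zip(HOLDERS, split_secret(PASSPHRASE, threshold=2, n_shares=3)))
    by_two = recover_secret([shares["boss"], shares["lawyer"]])
    by_all = recover_secret(list(shares.values()))
    by_one = recover_secret([shares["boss"]])
    return by_two, by_all, by_one


if __name__ == "__main__":
    two, all3, one = escrow_demo()
    print("two holders :", two)
    print("all holders :", all3)
    print("boss alone  :", one != PASSPHRASE and "garbage, as intended")
```

What the share does not cover is the encrypted key file itself: the holders still need a copy of the employee's corporate secret keyring, so that file has to be backed up somewhere the company controls. The threshold only replaces the single "secret copy" with a quorum, which is the point: the business keeps access, and no one person can quietly read the employee's correspondence.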
