Posted tagged ‘Conflict of interest’

Ethics of Computing – What’s a sysadmin to do?

2008-01-30

One of the areas in which my philosophical interests and my informations systems interests have collided is the ethics of system or network administration. The system administrators, or sysadmins, are the ones who can read your mail, track your web browsing, etc., and you would never know it. They may even have the access to alter their tracks and make their activities less visible to other sysadmins. Obviously, it is a position for which you’d want a person worthy of a tremendous amount of trust.

By its nature, a sysadmin’s job often requires that she come in contact with privileged information. If the email stops flowing, the cause must be found and fixed before the users/customers arrive with the torches and pitchforks. Often, a single message is “hung” in the mail queue. By this point, the sysadmin has already seen the sender, recipient, and subject line. The message must be moved. Do I bounce it back to the sending server to try again? Do I delete the message? What if I can’t contact my user (either sender or recipient)? Do I open it and read it anyway before making a decision to delete it from the queue? What if the user is my romantic partner?

When I worked at a site where I was the ONLY sysadmin, I had to face decisions like those everyday and deal with them quickly. My workload, with 200+ users, would have supported three senior sysadmins. I always tried to err on the side of individual privacy (except that I was unforgiving in my automated hunt for weak user passwords). Just by the nature of how my firewall was set up, my logs contained web surfing history that I could match to a particular PC. A department head had a problem with his employees misusing their internet access in the middle of the night, and he wanted my log information to use in disciplining his miscreants. While I told him I could and would happily restrict his department’s internet access according to any criteria he could possibly come up with, there was no published policy that authorized me to release a user’s web usage information, and he left empty-handed.

What would you do? How would you handle the potential conflicts of interest that lurk literally everywhere? Why?

Advertisements