On the examination of hard drives: Looking in the wrong direction
We recently got an e-mail asking if we either offered (no) or could recommend (yes) training in examining the content of non-networked company-owned hard drives located on company property. As sometimes happens, the email came not from a company address, but from a web mail address, and there was no description of the problem.
This is not unusual: It is not uncommon for people to wish to shield their identities until they have decided to actually take action. In addition, when dealing with certain classes of problem it is imprudent to make a phone call to us from anywhere other than a randomly-chosen pay phone, or to send us e-mails from anywhere except a web server far removed from any with which one is publicly associated. Nonetheless, prudent or not, we don’t provide services until we know who the client is, what their problem is, and how and what they are doing with the help we give them. This is because we have four corporate rules, one of which is that we don’t work for bad people or do bad things.
Putting aside the minor details of not knowing who was asking the question and not knowing the details of the problem, from our perspective there were two issues here: a minor issue and a major issue, neither of which was technological in nature.
The minor issue was a legal one. The source of the e-mail appeared to be located somewhere in the EU, and EU regulations are still a trifle hazy regarding employee rights to privacy in this particular area, and have to be looked at in conjunction with local laws. While we can, based on past experience, give a good guess as to what the law probably says, that is really not good enough: Before taking any steps to clandestinely look at an employee’s hard drive, or in his desk or locker, we always tell clients that they need to get an opinion from counsel experienced in both U.S./EU and local intellectual property law and labor law. We are not attorneys and wouldn’t dream of offering legal advice, but we certainly advise clients to seek competent counsel before taking action that could land them in litigation.
The second issue was more significant: What was the problem they were trying to solve? Our experience leads us to believe that, when we get a question like this, what is often being looked at is a symptom. A symptom of what? Well, there are several possibilities. On a simplistic level, the company may have problems with competitive intelligence or economic espionage. They may also have a problem with a disgruntled employee.
However, it often happens that what we are seeing is part of a systemic problem. It may be an intra-company cultural issue, or an issue of technical laxness, or poor OPSEC, or some combination of all the above. By this I mean that you are seeing a specific event, but that it is not actually a single event; it is a small part of some other pattern. Whatever the problem is, however, before we start putting makeup on a pimple we want to make sure it is a pimple, not the start of a rubella epidemic. Because systemic problems are often very difficult to see if you are part of the problem, it is both prudent and cost-effective to bring in someone like LUBRINCO from the outside to take an experienced and detached view of the situation, figure out what the problem is, and determine how to solve it.
What would the solution be to their actual problem? Without knowing the problem we don’t know the solution. But we do know that all measures can be judged based on five criteria:
1. What problem is the measure trying to solve?
2. How can it fail in practice?
3. Given the failure modes, how well does it solve the problem?
4. What are the costs, both financial and social, associated with it?
5. Given the effectiveness and costs, is the measure worth it?
The bottom line is that it is very easy to confuse a symptom with a problem, and it is a better idea to solve problems rather than to treat symptoms!