Hi,
First post, be gentle.
Something that has concerned me for a while, since recent cases regarding employers' access to what employees do on company computers. Also some law enforcement cases. By cases I mean media articles claiming a court found such and such, then gratuitously extrapolating to some nonsense doomsday conclusion.
What am I on about?
Example 1:
Bob gives Sue his Facebook password. Sue logs in as Bob. Did Sue commit an offence?
"No", Bob gave Sue authorisation.
Example 2:
Sally is in work. She has a browser tab open with her Gmail inbox logged in. Her employer sits down and unlocks her computer and reads through her email.
"But it's the employer's computer, so of course they have access to it. If she wants to keep things private she shouldn't do it on her work PC!"
Example 3:
A policeman asks for the pin code to unlock your phone. You provide it and he unlocks the phone and clicks on the messenger button to check your last IMs.
The police have the authority to access your phone in their way to solving crimes.
I'm going to take the, possibly, controversial position and say that in all 3 examples there has been an offence committed.
It all comes down to what is being accessed, who owns it and who is allowed to authorise access to it.
In example 1:
Bob does NOT have authority to give access to Sue. The account, Bob's account, is NOT Bob's. Facebook own that account and authorise Bob to use it if he authenticates correctly. Facebook do NOT authorise Bob to give other people access to his account. Bob is in violation of Facebook's T&C but much worse, Sue has accessed a computer system without authority and could be committing a criminal offence. If you have a valid reason to need access to that Facebook account, you have to ask Facebook for authorisation to do so.
In example 2:
Gmail is not running on equipment owned by Sally's employer. Gmail has NOT authorised Sally's employer access to her account. By viewing her emails they are carrying out unlawful access.
In example 3:
By accessing the IMs (probably Facebook Messenger or WhatsApp), the police officer is accessing a remote account for which the person (you) does NOT have authorisation to allow him to access. There are other ways for law enforcement to access Facebook messages... well, unless they are end-to-end encrypted and I don't want to open THAT can!
But... I'm not a lawyer, I'm just an IT professional with a hunch. It's controversial because I think a LOT (i.e. most) people fail to consider who actually "owns" the accounts, and who can provide authorisation to the services they exist on. Authentication != Authorisation. You don't "own" your Facebook account. Facebook do, they authorise you to use it.
So... how far off am I?
I think at least it should lead to interesting discussion.
Paul