The Wall Street Journal is reporting that the "hacking" amounted to accessing files on a shared server.
A statement put out last week by Mr. Hatch's office says that the accused staffer "improperly accessed at least some of the documents referenced in the media reports." That accusation bears scrutiny in light of how the committee's computer system is organized: Until Nov. 16, all Judiciary staffers used the same computer server and had access to a shared drive, a system put in place when Sen. Leahy took over as chairman in 2001 and hired his own IT staff. The Leahy techies neglected to put up a firewall between the GOP and Democratic staff, making it possible for all staffers to read everything posted on the shared drive. No one hacked into anyone's private files. These are, in effect, Leahy leaks.
So why is the hapless staffer being hounded? And why is no one reporting the much bigger story of the memos?
This isn't even "social engineering" -- if the WSJ is correct, this barely merits a slap on the wrist. On the networks I've administered, the rule is that if it's in a space that everyone can access, then you can't get too upset if they proceed to access it. Of course, I don't know what the relevant understandings were on the Judiciary committee, but I have a hard time working myself into a high moral dudgeon over it.
Posted by Jane Galt at December 2, 2003 01:22 PM
If lawyers who share office space used such a method for storing and protecting privileged material, not only could the material lose the protection, they would be sued for malpractice.
If a company used similar methods to "protect" trade secrets, it's likely that those secrets would cease to be protected legally.
If a Senator and/or staff place confidential documents on a shared server ...
Posted by: D. Citizen on December 2, 2003 01:53 PM
This isn't crime, it's violation of professional courtesy. Which may still require that Hatch fire the staffer, but really, it's not as if Leahy has been oozing senatorial courtesy the past two years.
Posted by: Crank on December 2, 2003 01:55 PM
The IT staff should be prosecuted. For the non-IT professional, it can be difficult to tell if the directory in question belonged to somebody else or was part of their own system. You might not know what it was until you opened it. Plausible deniability is easily established. I doubt your average employee would know there was a shared server or that files that were accessed without any password requirement were in any way restricted. No crime here. Just gross incompetence from Leahy's staff. Ha Ha.
Jim English
Chicago
So if you have a folder labeled "Jim English" there's nothing wrong with anyone who can do so opening it and reading the contents? What business does anyone have reading files that aren't theirs or that they haven't been specifically authorized to read?
It may be foolish to leave yourself open to things like this, but that does not mitigate the offense. It would be careless of me to leave my wallet lying around, but the person who takes it is still a thief.
Posted by: Bernard Yomtov on December 2, 2003 02:27 PM
Bernard Yomtov wrote:
So if you have a folder labeled "Jim English" there's nothing wrong with anyone who can do so opening it and reading the contents?
I actually have such a folder on a shared drive, labeled with my name, where I put items I am making available for other people. What's your point?
On networks I've used the presumption is that items that are made available publicly are fair game for anyone to read.
Jim A
Posted by: scarhill on December 2, 2003 02:53 PM
How does one know if it is Jim English's directory or the place where WE store information about Jim English. If I leave a file folder on a desk in a common area, a file folder like any other file folder and you are looking for a file folder that looks like any other file folder and you mistakenly pick up my file folder are you a thief? The "crime" is not that someone knew and disseminated some information. The "crime" is how the information was obtained. In this case it can be easily argued that someone picked up the wrong file folder from a common area. Crime? No way.
Jim English
Posted by: Jim English on December 2, 2003 02:57 PM
Crank writes:
This isn't crime, it's violation of professional courtesy.
Many computer crime statutes define crime in terms of "unauthorized access." If the staffer who accessed the files understood that he was not authorized to do so, it may not matter that the staffer was not auditioning for the Matthew Broderick role in WarGames.
JimA writes:
On networks I've used the presumption is that items that are made available publicly are fair game for anyone to read.
I think Sen. Hatch's statement makes clear that there was no such common understanding with regard to this network; in fact, the common understanding was to the contrary.
Jim English writes:
In this case it can be easily argued that someone picked up the wrong file folder from a common area.
If the staffer was new and didn't understand the system, sure, he could make that argument. If not, not.
Posted by: alkali on December 2, 2003 03:09 PM
Bernard - You are correct. Anyone who takes your wallet is a thief. On the other hand, if you were to leave a memo on top of the stack of magazines and newspapers in the reception area, would I know that I shouldn't read it? The question becomes what is the "understanding" in the office. In our office, anyone authorized to use the network is also authorized to access any of the documents on the shared drive -- if you want to keep something confidential you put it in YOUR folder (which is not part of the shared drive). So, in our office, the mere reading of a memo written by someone else would not be a breach of ethics.
Disclosing the contents of the memo to someone outside the office would be another matter. For this there is no excuse -- but there are mitigating factors. The Democrats had been making claims for months about why they were obstructing certain nominees. Those claims were directly contradicted by the memos. Could you blame a staffer who thought the greater cause of truth was served by disclosing the "truths" Democrats wanted to keep hidden? Clearly wrong, but not clearly more wrong than what the Democrats were doing.
Alkali,
It is very difficult to judge what other people know, should know or understand. If there was a training class that was required for all staffers where the network architecture was detailed and what areas were forbidden to what staffers was described you would have a point. I doubt this ever would have happened if that were the case. No crime here folks. Just a poor, probably politically motivated, hire of a lousy IT staff.
Jim English
Posted by: Jim English on December 2, 2003 03:21 PM
The government employee who discovered these memos is a whistle blower and therefore cannot be fired. He should be treated as a hero.
In his role as a government employee he discovered that other employees were colluding to discriminate against a person because of his race. Maybe his methods were not commendable but racial discrimination should be stamped out no matter how it is discovered.
Posted by: Jake on December 2, 2003 03:31 PM
Jim English writes:
It is very difficult to judge what other people know, should know or understand.
Agreed in some cases; not here. Here, Sen. Hatch's statement tells me everything I need to know: if there were any genuine ambiguity about whether a well-understood line had been crossed, Hatch would not have made the statement.
Posted by: alkali on December 2, 2003 04:07 PM
Alkali,
Hatch draws a conclusion after the fact. In Hatch's opinion the action was inappropriate. This changes nothing about what I wrote. Hatch may have considerably higher standards for what someone should know. My posts have been in regard to whether a crime has been committed. Hatch says he does not know if a crime was committed. Hatch more than anything seems to be covering his own ass. Let's see if any charges get filed.
Jim English
Posted by: Jim English on December 2, 2003 04:43 PM
On the shared drive where I work, there are folders bearing the names of the two engineers for whom I tech. I routinely upload data which I generate into both of these folders, and either of them plus several other people may access the data. It is after all a shared drive; the labeled folders are simply a convenience. If I had confidential data for one of them (not likely in our line of work) it would go somewhere else.
As for the flawed analogy of taking the wallet left out, that would be a lesser misdemeanor than taking it from a closed drawer; taking it from a locked drawer would be a felony.
This is one of those areas in which I can claim real expertise (co-wrote the book for the Navy.) Here are some key points:
(1) Did the staffer have to defeat some protection (even if it was easy to defeat)? If not, i.e., the file was world-readable, then any negligence is on the part of the file's owner.
(2) Was there a history in the past of staffers sharing files on the server? Remember, this was a shared server for the (supposedly) non-partisan committee, used by all staff for storing work products. Or was there a general understanding that files were private? (Odds are that it was used for sharing files all the time, as most setups would otherwise have private "drives".)
Unless there is both some evidence of an effort to make the files inaccessible (so someone had to use administrator privileges to access them) and a history of not using that drive to share work products, then I don't think anyone can really claim it was a violation of anything but the Democrats' desire not to be caught.
Posted by: Charlie on December 2, 2003 06:22 PM
Jim English,
You're really stretching. Hatch says it was "inappropriate," but you disagree.
The discussion is not about whether this was a criminal offense, but about whether it was acceptable behavior. Clearly, according to Hatch, it wasn't. Get over it.
Triticale,
I fail to see the flaw in my analogy. Again, the point is not criminality. It is that one cannot defend misconduct by arguing that the victim's carelessness justified it. That's what those who defend the Republican staffer by criticizing the security arrangements are doing.
David W.,
I think it's clear from Hatch's statement that the understanding was not the same as exists in your office.
Posted by: Bernard Yomtov on December 2, 2003 06:46 PM
Bernard -- One should also keep in mind that Orrin Hatch isn't exactly notable for having a lick of sense in some situations.
Posted by: Charlie on December 2, 2003 07:13 PM
> Just a poor, probably politically motivated, hire of a lousy IT staff.
Good grief, of all people the IT staff deserve the benefit of the doubt here. Quick show of hands: how many of you IT folks out there have had your bosses immediately and fully support your every security recommendation?
.
.
.
.
About what I thought! No need for me to say "You can put your hands down now", is there? :-(
I figured this is what the "hacking" ultimately meant (i.e., reading files on a shared drive). The question I had at the time of first reading the story of the alleged hacking was, "how incompetent would these guys have to be not to realize that anyone could see their stuff?" I mean politicians are paranoid of their peers in every other way, why wouldn't they likewise be suspicious of access into their data?
Posted by: Matt Johnson on December 2, 2003 07:35 PM
Charlie writes:
Unless there is both some evidence of an effort to make the files inaccessible (so someone had to use administrator privileges to access them) and a history of not using that drive to share work products, then I don't think anyone can really claim it was a violation of anything but the Democrats' desire not to be caught.
The first part of this is very close to a perfect analogy for the "well, the door was unlocked" defense. That defense doesn't work in the physical world, and I don't know that any courts accept this defense in the computer world -- although Orin Kerr has plausibly suggested that prosecution ought to require a showing that at least some password-type measure was defeated.
Bernard Yomtov writes:
Again, the point is not criminality.
Not sure about that -- I certainly wouldn't advise someone that they don't risk criminal prosecution for doing what this GOP staffer did -- but it is my view that there is unlikely to be prosecution in this case. (And that's fine with me. As a lefty, I can't say I wouldn't be amused by the public spectacle of having a GOP staffer taken away in handcuffs, but bleeding heart that I am, I don't really want to send some spastic young conservative to jail.)
Uh, Bernard, criminality is very much being discussed here. Your focus on the etiquette angle may impress Miss Manners, but that point seems to have been already settled; I don't see anyone (so far) arguing against it.
I'll happily go on record by saying that it was professionally uncouth. However that discourtesy bears no personal implications to me whatsoever, so what I (and a number of us, it appears) want to know was whether or not a LEGAL violation occurred.
As for the contents of the information so discovered...they turned over a pig and, lo and behold, discovered the other side was also dirty. Politicians, etc.
Posted by: anony-mouse on December 2, 2003 07:41 PM
Bernard:
I don't know how Senator Hatch runs the committee, but I'd be really surprised to learn he has any real idea about how the network was set up or what was the understanding among network users about what access each was granted to which documents. When I was a staffer, I often had to correct my boss's impression of such details. Now that I'm the boss, my staff does the same for me. [If it weren't for the fact I am technically responsible for the IT function at our firm (a responsibility I handle mostly through delegation), I'm sure I'd have little idea what rules govern access to the documents on our shared drive.]
Bottom line, I place very little weight on Hatch's statement that what was done was inappropriate (in the sense it violated the norms of the use of the network). On the related, but different, question of whether it was "okay" to disclose the memos to the press, I think a prima facie case can be made for the proposition that such disclosure was inappropriate. Inappropriate, but hardly unusual for Washington.
> The first part of this is very close to a
> perfect analogy for the "well, the door was
> unlocked" defense. That defense doesn't work in
> the physical world, and I don't know that any
> courts accept this defense in the computer world
Not at all--the appropriate analogy has been stated before: someone left a memo, or a file folder containing memos, out in some public common area. Every one of the staffers involved was accessing files on the shared drive on a frequent basis. It may be a stupid way to have organized things (though remember this is--or was, anyway--ostensibly a non-partisan committee) but that is in fact how it was set up.
Posted by: Kirk Parker on December 2, 2003 08:26 PM
Five memos published. One might wonder how many more are residing on someone's CD-ROM.
Oh well, we'll just have to hope for a higher degree of comity on the JC in the coming year.
Posted by: Rick Ballard on December 2, 2003 09:16 PM
I cannot tell you how many times recommendations to implement secure directories and abolish the "shared by everyone drive" have been met with exclamations of "Oh no, that is how we work!" However, that said, past experience with government IT staffs opens up a world of possibilities as to what actually happened.
Posted by: Jim on December 2, 2003 10:49 PM
most companies use security by obscurity... there's so much info, you only really have time to be doing your own work or stuff related to it
plus who knows what it's called (see tech, and project names... whistler, longhorn, blackcomb... these are meaningful because i'm a skier, but normally you'd have no idea what software they refer to technically outside of industry magazines... they are actually codenames for xp, next windows os, and the one after that)
in my firm, you have access to everything you need to, but only those things you actually need access to... everything is permission based, and everyone knows what is where and that if its on the shared drive, you can take a look
so nothing that isn't supposed to be shared amongst those with access to the drive is placed there.. budget and staffing reviews are not placed on share drive (well at least for people in the group... our analysis of others may be)
so this likely isn't criminal, and while i view it as politics, it probably isn't post or stupid nytm "the ethicist" approved, but again, it's politics
every source for every story is similarly unethical... i'll leave it for the lefties to start carping about how horrible the release of iran-contra and watergate details was
Posted by: hey on December 3, 2003 12:29 AM
Alkali, I don't think you quite caught what I was saying: I am an expert on these matters, although not an attorney, and given both the description of the "crime" and my experience with computer forensics, unless both conditions were met (i.e., needing to use some special privilege surreptitiously to get access, and doing so on files which were understood by documented policy not to be accessible by all staffers) there was no crime committed.
Frankly, I've had a certain amount of experience with executive branch files, and it makes me suspect that no one on the committee staff even considered the possibility their drafts were accessible.
Was it impolite? You bet. Was it a crime? Not from the way it looks now. Is it deserving of the degree of high dudgeon it's getting? Not unless someone was pretty well stocked with dudgeon to begin with.
Oh, and D. Citizen? You're mistaken: in fact, most law firms operate in exactly that fashion with their client's data, either electronic or paper: anyone in the office has the potential for access to almost everything. The customer is protected during the working day not by locks or file-system protection, but by the combination of the legal obligation to confidentiality and the legal protection given attorney-client privilege and an attorney's work products.
Posted by: Charlie on December 3, 2003 01:17 AM
anony-mouse and Charlie,
On my moral compass, and I hope on yours, there are points between "impolite" and "criminal." I know virtually nothing about the applicable law here, so am unwilling to discuss criminality.
I might add that the facts themselves seem a little murky also. Jane quotes the WSJ. I'm not a subscriber, so I can't read the item, but that paper is hardly famous for impartiality, especially since the section quoted suggests the "reporting" was on the editorial page.
David W.,
It may be true that Hatch knows little about how the system operates. But suppose your staff was involved in some controversial matter that came to public attention, and that you knew little about the technical details. Would you issue a statement saying one of your own staffers had behaved inappropriately before you checked with someone more knowledgeable? Hatch is a pretty fierce partisan, and I wouldn't expect him to concede any wrongdoing unless it was unavoidable.
Posted by: Bernard Yomtov on December 3, 2003 10:43 AM
Kirk,
I was not taking a swipe at IT professionals in general. I find most to be very competent. I also agree that management often disregards IT's recommendations regarding security in favor of convenience until something bad happens. Having said that, anyone who has NOT worked with an incompetent IT professional should now raise their hand.
Bernard,
I, like most of America, have long since gotten over this (if they even knew about it in the first place). As for the question of whether ethical vs. legal issues were up for discussion, I think it is safe to say that only legal issues matter in politics anymore. I don't know if this was the inevitable outcome of an ever growing government that has made it so financially rewarding to be elected or a consequence of the behavior of recent politicians from both sides of the aisle, but I do believe it is a fact. With a few exceptions, the rule now seems to be "no indictment no foul". I wish it were different.
Finally, I disagree that Hatch is a fierce partisan. He is pretty chummy with Senator Leahy. I believe that is one of the reasons why the criticism of his own staff was so harsh.
Jim English
Chicago
All the wrangling over the ethics or criminality of the staffer is well and good. However, I'd like to know why the memos are not getting any media coverage, or at least as much as the "leak" is.
Charlie:
Oh, and D. Citizen? You're mistaken: in fact, most law firms operate in exactly that fashion with their client's data, either electronic or paper: anyone in the office has the potential for access to almost everything. The customer is protected during the working day not by locks or file-system protection, but by the combination of the legal obligation to confidentiality and the legal protection given attorney-client privilege and an attorney's work products.
Most firms work that way, but when unaffiliated lawyers (those who are independent but share office space, and oft times computer networks) do so they open themselves up to liability for malpractice. A-C privilege covers the whole firm (which is why lawyers can be conflicted out of a case in which they performed no work, but their colleagues in the firm did). The customer has no need of protection from the other attorneys in the firm since they are all deemed to represent him for purposes of the privilege.
Also, interestingly enough, the duty of confidentiality is actually not a legal protection, but an ethical one. In fact, it extends further than the A-C privilege in that an attorney, in limited circumstances, can be restrained by the duty not to disclose confidences even if ordered to do so because the privilege does not apply.
With all of that in mind, it's a wonder that the Judiciary Committee would do such a lousy job of protecting what I suppose it deemed confidential materials.
Posted by: D. Citizen on December 3, 2003 12:33 PM
Charlie,
In fairness to D. Citizen, he was talking about lawyers not of the same firm who have an office sharing arrangement, which is common among sole practitioners.
Posted by: Rex on December 3, 2003 12:43 PM
We are forgetting what was in the memos. Orrin Hatch has just fallen for the same kind of tricks the Democrats were talking about on Intelligence Committee. In other words, it doesn't matter what you (Republicans) say because I can accuse you of dirty tricks when you find out. I can then wait to accuse you of it when I see fit.
All I have to do is to forget to shut the door!
Posted by: Tim on December 3, 2003 12:56 PM
"Finally, I disagree that Hatch is a fierce partisan."
Disagree all you want. Just because he's friendly with Leahy doesn't make him less partisan. Not to get the thread off on the usual exchanges about judicial nominations, but let me just point out that Hatch prevented a number of Clinton nominations from reaching the floor, and has the chutzpa to go on TV and complain how unfair it is that Democrats keep some Bush nominees from getting a vote.
That level of, shall we say, "inconsistency," seems pretty partisan to me.
Posted by: Bernard Yomtov on December 3, 2003 05:36 PM
Bernard,
Newt Gingrich was partisan. Tom Delay is partisan. Chuck Schumer (sp?) is partisan. Orrin Hatch falls into the Arlen Specter, Patrick Leahy category of Senator for life. They are more worried about what is said around the Senate Dining room than they are about partisan politics. Orrin Hatch has co-authored legislation with Ted Kennedy more times than I would care to remember. Finally, to directly address your point, if he were really partisan he would have pushed much harder to bring the Pickering vote to the floor. He did not. He would have fought harder to support both Brown and Estrada. He has not. If you asked around, I think most conservative Republicans would consider Hatch to be a bit of a sell-out. I could be wrong.
Jim English
Posted by: Jim English on December 3, 2003 06:31 PM
After an admittedly cursory look through the comments, it seems one possibility has been overlooked.
The system may have been set up "open" by design. It was for committee work, not party work, and sharing of information and views could be seen as an important part of the design.
If so, then the staffers who wrote the memos were doing the equivalent of downloading porn to an employer's system.
Folks, I see your point about D Cit., but with respect I'd argue that it's not really germane: the Intelligence Committee, unlike other committees, has a balanced membership and shares one staff; there's no "majority" and "minority" staff as with most other committees. (Seems I recall the Ethics Committee is the only other one that uses this scheme.) Thus the analogy is much more to the point if we're talking about a single firm.
Bernard, while I agree about there being more values on the moral band than "impolite" and "criminal", I'm just of the opinion that you shouldn't be fired unless you did something substantially more than just impolite.
In this case, it still sounds to me like the memo was a work product on the shared filesystem everyone used for their work products. If so, and the two conditions I mentioned don't hold, then the high dudgeon about the memos is misplaced, if not manufactured.
In the mean time, the actual memos should be getting more attention.
Posted by: Charlie on December 3, 2003 11:46 PM
Bernard: Sure, there's different levels of impoliteness, I wasn't trying to deny that.
For example, there's "impolite" where one's mother wishes you'd call more often and stop ignoring her, "impolite" where one consequently gets fired from a place of employment as did the committee staffers in question, and even "impolite" where a person suggests in brusque terms that a blogger should have the decency to withdraw an Estrada/race entry on her own blog, an entry that is apparently proven prescient a month later by "impolite"-ly accessed memoranda.
However that kind of behavior is (a) limited in fan-out effect in this instance and (b) exactly what I expect from career politicians and other scoundrels who operate by their principles, and hence, I take only enough interest in it sufficient to reinforce my prejudices. Rule-of-law factors, on the other hand, affect all of us more broadly.
Posted by: anony-mouse on December 4, 2003 10:58 PM
Re shared drives:
I have worked for four companies that had a share drive, and who also had personal folders.
You put information to share in your folder with the understanding that EVERYONE could access it.
What you could not do is put information INTO someone else's folder, because that would appear as if it was that person's information.
Posted by: Poker Player (aka Jim) on January 4, 2004 01:51 PM
Comments are Closed.
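Two of the comments above describe things an administrator can check from permission bits alone: Charlie's first test (did the reader have to defeat any protection, or was the file simply world-readable?) and the shared-drive convention Poker Player describes (everyone may read your folder, but nobody may write into it). The Python script below is an added example, not code from this thread or from any committee system; the directory names and the sample tree are constructed, and the share root is assumed to be an already-mounted path whose own mode is not part of the check.

```python
"""Audit a shared-drive layout for the two failure modes discussed in the
thread: a memo whose mode bits leave it world-readable, and a personal drop
folder that anyone can write into.  Added example with a constructed tree."""
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample tree (hypothetical names, not a real layout).
# Entries are (relative path, kind, mode); parents precede children.
SAMPLE_TREE = [
    ("shared", "dir", 0o775),                 # common area: everyone may read
    ("shared/jim_english", "dir", 0o755),     # drop folder: all read, owner writes
    ("shared/jim_english/notes.txt", "file", 0o644),
    ("shared/jim_a", "dir", 0o777),           # misconfigured: others can write into it
    ("minority", "dir", 0o750),               # no traverse bit for "others"
    ("minority/memo1.txt", "file", 0o644),    # others-read set, but unreachable
    ("drafts", "dir", 0o755),                 # misconfigured: traversable by all
    ("drafts/memo2.txt", "file", 0o644),      # ...and readable, so world-readable
    ("drafts/memo3.txt", "file", 0o640),      # same folder, but no others-read bit
]


def build_tree(root: Path, tree=SAMPLE_TREE) -> Path:
    """Create the sample entries under root and set each mode explicitly
    (os.chmod after creation, so the process umask cannot change the result)."""
    for rel, kind, mode in tree:
        p = root / rel
        if kind == "dir":
            p.mkdir()
        else:
            p.write_text("constructed sample content\n")
        os.chmod(p, mode)
    return root


def _mode(path: Path) -> int:
    return os.stat(path).st_mode


def world_reachable(root: Path, path: Path) -> bool:
    """True if an account that is neither the owner nor in the group could
    open `path` for reading, judged from mode bits alone: every directory
    between root and the file needs the others-execute (traverse) bit and
    the file itself needs the others-read bit.  root is treated as the
    share's mount point and is not checked itself."""
    cur = root
    for part in path.relative_to(root).parts[:-1]:
        cur = cur / part
        if not _mode(cur) & stat.S_IXOTH:
            return False
    return bool(_mode(path) & stat.S_IROTH)


def audit(root: Path, restricted=("minority", "drafts"), drop_area="shared"):
    """Return (exposed, open_drop_folders).

    exposed: files under the restricted areas that are world-readable.
    open_drop_folders: personal folders under the drop area that carry the
    others-write bit, so anyone could plant a file that looks like the owner's."""
    exposed, open_drop = [], []
    for top in restricted:
        base = root / top
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                f = Path(dirpath) / name
                if world_reachable(root, f):
                    exposed.append(f.relative_to(root).as_posix())
    drop = root / drop_area
    if drop.is_dir():
        for child in drop.iterdir():
            if child.is_dir() and _mode(child) & stat.S_IWOTH:
                open_drop.append(child.relative_to(root).as_posix())
    return sorted(exposed), sorted(open_drop)


def run_demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_tree(Path(tmp)))


if __name__ == "__main__":
    exposed, open_drop = run_demo()
    print("world-readable restricted files:", exposed)
    print("drop folders others can write into:", open_drop)
```

The audit only flags `drafts/memo2.txt`: `minority/memo1.txt` has the same file mode but sits behind a directory with no traverse bit for others, and `drafts/memo3.txt` lacks the others-read bit. A mode-bit pass like this is a first screen, not a guarantee: on a real share, group membership and any NTFS or POSIX ACLs also decide who can read what, so a hit here is a finding while a clean result still needs the ACLs checked.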