Security Ethics

[bryant]

Hot rumor: Karl Rove staffers sent email to the wrong address. Instead of mailing whoever@georgewbush.com, they mailed whoever@georgewbush.org. The guy who owns georgewbush.org is apparently not a Bush fan, so the emails are in Greg Palast's hands.

Taking advantage of this, of course, is morally wrong. As one Democratic Senate staffer said:

"They had an obligation to tell each of the people whose files they were intruding upon -- assuming it was an accident -- that that was going on so those people could protect themselves. To keep on getting these files is just beyond the pale."

Yeah, I'm being snarky. That's a quote from the time the Republicans noticed that they had the ability to read Democratic private files by accident. You could make a marginal argument on the premise that the emails were sent, whereas the Republicans had to go get the files from the fileserver, but as a system administrator? I don't buy it.

Comments

Does context not matter at all?

[dtm]

What if the emails contained evidence of a crime?

What if they contained plans for a future crime?

What if the emails were subject to an open subpoena, and the targets of the subpoena publically claimed that the emails were lost and couldn't be produced?

These are not, in this case, theoretical questions. (Okay, maybe the second one is)

Yes, keeping the security breach silent and using it to eavesdrop is unethical, but I am not convinced that instantly deleting the emails in question is the only possible ethical option - is turning the emails over to law enforcement not a viable option?

Re: Does context not matter at all?

[bryant]

Hm. You're advocating that any time a system administrator gets a bounced email to postmaster@whatever.com, they should read it to make sure there's no breach of the law?