Archive for June, 2010

Right to Privacy? Not if u txt…

June 24th, 2010 jmolini 1 comment

In a 9 – 0 ruling, the U.S. Supreme Court decided that employees do not have a right to privacy when using company phones to text each other. The court’s ruling sent a clear message to privacy advocates worldwide, by saying that a supervisor’s search through employee text messages was in fact a search, but was not an “unreasonable” search, in their opinion last Friday. I read about it in the Los Angeles Times here.

A couple of things are interesting in this case.  First, the court apparently considered text messaging to be similar to any other public paging system.  So, in effect, it looks like sending a text message could be legally as open as calling someone through the Airport public address system.  I’m sure we will hear more about this in the future.

Second, the court rejected a broad interpretation of an individual’s right to privacy by the US 9th Circuit Court. Normally, I wouldn’t be surprised if the 9th Circuit Court supported privacy rights for pigeons on the San Francisco Bay Bridge. However, many people, including me, wondered if the Supreme Court would broaden privacy protection, somehow. In this ruling, it didn’t happen.

Under this ruling, it looks like your employer can have a closer look at text messages. It might also extend to email messages in some future decision. Certainly, a broader interpretation of privacy would have opened up the possibility of lawsuits for those of us who monitor corporate networks. The threat of lawsuits would have prevented many legal searches, simply because it would be too much trouble to defend.

Some people will say that the US is losing a right to individual privacy.  I’d have to disagree.  This ruling is putting privacy into perspective.  It’s also going to help protect information security professionals from baseless lawsuits as they perform legitimate monitoring for employers. 

Jim Molini, CISSP, CSSLP

Categories: Information Security Tags:

Digital Borders: Maybe It’s Time.

June 1st, 2010 jmolini 2 comments

I’m on vacation near St. Louis, working on the family farm for a few days. (Yes, I enjoy driving tractors and fixing fence in my spare time. It’s a big change from the day job.) So, with a few spare minutes, it’s about time that I updated the blog. Thanks for waiting.

I have a conundrum for all of you.

If a foreign nation parachuted soldiers into St. Louis, Missouri and started invading homes, I’m pretty certain that the US government would send in the military to defend us. That’s because it’s an attack on the homeland. However, if we use the Internet model, they’d tell those people to call the Saint Louis Police Department and give them the URL for a web page on how to defend oneself from foreign invaders.

Doesn’t that sound strange?

With the US government spending more than $10 billion this year on Cybersecurity – for the US government – isn’t it time they talked about protecting the rest of us?
So far, much of the protection money was spent on plans to fence off government networks. We’ve heard lots about fencing off government networks from people like Richard Clarke. To me, it’s like building a castle, while the peasants live outside. Is that what we want from our government?

I recommend that we discuss a more comprehensive option, called Digital Borders. I wrote about this back in 1997 in an article called “Electronic Borders: Defining and Protecting National Networks” for Computers and Security magazine, here. (I changed the name because of conflict with another type of border technology.) I’m posing the concept again, since the open Internet has failed to bring harmony to the digital world.

Digital Borders are nothing more than a way to define the territory of any individual nation on the Internet. Usually, that space would be defined as the logical space owned by servers and network connections located in the physical space of any nation. In that regard, those IP addresses are governed by that nation’s laws. Knowing about where your national interest begins and ends makes it easier to enforce laws and to keep foreign interests from interfering in your local business. If the government will do this for itself, why won’t it do the same thing for the rest of us?

Any government can get started with a digital border by licensing all data connections that transfer data to and from locations outside the physical borders of that nation. Yes, this is additional regulation, but it only affects those entities that make direct connections outside the nation. From that point, the people of the nation should decide how much control is exercised over those connections. Filtering known malware and attacks is a simple step that would do lots of good for the average Internet user.

I am not advocating a massive and intrusive firewall, similar to the one used by the People’s Republic of China. The level of control is a matter of public policy and should be debated in any nation that considers the concept. However, I’d at least like to have the debate. It’s time we stopped fooling ourselves about the risks of an uncontrolled Internet and began seriously discussing a comprehensive plan for protecting ourselves.

Jim Molini, CISSP, CSSLP

Categories: Software Security Tags: