RE: [squid-users] logging question

From: maxwell <maxwell@dont-contact.us>
Date: Wed, 4 Sep 2002 15:26:48 -0500 (CDT)

Robert,

    The statement of legality comes straight from our legal department.

    I am well aware of the ways ACLs can be used to create fun and
interesting effects with a user's access, however in this case, it is
irrelevant. There are too many loopholes that would need to be filled,
as the employee's access needs of the moment shift with the requirements
of the account they are managing, and these may shift from second to
second. Clients do not care if their demands are reasonable, and my
employers do not care how unpleasant it may be for the staff to cope with
the vagaries of a client so long as that client pays well.

   Regardless of the merits of personal point of view, I am in a position
that requires me to log this information in order to save these employees'
jobs. What if they are banking? Then they will be fired. What if they
are entering private information in a loan or credit application? They
will be fired. The ethics of the situation are very simple. Every
employee here signs a contract stating that no company computers or
bandwidth may be used for personal tasks, at any time, for any reason.
If they are doing so anyway then, to be blunt, they are people who lack
integrity and deserve no respect or consideration. I prefer, however, to
believe that these are people of good moral character, who honor their
agreements and who are simply dealing with clients who are directing them
to sites the client favors.

   While I thank you for the repeated explanation of your personal beliefs
and preferences, my task is unchanged. If I cannot log the information
and use it to vindicate these people, they will be fired. The math is
quite simple. No logging == fired employees. Not in the future, not in
the past, but now. These are real people, whose jobs are at stake and who
will face unemployment _without_ benefit of unemployment insurance or
continued benefits, within about ten working days. The paperwork has
already been started, and I will have a single opportunity to stop it
during a review.

    I will take your previous two messages to mean "I don't know how/if it
can be done with Squid", and will continue on to other avenues. Some
other user here may know how, or I may be able to discover a method
myself.

    Thank you for your time.

On Wed, 4 Sep 2002, Robert Adkins wrote:

> Maxwell,
>
> That particular battle is still being fought in the courts. Depending
> upon the judge overseeing such a case, that has gone both ways in the US.
> I haven't any direct cases in front of me, but I have read about cases
> going both ways, even with the existence of restrictive corporate
> policies.
>
> However, if your employers are simply interested in cutting off access
> to certain sites, there are many methods to do so without compromising
> access to the rest of the internet.
>
> For instance, I am using a porn filter ACL within squid that I have had
> to add a number of sites and word combinations to. This has quickly and
> summarily ended improper use of the internet within this company.
>
> There exists a second filter that allows access to certain websites,
> that while they contain some word/word groupings you would find in a porn
> site, they are far from a porn site. Sites like www.essex.com, which is
> "The Best Small Town in America", it just happens to have "sex" within
> its name.
>
> Your best bet would be to simply block the sites that the upper
> management deems as unnecessary for employees to access. That will save
> you considerable time, potential legal hassles and should appease
> everyone.
>
> When I started my position here, I was told that porn sites were
> verbally forbidden, but still accessible. So, I technically forbade
> access to those sites.
>
> If you, or those employees, are unable to justify a legitimate business
> reason to access those forbidden web-sites, without sneaking around and
> logging all activity done on those sites, you really should simply block
> those sites.
>
> Once again, I would recommend speaking with your legal department or
> lawyer as you have no idea what information you could obtain within any
> log that you create or figure out how to create. The fact that you could
> accidentally create a log of employee banking records (usernames and
> passwords), which could potentially fall into the hands of unscrupulous
> individuals simply demands that you bring that information to the
> attention of the people that requested you to create such a log.
>
> Regards,
> Robert Adkins
> IT Manager/Buyer
> IMPEL Industries, Inc.
>
> -----Original Message-----
> From: maxwell [mailto:maxwell@mindscrape.com]
> Sent: Wednesday, September 04, 2002 2:44 PM
> To: Robert Adkins
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] logging question
>
> Robert,
>
> In the United States employees have no legal expectation of privacy
> using computers and access owned by their employers. In fact, most
> corporations have strict policies forbidding any sort of personal use of
> these resources in order to prevent any sort of liability or criminal
> activity. The reason for my question quite simply, is that we do have
> the aforementioned policy, and violating it is a terminating offense. We
> also have several employees who are repeatedly accessing websites
> expressly forbidden by both name and IP address. As we cannot, for
> business reasons, simply block access to the entire Internet, my
> employers wish to see what these employees are doing on these websites.
> If I cannot prove they have legitimate reason to be there, they will be
> summarily terminated, and legal action may be pursued. It may be unfair
> and it may be harsh, but these are the conditions I am forced to deal
> with. If I can't log the material, and demonstrate its validity in
> private, then these people will be fired.
>
> If I must, I will resort to packet sniffing in order to save these
> people's jobs. Logging it through the proxy however, with a nicely
> organized trail of accesses would, as you might imagine, save me quite a
> lot of time and effort in doing so.
>
> On Wed, 4 Sep 2002, Robert Adkins wrote:
>
> > Maxwell,
> >
> > Most of those forms are encrypted and I believe that this encrypted
> > data is never cached/logged.
> >
> > There is another issue that you will need to go over with your legal
> > department/lawyer and your Human Resources department, if you choose to
> > attempt this. To do this is quite an unethical act and probably highly
> > illegal.
> >
> > First off, this could create a listing of the proxy server users'
> > Social Security Numbers (If in the US.) if they were to be applying
> > for a loan during lunch. This could also create a listing of their
> > usernames and passwords for accessing their personal bank accounts or
> > any other web-site that they may visit.
> >
> > Unless I am mistaken, what you are suggesting will break quite a
> > number of privacy laws, at least within the US and could get you into
> > serious trouble with the law. I believe that you could end up facing
> > Federal Charges, if you are in the United States.
> >
> > If this is something that was suggested to you by your employer, then
> > you may wish to bring this to their attention and have them discuss
> > this with their lawyer before moving forward with this unethical,
> > immoral task.
> >
> > The last thing that you would need to consider, is what happens if you
> > create this list and someone hacks your site? All of this information
> > could end up in the hands of other highly unethical people and that
> > information could then be used to seriously damage the financial
> > livelihood of the people that you "innocently" collected information
> > from.
> >
> > Regards,
> > Robert Adkins
> > IT Manager/Buyer
> > IMPEL Industries, Inc.
> > Office: 586-254-5800
> >
> > -----Original Message-----
> > From: maxwell [mailto:maxwell@mindscrape.com]
> > Sent: Wednesday, September 04, 2002 12:11 PM
> > To: mailinglistsquid-users@squid-cache.org; squid-users@squid-cache.org;
> > Robert Adkins
> > Subject: [squid-users] logging question
> >
> >
> >
> >
> > Is it possible to configure squid to log the full contents of all
> > form submissions a user makes? I.E. all get/post/etc requests?
>
Received on Wed Sep 04 2002 - 14:28:41 MDT
