Who’s Computer is it, Anyway?! (Part 2)
Okay – here’s the scenario (again): Same as Part 1 - Corporate environment, computer is provided by the company, all of the initial software on the computer is installed by the company. The user signed an Acceptable Use Policy statement acknowledging their responsibilities with regard to computer use and security. The company’s acceptable use policy says something about “…only approved software…” The end user is the only user of the computer. Employees are allowed to use the Internet (i.e. the web browser), applications, and email for business purposes and for limited personal use.
More on those neat little freebies – but this time, it is not just a seemingly innocent browser toolbar. There are other free tools out there, commonly known as “peer-to-peer” (P2P) applications. Seems our carefree and gadget crazy employee from last time really likes music, so I will just concentrate on the P2P apps that allow you to download music files (MP3s), but there are many others. The way these applications work is that you install some software (free of course) on your computer, which then has the ability to connect to everyone else on the Internet who has that same software. The reason they call it peer-to-peer is because users don’t actually download the files from a central source, but from each other. The user enters the search terms of the music they are looking for, and the P2P software finds the other users who are online that have that music. The user can then choose to download the files they want. When the download is started, parts of the file can actually come from multiple peer users, speeding up the download process. Downloading MP3 files is great – the users can listen to them on their computer at work, providing they aren’t distracting coworkers, and they can even take them home at the end of the day. Ah, piracy has never been so easy!
Well, here’s the catch: For one thing, downloading copyrighted files from any source without paying for them is illegal. Remember last time I mentioned getting your employer in trouble by installing supposedly “free” software that actually had to be licensed? Well P2P software opens your employer up to a whole new batch of liabilities. We can safely assume (my opinion here) that most people that use P2P software to download music know it is illegal, but do it anyway. This makes the crime more blatant and premeditated, in my mind, and seems to result in harsher consequences. Since you are on company time and on company property, you are now (using a legal term here) under the “scope of employment” which allows prosecuting parties to hold your employer accountable as well as you. The employer should have known that the employees were using company network resources and company computers for downloading illegal music. If the employer is practicing due diligence, they would be checking their network for P2P traffic and scanning their servers for potentially illegal file types.
Even if you are using one of the new and improved “pay as you go” services and pay for the music instead of committing piracy, you are still creating problems on a networking infrastructure. So now let’s take the whole “who’s computer is it anyway?” question a little further and ask “who’s network is it anyway?” The other thing about P2P software is that it creates network traffic – a LOT of network traffic. When I was teaching, our students were all required to have laptop computers in support of the curriculum. We had full Internet access for them, email, and wide open – no restrictions. Very early on in our experience with student laptops, we found that it didn’t take them long to discover Napster and Kazaa. While teaching class, I could look out and see the sea of dopey looks as these people were downloading tune after tune (not paying attention to the Instructor, of course). The magic question of “Hey!!! How come the network is so slow between the hours of 11:00am and 3:00pm??” popped up. It was because several hundred students were all downloading massive volumes of MP3 files and choking our network. Not only that, but our file servers hard drives were swiftly running out of space because of all the MP3’s being stored in student Home folders. Imagine that same problem, not in an academic setting, but in a business setting where real work is supposed to be getting done. These types of activities have the potential to hog bandwidth, take up valuable file server space, and are probably robbing employers out of productivity from their employees.
So now for the security aspects of this issue: P2P software is known to be a large source of security vulnerabilities and exploits. Software like this creates a pretty big opening into the hosting computer making it possible to spread viruses, WORMS, denial of service attacks, and other attacks that allow full control of a compromised computer. In fact, having this type of software may cause your company to fall out of compliance for various legislative act requirements such as those contained in HIPAA, Sarbanes-Oxley, or GLB.
Again, as in the case of the company owned computer – it’s not the employee’s network, it is the company’s network. The employer has the right – scratch that – the obligation to protect their network from performance degradation and unauthorized use. They also have a legal requirement to ensure that all of their information technology resources are in compliance with various regulations – and that includes making sure that the software installed on company owned workstations isn’t causing security or performance problems. Be a good employee – do what you want to your computer at home (you’re going to anyway), and leave your company resources for doing business. Failure to keep this stuff of your employer’s machines has the potential to hurt them, but also has the potential to hurt you more than you can imagine.
More Information:
SearchSecurity.Com Article: Are P2P Applications Worth the Risk?
DHS: Unauthorized P2P Programs on Government Computers
Article: Instant Messaging and P2P Vulnerabilities in Health Organizations
Who’s Computer is it, Anyway?! (Part 1)