The New Frontier of Privacy Management: Policy Based Auditing

No technology can replace a culture of respect for privacy. Arthur Riel, a former IT manager at Morgan Stanley, found that out the hard way. Information Week has done a good job of covering the story. It seems that Mr. Riel was in charge of putting in place an e-mail archiving and search solution at Morgan Stanley, ironically enough as a result of SOX findings indicating that the company needed to do a better job of managing its e-mail.

Mr. Riel claims that he stumbled across e-mails that raised business conduct concerns, some of which implied that the CTO had received hard-to-get sports tickets and other favors from vendors. Mr. Riel copied and redistributed these e-mails, which has since raised a ruckus and led to ongoing investigations. He was subsequently fired for abusing his access to the e-mail archive and, in Morgan Stanley’s words, for having “engaged in a deliberate, extensive and surreptitious review of other employees’ emails.”

Whether or not Morgan Stanley engaged in unethical business conduct is something I’ll leave to the press and the appropriate law-enforcement agencies to sort out. I’m interested in how Mr. Riel came to see the e-mail in the first place. He, or at least his department, was in charge of establishing the e-mail archive system. He used the archive. He performed searches. He found the incriminating e-mails.

Was Mr. Riel claiming that he was “testing” the e-mail archive system? After all, he was in charge of its installation, and it was a new system in the IT environment that ought to have been thoroughly tested. But even if he was only testing the system, that is no excuse for invading the privacy of other employees’ e-mail. This speaks to a fundamental rule in IT that auditors are looking at more and more: the development organization should never have access to production data, in this case the production e-mail archives. There are at least three ways I can think of to test the e-mail archive system without accessing production data and without invading anyone’s privacy.

First, Mr. Riel’s department could have established a separate test archive for the testing, seeded with dummy e-mails. This would have been a big pain in both time and expense. But if the test instance is never connected to the production mail store, it cannot pull up any real e-mail.

Second, Mr. Riel’s department could have created dummy e-mail accounts in the company, sent and received e-mail from those accounts, and then run tests searching for e-mail in the dummy accounts. The production archive would still be used, but the searches would target test data within it. This sort of solution does not work for every kind of system, because in many databases and other repositories test data would pollute the production data. But in the case of an e-mail archive, mail in the dummy accounts does not affect the other mail in the system. Furthermore, I would argue that the dummy-account approach is useful because the test team can conduct more precise and meaningful tests: they can build many different test cases for the types of searches they need to exercise, using carefully constructed e-mails in the dummy accounts.

Third, let’s suppose that both of the previous solutions are too expensive and too time-consuming to implement, and that for your testing you are going to run some queries against the production data. How could you do this without invading anyone’s privacy? Well, you could always search your own e-mail! If Mr. Riel had restricted his queries to the scope of his own e-mail account, he would never have seen anyone else’s e-mail. The catch is that the restriction has to be enforced by the system, not merely promised by the tester; otherwise nothing distinguishes a scoped test query from the kind of browsing Mr. Riel was fired for.

The alleged misconduct of the more senior employees is no excuse for Mr. Riel’s behavior, not even if he was only testing the system.

This leads to the other issue raised by the story. Once the e-mail archiving and search system is in place, who gets to use it, and, most importantly, under whose authorization and in what circumstances? In other words, what is the governing policy for using the archive? Can any employee with access use it at any time to read anyone else’s e-mail? Can it be used only when legally compelled, in e-discovery for litigation? What exactly is the policy? This is a thorny issue that not enough technology products address today, and in some sense policy-based management of IT is the new frontier in privacy management. If I were designing an e-mail archiving and search solution, for example, I would be well advised to build into it a way to express the policies and the terms and conditions for using the technology. I ought to create a secure audit trail of every query made against the system, recording who made the query, the exact scope and terms of the query, and, most importantly, the justification for that query against the stated policy. For that trail to be worth anything, the people who run the queries must not be the people who can edit or delete it; an archive administrator who can erase the record of his own searches has no audit trail at all.
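To make the idea concrete, here is a small Python sketch, added to this post as an illustration and not code from the original article or from any archiving product Morgan Stanley used. It ties together the two points above: a “testing” query is only allowed to touch the requester’s own mailbox or designated dummy accounts (the second and third testing approaches), an e-discovery query needs a case id and an approver, and every query, permitted or refused, is written to a hash-chained audit log keyed with a secret the searchers do not hold. The sample archive, the mailbox names, the policy rules, the approver list and the audit key are all constructed assumptions for the example.

```python
"""Policy-gated archive search with a tamper-evident audit trail.
Hypothetical example: mailboxes, rules, approvers and key are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample archive: mailbox address -> list of (subject, body).
ARCHIVE = {
    "riel@example.com": [("archive rollout", "status of the archive project")],
    "cto@example.com": [("tickets", "thanks again for the playoff tickets")],
    "test01@example.com": [("SEARCHTEST alpha", "seeded test message")],
}
# Dummy accounts the test team may seed and search (assumed for the example).
TEST_MAILBOXES = {"test01@example.com"}
# Hypothetical approvers whose sign-off is required for an e-discovery query.
LEGAL_APPROVERS = {"counsel@example.com"}
# Key held by the audit system, not by archive administrators, so an admin
# cannot forge or quietly rewrite the record of his own searches.
AUDIT_KEY = b"audit-system-key-not-available-to-searchers"


@dataclass
class SearchRequest:
    requester: str         # who is asking
    purpose: str           # "testing" or "ediscovery"
    mailboxes: list        # exact scope of the query
    term: str              # search term
    case_id: str = ""      # required for e-discovery
    approved_by: str = ""  # required for e-discovery


def authorize(req):
    """Return (allowed, justification) for the request under the stated policy."""
    if req.purpose == "testing":
        # Test queries may only touch the requester's own mailbox or dummy accounts.
        outside = sorted(m for m in req.mailboxes
                         if m != req.requester and m not in TEST_MAILBOXES)
        if outside:
            return False, f"testing queries may not touch {outside}"
        return True, "scope limited to requester's own mailbox and test accounts"
    if req.purpose == "ediscovery":
        if not req.case_id:
            return False, "e-discovery query requires a case id"
        if req.approved_by not in LEGAL_APPROVERS:
            return False, f"approver {req.approved_by!r} is not legal counsel"
        return True, f"e-discovery for case {req.case_id}, approved by {req.approved_by}"
    return False, f"no policy permits purpose {req.purpose!r}"


class AuditLog:
    """Append-only, hash-chained log: each entry's digest is an HMAC over the
    previous digest plus the record, so editing or deleting any entry breaks
    verification of every entry after it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True)
        return hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        self.entries.append({"record": record, "prev": prev,
                             "digest": self._digest(prev, record)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["digest"] != self._digest(prev, e["record"]):
                return False
            prev = e["digest"]
        return True


def search(req, audit):
    """Run the query only if policy allows, and record who asked, the exact scope
    and term, the decision and its justification, for denials as well as hits."""
    allowed, why = authorize(req)
    audit.append({"requester": req.requester, "purpose": req.purpose,
                  "mailboxes": sorted(req.mailboxes), "term": req.term,
                  "case_id": req.case_id, "approved_by": req.approved_by,
                  "allowed": allowed, "justification": why})
    if not allowed:
        raise PermissionError(why)
    return [(m, subj) for m in req.mailboxes
            for subj, body in ARCHIVE.get(m, [])
            if req.term.lower() in f"{subj} {body}".lower()]


if __name__ == "__main__":
    log = AuditLog()
    # Test-phase query scoped to the tester's own mailbox plus the seeded account.
    print(search(SearchRequest("riel@example.com", "testing",
                               ["riel@example.com", "test01@example.com"], "SEARCHTEST"), log))
    # The same tester reading the CTO's mail "for testing" is refused, and the refusal is logged.
    try:
        search(SearchRequest("riel@example.com", "testing", ["cto@example.com"], "tickets"), log)
    except PermissionError as e:
        print("denied:", e)
    print("audit chain intact:", log.verify())
```

The design choice worth noting is that the policy decision and its justification are logged before the archive is touched, and denials are logged too, so a reviewer can see not only what was read but what someone tried to read. The HMAC key models the separation of duties: whoever can run queries must not be able to recompute the chain, otherwise the log can be rewritten to hide a search.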

I don’t know whether the e-mail archiving system Mr. Riel installed at Morgan Stanley has such capabilities. My guess is that it doesn’t; in general, IT vendors are behind the times on this. But even if the system didn’t come with such capabilities, Mr. Riel, as the manager of the project, should have ensured that an internal policy-based auditing process was in place for the e-mail archive. And he should have followed it.
