[svlug] Hard drive destruction
Luke S. Crawford
lsc at prgmr.com
Thu Sep 10 21:21:24 PDT 2015
On 09/10/2015 08:25 PM, Michael Robinson wrote:
> If erasing the data on a hard drive is meant to ensure privacy or
> protect someone's reputation, consider that this person may need
> to be found out and connected with help to combat an Internet
> addiction. You might be ethically obligated to reach out to
> the datum owner or a supervisor above this person. If you don't,
> you may be asked in the future if you had knowledge of this person's
> addiction and face prosecution or sanctions for covering the problem
> There could just be trade secrets on a failing hard disk in
> which case physical destruction of the drive should be both prudent
> and legal.
Why do you make the distinction between "trade secrets" which it's okay,
even prudent to protect, and "personal secrets" which it's not okay to
protect? A person has just as much right to expect privacy in
personal matters as a corporation has to expect privacy in business
matters. Hell, if I were making the law, I would argue that an
individual should have *more* of a right to privacy than a corporation.
(For the record, I operate my business in a fairly open manner; we
release most of our tools, and wrote a book, even, detailing most of the
practical knowledge we had at the time about the technology we use. We
don't release financials, but that's mostly because we're small enough
that doing so would reveal people's personal income.)
As sysadmins, if a clients can't trust us to respect their privacy, if
our customers can't trust us with their data, we are useless, because we
usually can't do our job without that access.
As a sysadmin of a VPS provider, the lines are pretty clear. It is my
responsibility to provide reliable access to a block device, and to
insure that unauthorized parties can not read or write to that block
device. Sarah is extending this to the disks after they've finally
failed and the warranty is done, which is good, I think.
It is *not* my responsibility to go around making wild accusations about
"internet addiction" or randomly investigating my customers for
anything else. By policy, I treat those block devices as *block
devices* - by policy I'm not going to mount those block devices and
treat them as filesystems without the customer's say so. I'm not going
to log in to the customer's image without their knowledge.
These things seem pretty obvious to me; if you are a landlord, you
don't break into your tenant's apartment and rifle their underwear
drawer looking for drugs.
You may say it's different because it's a business... but I'm not so
sure it is. I think I would have similar feelings if I was helping my
cousin back up his laptop. Respecting another person's privacy is an
important part of respecting that person as a human being.
More information about the svlug