[svlug] Hard drive destruction

[Luke S. Crawford]

.
On 09/10/2015 08:25 PM, Michael Robinson wrote:

>
> If erasing the data on a hard drive is meant to ensure privacy or
> protect someone's reputation, consider that this person may need
> to be found out and connected with help to combat an Internet
> addiction.  You might be ethically obligated to reach out to
> the datum owner or a supervisor above this person.  If you don't,
> you may be asked in the future if you had knowledge of this person's
> addiction and face prosecution or sanctions for covering the problem
> up.

...

>
> There could just be trade secrets on a failing hard disk in
> which case physical destruction of the drive should be both prudent
> and legal.

Why do you make the distinction between "trade secrets" which it's okay, 
even prudent to protect, and "personal secrets" which it's not okay to 
protect?    A person has just as much right to expect privacy in 
personal matters as a corporation has to expect privacy in business 
matters.   Hell, if I were making the law, I would argue that an 
individual should have *more* of a right to privacy than a corporation.

(For the record, I operate my business in a fairly open manner;   we 
release most of our tools, and wrote a book, even, detailing most of the 
practical knowledge we had at the time about the technology we use.  We 
don't release financials, but that's mostly because we're small enough 
that doing so would reveal people's personal income.)

As  sysadmins, if a clients can't trust us to respect their privacy, if 
our customers can't trust us with their data, we are useless, because we 
usually can't do our job without that access.


As a sysadmin of a VPS provider,  the lines are pretty clear.  It is my 
responsibility to provide reliable access to a block device, and to 
insure that unauthorized parties can not read or write to that block 
device.   Sarah is extending this to the disks after they've finally 
failed and the warranty is done, which is good, I think.

It is *not* my responsibility to go around making wild accusations about 
"internet addiction"  or randomly investigating my customers for 
anything else.    By policy, I treat those block devices as *block 
devices*  - by policy I'm not going to mount those block devices and 
treat them as filesystems without the customer's say so.  I'm not going 
to log in to the customer's image without their knowledge.

These things seem pretty obvious to me;  if you are a landlord, you 
don't break into your tenant's apartment and rifle their underwear 
drawer looking for drugs.

You may say it's different because it's a business... but I'm not so 
sure it is.   I think I would have similar feelings if I was helping my 
cousin back up his laptop.   Respecting another person's privacy is an 
important part of respecting that person as a human being.