Old 03-08-2011, 02:11 AM   #3
silvarilon
Re: Who's Watching the Watchers?

Since it was my quote, I'll chime in.

As background, I work at a university, in a specialized IT group that looks after one of four faculties.

There is a central, university-wide IT group as well. Some infrastructure is managed by them, some by us, and some by both groups.

Within our faculty, people seem to be very aware that the IT people have access to a huge amount of information.

Interesting you use the word "control" though - IT people can certainly listen in on a lot of information, but whether they "control" it is a different matter. I probably don't have the authority to tell someone that they are no longer allowed to use email, for example.

But where "access" and "control" get blurry is interesting. Officially I don't have the authority to tell staff member A that they can play games, but tell staff member B that they can't. Unofficially, everyone knows that we're the people who control the *access* to what is needed, and therefore, by default, we do have that control. Even if it hasn't been officially recognized.

It isn't limited to only computer systems, though. I've got a keycard that lets me in pretty much wherever I want (there are a few places off-limits, mostly due to safety reasons. For example, my card won't let me into the radiation lab...) - it also lets me in 24/7. Very few other groups get that level of access, but techs seemingly get it by default.

Again, I think the organization is aware of this. We need a high level of information access just to do our jobs - we also tend to be the gatekeepers when giving out access to those same systems, again, a natural consequence of the way we do our job. It's quite possible that a level of middle managers could be put in place to control and authorize access, which would provide a buffer limiting the tech's authority. But that would significantly reduce our ability to be responsive to the users' needs, and to give personalized solutions. My group exists specifically because we can provide better service than a generic university-wide IT group. So it doesn't make sense to lose that advantage.

I suspect part of the reason why people are comfortable with high level techs having significant authority and access is because... well, we've already got access. As soon as I can log into the mailserver as an administrator, I can read any of your email. You just have to trust that I won't. If you're putting that sort of trust in me, then giving me access to your physical office is a much smaller step.

The general attitude seems to be that techs aren't necessarily paid a large amount, but they are afforded the same sort of privileges when it comes to company access that upper management would have (and regularly much higher levels of access.)

Certainly. In my case, I don't have direct access to all those services, because some (such as the IP phones) are handled by the central group.

I certainly would be able to steal the passwords for any system I don't control with ease.

But my next question would be: what's the point?
So what if I can control your IRC access? What can I do with that?
- I can deny you access, if you annoy me. Power trip. But pretty petty, and the more I abuse power like that, the more likely someone in authority will get annoyed at me and rein me in. If you're the only person using IRC, then I could certainly deny all IRC with impunity.
- I can listen in on you. Again, power trip, but petty. And there are laws against it. Sure, nobody would know that I'm doing it... (although the other techs might realize) - but... yeah. Illegal, and really not as interesting as you'd think.
- I can play silly buggers. Make it start and stop working, or something. Again, pretty pointless.

And really? I don't care what people are talking about. Unless someone in authority tells me something like "I want you to record and review what this guy is discussing in IRC, due to reason X Y and Z" then I have no interest in what people have to say.

More significantly, there's a certain amount of work that needs to get done - if I have free time to spend screwing around, I'd much rather be making overly-long posts on TMS rather than fiddling with something that's already working. There is always something interesting and productive I can be doing as part of my job. I'm not going to waste my time on trivialities like that.

But then again, I have a large amount of freedom - if I've got the time I can create my own projects, decide what I want to improve or create, and I tend to get a lot of support from my IT group and the faculty. If I was in a job where I was given a list of tasks and no authority to decide things for myself, I might relish the "secret power" of being able to spy on people. I'm glad that isn't the case for me.

I'm quite surprised, actually.

Partly because that's illegal - although you can get away with it - it breaks a number of laws. I know the specifics here in Australia, but I'm sure there are similar laws in the US and most other countries. And regardless of laws, if they get found out, it can lose them their job just by virtue of annoying the wrong person.

Mostly I'm surprised because... I really just don't see the point. I have no interest what people are saying. If I want to find out what's happening around the place, the gossip grapevine is probably going to give me better returns than listening to phone conversations. And some people have, y'know, their own morals that might forbid them from listening in on a private conversation.

Well... depends on the company. In a company where IT is poor, there may be two or three IT guys who run everything - in which case, chances are nobody is watching them, as they're likely the only people who understand what is going on.

In a larger team, if the team tends to be made up of moral people, they'll be watching each other. The greater company culture will help, but the culture of the IT team will develop, and that culture will set the tone for what is acceptable. Most members of the team will then follow that lead, and the others should rein in the ones that don't. (Of course, if it's the boss that misbehaves, that just sets the culture for the underlings to also misbehave.)

In my group the culture seems to be "respect people's privacy, but don't be afraid to delve into personal information if it's part of your job and you're doing it for a productive purpose" - I have never known a member of my team to read someone's email, even though we all have access to it. I have regularly known a member of the team to do a dump of someone's email (which prints it in a readable format to the screen) in order to check what the date of the last received email was, or similar, when trying to help a customer (whether the customer is there at the moment or not).

And I've never seen a customer surprised that we have access to their email in that sort of way. They all already assumed we had that sort of access.

Beyond the team, who watches? In some companies, as Darren posted, there is another body that polices behavior. In many there isn't. And beyond that, there is the law. It might be hard to catch an IT person screwing around with personal behavior, if they're smart enough to only do it in private, but if you do they can face serious legal consequences, including jail time.

So yeah, serious abuses can (and do) happen.
Techs have access to a LOT of information, and in a lot of ways are the most powerful (important?) people in a company.
It's up to the company to hire trustworthy people, and to set up oversight where necessary. (Just the same as it's up to a retail store to hire trustworthy staff who won't shoplift or steal money from the register.)

But in a well-run team, that is given useful tasks to complete, independence to do their job, authority to make decisions, and the ability to set the IT agenda and goals - well, they'll be too busy doing the things that they want to bother abusing anything. And the company will benefit from that energy going into something productive.

It's an interesting topic - especially since just last week I was thinking about how I have more information about what each academic does than anyone else at the university, since I was the one that built the database which stores that information, and wrote the rules about how it's calculated. Which has (unintentionally) put me in the position of the "expert" on the topic, and therefore the person who sets policy about what work is worth what. (I'm not quite sure I'm comfortable telling my co-workers how much their work is worth)

Food for thought.

Cheers,
Tony