Posted: Mon Aug 24, 2009 10:23 am
While I too am unable to find a specific document that covers the "third-party server" rule, it does seem to apply to this situation. As you mentioned, we have been told here not to upload exported data to a third-party server because of concerns about confidentiality. When a third-party server is involved in transmitting data from the screen of a computer running MLS, it seems that we have most of the same issues.boomerbubba wrote:Could someone please point to an actual policy document that describes such a "3rd party server" rule? I find no such reference in this document, where we might expect to find it mentioned. The "rule" seems to be a unicorn.
The screen of a computer running MLS may have highly confidential information (in some cases, more sensitive than anything that appears in export files). If the image of that screen is being transmitted to a third-party server, how do we know that the transmission is secure? How do we know that whoever runs that server doesn't keep copies of the images or transmit them somewhere else? It all comes down to our trust of the owner of that server. But if you examine the possible risks, much of the same mischief is possible that we are concerned about with exported data.
I don't think we need to conclude that the policy is "No matter what the question is, if it involves a third-party server, the answer is no," but there do seem to be valid security and confidentiality concerns with the remote access question.