[R] security using R at work

S Ellison S@E|||@on @end|ng |rom LGCGroup@com
Thu Aug 9 13:56:11 CEST 2018


> If I install R on my work network computer, will the data ever leave our
> network?

As far as I know, if you run R locally (and not, say, on an Amazon EC2 instance) your data - indeed anything about you or your machine - will only leave your desktop if you download and run an R package that transfers data intentionally. I don't know of _any_, but there are 10000 or so out there and I've probably used fewer than a hundred of them over the last decade.
Other than malice, I can't imagine why an R package would upload data to anywhere else, but I suppose it's conceivable that someone has a server farm out there for doing parallel MCMC and has written a package to access it, and that might be a use-case for data upload. Again, I don't know of one.

But here are three things that don't depend on a mailing list opinion.
a) If you are genuinely concerned, airgap. Only run sensitive data on machines that are not connected to the outside world. Install any necessary packages from local .zip on USB drives or something.

b) Install something like Wireshark and test for unexpected outgoing traffic on a dummy data set before applying the package to anything sensitive.

c) Have your IT department mark R as an unauthorised package (in your machine's firewall/security package) for TCP/IP transport so that R cannot talk to the internet.*

*That is a pain as the ability to download packages on demand is really helpful. However, it does mean that you can restrict _just_ R and does not require an airgap.



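A per-process companion to the check in (b), added here as an example and not part of the original post: it reads a socket listing taken while a package runs on dummy data and reports connections owned by R whose peer lies outside the networks you list. The `ss -Htnp` input format, the process names, the internal ranges and the sample lines are all assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: address ranges that count as "our network" (loopback included).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")]
# Assumption: process names R runs under on the test machine.
R_PROCESSES = {"R", "Rscript", "rsession"}

# Constructed sample of `ss -Htnp` output (not a real capture).
SAMPLE = """\
ESTAB 0 0 10.1.4.20:51514 10.1.0.8:443 users:(("R",pid=4121,fd=7))
ESTAB 0 0 10.1.4.20:51530 203.0.113.10:443 users:(("R",pid=4121,fd=9))
ESTAB 0 0 10.1.4.20:40022 198.51.100.7:443 users:(("firefox",pid=2210,fd=88))
ESTAB 0 0 [::1]:6311 [::1]:45012 users:(("Rscript",pid=4300,fd=4))
"""

# state, recv-q, send-q, local addr:port, peer addr:port, owning process
LINE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+):(?P<port>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

def external_r_connections(ss_output):
    """Return (process, peer, port) for R-owned sockets outside INTERNAL_NETS."""
    hits = []
    for line in ss_output.splitlines():
        m = LINE.match(line.strip())
        if not m or m["proc"] not in R_PROCESSES:
            continue
        raw, port = m["peer"].strip("[]"), int(m["port"])
        try:
            peer = ipaddress.ip_address(raw)
        except ValueError:
            # Unparseable peer: report it rather than silently hide it.
            hits.append((m["proc"], raw, port))
            continue
        if not any(peer in net for net in INTERNAL_NETS):
            hits.append((m["proc"], str(peer), port))
    return hits

if __name__ == "__main__":
    for proc, ip, port in external_r_connections(SAMPLE):
        print(f"{proc} -> {ip}:{port} is outside the listed networks")
```

A single listing only shows sockets open at that instant, so sample it repeatedly during the test run; a packet capture as in (b) still covers short-lived connections.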




More information about the R-help mailing list