“Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.” — Niccolo Machiavelli, The Prince
I was talking with a gentleman from a university who told me that they are not allowed to inspect the payload of a packet when doing network monitoring. He went on to say that they only inspected the header, and if through this method they could demonstrate possible hacking activity, then they could go to the chancellor for an exception. Only with the exception could they start doing packet capturing of the person in question. This struck me as very odd, since the law relating to electronic monitoring is the Electronic Communications Privacy Act (ECPA). I did not see, if the university was following this law, how an exception could be issued by the chancellor and not a judge. I wondered what the legal requirements were versus the business risk management policies of the university.
The university policy appears to be based on the American Association of Collegiate Registrars and Admissions Officers report, “Final Report NSF – LAMP Project: Identifying Where Technology Logging and Monitoring for Increased Security End and Violations of Personal Privacy and Student Records Begin.” The study focused on the Family Educational Rights and Privacy Act of 1974 (FERPA). That law was written to afford students and their parents (in the case of minor students) certain rights to the protection of their education records. To quote the LAMP report, “When systems data are collected in logs, such data include information that itself or when matched with other data can be used to identify individuals and their behavior patterns. As college and university environments increase the number of functions that are networked, the ability to create an increasingly complex picture of individual activities grows. What may begin as logging activity to protect the efficient and effective functioning of one system can be targeted data collection and surveillance of a specific individual.” It goes on to state, “If a record is directly related to a student — i.e., identifiably associated with a specific individual — and if it is retained by the institution in any form (e.g., handwriting, print, tapes, film, microfilm, microfiche, and form of electronic data storage), it is an education record under the law, and the student is afforded certain rights.”
The report breaks data into three levels:
- Level I is for the purpose of network or operations management. Either data yielded cannot be associated with an individual user or functions are enabled in such a way as to effectively separate identifiable information from other output.
- Level II is also for the purpose of network and operations management as well as security. The data may be associated with individual users through multiple steps. The data are separated into log output to facilitate analysis of specific functions but to provide checkpoints before data can be linked and related in such a way that education records are created. Access should be restricted. Individuals handling data must be trained in FERPA. Archiving of data is short in duration.
- Level III is primarily for the purpose of security. Data yielded at this level include IP addresses, user IDs, account information, email addresses, date and time stamps, and any other readily identifiable information. Individuals with access are very few and have high-level authorizations documented in their position description. Individuals dealing with this level of data are highly trained in FERPA and data access procedures. Archiving is extremely short.
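The three levels read as a data-handling scheme: the same event can be kept in a restricted full-identifier form (Level III), in a pseudonymized form where linking back to a person takes a separate, controlled step (Level II), and as aggregates with no per-user fields at all (Level I). The following is an added example of how a log pipeline could produce all three from one event; it is not code from the LAMP report or from the university in question. The field names, the sample events, the retention day counts and the use of a keyed HMAC for pseudonyms are my own assumptions for illustration.

```python
"""Illustrative log handling modelled on the LAMP report's three data levels.

Added example, not from the LAMP report. Field names, sample events and
retention periods are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample events: what a campus gateway log line might carry.
SAMPLE_EVENTS = [
    {"ts": "2007-03-01T10:00:00", "src_ip": "10.20.30.40", "user": "jdoe", "bytes": 5000, "service": "http"},
    {"ts": "2007-03-01T10:05:00", "src_ip": "10.20.30.40", "user": "jdoe", "bytes": 7000, "service": "p2p"},
    {"ts": "2007-03-01T10:07:00", "src_ip": "10.20.31.9", "user": "asmith", "bytes": 300, "service": "http"},
]

# Assumed retention periods in days. The report only says Level II archiving is
# "short" and Level III "extremely short", so these numbers are placeholders.
RETENTION_DAYS = {1: 365, 2: 30, 3: 7}

# Fields that, on their own, identify a person or a host.
IDENTIFIER_FIELDS = {"src_ip", "user", "email", "account"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC: the same input always maps to the same token, but nobody
    can reverse or recompute it without the key, which is held apart from
    the Level II logs. Re-identification therefore becomes a distinct,
    auditable step rather than a lookup anyone with log access can do."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def level3_record(event: dict) -> dict:
    """Level III: full identifiers kept for security work, very short retention."""
    return {**event, "retention_days": RETENTION_DAYS[3]}


def level2_record(event: dict, key: bytes) -> dict:
    """Level II: identifiers replaced by tokens; analysis of a token's activity
    is still possible, linking it to a person requires the separate key."""
    return {
        "ts": event["ts"],
        "src_token": pseudonymize(event["src_ip"], key),
        "user_token": pseudonymize(event["user"], key),
        "bytes": event["bytes"],
        "service": event["service"],
        "retention_days": RETENTION_DAYS[2],
    }


def level1_summary(events: list) -> dict:
    """Level I: bytes per /24 subnet and service only; no per-user or per-host fields."""
    counts = Counter()
    for e in events:
        net = ipaddress.ip_network(f"{e['src_ip']}/24", strict=False)
        counts[(str(net), e["service"])] += e["bytes"]
    return {"bytes_by_subnet_service": dict(counts), "retention_days": RETENTION_DAYS[1]}


def contains_identifiers(record: dict) -> bool:
    """Gate check before a record leaves the restricted (Level III) store."""
    return any(k in IDENTIFIER_FIELDS for k in record)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: kept outside the log system
    for ev in SAMPLE_EVENTS:
        print("L3:", level3_record(ev))
        print("L2:", level2_record(ev, key))
    print("L1:", level1_summary(SAMPLE_EVENTS))
```

The point of the keyed token rather than a plain hash is that IP addresses and user IDs come from small spaces, so an unkeyed hash can be reversed by simply hashing every candidate; with the key stored elsewhere, the Level II logs stay useful for trend analysis while the "multiple steps" the report asks for are enforced by where the key lives and who may use it.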
The LAMP report makes recommendations based on the diverse work force that handles student records. It is a report, not law. I remember when I went to school, which was after 1974, and our student IDs had our social security numbers on them. Later, when I was in graduate school, they allowed us to apply for another identification number, but by default the student ID still had a person’s social security number. I am glad the university is taking this issue more seriously.
The Electronic Privacy Information Center is considered a somewhat radical group. Their letter concerning peer-to-peer (P2P) is interesting in that it referenced the NSF LAMP study. While their statement, “Monitoring the content of communications is fundamentally incompatible with the mission of educational institutions to foster critical thinking and exploration,” might reflect a view held by many in the education field, it does not address the legal issues. BTW, the top five schools to receive RIAA complaints concerning P2P are Ohio, Purdue, the University of Nebraska-Lincoln, the University of Tennessee, and the University of South Carolina. It looks like some universities are not listening to EPIC. At Michigan State, first-time offenders get a warning. Second-time offenders have to watch an eight-minute anti-piracy DVD produced by the RIAA. Third-time offenders face suspension. The entertainment industry typically can identify a student only by his or her numerical Internet address and must rely on the school to correlate that information with its own records to trace a person’s real-world identity. Federal law requires universities to take action to stop repeat offenders, or else the universities can be sued. Other universities are more receptive to the views of EPIC and are not concerned about legal action. Purdue, which has received 1,068 complaints so far this year, said it rarely even notifies students accused by the RIAA because it’s too much trouble to track down alleged offenders.
I have heard that excuse before from a university. A lifetime ago, I worked for a university. The university started up a community network for the surrounding counties. The issue of attempting to block pornographic sites came up. At that time, we were told not to try to block anything. Now, we were swamped with work, but concern about us overworking was not the motivation behind the do-nothing policy. The legal opinion of the university lawyers was that it is better to claim you cannot do something than to make an attempt, fail to block a few, and then be held liable for the few that you do not block. I am thankful my mail provider does not have that philosophy, or I could never find any mail amongst all the spam.
The idea of not doing anything does not provide legal cover when it can be demonstrated that industry best practices differ from your company’s actions. For example, Morgan Stanley ended up paying a $15 million fine as a result of the firm not appropriately or adequately retaining emails. Rebecca Herold wrote an interesting blog on “The Security and Privacy Risks of Blogs, IMs, and Email.” She quotes from the American Management Association (AMA) and The ePolicy Institute, “Last year, the inability to produce subpoenaed e-mail resulted in million dollar—even billion dollar—lawsuits against U.S. companies. In fact, 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail.”
I agree with Rebecca in her posting, “New Data Retention Requirements in the EU,” where she states, “I see this as a sleeping giant that will emerge sometime soon to surprise and bonk on the head a great many compliance, info sec and privacy officers.” The Federal Rules of Civil Procedure were just updated in December 2006. David Stern over on the Security Catalyst forum sums up the changes as:
- Files, instant messages, and email must be properly stored to allow efficient retrieval
- Corporate counsel must understand how records are retained and retrieved so that they can provide a description of all retained data
- Electronically stored information must be available to facilitate rapid searches. The lawyers no longer have to wait for discovery paperwork
David goes on to state, “Legal experts have warned that setting an unusually short retention period and then claiming that the records have been deleted will be seen as malfeasance.” While it is true that there is not yet a single authoritative source for retention periods, David points out that “The PCAOB’s Audit Standard 3 and the SEC both require 7 years, so setting your time to that range should not be out of the question. While these rules only apply to litigation cases in Federal Court, these rules have historically worked their way down to the lower courts.”
Mr. William Cook, leading data security attorney for the firm Wildman Harrold, told me on the issue of monitoring, “You have the right, and some would argue, obligation to monitor the data and traffic on your own systems.” Mr. Cook did a presentation for the NSF Cybersecurity Summit 2007 where he presented on “Legal Perspectives on Data Security.”
There are three U.S. federal statutes that govern the interception, accessing, use, disclosure and privacy protections of electronic and wire communications. The U.S. Electronic Communications Privacy Act (ECPA, 18 U.S.C. §§ 2701-2712) of 1986 covers stored communications. Real-time interception, as on wireless networks, is covered by the Pen/Trap Statute, 18 U.S.C. §§ 3121-3127, centered on addressing information (like 802.11 protocol headers), and by the Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522, centered on the contents of communication.
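The distinction above between addressing information (headers) and contents (payload) is the same one the university in the opening story relied on when it inspected headers but not payload. As an added example, not code from the post or from any tool it mentions, here is a small decoder that reads only the IPv4 and TCP headers of a packet and records the addressing information and byte counts, never touching the payload. The packet-building helper and the packet bytes it produces are constructed test input, not captured traffic.

```python
"""Header-only flow extraction: keep addressing information (IPv4/TCP
headers), discard the contents. Added example; packets are constructed."""
import struct
from typing import Optional

IPPROTO_TCP = 6


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet (checksums left zero) used as sample input."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    )
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def header_record(pkt: bytes) -> Optional[dict]:
    """Return addressing fields and sizes only. The payload is never sliced,
    copied or inspected; its length is derived from the header fields."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None  # not IPv4 or truncated: nothing we can safely describe
    ihl = (pkt[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", pkt, 2)
    proto = pkt[9]
    rec = {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "proto": proto,
        "ip_bytes": total_len,
    }
    if proto == IPPROTO_TCP and len(pkt) >= ihl + 20:
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        doff = (pkt[ihl + 12] >> 4) * 4  # TCP header length
        rec.update(sport=sport, dport=dport, payload_bytes=total_len - ihl - doff)
    return rec


if __name__ == "__main__":
    sample = build_packet("10.0.0.5", "192.0.2.10", 51234, 80, b"GET / HTTP/1.0\r\n\r\n")
    print(header_record(sample))
```

Keeping the payload out of the record is a design choice, not an afterthought: the decoder computes the payload length from the length fields instead of slicing the bytes, so a reviewer can confirm from the code alone that contents were never read, which is exactly the kind of demonstrable limit a header-only policy needs.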
The Department of Justice (DOJ) has written on the challenges of unlawful conduct involving the use of the Internet. In order to provide the legal background, answers.com has an informative post on the “Electronic Communications Privacy Act.”
The Electronic Communications Privacy Act of 1986 (ECPA Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848, 18 U.S.C. § 2510) was enacted by the U.S. Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer. Specifically, ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wire Tap Statute), which was primarily designed to prevent unauthorized government access to private electronic communications. Later, ECPA was amended, and weakened to some extent, by some provisions of the USA PATRIOT Act. In addition, Section 2709 of the Act, which allowed the FBI to issue National Security Letters to ISPs ordering them to disclose records about their customers, was ruled unconstitutional under the First (and possibly Fourth) Amendments in ACLU v. Ashcroft (2004). It is thought that this could be applied to other uses of NSLs.
Title I of ECPA protects electronic communications while in transit. Title II of the ECPA, the Stored Communications Act (SCA), protects messages stored on computers, but its protections are weaker than the ECPA’s. Title III prohibits the use of pen register and/or trap and trace devices to record dialing, routing, addressing, and signalling information used in the process of transmitting wire or electronic communications. Several court cases have raised the question of whether e-mail messages are protected under ECPA while they were in temporary storage en route to their final destination. In United States v. Councilman, a U.S. district court and a three-judge appeals panel ruled they were not, but in 2005, the full United States Court of Appeals for the First Circuit ruled that they were. Privacy advocates were relieved, though the ruling might still be appealed to the U.S. Supreme Court. They had argued in amicus curiae briefs that if the ECPA did not protect e-mail in temporary storage, its added protections were meaningless, as virtually all electronic mail is stored temporarily in transit at least once, and that Congress would have known this in 1986 when the law was passed (see e.g. RFC 822).
Title III of the Omnibus Crime Control and Safe Streets Act as amended (18 U.S.C. §2520(a); 18 U.S.C. §2511(1)(a)-(d)) “gives individuals a private right of action for any improper taping of their conversations to which they did not consent.” However, there is an exception for business telephone calls when the monitoring of the calls and taping over an extension phone is done in the ordinary course of business. The most commonly used exception to Title III’s requirements permits “a person acting under color of law” to intercept an “electronic communication” where “such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(c).
State law may add additional protection by imposing one-party or two-party consent requirements. For example, in New York (as of 2005) consent of only one party to a conversation is necessary to lawfully record an in-person or telephonic communication. California and Florida are two-party consent states. Stroock & Stroock & Lavan discuss this issue in their posting titled, “The Consent-to-Record Provision.”
Robert Strang, who was acting as Assistant United States Attorney for the Southern District of New York where he was the Computer Telecommunications Coordinator, did a nice writeup titled, “Recognizing and Meeting Title III Concerns in Computer Investigations.” To quote Strang:
In 1986, Congress passed the Electronic Communications Privacy Act (“ECPA”), which, among other things, extended the prohibitions contained in Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the “Wiretap Act”), 18 U.S.C. §§ 2510-2521, to electronic communications that are intercepted contemporaneously with their transmission—that is, electronic communications that are in transit between machines and which contain no aural (human voice) component. Thus, communications involving computers, faxes, and pagers (other than “tone-only” pagers) all enjoy the broad protections provided by Title III unless one or more of the statutory exceptions to Title III applies. In the computer context, both the government and third parties are prohibited from installing “sniffer” computer software, such as the FBI’s Carnivore program, to record keystrokes and computer traffic of a specific target unless one of the exceptions is present.
Title III permits “a person not acting under color of law” to intercept an “electronic communication” where “such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). That is where banners end up being important. This exception can be satisfied by the implied consent of the subject hacker himself, obtained through computer “banners.”
One of the key provisions of Title III is that it also gives providers of a communication service, including an electronic communication service, the right to intercept communications as a “necessary incident to the rendition of his service” or to protect “the rights or property of the provider of that service.” 18 U.S.C. § 2511(2)(a)(i). This exception permits a private party to monitor activities on its system to prevent misuse of the system through damage, fraud, or theft of services. Since computer hacking often involves damage to or disabling of a network’s computer security system, as well as theft of the network’s service, this exception permits a system administrator to monitor the activities of a hacker while on the network.
Strang points out that there are limitations. The monitoring must be reasonably connected to the protection of the provider’s service. It cannot be used as a pretext to engage in unrelated monitoring. John S. Caragozian and Donald E. Warner Jr. demonstrate this point very well by quoting various cases in their posting, “Privacy Rights of Employees Using Computers in California.” A key point is that the right to monitor is justified by the right to protect one’s own system from harm. An ISP, for example, may not be able to monitor the activities of one of its customers under this exception for allegedly engaging in hacking activities on other networks. Another limitation of this exception is that it does not permit a private provider of the communication service to authorize the government to conduct the monitoring; the monitoring must be done by the provider itself.
Law is complicated, and I certainly am not a lawyer. This posting was an attempt to make some sense of a few laws while providing additional links to information. For additional information, the US Department of Justice maintains a web site on computer crime and intellectual property. The DOJ site provides news and documents relating to cyber crime. There is also the podcast CyberSpeak. The hosts, Bret Padres and Ovie Carroll, are both former U.S. Air Force Office of Special Investigations (AFOSI) agents. They provide a very entertaining weekly podcast on computer security, computer crime, and computer forensics topics.