Re: Security Event / Customer Reporting

From: JohnNicholsonat_private
Date: Mon Jul 16 2001 - 10:51:56 PDT


    Ethan is correct to point out the exception to the ECPA.
    
    Sections 2511 and 2520 of Title 18 of the U.S. Code create criminal and civil liability for improper interception of wire, oral and electronic communications.  Although there are exceptions under both the U.S. Code and under state laws for system providers, relying on these exceptions is unnecessary if your company puts in place an appropriate Monitoring Policy.  By explicitly requiring user consent to monitoring, your company can make access to your network and systems conditional on users accepting such monitoring.  All users of your network and systems (whether employees, third party contractors or customers) should be required to consent to monitoring.  
    
    Your Monitoring Policy should specify that your company has the right to monitor all network traffic and all data stored on equipment used for company purposes that is provided to an employee or contractor by the company or by any third party contractor.  Both your authorized use policy ("AUP")(governing internal and contractor use) and your terms of service ("TOS")(governing third party use) should reference this policy and explain it.  In addition to informing users via the AUP and the TOS, logon banners should reference the Monitoring Policy and state that access to the network or system is subject to monitoring at any time and for any reason, and that by accessing and using the network or system, the user is explicitly agreeing to such monitoring.  Also, any contracts with third parties for the transmission of data belonging to that third party or any user or customer of that third party should require that third party to consent to such monitoring on behalf of its users and customers and to indemnify your company for any damages resulting from such consent.
    
    Monitoring traffic and behavior on your systems can allow you to detect misconduct in real time, and can create logs that will be useful in an investigation and/or prosecution.  Monitoring can also decrease behavior such as employee web surfing or other violations of the AUP.
    
    In the future, the increased use of personal technology (e.g., cell phones, PDAs, etc.) to access corporate systems will require increased and more specific consents.  If, for example, you open up your document management system so that it is web accessible, an employee with a PDA and a wireless modem can download confidential information.  Access to that system could require explicit consent from the user to monitoring of the activity and an agreement to provide access to the PDA on demand.  (Note, such access will be easier if your company owns the PDA and provides it to the employee.)
    
    John
    ================
    Important They-Can-Subject-Me-To-Disciplinary-Proceedings-(Or Worse)-If-I-Don't-Include-This Disclaimer: This message provides general information and represents my views.  It does not constitute legal advice and should not be used or taken as legal advice relating to any specific situation.
    
    
    

    attached mail follows:


    To quibble:

    >>Current US law seems to view examining transit traffic like radio
    >>interception - a no-no, for the most part.
    ...
    >
    >In that case, the law (as a prominent English judge once remarked)
    >would be an ass.

    Of this, there can be little doubt.

    >Using (only) radio analogies in determining
    >legalities for "domain- style" networks means that the resulting laws
    >and directives will be fundamentally broken. Remember, an inherent
    >difference between "broadcast spectrum" and "routable protocol"
    >networks is that the latter can only work by *requiring*
    >intermediary "inspection" of (part of) the information flow across
    >what may be loosely conceived of as "ownership boundaries" (and,
    >worse, "media translation" (and some other services required to make
    >our modern networks work) requires "manipulating" more of the data
    >stream than simply the headers or delivery envelopes).

    The original author is probably referring to the Electronic Communications Privacy Act (the federal wiretap laws), 18 USC 2510 et seq., an article of legislation of truly horrifying lack of clarity, complexity and vagueness.  ECPA provides criminal and civil penalties for the illicit interception of wire or radio communications (they receive essentially the same treatment under ECPA.)  18 USC 2511 (1) (a), http://www4.law.cornell.edu/uscode/18/2511.html.

    The tricky part, so far as the ability of peer ISPs to monitor traffic is concerned, is the (2) (a) exception of the same act: "It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment <<while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service,>> except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks."

    I don't think the caselaw we have gives anybody a good idea WHAT exactly the "rights or property of the [Internet service] provider" are, let alone what kind of monitoring is necessary to protect the same.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    ----------------------------------------------------------------------------



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 11:26:31 PDT