On Sat, Oct 27, 2001 at 01:59:41PM -0700, todd glassey wrote:
>
> Ridiculous Carl - The only Judge that would allow a court to equate
> Logging with Wiretapping is one that did not understand systems
> logging or timesharing.

It's not completely ridiculous; ECPA 1986 explicitly extends the Wiretap Act to apply to "live" monitoring of electronic communications with no audio component (since ones with an audio component were already covered by the Wiretap Act).

The catch, however, is that ECPA mostly restricts the government's ability to do "live" monitoring. There has yet to be any legislation or case law (of which I'm aware) that changes what ECPA has to say about voluntary disclosure of log information to the government, which is basically that log/transactional data is considered a subset of "non-content records"; such records are (somewhat) fully-disclosable to the government--in the worst-case reading of ECPA, the data would only be admissible if the government agent who received it had already obtained a section 2703(d) order to "force" the party to disclose its logs; the important thing, then, is to make sure that whoever you talk to in the government when pursuing something for which logs would be an important piece of evidence does take the appropriate measures to make that data admissible. (Wow. That was a long sentence. My apologies.)

The site that Carl cited advocates the use of banner messages to obtain implicit permission to monitor activities. While such banners can never hurt and should always be used, however, they are impossible to implement for non-interactive transactions (e.g. a port scan); I haven't seen any evidence, moreover, that the restrictions that such banners circumvent apply to transactional logs, which another part of that same DoJ site (<http://www.cybercrime.gov/searchmanual.htm#IIIe2>) explicitly gives the same interpretation that I describe above. That section, in fact, also points out that hackers, by virtue of not being subscribers or customers of the providers of the communications service being monitored, should not be able to use the ECPA protections. (The chart in section IIIf of that document is also a good summary of the various types of information ECPA covers and how information disclosure for them is handled.)

IANAL, YMMV, don't try this at home, etc. I'd be very interested in discussing this further off-list with anyone who knows of actual cases where ECPA has been applied to transactional records.

-- Sweth.

--
Sweth Chandramouli ; <svcat_private>
President, Idiopathic Systems Consulting