Re: Sniffer notification

[Richard Gadsden <gadsden () MUSC EDU>]

On Tue, 23 Mar 2004, Cal Frye wrote:

> We're about to diagnose some networking issues here with rather
> aggressive use of Sniffer on student ports. We've always considered this
> to be pretty intrusive, and not to be done without notifying the users
> involved that we would be listening in. But we don't have written
> policies concerning this action, beyond the general statement that we
> (1) respect users privacy but (2) reserve the right to sniff should the
> need strike us.
>
> Anyone have a quick link to policies and notification documents to be
> sent to the user that I might have a look at and/or steal outright? I
> worry that there's something I might overlook in the process.

If you're not sure that the existing "general statement" in your policy
authorizes the diagnostic activity that you have in mind, then your first
stop should be your university counsel's office. That should be part of
your standard procedure for anything potentially invasive that's outside
the scope of routine operations.

If your legal counsel advises that you are authorized to proceed based on
your existing policy, then you might, in terms of notification, simply let
the affected users know about the coming diagnostic activity, and
reference the policy that authorizes it.

For example, were I in your shoes, I'd probably be referring the affected
users to the "Privacy and Confidentiality" section of our school's
computer use policy:

 <http://www.musc.edu/ccit/cup/cup2001.html>

 --- o ---
 Richard Gadsden
 Director of Computer and Network Security
 Medical University of South Carolina

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.