Educause Security Discussion mailing list archives
Re: Sniffer notification
From: Brian Eckman <eckman () UMN EDU>
Date: Wed, 24 Mar 2004 09:10:32 -0600
I went to a presentation given by Richard Salgado regarding network monitoring. Mr. Salgado is a prosecutor in the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, and therefore, I consider him an expert on this topic. He mentioned two key exceptions to the federal wiretap laws.

One is the consent exception, which many Universities have mentioned here. If users are presented with a "we may monitor you" type banner and consent to it (preferably actively, like clicking on something or signing something to prove acknowledgment), then you can monitor them. The relevant Wiretap law is (18 U.S.C. 2511). The exact wording of the "consent exception" is:

"It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State."

The second, and also very relevant exception, is the provider exception. The exact wording of this exception is:

"It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks."

So, when you check with your general counsel, they basically only need to determine if you are a provider of "wire or electronic communication service". I would hope they would all agree that you are. Notice that you have the right to intercept and disclose the communication in order to protect *your* property, that is, the network resource that you provide. A paraphrase of what Mr. Salgado said at one point in his presentation would be "please monitor your networks for intrusions". (Not just, "you can", but "you should".)

I would believe that if nothing else, if people are complaining about service levels, then you can monitor the traffic for "service quality control checks". Also, many experts agree that sniffing as part of intrusion detection is perfectly legal.

As the exception mentions, "random" monitoring is not allowed. You need to define the scope of your investigation.

Cal State San Bernardino has a nice little page about this topic at http://www.infosec.csusb.edu/policies/wiretap.html

Relevant federal wiretapping law: http://www.cybercrime.gov/usc2511.htm

Note that I am not a lawyer, nor do I play one on TV. I just have some information that I believe to be correct that I wished to share. I hope I shed some light on the situation. As always, consult your general counsel regarding legal issues.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who understand binary and those who don't."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.