Educause Security Discussion mailing list archives

Re: Sniffer notification


From: Brian Eckman <eckman () UMN EDU>
Date: Wed, 24 Mar 2004 09:10:32 -0600

I went to a presentation given by Richard Salgado regarding network
monitoring. Mr. Salgado is a prosecutor in the Computer Crime and
Intellectual Property Section of the U.S. Department of Justice, and
therefore, I consider him an expert on this topic. He mentioned two key
exceptions to the federal wiretap laws. One is the consent exception,
which many Universities have mentioned here. If users are presented with
a "we may monitor you" type banner and consent to it (preferably
actively, like clicking on something or signing something to prove
acknowledgment), then you can monitor them.

The relevant Wiretap law is (18 U.S.C. 2511). The exact wording of the
"consent exception" is:

"It shall not be unlawful under this chapter for a person not acting
under color of law to intercept a wire, oral, or electronic
communication where such person is a party to the communication or where
one of the parties to the communication has given prior consent to such
interception unless such communication is intercepted for the purpose of
committing any criminal or tortious act in violation of the Constitution
or laws of the United States or of any State."

The second, and also very relevant exception, is the provider exception.
The exact wording of this exception is:

"It shall not be unlawful under this chapter for an operator of a
switchboard, or an officer, employee, or agent of a provider of wire or
electronic communication service, whose facilities are used in the
transmission of a wire or electronic communication, to intercept,
disclose, or use that communication in the normal course of his
employment while engaged in any activity which is a necessary incident
to the rendition of his service or to the protection of the rights or
property of the provider of that service, except that a provider of wire
communication service to the public shall not utilize service observing
or random monitoring except for mechanical or service quality control
checks."

So, when you check with your general counsel, they basically only need
to determine if you are a provider of "wire or electronic communication
service". I would hope they would all agree that you are. Notice that
you have the right to intercept and disclose the communication in order
to protect *your* property, that is, the network resource that you
provide. A paraphrase of what Mr. Salgado said at one point in his
presentation would be "please monitor your networks for intrusions".
(Not just, "you can", but "you should".)

I would believe that if nothing else, if people are complaining about
service levels, then you can monitor the traffic for "service quality
control checks". Also, many experts agree that sniffing as part of
intrusion detection is perfectly legal. As the exception mentions,
"random" monitoring is not allowed. You need to define the scope of your
investigation.

Cal State San Bernardino has a nice little page about this topic at
http://www.infosec.csusb.edu/policies/wiretap.html

Relevant federal wiretapping law:
http://www.cybercrime.gov/usc2511.htm

Note that I am not a lawyer, nor do I play one on TV. I just have some
information that I believe to be correct that I wished to share. I hope
I shed some light on the situation. As always, consult your general
counsel regarding legal issues.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
