Educause Security Discussion mailing list archives
Re: Process / Forms for Students voluntarily surrendering computers
From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Fri, 22 Oct 2004 16:47:01 -0500
Jim, It seems that this is not so easy to accomplish. People with experience on these cases and lawyers will give you more details, but this is what I've learned for such scenarios: a) There should be a search warrant to force a search if the equipment belongs to the student. Even if you want to investigate only the particular incident, you might inadvertently look at the student's private information (suppose he/she has some email from a friend confessing him/her of being infected with aids). The student can easily sue you for this (and I believe he/she will have very high probabilities of winning, even if he/she initially agreed to the search voluntarily). b) Even if the computer system belongs to the University, there has to be some kind of signed contract where the student acknowledged that any information he/she puts in there might be subject of investigation and that the students understands and gives permission to do this investigation anytime (due to the information contained in the equipment, not because of who owns the equipment). The easiest and least-risky approach would be: a) You limit your investigation to network evidence acquisition (just to make sure spoofing or a public computer is not involved). b1) With evidence that supports the request of the external organization, you warn the user. You could for example expel him/her from campus network after repeated warnings and you also warn the student of potential legal problems, but you just don't have the authority (most of the time) to take such an investigation in your hands. b2) If the external organization provides sufficient evidence (provided you already verified a), you could directly apply sanctions to the student as stated in your information security policy (on "allowed use of resources" for example). In a few words, my suggestion is: avoid unnecessary investigation, which carries a lot of legal risk and might require a considerable amount of resources to do it properly (depending on your infrastructure number of cases and number of students). Simply apply your local policy if sufficient evidence has been provided to you (and verified by you within reasonable limits) by the affected organization. In any case, you must check with your lawyers (the problem has more legal implications than technical implications actually). I hope this helps. Regards, Omar Herrera
-----Mensaje original----- De: James H Moore [mailto:jhmfa () RIT EDU] ... Sorry for the cross-post but this deals in both areas. Common situation (at FIT - Ficticious Institute of Technology), Sally Student scans the Whitehouse, or NSA, ... We get a polite request to investigate. We go to Sally, and ask why she has been trying to fingerprint
government
systems. She denies all knowledge, and we ask if we can look at her system. She loans us her notebook. What is good wording for voluntary release? What is a good investigative process? So that, 1) We avoid liability (e.g. we don't mess up her drive while investigating, and accidentally delete the folder with her thesis and research in it.) 2) We prepare for student judicial, in case, she thinks that she has erased all the evidence, but hasn't. 3) What do we disclose to Sally (or the university), and when about
our
investigative process. What questions did I miss?
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Process / Forms for Students voluntarily surrendering computers Herrera Reyna Omar (Oct 22)
- <Possible follow-ups>
- Re: Process / Forms for Students voluntarily surrendering computers Eric Pancer (Oct 22)
- Re: Process / Forms for Students voluntarily surrendering computers Joel Rosenblatt (Oct 22)