Educause Security Discussion mailing list archives

Re: consequences for student hacking - Legal implications


From: "Shamblin, Quinn (shamblqn)" <shamblqn () UCMAIL UC EDU>
Date: Wed, 20 Feb 2008 13:39:29 -0500

Disclaimer:  What follows is a summary of details provided by an attorney during a discussion on this topic, but please 
consult your own attorney before solidifying any conclusions or taking any actions.  With that said:



Persons that capture packets in real time as they flow through either physical media or a wireless network may be violating 
several federal statutes:

1. The Wiretap Act [18 U.S.C. 2510-22] - Protects the contents of the communication

2. The Pen/Trap Statute [18 U.S.C. 3121-27] - Protects information about the communication (from, to, start time, 
duration)

3. Electronic Communications Privacy Act (ECPA) [18 U.S.C. 2510-2521, 2701-2710] - Extends the Wiretap Act to 
include electronic communications



These laws apply even if you are the owner of the network in question, much less a person with no authority on the 
network.  Failure to comply with the requirements of these statutes may result in civil and criminal penalties at the 
felony level.



The Wiretap Act broadly prohibits the intentional interception, use, or disclosure of communication unless a statutory 
exception applies.  In general, this prohibits third parties from installing sniffers to read communication on the 
network.  There are a number of statutory exceptions to this act.  The main ones are:

• The provider exception 2511(2)(a)(i)

• The consent exception 2511(2)(a)(c-d)  {this is the exception that does allow the providers to sniff their 
own network as long as this has been clearly communicated to the users by policy and bannering the network}

• The computer trespasser exception 2511(2)(i)  {used to allow providers and law enforcement to monitor 
trespassers}

• Pursuant to a Title 3 court order 2518



There are other exceptions, but they are not designed to allow a person with no legitimate authority or right to tap 
into the communications of others without their express knowledge and consent.



The Electronic Communications Privacy Act (ECPA) [18 U.S.C. Sections 2510-2521, 2701-2710] (1986) amended the Federal 
Wiretap Act (originally written for telephone conversations) to account for the increasing amount of communications and 
data transferred and stored on computer systems. The ECPA protects against the unlawful interceptions of any wire 
communications--whether it's telephone or cell phone conversations, voicemail, email, and other data sent over the 
wires. The ECPA also includes protections for messages that are stored--email messages that are archived on servers, 
for instance. Now, under the law, unauthorized access to computer messages, whether in transit or in storage, is a 
federal crime.



A further useful reference is the Computer Fraud and Abuse Act and the National Information Infrastructure Protection 
Act (1996) (significantly amending the CFAA), which expanded the definition of a "protected computer" to effectively cover 
any computer connected to the internet, so the above statutes, originally written to cover federal computers only, 
apply.  Among other things, the CFAA prohibits:



1. Accessing a computer without authorization and subsequently transmitting classified government information. 
[Subsection 1030(a)(1)];

2. Theft of financial information [Subsection 1030(a)(2)];

3. Accessing a "protected computer," which the courts have recently interpreted as being any computer connected 
to the internet, even if the intruder obtains no data [Subsection 1030(a)(3)];



To sum up: a person running a sniffer without your knowledge and consent may be in violation of several Federal laws…  
Obviously, everything would come down to the interpretation of some of these details in your local jurisdiction.  I 
understand that some judges have interpreted this law as applying only to actions by the authorities, but others have 
applied it to the actions of private citizens as well, hence the qualification.  This also varies from state to state.



So in considering what your policy will say, it seems to me you have quite a lot of backing if you write your policy 
strictly.  I am not currently aware of case law on this point, but you may also wish to consider the implication that, 
if you write your policy loosely or do not write one, it may be argued that you are tacitly giving your consent or 
approval.



There is another applicable concept that I first ran across at the DoD when we were discussing need-to-know and 
security levels:  Just because you have the access, does not mean you have the authority or the right.  This idea can 
be used to word a policy in a softer, more diplomatic way than references to US Statutes…



Regards,


Quinn R. Shamblin



Information Security Officer, University of Cincinnati

CISSP, PMP ● quinn.shamblin () uc edu ● (513) 556-0803



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bill 
Brinkley
Sent: Wednesday, February 20, 2008 7:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] consequences for student hacking



A passive sniffer (Packet Capture) is simply capturing the data that comes to the port or is transmitted in the air, 
and should not be limited. Any device that can legitimately connect to the network should be able to capture any 
traffic destined for it. Actively scanning or manipulating the network to receive more traffic than would normally 
occur may be a criminal act, but the passive sniffing is not.

--
Bill Brinkley
Cell 678.877.5145
wbbrinkley () gmail com

On Feb 19, 2008 4:38 PM, Bob Henry <bhenry () boisestate edu> wrote:

Boise State has a policy restricting the use of network scanners, host
scanners, sniffers, etc. to those approved by the Network Engineer.  The
consequences for violating the policy are described with these words:

Depending on the seriousness of an offense, violation of this policy
can result in penalties ranging from reprimand, to loss of use, to
referral to University authorities for disciplinary action, to criminal
prosecution.

That's the theory.  I'm looking for a reality check.  What do your
institutions do when you catch a student sniffing the wired or wireless
network for userID's and passwords?

Thanks,
