Firewall Wizards mailing list archives

Re: Blocking Google Talk


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 27 Jun 2006 10:35:09 -0400 (EDT)

On Tue, 27 Jun 2006, James wrote:

> Does anybody know of legal implications associated with this kind of
> filtering?  A lot of organisations now allow users to bank online via
> the org's internet infrastructure as it is beneficial to both parties.

They depend heavily on jurisdiction, policy, notification and regulation.
(I'm not a lawyer, I don't play one on the 'Net...)

> If you are doing analysis on a mitm ssl stream you will potentially
> collect every user's banking credentials. Would you have to redirect
> ssl connections to a web page that advises them of this? I could see

So long as your policy spells this out and users (including visitors, 
contractors, etc.) have all seen the policy, you're generally covered.

If you have traders, my understanding is that you're mandated to monitor 
all wire traffic by the SEC.

> that the banks would also like to be advised if you are planning to do
> this and they more than likely will block access from organisations
> partaking in this strategy.  Banks are just the primary example.

As far as I know, nobody's applied a two-party consent state's laws to 
Internet monitoring.  It's likely though that such an effort would fail, 
given the long-term implications such a decision would cause.  In any 
case, the company owns the equipment and network, so I'm not sure the bank 
would have a case in attempting to tell the company what it could and 
couldn't do with its own equipment and networks.  End-user or 
consultant-owned equipment should be handled by policy and/or contract 
(preferably contract for enforceability IMO.)  My current pet legal theory 
is that making the policy a requirement for network access gives it enough 
consideration to fall under contract law; hopefully we'll never have to 
find out...

My clients generally end up with a policy review fairly early on, and I 
usually end up re-writing a lot of it, then they have their counsel review 
it and if they're following my recommendations, all employees sign and 
return a copy of the policy.  We make efforts to ensure that the policy is 
applied correctly and that exceptions are handled as needed to be sure the 
organization has the right sorts of protections in place.  My views are 
US-centric, since I've only dealt with US-based clients for policy writing 
and US and Canadian clients for policy issues.

I've just spent a fair amount of time going over personal use issues with 
one of my clients, rewriting their policies to account for it (where 
management was at least a little worried that allowing it in policy could 
hurt them- the opposite of reality IMO.)  We didn't get any push-back from 
the lawyers, and so far everyone's been accepting of the new policy, as it 
was explained rationally and reasonably as they were provided with copies 
to sign.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 
