Educause Security Discussion mailing list archives

Re: Logon Message


From: "Schmidt, Eric W" <erschmid () IUPUI EDU>
Date: Thu, 7 Aug 2003 09:42:48 -0500

First off, I am not a lawyer and I am not offering any legal advice
here.

That said, generally speaking, logon messages are used to provide
someone accessing a computer system an understanding of their rights on
the system and their expectations of privacy. 

I decided to go to THE source for information on logon banners.  These
are some excerpts from the US Department of Justice document "Searching
and Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations", Section D. Special Case: Workplace Searches.

For those of us in private higher education institutions:

        (1)(b)  "Private-sector employers and supervisors generally
enjoy a broad authority to consent to searches in the workplace. .....
In a close case, an employment policy or computer network banner that
establishes the employer's right to consent to a workplace search can
help establish the employer's common authority to consent under Matlock.
See Appendix A."

For those of us in state higher education institutions:

        (2)(a)  "Written employment policies and 'banners' are
particularly important in cases that consider whether government
employees enjoy a reasonable expectation of privacy in government
computers. Banners are written notices that greet users before they log
on to a computer or computer network, and can inform users of the
privacy rights that they do or do not retain in their use of the
computer or network. See generally Appendix A. In general, government
employees who are notified that their employer has retained rights to
access or inspect information stored on the employer's computers can
have no reasonable expectation of privacy in the information stored
there."

        And finally Appendix A states, "Network banners are electronic
messages that provide notice of legal rights to users of computer
networks.  From a legal standpoint, banners have four primary functions.
First, banners may be used to generate consent to real-time monitoring
under Title III.  Second, banners may be used to generate consent to the
retrieval of stored files and records pursuant to ECPA.  Third, in the
case of government networks, banners may eliminate any Fourth Amendment
'reasonable expectation of privacy' that government employees or other
users might otherwise retain in their use of the government's network
under O'Connor v. Ortega, 480 U.S. 709 (1987).  Fourth, in the case of a
non-government network, banners may establish a system administrator's
'common authority' to consent to a law enforcement search pursuant to
United States v. Matlock, 415 U.S. 164 (1974)."

Here's a link to the full document.

http://www.usdoj.gov/criminal/cybercrime/s&sappendix2002.htm#_A_


My real-life experiences here revolve around serving as a federal
government agent for eight years as a computer crime investigator and
requiring banners to be installed on government systems that were part
of an investigation.  

We did have instances where a judge or two expected ALL computer ports
to be bannered before they would consider that an unauthorized person
attempting to enter that system had been afforded the opportunity to
understand they were consenting to being monitored.  (That's ALL 65,000
plus ports and totally unreasonable in my opinion.)  I think that common
sense has given way now and that is not the expectation anymore, but I am
going to contact the Computer Crime and Intellectual Property section of
DOJ just to make sure.  

I'll report back to this forum what I find out.



Eric W. Schmidt, CISSP, CISM, DABFE
Information Security Officer
Indiana University School of Medicine
office:  317-278-8751
email:  erschmid () iupui edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
