Re: Process / Forms for Students voluntarily surrendering computers

[Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>]

Jim, 

It seems that this is not so easy to accomplish. People with experience
on these cases and lawyers will give you more details, but this is what
I've learned for such scenarios:

a) There should be a search warrant to force a search if the equipment
belongs to the student. Even if you want to investigate only the
particular incident, you might inadvertently look at the student's
private information (suppose he/she has some email from a friend
confessing him/her of being infected with aids). The student can easily
sue you for this (and I believe he/she will have very high probabilities
of winning, even if he/she initially agreed to the search voluntarily).

b) Even if the computer system belongs to the University, there has to
be some kind of signed contract where the student acknowledged that any
information he/she puts in there might be subject of investigation and
that the students understands and gives permission to do this
investigation anytime (due to the information contained in the
equipment, not because of who owns the equipment).

The easiest and least-risky approach would be:

a) You limit your investigation to network evidence acquisition (just to
make sure spoofing or a public computer is not involved).

b1) With evidence that supports the request of the external
organization, you warn the user. You could for example expel him/her
from campus network after repeated warnings and you also warn the
student of potential legal problems, but you just don't have the
authority (most of the time) to take such an investigation in your
hands.

b2) If the external organization provides sufficient evidence (provided
you already verified a), you could directly apply sanctions to the
student as stated in your information security policy (on "allowed use
of resources" for example).

In a few words, my suggestion is: avoid unnecessary investigation, which
carries a lot of legal risk  and might require a considerable amount of
resources to do it properly (depending on your infrastructure number of
cases and number of students). Simply apply your local policy if
sufficient evidence has been provided to you (and verified by you within
reasonable limits) by the affected organization.

In any case, you must check with your lawyers (the problem has more
legal implications than technical implications actually).

I hope this helps.

Regards,
Omar Herrera

> -----Mensaje original-----
> De: James H Moore [mailto:jhmfa () RIT EDU]
> ...
> Sorry for the cross-post but this deals in both areas.
>
> Common situation (at FIT - Ficticious Institute of Technology),  Sally
> Student scans the Whitehouse, or NSA, ...
>
> We get a polite request to investigate.
>
> We go to Sally, and ask why she has been trying to fingerprint
government
> systems.
>
> She denies all knowledge, and we ask if we can look at her system.
>
> She loans us her notebook.
>
> What is good wording for voluntary release?
>
> What is a good investigative process?  So that,
>   1) We avoid liability (e.g. we don't mess up her drive while
> investigating, and accidentally delete the folder with her thesis and
> research in it.)
>
>   2) We prepare for student judicial, in case, she thinks that she has
> erased all the evidence, but hasn't.
>
>   3) What do we disclose to Sally (or the university), and when about
our
> investigative process.
>
> What questions did I miss?

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.