Educause Security Discussion mailing list archives
Re: network activity logging
From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Wed, 18 Sep 2002 09:55:51 -0700
I will leave it to legal experts like Rodney to provide the detailed answers, but let me try to frame the issues.

- Generally, anything you have in your possession is subject to subpoena, court order, etc., independent of whether it was acquired intentionally due to policy. There are exceptions, and court orders can be challenged, but this basic fact is the basis for the frequently offered advice that you do minimal logging (including e-mail backups) and maintain the logs for as little time as possible.

- Prior to the USA/PATRIOT Act, there were nearly no circumstances under which you could be required to monitor or log your network's activity. The USA/PATRIOT Act introduced a process by which law enforcement can come to you and mandate that you carry out monitoring of designated individuals and activities. If you're unable to do so, for technological or financial reasons, law enforcement is authorized to install the monitoring equipment on your network themselves.

- Liability is complex. A provision of the Telecommunications Act of 1996 absolves ISPs from liability for third-party content. But this is an incomplete shield, since (1) it doesn't apply to intellectual property liability, and (2) it won't protect you from non-US lawsuits. It also only applies to content, not actions. In particular, if your network is used as a launching point for a DDOS or a harmful virus, you won't be able to hide behind the 1996 law. There are rumblings that victims of cyberattacks will start suing these launch-point networks on the grounds of negligence. If/When that happens, the result will impact how we evaluate liability exposure. In the context of the logging/monitoring question, the bottom line here, I think, is that your liability is unlikely to be impacted by what you do or don't monitor or log. You should perform the logging and monitoring that's appropriate to responsible network management and write policies describing what you're doing, the information you're collecting, and the circumstances under which it will be distributed and/or acted upon.

- With respect to privacy of log/monitoring data, start with the assumption that, as noted above, you're logging and monitoring only what's needed for responsible network administration. The primary constraints on what you may voluntarily do with this data come from (1) FERPA, and (2) ECPA (the Electronic Communications Privacy Act). Both of these laws have recently been modified by the USA/PATRIOT Act to ease the constraints on your voluntary action. I say "voluntary" to contrast with what you may be required to do with the data as noted above in the context of court orders and the USA/PATRIOT Act. Your privacy policies are therefore bounded: You can't provide less privacy than mandated by FERPA and ECPA, nor can you provide more than mandated by court orders and the USA/PATRIOT Act.

- In case it's not already obvious, campus IT organizations should establish all policies and procedures in this area in close collaboration with the institution's legal counsel.

Hope that helps!

Steve

-----

At 7:13 AM -0700 9/18/02, Kevin Shalla wrote:
Recently, we had a complaint about someone using one of our dial-up modems who was using threatening language in a chat room. We don't do sufficient logging to determine who it was. Is there any legal requirement to do sufficient logging, and is it advisable to do so? I remember advice (don't remember where) saying if you choose to create a policy of logging all activity that you are responsible for maintaining that, and providing access when subpoenaed, and if your policy is to not log activity you are absolved of that responsibility. What is the liability if someone on campus / accessing via a modem pool does something illegal - are we liable because we provide access, or are we liable because we don't provide information on who it was, or are we not liable? What do others do regarding this? How can we address privacy when the policy is to log activity?

Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- network activity logging Kevin Shalla (Sep 18)
- <Possible follow-ups>
- Re: network activity logging Steve Worona (Sep 18)