Educause Security Discussion mailing list archives

Re: network activity logging
From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Wed, 18 Sep 2002 09:55:51 -0700

I will leave it to legal experts like Rodney to provide the detailed
answers, but let me try to frame the issues.

- Generally, anything you have in your possession is subject to
subpoena, court order, etc, independent of whether it was acquired
intentionally due to policy.  There are exceptions, and court orders
can be challenged, but this basic fact is the basis for the frequently
offered advice that you do minimal logging (including e-mail backups)
and maintain the logs for as little time as possible.

- Prior to the USA/PATRIOT Act, there were nearly no circumstances
under which you could be required to monitor or log your network's
activity.  The USA/PATRIOT Act introduced a process by which law
enforcement can come to you and mandate that you carry out monitoring
of designated individuals and activities.  If you're unable to do
so, for technological or financial reasons, law enforcement is
authorized to install the monitoring equipment on your network
themselves.

- Liability is complex.  A provision of the Telecommunications Act
of 1996 absolves ISPs from liability for third-party content.  But
this is an incomplete shield, since (1) it doesn't apply to intellectual
property liability, and (2) it won't protect you from non-US lawsuits.
It also only applies to content, not actions.  In particular, if your
network is used as a launching point for a DDOS or a harmful virus,
you won't be able to hide behind the 1996 law.  There are rumblings
that victims of cyberattacks will start suing these launch-point
networks on the grounds of negligence.  If/When that happens, the
result will impact how we evaluate liability exposure.  In the context
of the logging/monitoring question, the bottom line here, I think,
is that your liability is unlikely to be impacted by what you do or
don't monitor or log.  You should perform the logging and monitoring
that's appropriate to responsible network management and write policies
describing what you're doing, the information you're collecting, and
the circumstances under which it will be distributed and/or acted upon.

- With respect to privacy of log/monitoring data, start with the
assumption that, as noted above, you're logging and monitoring only
what's needed for responsible network administration.  The primary
constraints on what you may voluntarily do with this data come from
(1) FERPA, and (2) ECPA (the Electronic Communications Privacy Act).
Both of these laws have recently been modified by the USA/PATRIOT Act
to ease the constraints on your voluntary action.  I say "voluntary"
to contrast with what you may be required to do with the data as
noted above in the context of court orders and the USA/PATRIOT Act.
Your privacy policies are therefore bounded: You can't provide less
privacy than mandated by FERPA and ECPA nor can you provide more
than mandated by court orders and the USA/PATRIOT Act.

- In case it's not already obvious, campus IT organizations should
establish all policies and procedures in this area in close
collaboration with the institution's legal counsel.

Hope that helps!

Steve
-----
At 7:13 AM -0700 9/18/02, Kevin Shalla wrote:
Recently, we had a complaint about someone using one of our dial-up modems
who was using threatening language in a chat room.  We don't do sufficient
logging to determine who it was.  Is there any legal requirement to do
sufficient logging, and is it advisable to do so?  I remember advice (don't
remember where) saying if you choose to create a policy of logging all
activity that you are responsible for maintaining that, and providing
access when subpoenaed, and if your policy is to not log activity you are
absolved of that responsibility.  What is the liability if someone on
campus / accessing via a modem pool does something illegal - are we liable
because we provide access, or are we liable because we don't provide
information on who it was, or are we not liable?  What do others do
regarding this?  How can we address privacy when the policy is to log activity?

Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
