Security Incidents mailing list archives

Re: Security Event / Customer Reporting


From: JohnNicholson () aol com
Date: Mon, 16 Jul 2001 13:51:56 EDT

Ethan is correct to point out the exception to the ECPA.

Sections 2511 and 2520 of Title 18 of the U.S. Code create criminal and civil liability for improper interception of 
wire, oral and electronic communications.  Although there are exceptions under both the U.S. Code and under state laws 
for system providers, relying on these exceptions is unnecessary if your company puts in place an appropriate 
Monitoring Policy.  By explicitly requiring user consent to monitoring, your company can make access to your network 
and systems conditional on users accepting such monitoring.  All users of your network and systems (whether employees, 
third party contractors or customers) should be required to consent to monitoring.  

Your Monitoring Policy should specify that your company has the right to monitor all network traffic and all data 
stored on equipment used for company purposes that is provided to an employee or contractor by the company or by any 
third party contractor.  Both your authorized use policy ("AUP")(governing internal and contractor use) and your terms 
of service ("TOS")(governing third party use) should reference this policy and explain it.  In addition to informing 
users via the AUP and the TOS, logon banners should reference the Monitoring Policy and state that access to the 
network or system is subject to monitoring at any time and for any reason, and that by accessing and using the network 
or system, the user is explicitly agreeing to such monitoring.  Also, any contracts with third parties for the 
transmission of data belonging to that third party or any user or customer of that third party should require that 
third party to consent to such monitoring on behalf of its users and customers and to indemnify your company for 
any damages resulting from such consent.

Monitoring traffic and behavior on your systems can allow you to detect misconduct in real time, and can create logs 
that will be useful in an investigation and/or prosecution.  Monitoring can also decrease behavior such as employee web 
surfing or other violations of the AUP.

In the future, the increased use of personal technology (e.g., cell phones, PDAs, etc.) to access corporate systems 
will require increased and more specific consents.  If, for example, you open up your document management system so 
that it is web accessible, an employee with a PDA and a wireless modem can download confidential information.  Access 
to that system could require explicit consent from the user to monitoring of the activity and an agreement to provide 
access to the PDA on demand.  (Note, such access will be easier if your company owns the PDA and provides it to the 
employee.)

John
================
Important They-Can-Subject-Me-To-Disciplinary-Proceedings-(Or Worse)-If-I-Don't-Include-This Disclaimer: This message 
provides general information and represents my views.  It does not constitute legal advice and should not be used 
or taken as legal advice relating to any specific situation.
--- Begin Message ---
From: "ethan preston" <prestone () bulldog georgetown edu>
Date: Sat, 14 Jul 2001 00:15:26 -0400
To quibble:
 
> Current US law seems to view examining transit traffic like radio
> interception - a no-no, for the most part.  ...
>
> In that case, the law (as a prominent English judge once remarked)
> would be an ass.

Of this, there can be little doubt.

> Using (only) radio analogies in determining legalities for "domain-
> style" networks means that the resulting laws 
> and directives will be fundamentally broken.  Remember, an inherent 
> difference between "broadcast spectrum" and "routable protocol" 
> networks is that the latter can only work by *requiring* 
> intermediary "inspection" of (part of) the information flow across 
> what may be loosely conceived of as "ownership boundaries" (and, 
> worse, "media translation" (and some other services required to make 
> our modern networks work) requires "manipulating" more of the data 
> stream than simply the headers or delivery envelopes).


The original author is probably referring to the Electronic 
Communications Privacy Act (the federal wiretap laws), 18 USC 2510  et 
seq., an article of legislation of truly horrifying lack of clarity, 
complexity and vagueness. 

ECPA provides criminal and civil penalties for the illicit interception 
of wire or radio communications (they receive essentially the same 
treatment under ECPA.) 18 USC 2511 (1) (a), 
http://www4.law.cornell.edu/uscode/18/2511.html. The tricky part, so 
far as the ability of peer ISPs to monitor traffic is concerned is the 
(2) (a) exception of the same act:

"It shall not be unlawful under this chapter for an operator of a 
switchboard, or an officer, employee, or agent of a provider of wire or 
electronic communication service, whose facilities are used in the 
transmission of a wire or electronic communication, to intercept, 
disclose, or use that communication in the normal course of his 
employment 
<<while engaged in any activity which is a necessary incident to the 
rendition of his service or to the protection of the rights or property 
of the provider of that service,>>
except that a provider of wire communication service to the public 
shall not utilize service observing or random monitoring except for 
mechanical or service quality control checks."

I don't think the caselaw we have gives anybody a good idea what 
exactly the "rights or property of the [Internet service] provider" 
are, let alone what kind of monitoring is necessary to protect the same. 



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com



--- End Message ---

