Re: [fw-wiz] Blocking Google Talk

On Tue, 27 Jun 2006, James wrote:

> Does anybody know of legal implications associated with this kind of
> filtering? A lot of organisations now allow users to bank online via
> the org's internet infrastructure as it is beneficial to both parties.

They depend heavily on jurisdiction, policy, notification and regulation.
(I'm not a lawyer, I don't play one on the 'Net...)

> If you are doing analysis on a MITM SSL stream you will potentially
> collect every user's banking credentials. Would you have to redirect
> SSL connections to a web page that advises them of this? I could see

So long as your policy spells this out and users (including visitors,
contractors, etc.) have all seen the policy, you're generally covered.

If you have traders, my understanding is that you're mandated to monitor
all wire traffic by the SEC.

> that the banks would also like to be advised if you are planning to do
> this and they more than likely will block access from organisations
> partaking in this strategy. Banks are just the primary example.

As far as I know, nobody's applied a two-party consent state's laws to
Internet monitoring. It's likely though that such an effort would fail,
given the long-term implications such a decision would cause. In any
case, the company owns the equipment and network, so I'm not sure the bank
would have a case in attempting to tell the company what it could and
couldn't do with its own equipment and networks. End-user or
consultant-owned equipment should be handled by policy and/or contract
(preferably contract for enforceability IMO.) My current pet legal theory
is that making the policy a requirement for network access gives it enough
consideration to fall under contract law; hopefully we'll never have to
find out...

My clients generally end up with a policy review fairly early on, and I
usually end up re-writing a lot of it, then they have their counsel review
it and if they're following my recommendations, all employees sign and
return a copy of the policy. We make efforts to ensure that the policy is
applied correctly and that exceptions are handled as needed to be sure the
organization has the right sorts of protections in place. My views are
US-centric, since I've only dealt with US-based clients for policy writing
and US and Canadian clients for policy issues.

I've just spent a fair amount of time going over personal use issues with
one of my clients, rewriting their policies to account for it (where
management was at least a little worried that allowing it in policy could
hurt them, the opposite of reality IMO.) We didn't get any push-back from
the lawyers, and so far everyone's been accepting of the new policy, as it
was explained rationally and reasonably as they were provided with copies
to sign.

Paul D. Robertson
paul@xxxxxxxxxxxx
Infosec discussion boards
"My statements in this message are personal opinions which may have no basis whatsoever in fact."

firewall-wizards mailing list