RE: A question about logon banners (long)

From: neitherj@WellsFargo.COM
Date: 03/18/02


From: neitherj@WellsFargo.COM
To: chamilto@uci.edu, stauffacher@chapman.edu
Date: Mon, 18 Mar 2002 11:55:09 -0800

Just a thought here from my days in physical security. As a private
individual, you are not governed by the fourth amendment rights of another,
as those restrictions only extend to government agents and their search and
seizure activities. The private individual keylogging another private
individual arena is just waiting for a huge press story to get it into court
and get it decided. From what I can find, you can be sued civilly for doing
it, as you can for doing just about anything anymore, but there are no legal
restrictions in place against you, as far as I am aware, unless you break
another existing criminal statute or code. I could be wrong, so as always,
consult your available legal eagles prior to any actions.

Jeff Neithercutt CNA, GSEC
Wells Fargo Bank
Corporate Information Protection
155 5th Street MAC 0186-030
San Francisco, CA. 94103
(415)243-5549

-----Original Message-----
From: Charley Hamilton [mailto:chamilto@uci.edu]
Sent: Thursday, March 14, 2002 2:12 PM
To: John Stauffacher
Cc: Security Basics Mailing List
Subject: Re: A question about logon banners (long)

John -

Googling "logon banner legal requirement" got me:

        http://rr.sans.org/incident/evidence.php

which explicitly discusses many of the issues regarding
legality of monitoring, but does not *directly* mention
logon banners. However, it has pointers to several legal
cases or statutes which relate to monitoring in general.

That got me:

        http://www.cert.org/advisories/CA-1992-19.html

which includes the text:

"...
The legality of such monitoring is governed by 18 U.S.C. section 2510 et
seq. [This looks like the first place to start hunting.] That statute was last
amended in 1986, years before the words "virus" and "worm" became part of
our everyday vocabulary. Therefore, not surprisingly, the statute does not
directly address the propriety of keystroke monitoring by system administrators.

Attorneys for the Department [of Justice] have engaged in a review of the
statute and its legislative history. We believe that such keystroke
monitoring of intruders may be defensible under the statute. However, the statute
does not expressly authorize such monitoring. Moreover, no court has yet
had an opportunity to rule on this issue. If the courts were to decide
that such monitoring is improper, it would potentially give rise to both
criminal and civil liability for system administrators. Therefore, absent
clear guidance from the courts, we believe it is advisable for system
administrators who will be engaged in such monitoring to give notice to
those who would be subject to monitoring that, by using the system, they
are expressly consenting to such monitoring. Since it is important that
unauthorized intruders be given notice, some form of banner notice at the
time of signing on to the system is required. Simply providing written
notice in advance to only authorized users will not be sufficient to place outside
hackers on notice.
..."

The site has the following revision state:
        Original issue date: December 7, 1992
        Last revised: September 19, 1997

18 USC 2510 et seq was amended 01/02/01 according to
http://uscode.house.gov/usc.html

Similarly,

        http://www.ciac.org/ciac/bulletins/j-043.shtml

has text for such a banner used by the DoE. If such a law
existed, then assuredly DoE would explicitly state in the
banner its meeting the requirements of XX U.S.C. section YYY et seq.
It doesn't.

You might also try

http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

(also from google) which has a link to something called "Searching and
Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations", which I bet has the reference you want. It is
hosted at http://wwww.cybercrime.gov.
[I never knew this existed. Hey, I learned something new today.
I can go home!]

Looks to me like there is (or was) *not* an explicit legal
"logon banner" paragraph, but that the logon banner *seems* to
meet the requirements for notification of and consent to monitoring
in the absence of a written acknowledgement (such as when a cracker
takes a shot at your network). The entire purpose (at least,
as I understand it) of such logon banners is to provide explicit notice
to unauthorized users of the monitoring and explicitly state that
use of the system constitutes consent to this monitoring. Authorized
users must typically acknowledge and consent to this monitoring as
part of their user agreement. I believe this stems from the
requirements on wire tapping (etc) in 18 U.S.C. 2510 that requires
consent of all monitored parties, in the absence of a court order,
for such monitoring to be used as evidence. I am *not* sure how
this otherwise interacts with personal and commercial privacy law.
18 USC 25XX is pretty dense with requirements.

However, IANAL and all the rest of the disclaimers. My recommendation
is that you get your dept head to talk to one of the university's
lawyers and have *them* hunt down the right title and section, if you
feel the need to know. That's what lawyers are paid for. The
university would probably happily pay their lawyer to do that rather
than to fight a privacy law suit or lose a suit against some cracker
who trashed an online record system (like accounting).

Just my 0.02 and a little (the most dangerous kind!)
Google knowledge.

Charley

-- 
Charles Hamilton, MS EIT                Doctoral Candidate
Department of Civil and                 Phone: 949.824.8694
    Environmental Engineering           FAX:   949.824.2117 
University of California, Irvine        Email: chamilto@uci.edu
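The thread's practical point is that the notice has to reach a user before authentication, and that its wording must cover both monitoring and consent-by-use. The script below is an added example, not code from either poster or from the linked advisories: it stages a constructed banner file and an sshd_config fragment in a temporary directory (the `Banner` directive is real OpenSSH configuration; the paths and the banner text are made up for this example), then audits the banner for the elements the quoted DoJ text says must be present.

```shell
#!/bin/sh
# Added example (not part of the original thread): stage an SSH pre-login
# banner and audit its wording for the notice elements discussed above.
# Paths and banner text are constructed for this example.

set -u

# Write a constructed banner into DIR/issue.net and an sshd_config
# fragment whose Banner directive points at it. sshd sends the Banner
# file before the authentication prompt, so unauthenticated connections
# see it too, which is the whole point of a logon banner.
stage_banner() {
    dir="$1"
    cat > "$dir/issue.net" <<'EOF'
WARNING: This system is for authorized use only.
All activity on this system may be monitored and recorded.
By using this system, you consent to such monitoring.
Unauthorized use may be reported to law enforcement.
EOF
    # Minimal sshd_config fragment. "Banner" is a real OpenSSH directive;
    # the path is this example's temporary directory.
    printf 'Banner %s/issue.net\nPrintMotd no\n' "$dir" > "$dir/sshd_config"
}

# Print the path named by the Banner directive in an sshd_config.
# Returns 1 if no Banner directive is set (OpenSSH's default is none,
# so a host with no directive shows nothing before login).
sshd_banner_path() {
    awk 'tolower($1) == "banner" { print $2; found = 1 } END { exit !found }' "$1"
}

# Return 0 only if the banner text states that use is restricted to
# authorized users, that activity is monitored, and that use constitutes
# consent. A banner missing any of these gives weaker notice than the
# DoJ text quoted in the thread calls for.
check_banner() {
    grep -qi 'authorized' "$1" || return 1
    grep -qi 'monitor' "$1" || return 1
    grep -qi 'consent' "$1" || return 1
    return 0
}

# Demo run: stage the files, resolve the banner path from the config,
# and report whether the banner passes the wording audit.
demo_dir=$(mktemp -d)
stage_banner "$demo_dir"
if banner=$(sshd_banner_path "$demo_dir/sshd_config") && check_banner "$banner"; then
    echo "banner ok: $banner"
else
    echo "banner missing or incomplete" >&2
fi
rm -rf "$demo_dir"
```

On a real host the banner file would live somewhere like /etc/issue.net and the `Banner` line in /etc/ssh/sshd_config; run the audit against each host's actual config and banner file rather than the staged copies, and remember that the wording itself is the part to settle with counsel, as both posters recommend.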
