The only exception to the below is that if you are acting "as an
agent of law enforcement" (i.e. the police put you up to it), there are
no current LEGAL ramifications for doing it.

However, you NEED to notify all individuals via that logon banner that
their activities may be monitored in a variety of ways with or without
their consent.

Just my opinion...

Jeremy
MCSE, MCT, MCIWA, CIWCI, CCNA, A+, Net+, I-Net+
-----------------------------------------------------------------------------------------------------
Technical Trainer
New Horizons of <Your Wildest Dreams> :)
-----------------------------------------------------------------------------------------------------



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 2:55 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: A question about logon banners (long)


Just a thought here from my days in physical security.  As a private
individual, you are not governed by the fourth amendment rights of
another, as those restrictions only extend to government agents and
their search and seizure activities.  The private individual keylogging
another private individual arena is just waiting for a huge press story
to get it into court and get it decided.  From what I can find, you can
be sued civilly for doing it, as you can for doing just about anything
anymore, but there are no legal restrictions in place against you, as
far as I am aware, unless you break another existing criminal statute or
code.  I could be wrong, so as always, consult your available legal
eagles prior to any actions.



Jeff Neithercutt  CNA, GSEC
Wells Fargo Bank
Corporate Information Protection
155 5th Street  MAC 0186-030
San Francisco, CA  94103
(415)243-5549


-----Original Message-----
From: Charley Hamilton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 2:12 PM
To: John Stauffacher
Cc: Security Basics Mailing List
Subject: Re: A question about logon banners (long)


John -

Googling "logon banner legal requirement" got me:

        http://rr.sans.org/incident/evidence.php

which explicitly discusses many of the issues regarding 
legality of monitoring, but does not *directly* mention
logon banners.  However, it has pointers to several legal
cases or statutes which relate to monitoring in general.

That got me:

        http://www.cert.org/advisories/CA-1992-19.html

which includes the text:

"...
The legality of such monitoring is governed by 18 U.S.C. section 2510 et
seq. [This looks like the first place to start hunting.] That statute was
last amended in 1986, years before the words "virus" and "worm" became
part of our everyday vocabulary. Therefore, not surprisingly, the statute
does not directly address the propriety of keystroke monitoring by system
administrators.

Attorneys for the Department [of Justice] have engaged in a review of the
statute and its legislative history. We believe that such keystroke
monitoring of intruders may be defensible under the statute. However, the
statute does not expressly authorize such monitoring. Moreover, no court
has yet had an opportunity to rule on this issue. If the courts were to
decide that such monitoring is improper, it would potentially give rise to
both criminal and civil liability for system administrators. Therefore,
absent clear guidance from the courts, we believe it is advisable for
system administrators who will be engaged in such monitoring to give
notice to those who would be subject to monitoring that, by using the
system, they are expressly consenting to such monitoring. Since it is
important that unauthorized intruders be given notice, some form of banner
notice at the time of signing on to the system is required. Simply
providing written notice in advance to only authorized users will not be
sufficient to place outside hackers on notice.
..."


The site has the following revision state:
        Original issue date: December 7, 1992
        Last revised: September 19, 1997

18 USC 2510 et seq was amended 01/02/01 according to 
http://uscode.house.gov/usc.html

Similarly, 

        http://www.ciac.org/ciac/bulletins/j-043.shtml

has text for such a banner used by the DoE.  If such a law existed, then
assuredly DoE would explicitly state in the banner that it meets the
requirements of XX U.S.C. section YYY et seq. It doesn't.

You might also try 

http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

(also from google) which has a link to something called "Searching and 
Seizing Computers and Obtaining Electronic Evidence in Criminal 
Investigations", which I bet has the reference you want.  It is hosted
at http://wwww.cybercrime.gov. [I never knew this existed.  Hey, I
learned something new today.  
I can go home!]

Looks to me like there is (or was) *not* an explicit legal 
"logon banner" paragraph, but that the logon banner *seems* to 
meet the requirements for notification of and consent to monitoring 
in the absence of a written acknowledgement (such as when a cracker
takes a shot at your network).  The entire purpose (at least, 
as I understand it) of such logon banners is to provide explicit notice
to unauthorized users of the monitoring and explicitly state that 
use of the system constitutes consent to this monitoring.  Authorized 
users must typically acknowledge and consent to this monitoring as 
part of their user agreement.  I believe this stems from the 
requirements on wire tapping (etc) in 18 U.S.C. 2510 that requires 
consent of all monitored parties, in the absence of a court order, 
for such monitoring to be used as evidence.  I am *not* sure how 
this otherwise interacts with personal and commercial privacy law. 18
USC 25XX is pretty dense with requirements.

However, IANAL and all the rest of the disclaimers.  My recommendation 
is that you get your dept head to talk to one of the university's 
lawyers and have *them* hunt down the right title and section, if you 
feel the need to know.  That's what lawyers are paid for.  The 
university would probably happily pay their lawyer to do that rather 
than to fight a privacy law suit or lose a suit against some cracker who
trashed an online record system (like accounting). 

Just my 0.02 and a little (the most dangerous kind!) 
Google knowledge.

Charley

-- 
Charles Hamilton, MS EIT                Doctoral Candidate
Department of Civil and                 Phone: 949.824.8694
    Environmental Engineering           FAX:   949.824.2117 
University of California, Irvine        Email: [EMAIL PROTECTED]
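As an added example for the notice-and-consent control the thread discusses (this is not code from any poster in the thread, and the banner wording is constructed sample text, not a reviewed legal notice): a POSIX shell script that installs a pre-authentication banner for OpenSSH through /etc/issue.net and the sshd_config Banner directive, then checks the banner for the elements the quoted CERT advisory calls out, namely notice that activity is monitored, that use constitutes consent, and that the notice reaches unauthorized users. The optional ROOT argument is an assumption added so the functions can be exercised against a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added example for the Security Basics thread above; not code from any poster.
# Installs a pre-authentication notice-and-consent banner for OpenSSH and checks
# that the banner text carries the elements the quoted CERT advisory describes:
# notice that use is monitored, and that use constitutes consent.
# BANNER_TEXT is constructed sample wording, not a legally reviewed notice.

BANNER_TEXT='NOTICE: This system is for authorized use only.
All activity on this system may be monitored and recorded.
By using this system you expressly consent to such monitoring.
Unauthorized use may be reported to the appropriate authorities.'

# install_banner [ROOT]
# Writes ROOT/etc/issue.net and sets "Banner /etc/issue.net" in ROOT/etc/ssh/sshd_config.
# ROOT (an assumption added for testability) defaults to "" for the live system, which
# needs root; pass a scratch directory to try it out. The Banner path is written without
# the ROOT prefix because /etc/issue.net is the path sshd reads on the real host.
install_banner() {
    root="${1:-}"
    cfg="$root/etc/ssh/sshd_config"
    mkdir -p "$root/etc/ssh"
    printf '%s\n' "$BANNER_TEXT" > "$root/etc/issue.net"
    [ -f "$cfg" ] || : > "$cfg"
    # Drop any existing Banner line (active, or the commented "#Banner none" default)
    # so the directive appears exactly once; grep -v exits 1 when nothing is left, hence || true.
    grep -Ev '^[[:space:]]*#?[[:space:]]*Banner([[:space:]]|$)' "$cfg" > "${cfg}.tmp" || true
    printf 'Banner /etc/issue.net\n' >> "${cfg}.tmp"
    mv "${cfg}.tmp" "$cfg"
}

# check_banner FILE
# Returns 0 when FILE says activity may be monitored, that use implies consent,
# and speaks to unauthorized users; otherwise names what is missing and returns 1.
check_banner() {
    file="$1"
    rc=0
    for word in monitor consent unauthorized; do
        if ! grep -qi "$word" "$file"; then
            echo "banner lacks '$word' language: $file" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Live-host usage (as root): install_banner && check_banner /etc/issue.net && systemctl reload sshd
```

sshd sends the Banner file before authentication, so it is shown to anyone who connects, which is the point the CERT text makes about outside users needing notice; a post-login /etc/motd alone would not reach them. The check only confirms the wording covers the three elements, so the banner text itself still belongs with whoever reviews the organisation's user agreement.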
