Notes from LISA 2006, Part 2
"While I am an attorney, I am not your attorney."
This posting covers aspects of my activities on Wednesday morning that I consider to be noteworthy.
Keynote: Hollywood's Secret War on Your NOC
The keynote, presented by Cory Doctorow, was basically a pep rally for the EFF. It seemed to be carefully formatted to toss out a few things that could happen followed by something equally concerning that actually has happened. The strategy seemed to recognize the need to keep the audience's sense of urgency from drifting too far into the background. He hit topics such as the DMCA, Sony rootkits disguised as music CDs, DVR retention limits, remote control of home entertainment center outputs and various other DRM tactics. For my part, I can only hope that the free market realizes that people like having fewer encumbrances on their media and finds it can make more money by offering competitive products with fewer liberties stripped out. It is, of course, more important for the latter to become true.
As is well known by folks who have attended LISA, a very important benefit of the conference is the Hallway Track. The basic gist is simple: Any conversation happening out in the open is fair game to be monitored and joined. The Hallway Track is augmented by facilities such as the conference wiki and an IRC channel.
At the conference, I noticed a number of laptops showing login screens emblazoned with a CentOS logo. I had not heard of it before, yet it was apparently somewhat popular. I asked a few people about it and was told that it's a free Linux distribution based on the Red Hat Enterprise Linux source code. The CentOS web site seems to confirm this, although it avoids mentioning Red Hat by name. The people who acknowledged having used it seemed happy with it, so CentOS now goes on my list of things to take a look at. At work, it's hard to get money for Red Hat subscriptions. My personal opinion is that the time saved by the effort that Red Hat puts into it more than makes up for the cost of the subscription. I'm not sure what the opposing viewpoint is.
Invited Talks II: Sysadmins, Network Managers and Wiretap Law
I considered this talk to be mandatory for my type of work. I qualify as both a "Sysadmin" and a "Network Manager." I am also a member of my employer's network security team. My job duties include the protection of the systems and resources that my employer uses and offers in order to conduct business. This often does include the monitoring of communications and other data flowing through my employer's network.
Alex Muentz presented an interesting summary of relevant federal law - wiretap law and stored communication law, in particular. I feel that I should relay his obligatory disclaimer that this talk did not constitute legal advice and that various states have their own laws which result in situations that differ from federal law. ;-)
A theme that ran throughout his talk involved conditions under which a right to privacy applies. Two key elements are: An individual must have a "reasonable" belief that privacy is provided in a situation, and the situation must be one under which society would typically grant privacy. There are also concepts of privacy in receipt versus privacy in transmission. In a nutshell, it seems that an individual can have an expectation that what they are receiving is private, but that the same cannot be expected when transmitting information. One must assume that the receiver may decide to become (or possibly already be) an informant. There is also no expectation of privacy for information that must be given to a third party for the purposes of delivering a communication - the example he used was the address information on the outside of an envelope.
Alex presented an interesting example of how new technology has sometimes confused the law. At one point in our history, this new device called the telephone was introduced. Somewhere in the 1920s it was ruled that there shall be no expectation of privacy when it comes to telephone communications. After all, you're willingly transmitting your voice via copper wires that extend well beyond the confines of your private residence, so naturally you can't expect to know who could possibly hear it. At a later point in history, this position was updated to differentiate between use of the telephone and, for example, climbing up on your roof and yelling across to someone else.
The Wiretap Act covers the intercept of communications while they are physically in-transit on the wire (more on this later). The important point for me is that agents or employees of service providers are not prohibited from wiretapping when acting to protect the rights and/or facilities of the service provider. It is also permitted when attempting to determine the source of harmful electronic interference. Alex noted that the terminology that defines a service provider is a bit vague and subject to interpretation - it seems that lots of entities could be defined as service providers, depending on context.
The Stored Communication Act covers information that is stored on a computer system, regardless of how temporary that storage may be. As an E-mail message makes its way from Person A to Person B via a number of SMTP servers, it's considered stored communication during the time that it is on disk on each of those servers. (I assume that the same applies for data stored in RAM as well.) The act of copying a message in that state would fall under the stored communication laws, not the wiretap laws.
Stored communication law prohibits accessing data without permission, exceeding granted permissions and obstructing access to information by those who are authorized to access it. There are exceptions to this that apply to me as well. The owner of a service may access its data for any reason. A user may access information that is intended for them. There is also an exception for inadvertent discovery of a crime.
There are two primary cases that affect the divide between wiretap and stored communication law at present. In 1995, Steve Jackson Games versus US Secret Service found that interception under the Wiretap Act must be "contemporaneous with transmission." This is the source of the above reference to communications being physically in-transit on the wire. This ruling was adopted by most federal circuits and several states. However, Councilman vs. US (2005) seems to turn this distinction on its head. The 1st Circuit Court seems to be trying to redefine interception to include other situations when there is a "legitimate business reason." This case could have numerous implications. Stay tuned.
Alex made a couple suggestions for those of us involved in this sort of work. The first was to get sniffing written in to your job description. The second is to have a published policy that defines the permitted who, when, how and where of sniffing for the organization. These actions should help to protect both the employee and the organization. The good news for me is that private companies have a lot of latitude when it comes to what they can do with systems that they own, as long as the intended actions are stated.
Overall, it was a very interesting and informative talk. It will be worthwhile to look for future talks on this topic in order to stay updated on changes. As noted above, this stuff does change from time to time.