As unlikely as it may sound, lawyers and computer security experts agree
on one thing: When it comes to determining what's legal and what's not on
the information superhighway, there are more questions than answers. And
the shortage of clear-cut legal guidelines is creating problems and sowing
confusion among those responsible for defending agency networks.
Take the FBI's use of an e-mail monitoring system known as Carnivore.
The system enables law enforcement officials to monitor specifically targeted
e-mail accounts with the cooperation of that user's Internet service provider.
The FBI contends the system is legal because it does not intercept all
e-mail messages or e-mail content passing through an ISP. However, privacy
advocates argue that the system threatens the privacy of innocent, law-abiding
citizens.
Few federal cyberdefenders would not want to have the monitoring power
that Carnivore provides. But is it legal? Congress isn't convinced — some
members have expressed concern that it threatens basic constitutional rights,
such as protection from unreasonable searches and seizures.
Carnivore is just the latest example of technology outpacing the law,
putting employers and agency cyberdefenders on thin ice.
"We don't have much of a legal framework for cybersecurity," said Jeffrey
Hunker, senior director for critical infrastructure on the National Security
Council, which is tasked with advising the president on all major national
security issues, including cybersecurity. "Every time you ask a question,
five more questions emerge."
But for federal cyberdefenders, not knowing the limits of the law, even as
those limits are changing, could have catastrophic consequences. Agency information
technology managers could find themselves on the wrong side of a dispute,
mired in a public legal battle or responsible for losing solid cases against
accused criminals.
"As an operator, I never thought I needed to learn about the First,
Fourth and Fifth amendments [to the Constitution]," said Phil Loranger,
director of biometric security programs for the Army.
In fact, when the Army went on alert this year after receiving a threat
from a hacker group, service officials found themselves unable to conduct
a preventive strike against the hackers. Federal laws and regulations prohibit
government agencies from penetrating a commercial ISP to search for the
IP address of an attacker.
As the growth of the Internet and mobile computing devices muddies the
legal boundaries of the workplace and raises the stakes for network defenders,
agencies need to realize that privacy and constitutional questions, not
just security requirements, dictate what countermeasures they can take.
To date, there are more questions than answers. Still, a small but growing
number of legal cases could help guide agency managers in their efforts
to defend their networks and stay out of hot water. These cases, though
few and far between, represent the current canon of cyberlaw. And they are
the least of what agency security and network managers should know, say
cyberlaw experts.
Searching Federal Property
When officials at Napa State Hospital in California placed a doctor
on administrative leave in 1981 for allegedly harassing two female residents,
they had no idea that the ensuing legal case would establish one of the
most important ground rules for federal cyberdefenders of the future.
The 1987 landmark case of O'Connor v. Ortega stemmed from the investigation
of charges against Dr. Magno Ortega by a team of hospital officials led
by the hospital's executive director, Dr. Dennis O'Connor. Surprisingly,
the case had nothing to do with computers. Today, however, it has everything
to do with federal cyberdefenses.
In an effort to conduct what hospital officials characterized as an
"inventory" of government property, investigators entered Ortega's office
while he was on leave and seized various items from Ortega's desk and file
cabinets, including personal items. Instead of conducting a formal inventory,
officials placed Ortega's property in a box with items belonging to the
government and put it in storage.
Ortega then filed a lawsuit against the hospital, charging that the
search of his office violated the Fourth Amendment, which protects the public
from unreasonable searches and seizures. However, in what Tom King, a lawyer
for the Army's Signal Command at Fort Huachuca, Ariz., calls a "key case
for government protection of information systems," the Federal District
Court ruled against Ortega. "The law was that you have no Fourth Amendment
right in a government workplace," King said, speaking at the E-Gov Conference
in Washington, D.C., in July.
However, the decision was reversed on appeal and wound up before the
U.S. Supreme Court. In a 1987 decision, the court concluded, "searches and
seizures by government employers or supervisors of the private property
of their employees are subject to Fourth Amendment restraints."
According to King, the Supreme Court's decision in O'Connor v. Ortega
has direct relevance to searches in the electronic workplace. It established
a reasonable test that balances a public employee's expectation of privacy
in his or her office against an employer's right to conduct a reasonable
search. "It established a Fourth Amendment right in a government workplace,
but that right is based on a reasonable expectation of privacy," he said.
What's Reasonable?
But should government employees expect to be protected by privacy laws
when using federal e-mail, information systems and network access? The answer
is yes, but that expectation is not the same as it is with old-fashioned
snail mail or the telephone.
In 1996, Air Force Col. James Maxwell Jr. appealed his conviction and
dismissal from the service stemming from his use of his home PC and America
Online accounts to obtain child pornography. In deciding the case, a military
court of appeals said that although e-mail users do have an expectation
of privacy, the very nature of the electronic world dictates that the expectation
be lower than in traditional forms of communication.
According to the court, even on proprietary networks, other employees or
users may gain access to the e-mail; recipients can forward an e-mail to
an untold number of other users; and users who send e-mail over the Internet
have no control over where the message is routed.
In the end, the court found that although the government's search of
Maxwell's America Online accounts was conducted "in good faith," the search
warrant did not include reference to the many "screen names" used by Maxwell,
and, therefore, that evidence was inadmissible in court. Although charges
of interstate distribution of obscenity and communicating bad language were
dismissed, a rehearing on other guilty verdicts was ordered.
There is a catch, however, when it comes to the balance of rights over
workplace e-mail — when an agency's employees are informed that their network
is monitored. "Individuals who transmit e-mail via a government computer
that is used for official business and [have] received notice that the system
is subject to monitoring have no reasonable expectation of privacy," according
to a study written by Marlene Muraco, a lawyer with Littler Mendelson P.C.
"Notice of monitoring strips the user of any expectation of privacy
that he had," Muraco wrote. "Where there is no explicit notice of monitoring,
employees should seek to gain assurances from management that their e-mails
will not be intercepted."
Disclosure Agreements
A key piece of legislation governing electronic privacy is the Electronic
Communications Privacy Act (ECPA) of 1986, which gives employers the right
to access employees' e-mail and voice-mail messages if the messages are
maintained on a system provided by the government or the employer. However,
employers may not access messages without the consent of either the author
or the intended recipient of the message if an outside service provider
owns the system — an important distinction for the government.
One group that relies heavily on monitoring and disclosure agreements
is the intelligence community. For intelligence officials, the Foreign Intelligence
Surveillance Act (FISA), passed in 1979, is the key policy law. It requires
officials to demonstrate probable cause before the government can conduct
an electronic surveillance of U.S. citizens for intelligence purposes.
One of the latest examples of FISA in action is the case against Los
Alamos physicist Wen Ho Lee, who has been accused of stealing nuclear secrets
for the Chinese government. Although the original FBI surveillance request
did not include a request to search a computer, a considerable debate ensued
about whether probable cause existed in the case.
Although the Lee case is unique in many respects, one aspect of the
case has a broad impact for federal cyberdefenders: an agency's authority
to conduct searches of employees' computers when employees have signed a
waiver authorizing such searches.
"Weirdly, Lee had signed such a waiver, and yet the FBI did not perform
the search until long afterwards," said Steven Aftergood, director of the
Project on Government Secrecy at the Federation of American Scientists.
"I guess the lesson is [to] get security waivers ahead of time, make sure
they are legally valid and then use them when the need arises."
According to cyberlaw experts, agencies should make sure they widely
publicize a notice of network monitoring that spells out the consequences
of improper behavior. If regulations and policies are not in place and are
not made public, agencies don't have a legal leg to stand on.
In 1998, an electronic engineer for the CIA's Foreign Broadcast Information
Service decided to visit pornographic World Wide Web sites and download
files to his work computer. When the government brought a case against him,
the court concluded that he did not have a reasonable expectation of privacy
because FBIS had published a policy that made unauthorized activity punishable
by termination and prosecution.
Who Runs Your Network?
Most lawyers agree that banner warnings similar to the ones you find
on almost all government home pages on the Internet and other published
policies are key attempts by the government to establish users' consent
to monitoring.
Although the CIA case is an important example of the critical role played
by consent-to-monitor agreements, there are exceptions to ECPA, according
to King.
"Your role within the government determines the protection you get under
ECPA," said King, adding that federal organizations — such as the Army's
director of command, control, communications and computers — can be considered
service providers under the law.
The case of U.S. v. Staff Sergeant Robert J. Monroe is another example
of where a consent-to-monitor regulation has been effective in protecting
government network monitors from the long arm of the law.
When Air Force system administrators investigated the cause of their
failing e-mail system in 1995, they found 59 files containing pornographic
images clogging the system. The administrators opened some of the files
and turned them over to Air Force criminal investigators.
Fortunately for the system administrators, Air Force policy clearly
advised all network users that their e-mail was subject to monitoring. Monroe's
expectation of privacy was rejected because the administrators were acting
in accordance with their obligation to keep their system operating correctly — known as the "service provider exception" to ECPA.
Unfortunately, although protections exist, regulations often differ across
the government, particularly in the military. "The Army regulations prohibit
system administrators from monitoring e-mail for these purposes," said King,
referring to the Maxwell case. When it comes to regulations on information
security procedures, "the Army's really conservative, the Navy is to the
limits of the law, and the Air Force doesn't know which way it wants to
go."
What's more, a former Air Force network security officer said he never
targeted individual computers or intercepted message traffic even though
his unit had banners posted on all the systems saying that they could do
so. "There's no teeth in that [policy], so the banner is mainly for the
hacker to not see a welcome message and use that against the Air Force in
court," he said.
Even though laws are in place that set limits on how agencies can manage
workers' activities online, network managers must become expert in the particular
rules that pertain to their agency.
"I learned a long time ago in my Army career to learn all the regulations
that pertained to my job and to follow them as closely as possible," the
security officer said. "I kept that thought as I figured out what to do
with the computer systems and detection tools that we employed."