Web stakeout

As unlikely as it may sound, lawyers and computer security experts agree on one thing: When it comes to determining what's legal and what's not on the information superhighway, there are more questions than answers.

As unlikely as it may sound, lawyers and computer security experts agree on one thing: When it comes to determining what's legal and what's not on the information superhighway, there are more questions than answers. And the shortage of clear-cut legal guidelines is creating problems and sowing confusion among those responsible for defending agency networks.

Take the FBI's use of an e-mail monitoring system known as Carnivore. The system enables law enforcement officials to monitor specifically targeted e-mail accounts with the cooperation of that user's Internet service provider. The FBI contends the system is legal because it does not intercept all e-mail messages or e-mail content passing through an ISP. However, privacy advocates argue that the system threatens the privacy of innocent, law-abiding citizens.

Most federal cyberdefenders would welcome the monitoring power that Carnivore provides. But is it legal? Congress isn't convinced — some members have expressed concern that it threatens basic constitutional rights, such as protection from unreasonable searches and seizures.

Carnivore is just the latest example of technology outpacing the law, putting employers and agency cyberdefenders on thin ice.

"We don't have much of a legal framework for cybersecurity," said Jeffrey Hunker, senior director for critical infrastructure on the National Security Council, which is tasked with advising the president on all major national security issues, including cybersecurity. "Every time you ask a question, five more questions emerge."

But for federal cyberdefenders, not knowing the law — even as those limits are changing — could have catastrophic consequences. Agency information technology managers could find themselves on the wrong side of a dispute, mired in a public legal battle or responsible for losing solid cases against accused criminals.

"As an operator, I never thought I needed to learn about the First, Fourth and Fifth amendments [to the Constitution]," said Phil Loranger, director of biometric security programs for the Army.

In fact, when the Army went on alert this year after receiving a threat from a hacker group, service officials found themselves unable to conduct a preventive strike against the hackers. Federal laws and regulations prohibit government agencies from penetrating a commercial ISP to search for the IP address of an attacker.

As the growth of the Internet and mobile computing devices muddies the legal boundaries of the workplace and raises the stakes for network defenders, agencies need to realize that privacy and constitutional questions, not just security requirements, dictate what countermeasures they can take.

To date, there are more questions than answers. Still, a small but growing number of legal cases could help guide agency managers in their efforts to defend their networks and stay out of hot water. These cases, though few and far between, represent the current canon of cyberlaw. And they are the minimum that agency security and network managers should know, say cyberlaw experts.

Searching Federal Property

When officials at Napa State Hospital in California placed a doctor on administrative leave in 1981 for allegedly harassing two female residents, they had no idea that the ensuing legal case would establish one of the most important ground rules for federal cyberdefenders of the future.

The 1987 landmark case of O'Connor v. Ortega stemmed from the investigation of charges against Dr. Magno Ortega by a team of hospital officials led by the hospital's executive director, Dr. Dennis O'Connor. Surprisingly, the case had nothing to do with computers. Today, however, it has everything to do with federal cyberdefenses.

In an effort to conduct what hospital officials characterized as an "inventory" of government property, investigators entered Ortega's office while he was on leave and seized various items from his desk and file cabinets, including personal items. Instead of conducting a formal inventory, officials placed Ortega's property in a box with items belonging to the government and put it in storage.

Ortega then filed a lawsuit against the hospital, charging that the search of his office violated the Fourth Amendment, which protects the public from unreasonable searches and seizures. However, in what Tom King, a lawyer for the Army's Signal Command at Fort Huachuca, Ariz., calls a "key case for government protection of information systems," the federal district court ruled against Ortega. "The law was that you have no Fourth Amendment right in a government workplace," King said, speaking at the E-Gov Conference in Washington, D.C., in July.

However, the decision was reversed on appeal, and the case wound up before the U.S. Supreme Court. In its 1987 decision, the court concluded that "searches and seizures by government employers or supervisors of the private property of their employees are subject to Fourth Amendment restraints."

According to King, the Supreme Court's decision in O'Connor v. Ortega has direct relevance to searches in the electronic workplace. It established a reasonableness test that balances a public employee's expectation of privacy in his or her office against an employer's need to conduct a reasonable search. "It established a Fourth Amendment right in a government workplace, but that right is based on a reasonable expectation of privacy," he said.

What's Reasonable?

But should government employees expect to be protected by privacy laws when using federal e-mail, information systems and network access? The answer is yes, but that expectation is not the same as it is with old-fashioned snail mail or the telephone.

In 1996, Air Force Col. James Maxwell Jr. appealed his conviction and dismissal from the service stemming from his use of his home PC and America Online accounts to obtain child pornography. In deciding the case, a military court of appeals said that although e-mail users do have an expectation of privacy, the very nature of the electronic world dictates that the expectation be lower than in traditional forms of communication.

According to the court, even on proprietary networks, other employees or users may gain access to the e-mail; recipients can forward an e-mail to an untold number of other users; and users who send e-mail over the Internet have no control over where the message is routed.

In the end, the court found that although the government's search of Maxwell's America Online accounts was conducted "in good faith," the search warrant did not include reference to the many "screen names" used by Maxwell, and, therefore, that evidence was inadmissible in court. Although charges of interstate distribution of obscenity and communicating indecent language were dismissed, a rehearing on other guilty verdicts was ordered.

There is a catch, however, when it comes to the balance of rights over workplace e-mail: when an agency's employees are informed that their network is monitored. "Individuals who transmit e-mail via a government computer that is used for official business and [have] received notice that the system is subject to monitoring have no reasonable expectation of privacy," according to a study written by Marlene Muraco, a lawyer with Littler Mendelson P.C.

"Notice of monitoring strips the user of any expectation of privacy that he had," Muraco wrote. "Where there is no explicit notice of monitoring, employees should seek to gain assurances from management that their e-mails will not be intercepted."

Disclosure Agreements

A key piece of legislation governing electronic privacy is the Electronic Communications Privacy Act (ECPA) of 1986, which gives employers the right to access employees' e-mail and voice-mail messages if the messages are maintained on a system provided by the government or the employer. However, employers may not access messages without the consent of either the author or the intended recipient of the message if an outside service provider owns the system, an important distinction for the government.

One group that relies heavily on monitoring and disclosure agreements is the intelligence community. For intelligence officials, the Foreign Intelligence Surveillance Act (FISA), passed in 1978, is the key policy law. It requires officials to demonstrate probable cause before the government can conduct electronic surveillance of U.S. citizens for intelligence purposes.

One of the latest examples of FISA in action is the case against Los Alamos physicist Wen Ho Lee, who has been accused of stealing nuclear secrets for the Chinese government. Although the original FBI surveillance request did not include a request to search a computer, a considerable debate ensued about whether probable cause existed in the case.

Although the Lee case is unique in many respects, one aspect of the case has a broad impact for federal cyberdefenders: an agency's authority to conduct searches of employees' computers when employees have signed a waiver authorizing such searches.

"Weirdly, Lee had signed such a waiver, and yet the FBI did not perform the search until long afterwards," said Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists. "I guess the lesson is [to] get security waivers ahead of time, make sure they are legally valid and then use them when the need arises."

According to cyberlaw experts, agencies should make sure they widely publicize a notice of network monitoring that spells out the consequences of improper behavior. If regulations and policies are not in place and are not made public, agencies don't have a legal leg to stand on.

In 1998, an electronic engineer for the CIA's Foreign Broadcast Information Service decided to visit pornographic World Wide Web sites and download files to his work computer. When the government brought a case against him, the court concluded that he did not have a reasonable expectation of privacy because FBIS had published a policy that made unauthorized activity punishable by termination and prosecution.

Who Runs Your Network?

Most lawyers agree that banner warnings similar to the ones you find on almost all government home pages on the Internet, together with other published policies, are the government's key means of establishing users' consent to monitoring.

Although the CIA case is an important example of the critical role played by consent-to-monitor agreements, there are exceptions to ECPA, according to King.

"Your role within the government determines the protection you get under ECPA," said King, adding that federal organizations — such as the Army's director of command, control, communications and computers — can be considered service providers under the law.

The case of U.S. v. Staff Sergeant Robert J. Monroe is another example of where a consent-to-monitor regulation has been effective in protecting government network monitors from the long arm of the law.

When Air Force system administrators investigated the cause of their failing e-mail system in 1995, they found 59 files containing pornographic images clogging the system. The administrators opened some of the files and turned them over to Air Force criminal investigators.

Fortunately for the system administrators, Air Force policy clearly advised all network users that their e-mail was subject to monitoring. Monroe's claim to an expectation of privacy was rejected because the administrators were acting in accordance with their obligation to keep their system operating correctly — known as the "service provider exception" to ECPA.

Unfortunately, although protections exist, regulations often differ across the government, particularly in the military. "The Army regulations prohibit system administrators from monitoring e-mail for these purposes," said King, referring to the Maxwell case. When it comes to regulations on information security procedures, "the Army's really conservative, the Navy is to the limits of the law, and the Air Force doesn't know which way it wants to go."

What's more, a former Air Force network security officer said he never targeted individual computers or intercepted message traffic even though his unit had banners posted on all the systems saying that it could do so. "There's no teeth in that [policy], so the banner is mainly for the hacker to not see a welcome message and use that against the Air Force in court," he said.

Even though laws are in place that set limits on how agencies can manage workers' activities online, network managers must become expert in the particular rules that pertain to their agency.

"I learned a long time ago in my Army career to learn all the regulations that pertained to my job and to follow them as closely as possible," the security officer said. "I kept that thought as I figured out what to do with the computer systems and detection tools that we employed."
