WASHINGTON (08/14/2000) - As unlikely as it may sound, lawyers and computer security experts agree on one thing: When it comes to determining what's legal and what's not on the information superhighway, there are more questions than answers. And the shortage of clear-cut legal guidelines is creating problems and sowing confusion among those responsible for defending agency networks.
Take the U.S. Federal Bureau of Investigation's use of an e-mail monitoring system known as Carnivore. The system enables law enforcement officials to monitor specifically targeted e-mail accounts with the cooperation of that user's Internet service provider. The FBI contends the system is legal because it does not intercept all e-mail messages or e-mail content passing through an ISP. However, privacy advocates argue that the system threatens the privacy of innocent, law-abiding citizens.
Few federal cyberdefenders would not want to have the monitoring power that Carnivore provides. But is it legal? Congress isn't convinced - some members have expressed concern that it threatens basic constitutional rights, such as protection from unreasonable searches and seizures.
Carnivore is just the latest example of technology outpacing the law, putting employers and agency cyberdefenders on thin ice.
"We don't have much of a legal framework for cybersecurity," said Jeffrey Hunker, senior director for critical infrastructure on the National Security Council, which is tasked with advising the president on all major national security issues, including cybersecurity. "Every time you ask a question, five more questions emerge."
But for federal cyberdefenders, not knowing the law - even as those limits are changing - could have catastrophic consequences. Agency information technology managers could find themselves on the wrong side of a dispute, mired in a public legal battle or responsible for losing solid cases against accused criminals.
"As an operator, I never thought I needed to learn about the First, Fourth and Fifth amendments [to the Constitution]," said Phil Loranger, director of biometric security programs for the Army.
In fact, when the Army went on alert this year after receiving a threat from a hacker group, service officials found themselves unable to conduct a preventive strike against the hackers. Federal laws and regulations prohibit government agencies from penetrating a commercial ISP to search for the IP address of an attacker.
As the growth of the Internet and mobile computing devices muddies the legal boundaries of the workplace and raises the stakes for network defenders, agencies need to realize that privacy and constitutional questions, not just security requirements, dictate what countermeasures they can take.
To date, there are more questions than answers. Still, a small but growing number of legal cases could help guide agency managers in their efforts to defend their networks and stay out of hot water. These cases, though few and far between, represent the current canon of cyberlaw. And they are the least of what agency security and network managers should know, say cyberlaw experts.
Searching Federal Property
When officials at Napa State Hospital in California placed a doctor on administrative leave in 1981 for allegedly harassing two female residents, they had no idea that the ensuing legal case would establish one of the most important ground rules for federal cyberdefenders of the future.
The 1987 landmark case of O'Connor v. Ortega stemmed from the investigation of charges against Dr. Magno Ortega by a team of hospital officials led by the hospital's executive director, Dr. Dennis O'Connor. Surprisingly, the case had nothing to do with computers. Today, however, it has everything to do with federal cyberdefenses.
In an effort to conduct what hospital officials characterized as an "inventory" of government property, investigators entered Ortega's office while he was on leave and seized various items from Ortega's desk and file cabinets, including personal items. Instead of conducting a formal inventory, officials placed Ortega's property in a box with items belonging to the government and put it in storage.
Ortega then filed a lawsuit against the hospital, charging that the search of his office violated the Fourth Amendment, which protects the public from unreasonable searches and seizures. However, in what Tom King, a lawyer for the Army's Signal Command at Fort Huachuca, Ariz., calls a "key case for government protection of information systems," the Federal District Court ruled against Ortega. "The law was that you have no Fourth Amendment right in a government workplace," King said, speaking at the E-Gov Conference in Washington, D.C., in July. However, the decision was reversed on an appeal and wound up before the U.S. Supreme Court. In a 1987 decision, the court concluded, "searches and seizures by government employers or supervisors of the private property of their employees are subject to Fourth Amendment restraints."
According to King, the Supreme Court's decision in O'Connor v. Ortega has direct relevance to searches in the electronic workplace. It established a reasonable test that balances a public employee's expectation of privacy in his or her office against an employer's right to conduct a reasonable search. "It established a Fourth Amendment right in a government workplace, but that right is based on a reasonable expectation of privacy," he said.
But should government employees expect to be protected by privacy laws when using federal e-mail, information systems and network access? The answer is yes, but that expectation is not the same as it is with old-fashioned snail mail or the telephone.
In 1996, Air Force Col. James Maxwell Jr. appealed his conviction and dismissal from the service stemming from his use of his home PC and America Online accounts to obtain child pornography. In deciding the case, a military court of appeals said that although e-mail users do have an expectation of privacy, the very nature of the electronic world dictates that the expectation be lower than in traditional forms of communication. According to the court, even on proprietary networks, other employees or users may gain access to the e-mail; recipients can forward an e-mail to an untold number of other users; and users who send e-mail over the Internet have no control over where the message is routed.
In the end, the court found that although the government's search of Maxwell's America Online accounts was conducted "in good faith," the search warrant did not include reference to the many "screen names" used by Maxwell, and, therefore, that evidence was inadmissible in court. Although charges of interstate distribution of obscenity and communicating bad language were dismissed, a rehearing on other guilty verdicts was ordered.
There is a catch, however, when it comes to the balance of rights over workplace e-mail - when an agency's employees are informed that their network is monitored. "Individuals who transmit e-mail via a government computer that is used for official business and [have] received notice that the system is subject to monitoring have no reasonable expectation of privacy," according to a study written by Marlene Muraco, a lawyer with Littler Mendelson P.C.
"Notice of monitoring strips the user of any expectation of privacy that he had," Muraco wrote. "Where there is no explicit notice of monitoring, employees should seek to gain assurances from management that their e-mails will not be intercepted."
A key piece of legislation governing electronic privacy is the Electronic Communications Privacy Act (ECPA) of 1986, which gives employers the right to access employees' e-mail and voice-mail messages if the messages are maintained on a system provided by the government or the employer. However, employers may not access messages without the consent of either the author or the intended recipient of the message if an outside service provider owns the system - an important distinction for the government.
One group that relies heavily on monitoring and disclosure agreements is the intelligence community. For intelligence officials, the Foreign Intelligence Surveillance Act (FISA), passed in 1979, is the key policy law. It requires officials to demonstrate probable cause before the government can conduct an electronic surveillance of U.S. citizens for intelligence purposes.
One of the latest examples of FISA in action is the case against Los Alamos physicist Wen Ho Lee, who has been accused of stealing nuclear secrets for the Chinese government. Although the original FBI surveillance request did not include a request to search a computer, a considerable debate ensued about whether probable cause existed in the case.
Although the Lee case is unique in many respects, one aspect of the case has a broad impact for federal cyberdefenders: an agency's authority to conduct searches of employees' computers when employees have signed a waiver authorizing such searches.
"Weirdly, Lee had signed such a waiver, and yet the FBI did not perform the search until long afterwards," said Steven Aftergood, director of the Project on Government Secrecy at the Federation of American Scientists. "I guess the lesson is [to] get security waivers ahead of time, make sure they are legally valid and then use them when the need arises."
According to cyberlaw experts, agencies should make sure they widely publicize a notice of network monitoring that spells out the consequences of improper behavior. If regulations and policies are not in place and are not made public, agencies don't have a legal leg to stand on.
In 1998, an electronic engineer for the CIA's Foreign Broadcast Information Service decided to visit pornographic World Wide Web sites and download files to his work computer. When the government brought a case against him, the court concluded that he did not have a reasonable expectation of privacy because FBIS had published a policy that made unauthorized activity punishable by termination and prosecution.
Who Runs Your Network?
Most lawyers agree that banner warnings similar to the ones you find on almost all government home pages on the Internet and other published policies are key attempts by the government to establish users' consent to monitoring.
Although the CIA case is an important example of the critical role played by consent-to-monitor agreements, there are exceptions to ECPA, according to King.
"Your role within the government determines the protection you get under ECPA," said King, adding that federal organizations - such as the Army's director of command, control, communications and computers - can be considered service providers under the law.
The case of U.S. v. Staff Sergeant Robert J. Monroe is another example of where a consent-to-monitor regulation has been effective in protecting government network monitors from the long arm of the law.
When Air Force system administrators investigated the cause of their failing e-mail system in 1995, they found 59 files containing pornographic images clogging the system. The administrators opened some of the files and turned them over to Air Force criminal investigators.
Fortunately for the system administrators, Air Force policy clearly advised all network users that their e-mail was subject to monitoring. Monroe's expectation of privacy was rejected because the administrators were acting in accordance with their obligation to keep their system operating correctly - known as the "service provider exception" to ECPA.
Unfortunately, although protections exist, regulations often differ across the government, particularly in the military. "The Army regulations prohibit system administrators from monitoring e-mail for these purposes," said King, referring to the Maxwell case. When it comes to regulations on information security procedures, "the Army's really conservative, the Navy is to the limits of the law, and the Air Force doesn't know which way it wants to go."
What's more, a former Air Force network security officer said he never targeted individual computers or intercepted message traffic even though his unit had banners posted on all the systems saying that they could do so. "There's no teeth in that [policy], so the banner is mainly for the hacker to not see a welcome message and use that against the Air Force in court," he said.
Even though laws are in place that set limits on how agencies can manage workers' activities online, network managers must become expert in the particular rules that pertain to their agency.
"I learned a long time ago in my Army career to learn all the regulations that pertained to my job and to follow them as closely as possible," the security officer said. "I kept that thought as I figured out what to do with the computer systems and detection tools that we employed."