John -
Googling "logon banner legal requirement" got me:
http://rr.sans.org/incident/evidence.php
which explicitly discusses many of the issues regarding
legality of monitoring, but does not *directly* mention
logon banners. However, it has pointers to several legal
cases or statutes which relate to monitoring in general.
That got me:
http://www.cert.org/advisories/CA-1992-19.html
which includes the text:
"...
The legality of such monitoring is governed by 18 U.S.C. section 2510 et seq.
[This looks like the first place to start hunting.] That statute was last
amended in 1986, years before the words "virus" and "worm" became part of our
everyday vocabulary. Therefore, not surprisingly, the statute does not directly
address the propriety of keystroke monitoring by system administrators.
Attorneys for the Department [of Justice] have engaged in a review of the statute
and its legislative history. We believe that such keystroke monitoring
of intruders may be defensible under the statute. However, the statute
does not expressly authorize such monitoring. Moreover, no court has yet
had an opportunity to rule on this issue. If the courts were to decide
that such monitoring is improper, it would potentially give rise to both
criminal and civil liability for system administrators. Therefore, absent
clear guidance from the courts, we believe it is advisable for system
administrators who will be engaged in such monitoring to give notice to
those who would be subject to monitoring that, by using the system, they
are expressly consenting to such monitoring. Since it is important that
unauthorized intruders be given notice, some form of banner notice at the
time of signing on to the system is required. Simply providing written notice
in advance to only authorized users will not be sufficient to place outside
hackers on notice.
..."
The site has the following revision state:
Original issue date: December 7, 1992
Last revised: September 19, 1997
18 USC 2510 et seq was amended 01/02/01 according to
http://uscode.house.gov/usc.html
Similarly,
http://www.ciac.org/ciac/bulletins/j-043.shtml
has text for such a banner used by the DoE. If such a law
existed, then assuredly DoE would explicitly state in the
banner its meeting the requirements of XX U.S.C. section YYY et seq.
It doesn't.
You might also try
http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm
(also from google) which has a link to something called "Searching and
Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations", which I bet has the reference you want. It is
hosted at http://wwww.cybercrime.gov.
[I never knew this existed. Hey, I learned something new today.
I can go home!]
Looks to me like there is (or was) *not* an explicit legal
"logon banner" paragraph, but that the logon banner *seems* to
meet the requirements for notification of and consent to monitoring
in the absence of a written acknowledgement (such as when a cracker
takes a shot at your network). The entire purpose (at least,
as I understand it) of such logon banners is to provide explicit notice
to unauthorized users of the monitoring and explicitly state that
use of the system constitutes consent to this monitoring. Authorized
users must typically acknowledge and consent to this monitoring as
part of their user agreement. I believe this stems from the
requirements on wire tapping (etc) in 18 U.S.C. 2510 that requires
consent of all monitored parties, in the absence of a court order,
for such monitoring to be used as evidence. I am *not* sure how
this otherwise interacts with personal and commercial privacy law.
18 USC 25XX is pretty dense with requirements.
However, IANAL and all the rest of the disclaimers. My recommendation
is that you get your dept head to talk to one of the university's
lawyers and have *them* hunt down the right title and section, if you
feel the need to know. That's what lawyers are paid for. The
university would probably happily pay their lawyer to do that rather
than to fight a privacy lawsuit or lose a suit against some cracker
who trashed an online record system (like accounting).
Just my 0.02 and a little (the most dangerous kind!)
Google knowledge.
Charley
--
Charles Hamilton, MS EIT Doctoral Candidate
Department of Civil and Environmental Engineering
University of California, Irvine
Phone: 949.824.8694
FAX: 949.824.2117
Email: [EMAIL PROTECTED]