University logging mail to anon.penet
This just came up locally, and I'd like to have some comments on it, especially from people who understand the law a lot better than I do: Our local University apparently has been logging ALL mail to anon.penet, including faculty, students, and off-campus users. They maintain such weak security that someone was able to "obtain" the logs and post them to a local usenet group, thus compromising everyone's "anonymous" identities. -- Jeff Simmons jsimmons@goblin.punk.net
On Wed, 6 Sep 1995, Jeff Simmons wrote:
This just came up locally, and I'd like to have some comments on it, especially from people who understand the law a lot better than I do:
Our local University apparently has been logging ALL mail to anon.penet, including faculty, students, and off-campus users.
They maintain such weak security that someone was able to "obtain" the logs and post them to a local usenet group, thus compromising everyone's "anonymous" identities.
I'd say that there are some serious ethical and legal concerns that should be addressed by the administration for keeping such logs... -- Robert A. Hayden hayden@krypton.mankato.msus.edu http://krypton.mankato.msus.edu/~hayden/Welcome.html
hayden@krypton.mankato.msus.edu said:
I'd say that there are some serious ethical and legal concerns that should be addressed by the administration for keeping such logs...
Ethical I would definitely agree with. Legally, I'm not so sure of. The applicable law would appear to be the Electronic Communications Privacy Act of 1986. The law does allow administrators to see messages in the normal course of their job, as long as they don't reveal that information to a 3rd party (except law enforcement in the event of a criminal act). This protection is probably strongest with a company you purchase Internet Service from, probably lesser so with a University, since there is less obviously a customer/seller relationship, and almost non-existent with a business, since there isn't a customer relationship, and the systems are owned by the business. Bob
Bob Snyder wrote:
hayden@krypton.mankato.msus.edu said:
I'd say that there are some serious ethical and legal concerns that should be addressed by the administration for keeping such logs...
Ethical I would definitely agree with.
Legally, I'm not so sure of. The applicable law would appear to be the Electronic Communications Privacy Act of 1986. The law does allow administrators to see messages in the normal course of their job, as long as they don't reveal that information to a 3rd party (except law enforcement in the event of a criminal act).
I'm no lawyer, but I believe that technically the ECPA allows them to view mail when it is part of maintenance, which could be in the "normal course of their job[s]", but I think it means that if they see mail while maintaining (i.e., bounced msgs) it's OK to read it, but maintenance doesn't mean outright monitoring of mail. Then again, what does the ECPA say about monitoring message traffic? That's essentially what they are doing, and likely they will rationalize it as being to save their own skins. It also might be the work of a SysAdmin and the school administration would be entirely clueless about it. Another possibility is that a hacker (the same who got ahold of the file?) put in something to monitor it... (my knowledge of Unix is little, though...)
This protection is probably strongest with a company you purchase Internet Service from, probably lesser so with a University, since there is less obviously a customer/seller relationship, and almost non-existent with a business, since there isn't a customer relationship, and the systems are owned by the business.
I've heard some nasty stories about boards and a couple of I-Net providers who charge for access but reserve the right to throw someone off the system without refund (it's often in the terms of many account applications) for various no-nos. Rob
In message <199509070542.BAA23214@libws4.ic.sunysb.edu>, Deranged Mutant writes [...]
I've heard some nasty stories about boards and a couple of I-Net providers who charge for access but reserve the right to throw someone off the system without refund (it's often in the terms of many account applications) for various no-nos.
A lot do more or less that, but if you were an Internet Service Provider how would you deal with it? For example, what if a customer started sending obscene material to people who didn't want it, and the recipients started to complain to you, or the government? If you (the ISP) don't have a service agreement that says you can disconnect the customer in that case, you are in danger of getting sued by them if you cut them off. If you don't cut them off you are in danger of getting sued or shut down by the government. Even if we were in a more libertarian society you run the risk of being boycotted by potential customers (of course the analogy breaks down somewhat; in a very libertarian society you might be able to run a profitable ISP selling to the very niche market of people who want to threaten, harass, or generally make a nuisance of themselves). As a result you are unlikely to find an ISP that doesn't have a set of no-no's (and if you do, they may not be in business for long). The best I think you can do is find an ISP that publishes their list of no-no's (like the one I work for, UUNET - see any file in ftp://ftp.uu.net/uunet-info with "svc" in its name and skip down to "AlterNet Terms and Conditions"), and seems to have a reasonable set of them, and last but not least make sure that they do at least refund any payment for service not received. For example, UUNET (which I work for - but this is mostly irrelevant as this is a statement of the facts, not an opinion) publishes their terms and conditions in ftp://ftp.uu.net/uunet-info (look at any file with "svc" in its name and skip down to "AlterNet Terms and Conditions"). As for reasonability, I'll leave that up to you to decide. -- And no, I'm not speaking for UUNET Technologies, or anyone but myself.
So which university is this?
This just came up locally, and I'd like to have some comments on it, especially from people who understand the law a lot better than I do:
Our local University apparently has been logging ALL mail to anon.penet, including faculty, students, and off-campus users.
They maintain such weak security that someone was able to "obtain" the logs and post them to a local usenet group, thus compromising everyone's "anonymous" identities.
-- Jeff Simmons jsimmons@goblin.punk.net
So which university is this?
This just came up locally, and I'd like to have some comments on it, especially from people who understand the law a lot better than I do:
Our local University apparently has been logging ALL mail to anon.penet, including faculty, students, and off-campus users.
They maintain such weak security that someone was able to "obtain" the logs and post them to a local usenet group, thus compromising everyone's "anonymous" identities.
California State Polytechnic University, San Luis Obispo -- Jeff Simmons jsimmons@goblin.punk.net
On Wed, 6 Sep 1995, Jeff Simmons wrote:
This just came up locally, and I'd like to have some comments on it, especially from people who understand the law a lot better than I do:
Our local University apparently has been logging ALL mail to anon.penet, including faculty, students, and off-campus users.
They maintain such weak security that someone was able to "obtain" the logs and post them to a local usenet group, thus compromising everyone's "anonymous" identities.
Which University please?
-- Jeff Simmons jsimmons@goblin.punk.net
participants (6)
- Black Unicorn
- Bob Snyder
- Deranged Mutant
- Jeff Simmons
- Josh M. Osborne
- Robert A. Hayden