Monday, September 24, 2007

Re: When you find a hacker... (UNCLASSIFIED)

Classification: UNCLASSIFIED=20
Caveats: NONE

As always, I am not a constitutional scholar.

It is important to note that in this case, the keylogger also broke
wiretapping laws because it is an "interception" device.=20

Breaking in and reading email can break these laws (as determined by
precedent not explicitly in law by US vs Councilman) but there are a
range of federal laws (e.g. fraud, hate crimes, etc.) that can kick in
once you determine how that information was used. There can also be
extensive state laws (Virginia has some very tough ones) that could be
harsher than the federal consequences. I would think learning more
would make for an interesting student research paper. The EFF is a good
place to start:
http://www.eff.org/Privacy/Email_Internet_Web/?f=3Demail_privacy.faq.txt

As to schools and businesses, it is highly advisable to notify anyone
using your systems (through AUP, Handbooks, Personnel Policy, etc) under
what conditions you expect to read their mail. Is it at anytime, is it
only under suspicion, who will be reading it? This helps bring
transparency to employees and students, but also insulates the school if
an authorized person abuses the knowledge they gain in reading email.
The fourth amendment test is usually, "a reasonable expectation of
privacy" so it is best to set those expectations yourself even though
precedent tends to favor the institution.

Finally, always remember that once you involve authorities, particularly
at the federal level, you will have set in motion a process that is
nearly impossible to stop and over which you have no effective control.
The school should be sure it is willing to support this process to its
conclusion.

_J
=20

___________________________________

Jason Johnson - Program Director
Web Services Branch - Walter Reed Army Medical Center Ingenium (ISO
9001:2000 certified)
Office: 202-782-1047
Cell: 202-262-0516
jason.johnson@ingenium.net
jason.p.johnson2@us.army.mil=20
-----Original Message-----
From: A forum for independent school educators
[mailto:ISED-L@LISTSERV.SYR.EDU] On Behalf Of Meany, Catherine
Sent: Saturday, September 22, 2007 10:53 AM
To: ISED-L@LISTSERV.SYR.EDU
Subject: Re: When you find a hacker...

My understanding is that institutions do own their email systems and
privacy is not assured. Boston Public Schools does monitor email to some
extent. Financial institutions monitor employees email to be sure they
are not disclosing sensitive or illegal information. If you have cause,
you have the right to read them.=20
=20
However, once users or outsiders hack into someone else's private email,
that is a crime. Using a software keylogger here, a student logged
everything a teacher typed, including their emails. That immediately
broke federal wiretapping laws. The Secret Service notified me that once
I realized what was in the logs, I should immediately stop reading them
and turn over everything to the police. If I continued to read the logs,
I was potentially also breaking these laws and participating in the
crime. They seized the hard drives and took over.
=20
Those were the parameters of what occurred here. I hope that is helpful.
I would refer to lawyers or local authorities for a complete explanation
of laws. Most now have Internet fraud and corruption divisions that are
versed in this area and can investigate hard drives, etc.
=20
Cathy Meany
=20

________________________________

From: A forum for independent school educators on behalf of Keith E
Gatling
Sent: Sat 9/22/2007 8:43 AM
To: ISED-L@LISTSERV.SYR.EDU
Subject: Re: When you find a hacker...

On 9/19/07, Meany, Catherine <cmeany@boston.k12.ma.us> wrote:
>
> FYI: Accessing others' email is a federal crime covered by wiretapping

> laws. You should know that once you discover this breach, beyond the=20
> initial discovery, you will also be liable for breaking this law if=20
> you access emails or even read stolen emails. Stop immediately and=20
> contact the authorities.
>

This piece here sounds very interesting, and I'd like to get this
clarified before I put this out to all of my students. In particular,
what exactly is meant by "accessing others' email"? Is this just the
obvious breaking into the account, or does it also cover messing with
someone's email that they left open for a moment while they went to the
bathroom?
And realistically, what can we legally do if we don't know who the
cretin was who sent the questionable email from the naive/lazy student's
account?

More important, the couple of students I mentioned this to want to know
does this mean that *the school* can't legally look at or mess with
their
*school-hosted* email? I suspect that we can because it's on our
servers, just as any business can look into what's on their servers.

I would suppose that "spoofing" another student's email address is about
as illegal as putting someone else's return address on a snailmail
letter - not very (Or is it? I'm often surprised by what's illegal.).

--
keg

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * Keith E Gatling - Computer Instructor Manlius Pebble Hill School
5300 Jamesville Rd DeWitt, NY 13214
315.446.2452
http://www.gatling.us/keith

Some teachers teach subjects. Others teach students.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* *

[ For info on ISED-L see http://www.gds.org/ISED-L ] Submissions to
ISED-L are released under a Creative Commons license.

[ For info on ISED-L see http://www.gds.org/ISED-L ] Submissions to
ISED-L are released under a Creative Commons license.
Classification: UNCLASSIFIED=20
Caveats: NONE

[ For info on ISED-L see http://www.gds.org/ISED-L ]
Submissions to ISED-L are released under a Creative Commons license.