Security Basics mailing list archives

Login Banner
From: <stray+security-basics () itys net>
Date: Mon, 30 Dec 2002 11:33:16 -0500 (EST)

Albeit delayed:


APPENDIX A: Sample Network Banner Language

         Network banners are electronic messages that provide notice of
legal rights to users of computer networks.  From a legal standpoint,
banners have four primary functions.  First, banners may be used to generate
consent to real-time monitoring under Title III.  Second, banners may be
used to generate consent to the retrieval of stored files and records
pursuant to ECPA.  Third, in the case of government networks, banners may
eliminate any Fourth Amendment "reasonable expectation of privacy" that
government employees or other users might otherwise retain in their use of
the government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
Fourth, in the case of a non-government network, banners may establish a
system administrator's "common authority" to consent to a law enforcement
search pursuant to United States v. Matlock, 415 U.S. 164 (1974).

         CCIPS does not take any position on whether providers of network
services should use network banners, and, if so, what types of banners they
should use.  Further, there is no formal "magic language" that is necessary.
However, it is important to realize that banners may be worded narrowly or
broadly, and the scope of consent and waiver triggered by a particular
banner will in general depend on the scope of its language. Here is a
checklist of issues that may be considered when drafting a banner:

    * a) Does the banner state that use of the network constitutes consent
to monitoring? Such a statement helps establish the user's consent to
real-time interception pursuant to 18 U.S.C. § 2511(2)(c) (monitoring by law
enforcement agency) or § 2511(2)(d) (provider monitoring).
    * b) Does the banner state that use of the network constitutes consent
to the retrieval and disclosure of information stored on the network? Such a
statement helps establish the user's consent to the retrieval and disclosure
of such information and/or records pursuant to 18 U.S.C. §§ 2702(b)(3),
2702(c)(2), and 2703(c)(1)(C).
    * c) In the case of a government network, does the banner state that a
user of the network shall have no reasonable expectation of privacy in the
network?  Such a statement helps establish that the user lacks a reasonable
expectation of privacy pursuant to O'Connor v. Ortega, 480 U.S. 709 (1987).
    * d) In the case of a non-government network, does the banner make clear
that the network system administrator(s) may consent to a law enforcement
search?  Such a statement helps establish the system administrator's common
authority to consent to a search under United States v. Matlock, 415 U.S.
164 (1974).
    * e) Does the banner contain express or implied limitations or
authorizations relating to the purpose of any monitoring, who may conduct
the monitoring, and what will be done with the fruits of any monitoring?
    * f) Does the banner state what users are authorized to access the
network, and the consequences of unauthorized use of the network? Such
notice makes it easier to establish knowledge of unauthorized use, and
therefore may aid prosecution under 18 U.S.C. § 1030.
    * g) Does the banner require users to "click through" or otherwise
acknowledge the banner before using the network? Such a step may make it
easier to establish that the network user actually received the notice that
the banner is designed to provide.

Network providers who decide to banner all or part of their network should
consider their needs and the needs of their users carefully before selecting
particular language.  For example, a sensitive government computer network
may require a broadly worded banner that permits access to all types of
electronic information.  Here are three examples of broad banners:

   1. WARNING!  This computer system is the property of the United States
Department of Justice and may be accessed only by authorized users.
Unauthorized use of this system is strictly prohibited and may be subject to
criminal prosecution.  The Department may monitor any activity or
communication on the system and retrieve any information stored within the
system.  By accessing and using this computer, you are consenting to such
monitoring and information retrieval for law enforcement and other purposes.
Users should have no expectation of privacy as to any communication on or
information stored within the system, including information stored locally
on the hard drive or other media in use with this unit (e.g., floppy disks,
PDAs and other hand-held peripherals, CD-ROMs, etc.)
   2. This is a Department of Defense (DoD) computer system.  DoD computer
systems are provided for the processing of Official U.S. Government
information only.  All data contained within DoD computer systems is owned
by the Department of Defense, and may be monitored, intercepted, recorded,
read, copied, or captured in any manner and disclosed in any manner, by
authorized personnel.  THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM.  System
personnel may disclose any potential evidence of crime found on DoD computer
   3. You are about to access a United States government computer network
that is intended for authorized users only.  You should have no expectation
of privacy in your use of this network.  Use of this network constitutes
consent to monitoring, retrieval, and disclosure of any information stored
within the network for any purpose including criminal prosecution.

               In other cases, network providers may wish to establish a
more limited monitoring policy.  Here are three examples of relatively
narrow banners that will generate consent to monitoring in some situations
but not others:
   4. This computer network belongs to the Grommie Corporation and may be
used only by Grommie Corporation employees and only for work-related
purposes.  The Grommie Corporation reserves the right to monitor use of this
network to ensure network security and to respond to specific allegations of
employee misuse.  Use of this network shall constitute consent to monitoring
for such purposes.  In addition, the Grommie Corporation reserves the right
to consent to a valid law enforcement request to search the network for
evidence of a crime stored within the network.
   5. Warning: Patrons of the Cyber-Fun Internet Café may not use its
computers to access, view, or obtain obscene materials.  To ensure
compliance with this policy, the Cyber-Fun Internet Café reserves the right
to record the names and addresses of World Wide Web sites that patrons visit
using Cyber-Fun Internet Café computers.
   6. It is the policy of the law firm of Rowley & Yzaguirre to monitor the
Internet access of its employees to ensure compliance with law firm
policies.  Accordingly, your use of the Internet may be monitored.  The firm
reserves the right to disclose the fruits of any monitoring to law
enforcement if it deems such disclosure to be appropriate.
