You may often encounter a warning message when logging in to a business or government computer system. These warnings are cropping up everywhere and sound pretty ominous. “Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected and disclosed to authorized site and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign.” Sound scary? It should. But why do businesses feel the need to come off as some Orwellian Big Brother?
The problem comes when the business tries to prosecute criminals who have invaded their network and caused damage. The argument is often made that the information being used against them violates the hacker’s privacy rights or it constitutes illegal search and seizure. Some have even gone so far as to say that the business wanted the system violated merely by connecting it to the Internet. The fact that the main entry screen for Microsoft Windows says “Welcome” has even successfully been used as an argument. The scary part is that the hackers have been winning.
To ensure that your legal case is not hijacked just as your system was, you need to provide clear and compelling information to any user of the system regardless of level of trust. It must be clearly stated that misuse of any part of the system is unacceptable. Putting this in front of users each time they sign on or make an attempt to gain entry to your system eliminates their ability to wage a defense against their being caught and prosecuted.
Don’t get caught in the trap that you provide anyone with an out. Do not make statements such as, “We are not really monitoring anyone. This is just for us to be able to prosecute hackers.” By watering down the message and the intent, you are reversing any gain from having the warning message. You might as well not have it at all. Your employees should clearly understand company policy and realize that anything they do should be business related. Personal e-mail, inappropriate Web sites or other activity unrelated to work is best done on their own time on their own equipment in their own homes.
Bob Radvanovsky has written an excellent white paper on login warning banners. This can be found at http://www.unixworks.net/papers/wp-007.pdf. For samples of banners in use at government offices (and at many businesses), check out the US Department of Energy’s information bulletin J-043h at http://ciac.llnl.gov/ciac/bulletins/j-043.shtml. The SANS Institute also has a detailed write-up explaining the legal reasons behind providing warnings at http://www.sans.org/resources/idfaq/evidence_preservation.php.