Federal Judges Take a Stance Against Workplace Monitoring
parvati writes: "The NYTimes is reporting that federal judges on the US Court of Appeals for the Ninth Circuit (the largest of the 12 regional circuit courts) disabled software on their office computers that monitored downloading of music, streaming video, and pornography--software that had been installed by the Washington-based Administrative Office of the Courts after a survey showed that 3-7% of the judicial computer traffic included streaming video and the like. The judges say that they are concerned about "the propriety and even the legality of monitoring Internet usage." The AOC is not pleased."
You're forgetting that sexual harassment laws would essentially allow all the female employees (and with a good enough lawyer the male ones) of the company to sue and collect billions in damages for the fact that a single individual was storing porn on company equipment. Remember the presence of pornography in the workplace, even if only one person ever looks at it, constitutes sexual harassment under U.S. laws and that monitoring all employees is required to avoid liability.
To: All Chief Judges, United States Courts
From: Chief Judge Mary M. Schroeder
Re: Clarification of AO Correspondence on Intrusion Detection System Shutdown
You have received a memorandum from Director Mecham dated June 15, 2001, regarding the Administrative Office's use of intrusion detection software on the Data Communications Network (DCN). This memorandum will provide you with additional information about why the Judicial Council of the Ninth Circuit directed that this software be disconnected for a brief period. Before doing so, let me emphasize two points:
1. The security of our computer systems has not been compromised. The firewall that protects the Internet gateway for the Eighth, Ninth and Tenth Circuits was not breached during the few days that the intrusion detection software was inactive. Our computer staff has assiduously investigated every rumored firewall breach both within and outside the Ninth Circuit. Thus far, every report of an incident has proven to be groundless.
2. All the Ninth Circuit seeks is a responsible, common sense resolution of the issues involved in Internet monitoring, after careful deliberation by the Judicial Conference.
Internet Security
The computer and networking equipment that permits courts in the Eighth, Ninth, and Tenth Circuits to access the Internet is located in San Francisco. These Internet access servers are controlled remotely from the AO offices in Washington, D.C. The servers are protected by a security system (hardware and software) that establishes a firewall between the DCN and the greater Internet. The firewall prevents unauthorized persons (hackers) from gaining access to the DCN and PACER networks. The servers also are equipped with an intrusion detection system, consisting of internal and external sensors, which enables the AO to detect hacking attempts. The intrusion detection system has some limited capacity to stop hackers, but is not a substitute for the firewall.
The best analogy is to a locked door and a surveillance camera. It is the door that keeps intruders out. The surveillance camera simply keeps track of who tried to enter and when. At no time has the firewall protecting the DCN been deactivated. Nor is there any evidence that the firewall has been penetrated. Our systems staff hosts the Internet websites for courts in the three circuits. We have contacted all the systems managers in the three circuits and none of them report any evidence of intrusion or damage to their court web sites. Furthermore, the current debate has nothing to do with the PACER network on which the court Pacernet, Electronic Case Filing, and Internet web servers reside, a point that is confused in Director Mecham's June 15 memorandum. These websites are protected by a separate arm of the intrusion detection system, which was unaffected by the actions of our judicial council. The PACER network's intrusion detection sensor was never touched, and thus continually operational during the period in question.
Internet Monitoring
The intrusion detection system also can be used for purposes unrelated to security, such as use of Internet bandwidth (capacity). In this case, the AO had configured part of the system to identify individual computers within the DCN that had been used to access Internet sites dealing with pornography, music, stock trading, and gambling. Information gleaned from this surveillance was being used by the AO to seek disciplinary action against court employees. On May 23-24, 2001, AO monitoring was discussed by both the Executive Committee of the Ninth Circuit Court of Appeals and the Judicial Council of the Ninth Circuit. Reaction from both bodies was sharply negative. The Executive Committee adopted a resolution urging the Judicial Council to direct that the relevant internal intrusion detection system be disconnected until such time as the AO agreed to use it for security monitoring only. The resolution was passed unanimously by the Judicial Council. The circuit executive immediately disconnected the relevant internal intrusion detection system and notified the chief judges of the Eighth and Tenth Circuits and the AO of this action. As it turned out, the relevant portion of the intrusion detection system had shut down on its own sometime over the previous five days. This shutdown apparently went unnoticed by AO systems staff, which is responsible for DCN monitoring, 24 hours a day, seven days a week.
Our Reasons
The Judicial Council of the Ninth Circuit took these actions for the following reasons:
1. We are concerned about the propriety, and even the legality, of monitoring Internet usage by court employees. A non-frivolous argument can be made that such activity violates the Electronic Communications Privacy Act of 1986, 18 U.S.C. 2510-2511, which imposes civil and criminal liability on any person "who intentionally intercepts . . . any wire, oral or electronic communication." This is of particular concern in our Circuit because of the construction given the Act in Konop v. Hawaiian Airlines, 236 F. 3d 1035, 1046 (9th Cir. 2001), which found liability when an employer accessed an employee website. The Act defines "electronic communication" quite broadly, including "any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature." 18 U.S.C. 2510(12).
2. We are particularly concerned that inadequate notice about the practice of monitoring had been provided to the judges and court staff. Most judges felt that surveillance of individual Internet activity as a means of enforcing an Internet policy without notice to the employee was inappropriate. If such an activity were to be put in place, it ought to be the result of official action of the Judicial Conference with notification to court staff.
3. We believe that there had been inadequate discussion about this policy and practice by the Judicial Conference of the United States. Indeed, it appeared to us that surveillance of employees and possibly even judges had been initiated without specific authority from the Judicial Conference or the Executive Committee. Judges were also concerned that the policy had been implemented without the input and consideration given other similar actions, such as the protection of privacy in electronic case filing. Many judges were concerned about the potential scope of the monitoring. The system has the potential to allow real time observation of individual Internet activity. Indeed, virtually the only function of the "inside" sensor is to monitor the Internet activities of court personnel, not to track incoming Internet activity. Much of the monitoring was not driven by bandwidth concerns, but content detection. Judges believed that a careful policy needed to be in place defining the scope of any monitoring and disclosure of monitoring results.
4. We are concerned about chief judges being asked to report to the AO on actions they may have taken. This is particularly troublesome without Judicial Conference policy directives. Why should a chief judge respond to the AO? Moreover, if a chief judge chooses not to respond, what would the AO believe is the appropriate next step? What is the basis for this? Since there is a "perk" aspect to some Internet use, how much privacy should be given to court personnel? If an employee engages in phone sex at work or places bets over the phone to his/her bookie, it would be embarrassing to the Judiciary, but we do not monitor all Judiciary personnel's phone calls to try to catch such potentially embarrassing conduct.
5. We are concerned that the definition of "inappropriate use" is too broad or might otherwise not be accepted by many chief judges. We are not convinced that downloading music or video files compromised bandwidth to the extent meriting monitoring. Many judges believe that less intrusive methods of administering an Internet policy ought to be pursued before actually conducting surveillance on employee Internet activity. Most court units have only just begun to educate and inform court staff about Internet concerns, particularly bandwidth usage. For example, many employees who were simply innocently unaware of bandwidth consequences would "stream" audio newscasts, particularly during the recent election and aftermath. In many court units, this practice was not against any official policy. Some judges believe that we ought to give court units an opportunity to address this in the first instance before monitoring.
6. Many judges were concerned that recording and monitoring information kept by the AO would be an inevitable part of any Senate confirmation process. In addition, some judges observed that if limiting embarrassment were the goal, we were creating great potential for embarrassment by intercepting, organizing and summarizing this material.
The Judicial Council of the Ninth Circuit fully supports legitimate system monitoring to detect hackers and outside threats to the security of the DCN. It believes that to the extent that the Committee on Automation and Technology and the Judicial Conference of the United States authorized any monitoring to date, it was for purposes of detecting hackers. The council does not believe that the judiciary leadership intended the process to be used to monitor the activity of judges and court personnel with the concomitant disciplinary action sought by the AO.
Next Steps
The Executive Committee of the Judicial Conference of the United States has directed the AO to cease monitoring for non-security purposes and asked the Conference's Automation and Technology Committee to develop a policy before the full Conference meets. The Automation and Technology Committee has formed a subcommittee that is looking into the issue.
Our need as a Judiciary to discuss these important issues and formulate an informed, legally viable and necessary policy is indeed the original point raised many months ago by our circuit executive with the Administrative Office. We gain nothing by disparaging each other's motives or by engaging in threats, but gain everything from a full, accurate, and candid discussion of the important issues at the heart of this problem. We in the Ninth Circuit welcome the opportunity to participate in that discussion.
augh! don't be fooled by the link -- it's really bowie j poag's weblog!!!
i hate being tricked into going there!
Login schmogin; try replacing the "www" in the URL with "archive" and you'll go straight to the page, no messing. This always works just fine for me.
One thing I noticed half-way through the article was a reference to employees being disciplined despite not being made aware of the policy. This is illegal.
Is a company monitoring your actions while at work illegal? Well, if they notify you upon receipt of employment they will not tolerate certain acts (sexual harassment, firearms, smoking, downloading streaming video) then you have a choice. Take that job and follow the rules... or don't. It's that simple. Since the equipment you are using belongs to the employers and the bandwidth you are using belongs to the employers, they have the right to state any policy they want.
Monitoring isn't bad. As a security guy, we have to monitor people daily. For instance, we watch any downloads >10MB and do content filtering... sometimes we need to investigate exactly what a user has been downloading. We watch files over 10MB because there isn't much that is downloaded over 10MB, and we only have maybe 25-30 legit downloads per day that are that size. Sometimes we see someone downloading a .mov or .rm file, but unless the site has sexually explicit content we don't bother investigating.
It IS in our company policy that using company computers for downloading pornography is illegal and all employees are made aware of this through a signed statement they return to H.R. upon being hired and through a mention of it at orientation at their first day of work.
It isn't illegal to do this, unless the company doesn't tell you they are doing it. If they use a "full disclosure" policy regarding things like this, then this is and should be completely legal.
http://archive.nytimes.com/2001/08/08/national/08COUR.html
"...that had been installed by the Washington-based Administrative Office of the Courts..."
August 8, 2001
Rebels in Black Robes Recoil at Surveillance of Computers
By NEIL A. LEWIS
WASHINGTON, Aug. 7 -- A group of federal employees who believed that the monitoring of their office computers was a major violation of their privacy recently staged an insurrection, disabling the software used to check on them and suggesting that the monitoring was illegal and unethical.
This was not just a random bunch of bureaucrats but a group of federal judges who are still engaged in a dispute with the office in Washington that administers the judicial branch and that had installed the software to detect downloading of music, streaming video and pornography.
It is a conflict that reflects the anxiety of workers at all levels at a time when technology allows any employer to examine each keystroke made on an office computer. In this case, the concern over the loss of privacy comes from the very individuals, federal judges, who will shape the rules of the new information era.
The insurrection took root this spring in the United States Court of Appeals for the Ninth Circuit, based in San Francisco and the largest of the nation's 12 regional circuits, covering 9 Western states and two territories. The Judicial Conference of the United States, the ultimate governing body of the courts, is to meet on Sept. 11 to resolve the matter.
The conflict between the circuit judges and the Administrative Office of the Courts, a small bureaucracy in Washington, deteriorated to a point that a council of the circuit's appeals and district judges ordered their technology staff to disconnect the monitoring program on May 24 for a week until a temporary compromise was reached. Because the Ninth Circuit's was also linked to the Eighth and Tenth Circuits, the shutdown affected about a third of the country and about 10,000 court employees, including more than 700 active and semiretired judges.
Leonidas Ralph Mecham, who runs the Administrative Office of the Courts, and who ordered the monitoring of all federal court workers, said in a March 5 memorandum that the software was to enhance security and reduce computer use that was not related to judicial work and that was clogging the system. A survey by his office, he wrote, "has revealed that as much as 3 to 7 percent of the judiciary browser's traffic consists of streaming media such as radio and video broadcasts, which are unlikely to relate to official business."
Officials in the judicial branch on both sides of the issue provided several internal memorandums written as the dispute continued over the weeks.
After the shutdown, Mr. Mecham complained in a memorandum that disconnecting the software was irresponsible and might have resulted in security breaches, allowing unauthorized outsiders access to the judiciary's internal confidential computer network. "The weeklong shutdown put the entire judiciary's data communication network at risk," he wrote on June 15.
Mr. Mecham warned in that memorandum that on the days before the software was disabled, there were hundreds of attempts at intrusion into the judiciary's network from places like China and Iran.
But Chief Judge Mary Schroeder of the Ninth Circuit responded that the concerns were overblown and that the circuit's technical people carefully monitored computer activity during the week that the software was disabled.
In a June 29 memorandum, she said that there was no evidence that the electronic firewall used to block hacking had been breached and suggested that Mr. Mecham had exaggerated the potential of a security breach because having hundreds of attempted breaches per day was routine and routinely blocked.
The Ninth Circuit disconnected the software, she wrote, because the monitoring policy was not driven by concern over overloading the system but Mr. Mecham's concern over "content detection." Many employees had been disciplined, she noted, because the software turned up evidence of such things as viewing pornography, although they had not been given any clear notice of the court's computer use policy.
Moreover, she wrote, the judiciary may have violated the law.
"We are concerned about the propriety and even the legality of monitoring Internet usage," she wrote. Her memorandum said that the judiciary could be liable to lawsuits and damages because the software might have violated the Electronic Communications Privacy Act of 1986, which imposes civil and criminal liability on any person who intentionally intercepts "any wire, oral or electronic communication."
She noted that the Ninth Circuit had ruled just this year that the law was violated when an employer accessed an employee Web site. In fact, the issues of what is permissible by employers have produced a patchwork of legal rulings and the matter has never been addressed directly by the Supreme Court.
Judge Alex Kozinski, a member of the Ninth Circuit appeals court, drafted and distributed an 18-page legal memorandum arguing that the monitoring was a violation of anti-wiretap statute.
Judge Kozinski, widely known for his libertarian views, said the court employees who were disciplined, an estimated three dozen, could be entitled to monetary damages if they brought a lawsuit.
A spokesman for Mr. Mecham said that the software could not identify specific employees but workstations. When unauthorized use was detected, Mr. Mecham's deputy, Clarence Lee Jr., wrote to the chief judge of the district, urging that the employee who used the workstation be identified and disciplined. One such letter includes an appendix listing the Web sites that employee had visited, some of them pornographic. There is no evidence that any alleged abuse of the system involved judges.
Judge Kozinski said: "Aside from my view that this may be a felony, it is something that we as federal judges have jurisdiction to consider. We have to pass on this very kind of conduct in the private sphere."
Prof. Jeffrey Rosen of the George Washington University Law School, author of a recent book on privacy, "The Unwanted Gaze" (Vintage 2001), said, "It's fascinating that the courts have to grapple with these issues so close to home." The law is evolving, he said, adding: "This drama with the judges reminds us of how thin the privacy protections are. There's a real choice right now whether e-mail and Web browsing should be regarded like the telephone or a postcard."
Judge Edwin L. Nelson, who is chairman of a judges' committee that deals with computer issues, said in an interview that his group met last week and drafted proposals to deal with monitoring. Judge Nelson would not discuss the proposals but they are almost certain to resemble policies used in the rest of the federal government, in which clear notice is given to computer users that they may be monitored.
Jim Flyzik, vice chairman of an interagency group that considers computer privacy issues in the federal government, said that each department had its own policy but that clear and unambiguous notification of monitoring was usually an element.
In the private sector, a survey by the American Management Association this year found that 63 percent of companies monitored employees' computer use.
As for numbers of attempts. Literally thousands in a week.
What is not clearly stated is that the AO installed IDS equipment both outside and inside the 9th Circuit gateway. The equipment disabled was the inside equipment. So there was never any security risk.