Slashdot Mirror

← Back to Stories (view on slashdot.org)

Federal Judges Take a Stance Against Workplace Monitoring

Posted by michael on from the showing-some-backbone dept.

parvati writes: "The NYTimes is reporting that federal judges on the US Court of Appeals for the Ninth Circuit (the largest of the 12 regional circuit courts) disabled software on their office computers that monitored downloading of music, streaming video, and pornography--software that had been installed by the Washington-based Administrative Office of the Courts after a survey showed that 3-7% of the judicial computer traffic included streaming video and the like. The judges say that they are concerned about "the propriety and even the legality of monitoring Internet usage." The AOC is not pleased."

5 of 185 comments (clear)

  1. Memorandum to Chief Judges, July 11, 2001 by nevis · · Score: 5, Informative

    To: All Chief Judges, United States Courts

    From: Chief Judge Mary M. Schroeder

    Re: Clarification of AO Correspondence on Intrusion Detection System Shutdown

    You have received a memorandum from Director Mecham dated June 15, 2001, regarding the Administrative Office's use of intrusion detection software on the Data Communications Network (DCN). This memorandum will provide you with additional information about why the Judicial Council of the Ninth Circuit directed that this software be disconnected for a brief period. Before doing so, let me emphasize two points:

    1. The security of our computer systems has not been compromised. The firewall that protects the Internet gateway for the Eighth, Ninth and Tenth Circuits was not breached during the few days that the intrusion detection software was inactive. Our computer staff has assiduously investigated every rumored firewall breach both within and outside the Ninth Circuit. Thus far, every report of an incident has proven to be groundless.

    2. All the Ninth Circuit seeks is a responsible, common sense resolution of the issues involved in Internet monitoring, after careful deliberation by the Judicial Conference. Internet Security The computer and networking equipment that permits courts in the Eighth, Ninth, and Tenth Circuits to access the Internet is located in San Francisco. These Internet access servers are controlled remotely from the AO offices in Washington, D.C. The servers are protected by a security system (hardware and software) that establishes a firewall between the DCN and the greater Internet. The firewall prevents unauthorized persons (hackers) from gaining access to the DCN and PACER networks. The servers also are equipped with an intrusion detection system, consisting of internal and external sensors, which enables the AO to detect hacking attempts. The intrusion detection system has some limited capacity to stop hackers, but is not a substitute for the firewall.

    The best analogy is to a locked door and a surveillance camera. It is the door that keeps intruders out. The surveillance camera simply keeps track of who tried to enter and when. At no time has the firewall protecting the DCN been deactivated. Nor is there any evidence that the firewall has been penetrated. Our systems staff hosts the Internet websites for courts in the three circuits. We have contacted all the systems managers in the three circuits and none of them report any evidence of intrusion or damage to their court web sites. Furthermore, the current debate has nothing to do with the PACER network on which the court Pacernet, Electronic Case Filing, and Internet web servers reside, a point that is confused in Director Mecham's June 15 memorandum. These websites are protected by a separate arm of the intrusion detection system, which was unaffected by the actions of our judicial council. The PACER network's intrusion detection sensor was never touched, and thus continually operational during the period in question.

    Internet Monitoring

    The intrusion detection system also can be used for purposes unrelated to security, such as use of Internet bandwidth (capacity). In this case, the AO had configured part of the system to identify individual computers within the DCN that had been used to access Internet sites dealing with pornography, music, stock trading, and gambling. Information gleaned from this surveillance was being used by the AO to seek disciplinary action against court employees. On May 23-24, 2001, AO monitoring was discussed by both the Executive Committee of the Ninth Circuit Court of Appeals and the Judicial Council of the Ninth Circuit. Reaction from both bodies was sharply negative. The Executive Committee adopted a resolution urging the Judicial Council to direct that the relevant internal intrusion detection system be disconnected until such time as the AO agreed to use it for security monitoring only. The resolution was passed unanimously by the Judicial Council. The circuit executive immediately disconnected the relevant internal intrusion detection system and notified the chief judges of the Eighth and Tenth Circuits and the AO of this action. As it turned out, the relevant portion of the intrusion detection system had shut down on its own sometime over the previous five days. This shutdown apparently went unnoticed by AO systems staff, which is responsible for DCN monitoring, 24 hours a day, seven days a week.

    Our Reasons

    The Judicial Council of the Ninth Circuit took these actions for the following reasons:

    1. We are concerned about the propriety, and even the legality, of monitoring Internet usage by court employees. A non-frivolous argument can be made that such activity violates the Electronic Communications Privacy Act of 1986, 18 U.S.C. 2510-2511, which imposes civil and criminal liability on any person "who intentionally intercepts . . . any wire, oral or electronic communication." This is of particular concern in our Circuit because of the construction given the Act in Konop v. Hawaiian Airlines, 236 F. 3d 1035, 1046 (9th Cir. 2001), which found liability when an employer accessed an employee website. The Act defines "electronic communication" quite broadly, including "any transfer of signs, signals, writing, images, sounds, date or intelligence of any nature." 18 U.S.C. 2510(12).

    2. We are particularly concerned that inadequate notice about the practice of monitoring had been provided to the judges and court staff. Most judges felt that surveillance of individual Internet activity as a means of enforcing an Internet policy without notice to the employee was inappropriate. If such an activity were to be put in place, it ought to be the result of official action of the Judicial Conference with notification to court staff.

    3. We believe that there had been inadequate discussion about this policy and practice by the Judicial Conference of the United States. Indeed, it appeared to us that surveillance of employees and possibly even judges had been initiated without specific authority from the Judicial Conference or the Executive Committee. Judges were also concerned that the policy had been implemented without the input and consideration given other similar actions, such as the protection of privacy in electronic case filing. Many judges were concerned about the potential scope of the monitoring. The system has the potential to allow real time observation of individual Internet activity. Indeed, virtually the only function of the "inside" sensor is to monitor the Internet activities of court personnel, not to track incoming Internet activity. Much of the monitoring was not driven by bandwidth concerns, but content detection. Judges believed that a careful policy needed to be in place defining the scope of any monitoring and disclosure of monitoring results.

    4. We are concerned about chief judges being asked to report to the AO on actions they may have taken. This is particularly troublesome without Judicial Conference policy directives. Why should a chief judge respond to the AO? Moreover, if a chief judge chooses not to respond, what would the AO believe is the appropriate next step? What is the basis for this? Since there is a "perk" aspect to some Internet use, how much privacy should be given to courtpersonnel? If an employee engages in phone sex at work or places bets over the phone to his/her bookie, it would be embarrassing to the Judiciary, but we do not monitor all Judiciary personnel's phone calls to try to catch such potentially embarrassing conduct.

    5. We are concerned that the definition of "inappropriate use" is too broad or might otherwise not be accepted by many chief judges. We are not convinced that downloading music or video files compromised bandwidth to the extent meriting monitoring. Many judges believe that less intrusive methods of administering an Internet policy ought to be pursued before actually conducting surveillance on employee Internet activity. Most court units have only just begun to educate and inform court staff about Internet concerns, particularly bandwidth usage. For example, many employees who were simply innocently unaware of bandwidth consequences would "stream" audio newscasts, particularly during the recent election and aftermath. In many court units, this practice was not against any official policy. Some judges believe that we ought to give court units an opportunity to address this in the first instance before monitoring.

    6. Many judges were concerned that recording and monitoring information kept by the AO would be an inevitable part of any Senate confirmation process. In addition, some judges observed that if limiting embarrassment were the goal, we were creating great potential for embarrassment by intercepting, organizing and summarizing this material.

    The Judicial Council of the Ninth Circuit fully supports legitimate system monitoring to detect hackers and outside threats to the security of the DCN. It believes that to the extent that the Committee on Automation and Technology and the Judicial Conference of the United States authorized any monitoring to date, it was for purposes of detecting hackers. The council does not believe that the judiciary leadership intended the process to be used to monitor the activity of judges and court personnel with the concomitant disciplinary action

    sought by the AO.

    Next Steps

    The Executive Committee of the Judicial Conference of the United States has directed the AO to cease monitoring for non-security purposes and asked the Conference's Automation and Technology Committee to develop a policy before the full Conference meets. The Automation and Technology Committee has formed a subcommittee that is looking into the issue.

    Our need as a Judiciary to discuss these important issues and formulate an informed, legally viable and necessary policy is indeed the original point raised many months ago by our circuit executive with the Administrative Office. We gain nothing by disparaging each others' motives or by engaging in threats, but gain everything from a full, accurate, and candid discussion of the important issues at the heart of this problem. We in the Ninth Circuit welcome the opportunity to participate in that discussion.

  2. Re:Need an article mirror... by Dr_Cheeks · · Score: 3, Informative

    Login schmogin; try replacing the "www" in the URL with "archive" and you'll go straight to the page, no messing. This always works just fine for me.

    --

  3. Missing the Point by isa-kuruption · · Score: 5, Informative

    One thing I noticed half-way through the article was a reference to employees being disciplined despite not being made aware of the policy. This is illegal.

    Is a company monitoring your actions while at work illegal? Well, if they notify you upon receipt of employment they will not tolerate certain acts (sexual harrassment, firearms, smoking, downloading streaming video) then you have a choice. Take that job and follow the rules... or don't. It's that simple. Since the equipment you are using belongs to the employers and the bandwidth you are using belongs to the employers, they have the right to state any policy they want.

    Monitoring isn't bad. As a security guy, we have to monitor people daily. For instance, we watch any downloads >10MB and do content filtering... sometimes we need to investigate exactly what a user has been downloading. We watch files over 10MB because there isn't much that is downloaded over 10MB, and we only have maybe 25-30 legit downloads per day that are that size. Sometimes we see someone downloading a .mov or .rm file, but unless the site has sexually explicit content we don't bother investigating.

    It IS in our company policy that using company computers for downloading pornography is illegal and all employees are made aware of this through a signed statement they return to H.R. upon being hired and through a mention of it at orientation at their first day of work.

    It isn't illegal to do this, unless the company doesn't tell you they are doing it. If they use a "full disclosure" policy regarding things like this, then this is and should be completely legal.

  4. No-login Link by zerosignal · · Score: 3, Informative

    http://archive.nytimes.com/2001/08/08/national/08C OUR.html

  5. Re:Questions by nevis · · Score: 2, Informative

    As for numbers of attempts. Literally thousands in a week.

    What is not clearly stated is that the AO installed IDS equipment both outside and inside the 9th Circuit gateway. The equipment disabled was the inside equipment. So there was never any security risk.