Slashdot Mirror
Federal Judges Take a Stance Against Workplace Monitoring
parvati writes: "The NYTimes is reporting that federal judges on the US Court of Appeals for the Ninth Circuit (the largest of the 12 regional circuit courts) disabled software on their office computers that monitored downloading of music, streaming video, and pornography--software that had been installed by the Washington-based Administrative Office of the Courts after a survey showed that 3-7% of the judicial computer traffic included streaming video and the like. The judges say that they are concerned about "the propriety and even the legality of monitoring Internet usage." The AOC is not pleased."
My workplace monitors IP traffic left, right and sideways.
My thoughts on the matter...?
Well, lessee, <tap>,<tap> ...areyou listening, OK!
"Provided by the management for your protection."
To: All Chief Judges, United States Courts
From: Chief Judge Mary M. Schroeder
Re: Clarification of AO Correspondence on Intrusion Detection System Shutdown
You have received a memorandum from Director Mecham dated June 15, 2001, regarding the Administrative Office's use of intrusion detection software on the Data Communications Network (DCN). This memorandum will provide you with additional information about why the Judicial Council of the Ninth Circuit directed that this software be disconnected for a brief period. Before doing so, let me emphasize two points:
1. The security of our computer systems has not been compromised. The firewall that protects the Internet gateway for the Eighth, Ninth and Tenth Circuits was not breached during the few days that the intrusion detection software was inactive. Our computer staff has assiduously investigated every rumored firewall breach both within and outside the Ninth Circuit. Thus far, every report of an incident has proven to be groundless.
2. All the Ninth Circuit seeks is a responsible, common sense resolution of the issues involved in Internet monitoring, after careful deliberation by the Judicial Conference. Internet Security The computer and networking equipment that permits courts in the Eighth, Ninth, and Tenth Circuits to access the Internet is located in San Francisco. These Internet access servers are controlled remotely from the AO offices in Washington, D.C. The servers are protected by a security system (hardware and software) that establishes a firewall between the DCN and the greater Internet. The firewall prevents unauthorized persons (hackers) from gaining access to the DCN and PACER networks. The servers also are equipped with an intrusion detection system, consisting of internal and external sensors, which enables the AO to detect hacking attempts. The intrusion detection system has some limited capacity to stop hackers, but is not a substitute for the firewall.
The best analogy is to a locked door and a surveillance camera. It is the door that keeps intruders out. The surveillance camera simply keeps track of who tried to enter and when. At no time has the firewall protecting the DCN been deactivated. Nor is there any evidence that the firewall has been penetrated. Our systems staff hosts the Internet websites for courts in the three circuits. We have contacted all the systems managers in the three circuits and none of them report any evidence of intrusion or damage to their court web sites. Furthermore, the current debate has nothing to do with the PACER network on which the court Pacernet, Electronic Case Filing, and Internet web servers reside, a point that is confused in Director Mecham's June 15 memorandum. These websites are protected by a separate arm of the intrusion detection system, which was unaffected by the actions of our judicial council. The PACER network's intrusion detection sensor was never touched, and thus continually operational during the period in question.
Internet Monitoring
The intrusion detection system also can be used for purposes unrelated to security, such as use of Internet bandwidth (capacity). In this case, the AO had configured part of the system to identify individual computers within the DCN that had been used to access Internet sites dealing with pornography, music, stock trading, and gambling. Information gleaned from this surveillance was being used by the AO to seek disciplinary action against court employees. On May 23-24, 2001, AO monitoring was discussed by both the Executive Committee of the Ninth Circuit Court of Appeals and the Judicial Council of the Ninth Circuit. Reaction from both bodies was sharply negative. The Executive Committee adopted a resolution urging the Judicial Council to direct that the relevant internal intrusion detection system be disconnected until such time as the AO agreed to use it for security monitoring only. The resolution was passed unanimously by the Judicial Council. The circuit executive immediately disconnected the relevant internal intrusion detection system and notified the chief judges of the Eighth and Tenth Circuits and the AO of this action. As it turned out, the relevant portion of the intrusion detection system had shut down on its own sometime over the previous five days. This shutdown apparently went unnoticed by AO systems staff, which is responsible for DCN monitoring, 24 hours a day, seven days a week.
Our Reasons
The Judicial Council of the Ninth Circuit took these actions for the following reasons:
1. We are concerned about the propriety, and even the legality, of monitoring Internet usage by court employees. A non-frivolous argument can be made that such activity violates the Electronic Communications Privacy Act of 1986, 18 U.S.C. 2510-2511, which imposes civil and criminal liability on any person "who intentionally intercepts . . . any wire, oral or electronic communication." This is of particular concern in our Circuit because of the construction given the Act in Konop v. Hawaiian Airlines, 236 F. 3d 1035, 1046 (9th Cir. 2001), which found liability when an employer accessed an employee website. The Act defines "electronic communication" quite broadly, including "any transfer of signs, signals, writing, images, sounds, date or intelligence of any nature." 18 U.S.C. 2510(12).
2. We are particularly concerned that inadequate notice about the practice of monitoring had been provided to the judges and court staff. Most judges felt that surveillance of individual Internet activity as a means of enforcing an Internet policy without notice to the employee was inappropriate. If such an activity were to be put in place, it ought to be the result of official action of the Judicial Conference with notification to court staff.
3. We believe that there had been inadequate discussion about this policy and practice by the Judicial Conference of the United States. Indeed, it appeared to us that surveillance of employees and possibly even judges had been initiated without specific authority from the Judicial Conference or the Executive Committee. Judges were also concerned that the policy had been implemented without the input and consideration given other similar actions, such as the protection of privacy in electronic case filing. Many judges were concerned about the potential scope of the monitoring. The system has the potential to allow real time observation of individual Internet activity. Indeed, virtually the only function of the "inside" sensor is to monitor the Internet activities of court personnel, not to track incoming Internet activity. Much of the monitoring was not driven by bandwidth concerns, but content detection. Judges believed that a careful policy needed to be in place defining the scope of any monitoring and disclosure of monitoring results.
4. We are concerned about chief judges being asked to report to the AO on actions they may have taken. This is particularly troublesome without Judicial Conference policy directives. Why should a chief judge respond to the AO? Moreover, if a chief judge chooses not to respond, what would the AO believe is the appropriate next step? What is the basis for this? Since there is a "perk" aspect to some Internet use, how much privacy should be given to courtpersonnel? If an employee engages in phone sex at work or places bets over the phone to his/her bookie, it would be embarrassing to the Judiciary, but we do not monitor all Judiciary personnel's phone calls to try to catch such potentially embarrassing conduct.
5. We are concerned that the definition of "inappropriate use" is too broad or might otherwise not be accepted by many chief judges. We are not convinced that downloading music or video files compromised bandwidth to the extent meriting monitoring. Many judges believe that less intrusive methods of administering an Internet policy ought to be pursued before actually conducting surveillance on employee Internet activity. Most court units have only just begun to educate and inform court staff about Internet concerns, particularly bandwidth usage. For example, many employees who were simply innocently unaware of bandwidth consequences would "stream" audio newscasts, particularly during the recent election and aftermath. In many court units, this practice was not against any official policy. Some judges believe that we ought to give court units an opportunity to address this in the first instance before monitoring.
6. Many judges were concerned that recording and monitoring information kept by the AO would be an inevitable part of any Senate confirmation process. In addition, some judges observed that if limiting embarrassment were the goal, we were creating great potential for embarrassment by intercepting, organizing and summarizing this material.
The Judicial Council of the Ninth Circuit fully supports legitimate system monitoring to detect hackers and outside threats to the security of the DCN. It believes that to the extent that the Committee on Automation and Technology and the Judicial Conference of the United States authorized any monitoring to date, it was for purposes of detecting hackers. The council does not believe that the judiciary leadership intended the process to be used to monitor the activity of judges and court personnel with the concomitant disciplinary action
sought by the AO.Next Steps
The Executive Committee of the Judicial Conference of the United States has directed the AO to cease monitoring for non-security purposes and asked the Conference's Automation and Technology Committee to develop a policy before the full Conference meets. The Automation and Technology Committee has formed a subcommittee that is looking into the issue.
Our need as a Judiciary to discuss these important issues and formulate an informed, legally viable and necessary policy is indeed the original point raised many months ago by our circuit executive with the Administrative Office. We gain nothing by disparaging each others' motives or by engaging in threats, but gain everything from a full, accurate, and candid discussion of the important issues at the heart of this problem. We in the Ninth Circuit welcome the opportunity to participate in that discussion.
Well, if they notify you upon receipt of employment
Except that NOBODY notifies employees of policy concurrently with the offer. The policy notification only happens *after* you have started the new job, when they have you over a barrel. And they change policies freely during your employment, leaving you no choice but to accept or walk out. This is a significant power differential, and it suggests that these are not "contracts freely entered into", but that there is some measure of coercion involved.
For further proof, imagine asking for a copy of the employee handbook in an interview. Do you think you'll get that offer? I'll bet it wouldn't help your chances. That says volumes about the coercive nature of this so-called "contract".
One thing I noticed half-way through the article was a reference to employees being disciplined despite not being made aware of the policy. This is illegal.
.mov or .rm file, but unless the site has sexually explicit content we don't bother investigating.
Is a company monitoring your actions while at work illegal? Well, if they notify you upon receipt of employment they will not tolerate certain acts (sexual harrassment, firearms, smoking, downloading streaming video) then you have a choice. Take that job and follow the rules... or don't. It's that simple. Since the equipment you are using belongs to the employers and the bandwidth you are using belongs to the employers, they have the right to state any policy they want.
Monitoring isn't bad. As a security guy, we have to monitor people daily. For instance, we watch any downloads >10MB and do content filtering... sometimes we need to investigate exactly what a user has been downloading. We watch files over 10MB because there isn't much that is downloaded over 10MB, and we only have maybe 25-30 legit downloads per day that are that size. Sometimes we see someone downloading a
It IS in our company policy that using company computers for downloading pornography is illegal and all employees are made aware of this through a signed statement they return to H.R. upon being hired and through a mention of it at orientation at their first day of work.
It isn't illegal to do this, unless the company doesn't tell you they are doing it. If they use a "full disclosure" policy regarding things like this, then this is and should be completely legal.
Understanding that the browser was NOT an intrinsic part of the operating system, for example would have taken all of 60 seconds.
Curious George
***General Consultant to the Human Race*** My opinions are free. You get what you pay for.
is that the higher-ups only begin to question the legality/ethics of software monitoring when it happens to them directly.
Although I'm not a big fan of workplace monitoring, this instance smacks of that guy whose neighbor told him about the how p2p likes to find kids, give them pr0n and take their bikes.
In a perfect world, the folks in D.C. would listen to the concerns of those of us who are bugged by privacy intrusions when they first start. I guess I'm not really one to complain, since I've never written a letter to my congressdude.
Maybe we should start writing. That way we'll be justified in complaining when congressmen/judges only care about things affecting them directly, or when they hear it from their neighbor's kid's cat.
It is all fun and games till a judge loses his p0rn.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
If you'd bothered to read the fascinating article, you'd have seen that the NYT explicitly says: "There is no evidence that any alleged abuse involves judges." Just so you know.
And in fact, the issues they are worried about are :
- Judge Alex Kozinski, a member of the Ninth Circuit appeals court, [argues] that the monitoring was a violation of anti- wiretap statute.
- "Aside from my view that this may be a felony, it is something that we as federal judges have jurisdiction to consider. We have to pass on this very kind of conduct in the private sphere."
- "In fact, the issues of what is permissible by employers have produced a patchwork of legal rulings and the matter has never been addressed directly by the Supreme Court."
That's what they are worried about. And as for using their tech smarts: they just ordered their sysadmin to disable monitoring software. Try reading the article, mmmkay?"I will take the Ring," he said, "though I do not know the way."