rkan@mole.ai.mit.edu (R. Kan) (03/02/91)
I have reason to believe that my e-mail is being monitored by my sysadmins on another system that I am on. They have stated that since the university owns the computer, I have no right to privacy on the system even though I have not signed any statements saying I give up my rights in order to use the system. Is this valid from a legal viewpoint? Can they read anyone's mail at their discretion?

There is a witchhunt going on right now on this system to get rid of users that do not use the system for "legitimate" purposes... i.e. no games, no ftp, no irc. The latest security measures include closing off "chfn" and "last". I have never been on a Unix system where wtmp was closed off for security reasons; are there any systems out there that have this "high security risk" shut off?

Please e-mail or reply here so I can show them how bogus they are.

R. Kan
lear@turbo.bio.net (Eliot) (03/02/91)
In referenced article rkan@mole.ai.mit.edu (R. Kan) wonders if it's legally ok for his system administrators to snoop in his mail.

I'm no lawyer, but I did follow the goings on with the Electronic Communications Privacy Act of 1986 a little. There are, as I understand it, two things going against you in this case:

[1] In terms of breaches of privacy, ECPA makes explicit exemption for service providers from just about any form of prosecution so long as they do not divulge any information, even if that your mail file falls under ECPA, and that you are being provided a service).

[2] They told you that they were going to do so. Therefore you do not have a reasonable expectation of privacy, so your chances of actually pushing forward on the privacy issue are considerably diminished, as I understand it. Apparently this is common law.

On these two points perhaps an enlightened member of the bar might wish to make a comment (Mike)?

There is, I understand it, one thing going for you in this case:

[1] Didn't MIT have some big internal stink about what thou shalt and shalt not do with mail files? It's possible that your system administrators are violating some internal policy. I refer you to Jeff Schiller for more details on that question (jis@mit.edu).

--
Eliot Lear [lear@turbo.bio.net]
rkan@mole.ai.mit.edu (R. Kan) (03/03/91)
In article <Mar.1.19.02.06.1991.10847@turbo.bio.net> lear@turbo.bio.net (Eliot) writes:
>[2] They told you that they were going to do so. Therefore you do

They (my university computing center system administrators) did NOT tell me or anyone else they were going to monitor e-mail. They do not even have an explicit policy regarding e-mail. They told me after I suspected my mail was monitored that they reserved the right to read e-mail if they deemed it necessary to protect the system against illegal use of the system. This I can understand and agree with except that I was not made aware beforehand that they could do this. They have no guidelines as to what constitutes probable cause to initiate a search, and they do not state in any written policy that they have this right.

The users of the system do not know they are giving up certain rights of privacy to the system administrators when they use the system. Because of this lack of official policy, it is up to the whims of the individual sys admins to do as they see fit without being held accountable for their actions. This is what I am concerned about.

>There is, I understand it, one thing going for you in this case:
>
>[1] Didn't MIT have some big internal stink about what thou shalt
>    and shalt not do with mail files? It's possible that your

I have to clarify this better. I am NOT referring to MIT, I am referring to another university system which I am on. This specific case has nothing to do with MIT.

In case anyone is interested in how I suspected my e-mail was read, I logged on to the system one day with a "You have mail." message. When I tried to read my mail though, I got a "No mail." message. I thought this was rather strange so I did an "ls -l /usr/spool/mail/mylogin" where "mylogin" is my login name, therefore the name of my mail file. This is what I saw:

    -rw------- 1 root    20055 Feb 21 18:35 /usr/spool/mail/mylogin
    -rw------- 1 mylogin 19873 Feb 21 16:07 /usr/spool/mail/mylogin~

Apparently some bozo forgot to restore ownership of my mail file to me. I could access the backup file they made but all mail to me bounced until the ownership of my real mail file was restored to me a day later. They actually deleted the root owned file and just renamed the backup file, so I lost whatever new mail was in the original mail file since the original file is larger than the backup file. So far, they have not given me a decent answer about this.

Again, let me reiterate, this has nothing to do with MIT.

R. Kan
dawn@ux1.cso.uiuc.edu (Dawn Owens) (03/04/91)
Someone (sorry, I don't recall who) suggested that because the sysadmins told this guy that they were reading his mail, that he no longer had a reasonable expectation of privacy.

I am not a lawyer, but I was under the impression that the expectation of privacy was NOT a subjective one but an objective one. That is, there are some places where one *should* expect privacy. And this is not dependent on any subjective feelings about whether things are private or not by a particular person involved.

For instance, I don't think that regarding conversations held on a public sidewalk, one can have a reasonable expectation of privacy, even if it seems private, or that no one is listening to you.

On the other hand, you can have a reasonable expectation of privacy regarding conversations held in your bedroom. EVEN if some guy shows up at your door and says "Hey, I planted a tape recorder in your bedroom, and I can hear everything you say," your reasonable expectation of privacy is not eliminated.

That is, one cannot shield him/herself from wrongdoing simply by telling you he/she is going to do it. If that were the case, Ted Bundy could have put up a disclaimer in his Volkswagen, and still be alive today. (I know, not a great analogy.)

Also, I was under the impression that the ECPA did not use an expectation of privacy standard at all. I will reread the act, but I don't recall seeing it there.

Dawn
walter@sumax.seattleu.edu (walter) (03/04/91)
rkan@mole.ai.mit.edu (R. Kan) writes:
>
> I have reason to believe that my e-mail is being monitored by
> my sysadmins on another system that I am on. They have stated
> that since the university owns the computer, I have no right to
> privacy on the system even though I have not signed any statements
> saying I give up my rights in order to use the system. Is this

Your rights, under the law, to privacy on the system you mention are, for the most part, covered in the Electronic Communications Privacy Act of 1986 (Federal statute). If you were given to expect privacy on this system, you might have a cause for grievance under the ECPA.

However, the ECPA allows for operators of systems such as the one to which you refer a certain amount of leeway in viewing private conversations/E-Mail as an incident to system maintenance. This, of course, does not mean that whatever information is discovered can be revealed or used elsewhere unless such information relates to illegal activity.

It's also important to note that systems can, and do, disclaim facilities for private E-Mail. If the claim is technically valid, then you should expect NOT to have privacy on that system.

Walter
--
halcyon!walter@sumax.seattleu.edu
The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA
+++ A Waffle Iron +++