Computerworld - We've had some excitement around my department over the past few weeks involving law enforcement. If you work for an Internet service provider, you are probably familiar with what is called a Section 2703(f) court order.
Title 18 U.S.C. 2703(f) of the Electronic Communications Privacy Act of 1986 contains a provision requiring Internet service providers to take the necessary steps to preserve electronic records and other evidence pending the issuance of a court order or other legal process.
The order is simply a letter from a law enforcement agency requiring a service provider to preserve logs in preparation for a subpoena or search warrant. Receiving such letters is a common occurrence at Internet service providers -- but not at my company.
Suspicions Aired
A few weeks ago, I was called to our general counsel's office, which had received such an order. The letter, typed on fancy letterhead with a three-letter agency logo on top, instructed us to preserve any logs in relation to the network activity of one of our employees.
At the initial meeting, my team and I met with the investigator. He was fairly savvy about technology, which came as a surprise.
He said our employee was using his home computer to access child pornography on the Internet. But the investigator also suspected that the employee was sending pornographic pictures, videos and Web site address information to his e-mail account at work. And the agency had reason to believe that our employee was using his company-issued workstation to access these illegal sites.
I was pretty sure that the employee couldn't use his desktop workstation to access pornography Web sites, since we use content-filtering software that blocks access to most of them. But we had to comply with the order.
Normally, if law enforcement agents want to monitor someone's network activity, they present a Title III wiretap order. That enables investigators to install network-monitoring software that can be configured so they can monitor only a particular person's network traffic.
At our company, however, we already collect network traffic data through our intrusion-detection systems, so a Title III order wasn't needed. We typically keep three months of data, which includes all network traffic going in and out of our company at specific gateway locations.
We have about 20 sensors to gather that data, so I suggested that we filter the data from our network sensors and use our three months of saved data to assemble a profile of the user's network activity.
The investigator agreed, but he cautioned us to
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
