150 likes | 171 Views
Use Policies. Deputy Attorney General Robert Morgester Robert.Morgester@doj.ca.gov. Use Policy. Communicating the use policy Word of mouth Employee manuals Banners Things that every good use policy should have. The Good Policy.
E N D
Use Policies Deputy Attorney General Robert Morgester Robert.Morgester@doj.ca.gov
Use Policy • Communicating the use policy • Word of mouth • Employee manuals • Banners • Things that every good use policy should have . . . .
The Good Policy • Does the banner state that the use of the network constitutes consent to monitoring? • Helps establish consent for • Provider monitoring • Law enforcement monitoring
The Good Policy • Does the banner state that the use of the network constitutes consent to retrieval and disclosure of information stored on the network ? • Helps establish consent to the retrieval and disclosure of such information and/or records
The Good Policy • Does the banner state that the use of the network constitutes consent to retrieval and disclosure of information stored on the computer ? • Helps establish consent to the retrieval and disclosure of such information and/or records
Biby vs. Univ. of Nebraska • Search of employee computer done in response to a civil suit. • Employee sued for breach of privacy • Court found: • No reasonable expectation of privacy because computer use policy indicated computer could be searched when university was responding to discovery • Concurring opinion noted that university policy were to some degree private
The Good Policy • With government networks, does the banner state that the user of the network shall have no reasonable expectation of privacy in the network ? • Helps establish that user lacks a reasonable expectation of privacy pursuant to O’Conner v. Ortega (1987) 480 U.S. 709. • And what about that “C” drive?
The Good Policy • In the case of non-government network, does the banner make clear that the network system administrator may consent to a law enforcement search? • Establishes system administrator’s common authority to consent to a search under United States v. Matlock (1974) 415 U.S. 164. • And what about that “C” drive?
The Good Policy • Does the banner contain express or implied limitations or authorizations relating to the purpose of any monitoring / search, and what will be done with the fruits of any monitoring / search? • Do you want to limit why you can monitor? • Where do you want to be able to use the information found?
People v. Jiang (2002) 33 Cal.Rptr.3d 184 • Suspect of a sexual assault had his work lap computer produced by court order. Incriminating files were marked “Attorney” • Agreement signed by defendant did not preclude personal use of the computer • Nor did in mention anything about the company copying or disclosing the contents of the computer
The Good Policy • Does the banner state what users are unauthorized to access the network, and the consequences of unauthorized use of he network? • Makes it easier to establish unauthorized use?
The Good Policy • Does the banner require users to click through or otherwise acknowledge the banner before using the network? • Makes it easier to establish the user actually received the notice.
Sample Banner • WARNING! This computer system is the property of the United States Department of Justice and may be accessed only by authorized users. Unauthorized use of this system is strictly prohibited and may be subject to criminal prosecution. The Department may monitor any activity or communication on the system and retrieve any information stored within the system. By accessing and using this computer, you are consenting to such monitoring and information retrieval for law enforcement and other purposes. Users should have no expectation of privacy as to any communication on or information stored within the system, including information stored locally on the hard drive or other media in use with this unit (e.g., floppy disks, PDAs and other hand-held peripherals, CD-ROMs, etc.)
More Sample Banners • http://cybercrime.gov/s&smanual2002.htm • Look for Appendix “A”
Bad Use Policy? • Reasonable investigations into work related misconduct • Search must be work related • Search must be justified at its inception and permissible in scope • Reasonable grounds to believe evidence will be found • Search is limited in scope • Must be “employer intrusion” rather then “police intrusion”