> Number two, I would like to drop my own two cents in on this.
> Realistically, I have no idea why this isn't being done to start with. I
> find it tantamount to lunacy that we feel that we "cannot" or are
> "not allowed" to protect our systems from viruses. I'm pretty sure
> that we all have some kind of anti-virus system already up and
> running on whatever email package we are using internally (we run
> NAV on our Pegasus email). I'm not really sure who owns Pilot, but
> I am sure that each of our groups have users who use it on a
> regular basis. To put it bluntly, it is a whole in the security shema
> we have all attempted to setup. From what I am hearing the issue
> seems to be whether or not we would be in violation of AUP by
> doing so?? If this is the case, on what grounds does MSU uphold
> these policies. Are they saying that by scanning the emails for
> viruses that we as system admin's would be reading the emails?
> Are they aware that when any programs scans for a virus, that we
> do not see any of it happening, and even if we wish to monitor it
> scanning we STILL would not see the email. Are they concerned
> that we will write a program that will run in conjunction with the
> virus scanner, or in place of the virus scanner that will allow us to
> read the email. If that is what they believe or fear, I find that very
> offensive. I, for one, do not like being accused low moral values by
> folks whom I have never met, nor have they met me. Hey, if the
> post office trusts the folks that they hire off the street to sort my
> mail not to read it, you would think that MSU could trust us
It's not that anyone's accusing you or other system administrators of low
moral values, but that we're all required to take the high road in this
respect. Perhaps some of us think that line may be drawn a bit too high,
but it's the one we're expected to live with, and it does provide a level
of consistency from location to location around campus.
As for where and how to do virus protection, we still need to do
some work in that regard. In general, though, users should run virus
protection on their own workstations, and system administrators should
do virus protection on shared (non-personal) data. That should adequately
protect systems from the viruses and worms themselves. That may not
protect fully against side effects such as filled disks or poor system
performance from traffic overload, but there are other ways to deal with
> Ok, hard as that is to put aside, let me wonder this. Is MSU
> worried that by doing any of the above we would be violating the
> users 4th ammendment rights? Let me clarify something here;
> [portions of ECPA and comments omitted]
It's a bit simpler than that, although this may have been part of the
thinking in creating the AUP. It's clear that the AUP is more restrictive
than the ECPA requires, and is certainly different from the standard
corporation business model. One of the most notable differences is
that personal e-mail is permitted, particularly under a user's Pilot
e-mail account, but in many cases this would also extend to a user's
departmental e-mail box, assuming it is under the user's name.
The MSU AUP creates an expectation of privacy for personal communications
and data storage for all members of the MSU community. The Network
Communications Committee (NCC) is working on developing the interpretations
of the MSU AUP, but the gist of it with respect to communications and data
storage is that data is presumed to be personal when associated in any way
with an individual, unless it is stored in a location explicitly declared
to be for non-personal (e.g. business or research) data. Such a declaration
needs to be made known to the individual in advance, preferably by the use
of a system-specific AUP.
Any data that is deemed to be personal data is not to be accessed, scanned,
etc., without the express permission of the user, the Vice Provost's
office, or other legal means. In general, if the user gives permission for
a specific activity, then, and only then, can the system owner or manager
perform that activity. I think the NCC will have to give some thought to
whether a "shrink-wrap" policy notification and/or consent (e.g. a login
banner) is satisfactory, or whether an explicit signoff is required.
> If employers are exempted under this provision, then presumably
> they may monitor electronic communications in order to promote
> quality control, prevent loss of trade secrets, investigate employees
> suspected of wrongdoing, deter personal use of company property, etc.
At MSU, the authority under this exemption has been given to the Vice
Provost's office, barring a specific system AUP to the contrary. And
further discussion may be necessary as to how far a system AUP can go
in this respect.
> Under the consent exception, an employer may intercept electronic
> communications if the prior consent of one of the parties to the
> communication has been obtained. (18 U.S.C. § 2511(2)(d) (1994)).
> To come within this exception, an employer need only acquire the
> implied or express consent of one employee in an employee-
> customer or employee-employee communication. It is important to
> remember that the ECPA does not preempt stricter statutes in
> states, such as Maryland, which require the consent of all parties.
> An employee will likely be deemed to have given consent if, having
> knowledge of the employer’s policy, he or she continues to use the
> e-mail system. To this end, a written policy is preferred because all
> parties will have expressly consented to its terms. Even when the
> policy is written, the employer would be ill-advised to monitor e-
> mails to a degree that exceeds the scope of the policy. For
> example, in the context of telephone calls, the courts agree that an
> employer is not privileged to continue listening to conversations of
> a purely personal nature. Further, a policy that merely suggests
> that monitoring may be done may not be sufficient to create
> implied consent.
> Now I know that we have a acceptable use policy in place at MSU,
> and I also know that at least for our division in order to log onto our
> network you must click OK that you have read and understand the
> policy. Seems pretty clear cut to me..
See above. An individual at MSU can acknowledge understanding and
abiding by the MSU AUP, without providing any reason for MSU (as
employer, or otherwise) to assume that there is any consent for
monitoring e-mail or other communications.