Today I’m changing from a planned post on social engineering and OPSEC failures to talk about an epic failure in understanding security policy.
So today the New York Times published a story about the FDA monitoring emails, and I think this is a rehash of old news, since the Washington Times wrote about the very same thing earlier. Now I’m not here to talk about the politics of the situation or whether the actions of the parties involved were right or wrong; frankly, I don’t care. So regardless of how you feel about what happened, I’m here to talk about network security policy. Check your politics at the door; as always, comments are welcome.
So, yes, the FDA was monitoring the actions of their employees on (now pay attention to this very important detail) Government-owned computers. So I honestly want to know: where is the news story? At what point did any of the people suing the FDA believe that they had any expectation of privacy on a computer owned by their employer? In fact, what expectation of privacy does anyone have on any computer that they do not own and have full administrative control of?
The correct answer: absolutely none.
There is case law that has upheld that employees may enjoy some expectation of privacy when using personal email accounts. This is decided on a case-by-case basis, and in an organization that clearly states that all communications are monitored, one should automatically assume that they have no privacy. For more information, go read Gone but Not Forgotten: When Privacy, Policy and Privilege Collide by Louise Hill.
But what I really want to talk about is the policy and the fact that people always seem to ignore it. All government computers are supposed to display a logon banner that every user logging in to a system is required to acknowledge. They all contain essentially the same language, as required by the United States Government Configuration Baseline (USGCB) or by DoD Instruction (the link is a bit dated, but it’s pretty much the same). In the case of the USGCB, the text required is:
This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personnel may provide the evidence of such monitoring to law enforcement officials.
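As an added example (not from the original post), here is a PowerShell audit, assuming a Windows host, that reads the registry values the interactive logon banner is configured through and reports whether the USGCB wording above is actually in place. The function names and the caption string are my own assumptions; the registry key and value names are the standard ones Windows uses for the legal notice.

```powershell
# Added example (not from the original post): audit and, only on request, set the
# Windows logon banner the USGCB requires. Windows stores the banner under the
# Policies\System key as LegalNoticeCaption / LegalNoticeText (standard value
# names); the caption wording below is an assumption, USGCB mandates only the body.
$BannerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RequiredCaption = 'WARNING'   # assumed caption
$RequiredText = @'
This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personnel may provide the evidence of such monitoring to law enforcement officials.
'@

function ConvertTo-NormalizedText([string]$s) {
    # Collapse whitespace so line wrapping in the stored value is not
    # reported as drift from the required wording.
    return (($s -replace '\s+', ' ').Trim())
}

function Test-LogonBanner {
    # Returns an object describing the current state and never throws, so it
    # can be run across many hosts and the results collected centrally.
    $props   = Get-ItemProperty -Path $BannerKey -ErrorAction SilentlyContinue
    $text    = [string]$props.LegalNoticeText
    $caption = [string]$props.LegalNoticeCaption
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        BannerPresent  = -not [string]::IsNullOrWhiteSpace($text)
        TextMatches    = (ConvertTo-NormalizedText $text) -eq (ConvertTo-NormalizedText $RequiredText)
        CaptionPresent = -not [string]::IsNullOrWhiteSpace($caption)
    }
}

function Set-LogonBanner {
    # Writes the required banner. Needs an elevated session; -WhatIf previews
    # the change without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($BannerKey, 'Set LegalNoticeCaption/LegalNoticeText')) {
        if (-not (Test-Path $BannerKey)) { New-Item -Path $BannerKey -Force | Out-Null }
        Set-ItemProperty -Path $BannerKey -Name LegalNoticeCaption -Value $RequiredCaption -Type String
        Set-ItemProperty -Path $BannerKey -Name LegalNoticeText -Value (ConvertTo-NormalizedText $RequiredText) -Type String
    }
}

$state = Test-LogonBanner
$state | Format-List
if (-not $state.TextMatches) {
    Write-Warning "Logon banner on $($state.ComputerName) does not match the USGCB text; run Set-LogonBanner to correct it."
}
```

The audit half is safe to run anywhere; only Set-LogonBanner changes the machine, and it honours -WhatIf so the change can be reviewed first.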
Note the bold print. In fact, according to the Washington Times article, “FDA computers post a warning, visible when users log on, that they should have ‘no reasonable expectation of privacy’ in any data passing through or stored on the system, and that the government may intercept any such data at any time for any lawful government purpose.”
Users see these logon banners every time they log on to a computer, and they ignore them, click OK and move on. I’m sure that the people at the FDA were also required to sign a User Agreement Form. In the DoD we have a form that we are required to sign to gain access to any network, and the first statement in that agreement is “The U.S. Government routinely intercepts and monitors communications on this information system”. Now the DoD does recognize that some members may not have access to any computers other than the ones owned by DoD, so it makes exceptions for certain types of privileged communications; however, the responsibility falls to the member to consult with legal counsel offline first to determine their course of action:
- The user consents to interception/capture and seizure of ALL communications and data for any authorized purpose (including personnel misconduct, law enforcement, or counterintelligence investigation). However, consent to interception/capture or seizure of communications and data is not consent to the use of privileged communications or data for personnel misconduct, law enforcement, or counterintelligence investigation against any party and does not negate any applicable privilege or confidentiality that otherwise applies.
- Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality.
So here is my issue with all of this: nobody ever reads any of these things. If they did, they would understand that they have no real expectation of privacy on their work computers. They would understand that work computers are not their personal computers. People sign documents and accept terms and conditions without a thought. I’ve joked with my wife that one day I’m going to write an app and put language in the End User License Agreement that says I can come to your home any time I want, take whatever I want and drink all of your beer. And people will simply click OK.
This is another theme that I’ll continue to explore and I look forward to ongoing conversations.
(EDIT 2014.03.20: spelling/grammar)