Without a court order, the University cannot intercept the contents of electronic transmissions (e.g., "sniff packets") unless an exception applies.
The Wiretap Act
The "Provider Exception" allows our office to conduct reasonable monitoring to protect the University's rights and property. The monitoring must have a "substantial nexus" with a threat. For example, this exception allows our office to run and maintain intrusion detection systems.
So far, it has been unclear whether information intercepted using this exception can be used by or disclosed to law enforcement.
- (i) It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.
The 2001 Patriot Act created the "Trespasser Exception" to the Wiretap Act. This exception allows law enforcement to intercept communications to or from "computer trespassers." A "computer trespasser" is a person who accesses a computer/network "without authorization" and "thus has no reasonable expectation of privacy..." The definition specifically excludes people with "an existing contractual relationship with the owner or operator."
There are several conditions attached in order for law enforcement to obtain these interceptions: the University must authorize the interception, our office must act under the color of law, there must be relevance to an ongoing investigation, and nothing but the communications sent or received by the computer trespasser may be intercepted.
- (21) "computer trespasser"--
- (A) means a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer; and
- (B) does not include a person known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator of the protected computer for access to all or part of the protected computer.
The Pen Register, Trap and Trace Statute
The "Pen Register" and "Trap and Trace" statutes govern the monitoring of traffic data. For the most part, this does not cover payload/content. Examples of traffic data include source and destination IP addresses, port addresses, and e-mail routing headers.
In addition to providing usage statistics, our office can use the data collected under the exception of these statutes to flag inordinate or suspicious use of resources to prompt further investigation. For example, we flag:
- disproportionate use of bandwidth,
- uncommon protocol use,
- services running on high and/or uncommon ports,
- untimely usage.
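The four flags listed above can be computed from traffic data alone, with no payload inspection. The following is an added example, not our office's actual tooling: the flow records are constructed, and the campus address range, protocol and port lists, bandwidth threshold and quiet hours are all assumed values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: header metadata only, no payload.
# (start time, source IP, destination IP, destination port, protocol, bytes)
FLOWS = [
    ("2024-03-04T10:15:00", "10.0.1.5", "192.0.2.10", 443, "tcp", 120_000),
    ("2024-03-04T10:20:00", "10.0.1.6", "192.0.2.11", 80, "tcp", 80_000),
    ("2024-03-04T11:00:00", "10.0.1.7", "192.0.2.12", 443, "tcp", 9_500_000),
    ("2024-03-04T03:10:00", "10.0.1.8", "192.0.2.13", 22, "tcp", 40_000),
    ("2024-03-04T14:00:00", "192.0.2.14", "10.0.1.9", 31337, "tcp", 60_000),
    ("2024-03-04T15:30:00", "10.0.1.5", "192.0.2.15", 0, "gre", 30_000),
]

# Assumed local policy values (not taken from the page).
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/16")
COMMON_PROTOCOLS = {"tcp", "udp", "icmp"}
COMMON_SERVICE_PORTS = {22, 25, 53, 80, 123, 443, 993}
BANDWIDTH_SHARE = 0.5      # one host carrying more than half of all bytes
QUIET_HOURS = range(1, 5)  # 01:00 through 04:59

def flag_flows(flows):
    """Return {campus host: set of reasons it should prompt further investigation}."""
    flags = defaultdict(set)
    bytes_by_host = defaultdict(int)
    for ts, src, dst, dport, proto, nbytes in flows:
        inbound = ipaddress.ip_address(dst) in CAMPUS_NET
        host = dst if inbound else src  # attribute the flow to the campus side
        bytes_by_host[host] += nbytes
        if proto not in COMMON_PROTOCOLS:
            flags[host].add("uncommon protocol")
        # A campus host accepting connections on an unusual port
        # suggests an unexpected service is running there.
        elif inbound and dport not in COMMON_SERVICE_PORTS:
            flags[host].add("service on uncommon port")
        if datetime.fromisoformat(ts).hour in QUIET_HOURS:
            flags[host].add("untimely usage")
    total = sum(bytes_by_host.values())
    for host, used in bytes_by_host.items():
        if total and used / total > BANDWIDTH_SHARE:
            flags[host].add("disproportionate bandwidth")
    return dict(flags)

if __name__ == "__main__":
    for host, reasons in sorted(flag_flows(FLOWS).items()):
        print(host, sorted(reasons))
```

A flag here is only a prompt for further investigation; the script never reads or stores packet contents.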
This exception is considered broad. We're permitted to capture traffic data:
- if it relates to the "operation, maintenance, [or] testing" of service
- to protect the rights or property of the University
- to protect users from abuse of service or unlawful use of service
- (h) It shall not be unlawful under this chapter--
- (i) to use a pen register or a trap and trace device (as those terms are defined for the purposes of chapter 206 (relating to pen registers and trap and trace devices) of this title); or
- (ii) for a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service.