Federal judges are showing some proper perspective when it comes to matters of security and privacy, even when it means putting good guys in their place.
First up is the case of Nicodemo "Little Nicky" Scarfo, an alleged mob boss. A federal judge, Nicholas Politan, ordered the FBI to cough up more information on a keystroke logger it used to monitor Scarfo's PC. The judge is trying to decide whether the logger falls outside the purview of the search warrant the FBI legally obtained and into the realm of a wiretap, for which the FBI did not have permission.
The FBI procured a search warrant to enter Scarfo's place of business and install the keyboard sniffer, in hopes of capturing a password that would unlock encrypted files stored on his PC. The FBI got what it was after and unlocked files that implicated Scarfo in various illegal activities.
But Scarfo's defense team cried foul, saying the keyboard sniffer amounted to a wiretap, which requires a far more stringent court order than a search warrant. Judge Politan is at least listening to their view and has given the FBI until Aug. 31 to produce more details on how the keyboard logger works so he can make a decision.
I've already made my decision: the defense wins. The keyboard logger in question recorded every keystroke Scarfo made for a period of several months. Prosecutors argue that the logger didn't record email communications and thus a wiretap warrant wasn't necessary. That, of course, is absurd. If you collect every keystroke made on a computer, of course you're also collecting email communications, or at least have the opportunity to do so.
I have no problem with the FBI using such technology to catch criminals, but they should be required to play by established rules. In this case, the rules required a wiretap warrant.
The second case is even more remarkable because it involves federal judges ruling against other federal judges.
In May, a group of judges from the federal judiciary's Ninth Circuit court discovered their office computers were being monitored and ordered their IT department to shut down the monitoring program. But a committee of federal judges that helps determine how the judicial branch governs itself has recommended the monitoring system be turned back on. A vote on the committee's recommendation is scheduled for the Sept. 11 meeting of the Judicial Conference of the United States, the panel of top judges headed by Supreme Court Chief Justice William Rehnquist.
The monitoring system in question was installed only at the three gateways that connect the judiciary network to the Internet. Its purpose was to look for content such as pornography, music and streaming video files that indicate unauthorized use of the Internet connections. From coverage in the general press, it sounds like there are also intrusion detection capabilities built into the system; those, thankfully, have already been turned back on.
Keep in mind the judiciary has about 30,000 employees, only a small fraction of whom are judges. It is not unreasonable to think that some of these employees, perhaps even some of the judges, are using their computers for matters that have nothing to do with their jobs. It is also not unreasonable to want to stop them from doing so, especially given this is the judiciary system we're talking about - a taxpayer-funded entity that should be held to a high standard of conduct.
It may smack of Big Brother, but any business that pays for its employees to have Internet access has a right to demand that access not be abused. In fact, the day may soon come when it becomes a business requirement to monitor employee actions to prove one's employees were not involved in illegal activities or, at least, that one's company took reasonable actions to prevent it.
At the same time, employees deserve to know their electronic actions are being monitored. There is much debate about whether employers should be required to disclose monitoring practices to their employees. But why the debate?
If the point of monitoring is to get employees to focus on their work and to use company resources only for company business, informing them of monitoring policies should only further those goals.
Desmond is editor of ecomSecurity.com.