privacy expectations Was: SSL and Malicious Hardware/Software

Steven M. Bellovin smb at cs.columbia.edu
Wed Apr 30 13:45:02 EDT 2008


On Wed, 30 Apr 2008 12:49:12 +0300 (IDT)
Alexander Klimov <alserkli at inbox.ru> wrote:

> 
> <http://www.securityfocus.com/columnists/421/2>:
> 
>   Lance Corporal Jennifer Long was issued a government computer
>   to use on a government military network. When she was
>   suspected of violations of the military drug use policies (and
>   of criminal laws related to drug use), Marine Corps criminal
>   investigators reviewed the contents of email messages she sent
>   to another military employee who was likewise using
>   a government issued computer over the same government network.
>   The messages were retrieved from the government mail server
>   and later used against Long. On September 27, 2006, the United
>   States Court of Appeals for the Armed Forces had to decide
>   whether Long had any expectation of privacy in these e-mails.
> 
>   The starting point for any analysis is, of course, the DoD
>   policy expressed on its warning banner, which stated quite
>   explicitly:
> 
>     [...] All information, including personal information,
>     placed on or sent over this system may be monitored. Use of
>     this DoD computer system, authorized or unauthorized,
>     constitutes consent to monitoring of this system. [...]
> 
>   However, the military court, [...] found that Long did, in
>   fact have some privacy interests in the contents of her
>   communications. It noted that while the government said it
>   could monitor, it rarely did.
> 
The actual opinion is much more nuanced and case-specific.  In the
first place, it demonstrated that the actual culture at that site was
very different.  In particular, the administrator testified that "it
was general policy to avoid examining e-mails and their content
because it was a 'privacy issue'."  The court might well have ruled
differently were that not the case.

Second, the court noted that the suspected misconduct was (a) for
evidence of illegal behavior, and (b) unrelated to workplace misconduct.
And the banner wasn't specific enough: "The banner in the instant case
did not provide Appellee with notice that she had no right of privacy.
Instead, the banner focused on the idea that her use of the system may
be monitored for limited purposes."

In addition, because the employer in this case was the government,
constitutional protections come into play, in a way that would not
apply to a private sector employer.  The reasoning there is complex,
especially since we're talking about the military (and soldiers have
many fewer rights than do civilians), so I won't try to summarize it;
let it suffice to say that generalizing from that case to an ordinary
workplace environment is not simple.

To sum up -- the court ruling in this particular case was very specific
to the facts of the case.  It's far from clear that it's generally
applicable.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


