1992 Department of Justice Letter on Keystroke Monitoring

Todd Heberlein

18 Mar 2013

By 1992, monitoring of network traffic for attacks, referred to by the Department of Justice as “keystroke monitoring,” was starting to gain traction. This letter, by the now Director of the FBI, raises the concern that this may be a criminal act and recommends actions to reduce the chance that network administrators could face charges.
1 Background
Starting in 1988 I began working on a collection of network intrusion detection and analysis tools collectively called the Network Security Monitor (NSM) (see the 1991 appendix of my thesis). By 1992 some personnel at the United States Air Force started deploying it within the Air Force and a few other locations. Eventually this would evolve into the Air Force's global ASIM network sensor grid.
A Department of Justice letter questioning the legality of network monitoring eventually reached my contacts in the Air Force, and they forwarded this letter to me.
2 Network Security Monitoring May Be a Criminal Act
The biggest takeaway from the letter is that this security monitoring may actually be a criminal act and the system administrators carrying it out could potentially be prosecuted. Yikes!
The relevant portion of the letter (with emphasis added) is:
We believe that such keystroke monitoring of intruders may be defensible under the statute. However, the statute does not expressly authorize such monitoring. Moreover, no court has yet had an opportunity to rule on this issue. If the courts were to decide that such monitoring is improper, it would potentially give rise to both criminal and civil liabilities for system administrators.
As a friend explained it to me, the legality of network security monitoring may be decided by case law. I was not eager to be the first to go on trial and establish the case law.
A year or two later I got a call from someone saying he was from the Department of Justice. I had a brief moment of panic. Then he explained to me he was installing the NSM on their network and had some configuration questions. Whew!
3 Consent Banner for Hackers
To reduce the risk of prosecution, the letter provides what is perhaps one of the earliest recommendations for a login banner shown to users signing on. The Department of Defense recently released an update to their recommended consent banner.
What I find interesting about the letter is how strongly it stresses that the hackers must see the banner. Again, from the letter:
Since it is important that unauthorized intruders be given notice, some form of banner notice at the time of signing on to the system is required. Simply providing written notice in advance to only authorized users will not be sufficient to place outsider hackers on notice.
An agency's banner should give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring.
Ummm... hackers often do not come in through the front door. What happens then?
4 No Intelligence Gathering or Anomaly Detection
Furthermore, long-term monitoring of hackers should not be done. Apparently gathering additional intelligence on the intruders was frowned upon.
Lastly, we would note that the long-term monitoring of individuals using a system without authority, or in excess of their authority, should not be conducted routinely. The monitoring of such individuals should be limited to the extent reasonable and necessary to determine whether and how the system is being abused.
To some extent this could make some sense, but long-term monitoring of everything was typically how we detected the misuse to begin with. Most intruders did not give advance notice that they were going to attack. Furthermore, long-term monitoring was how we developed profiles for anomaly detection. Watching the attackers was also how we learned new attack techniques to look for.
5 Letter's Author
An amusing factoid is that the author of the letter, Robert S. Mueller III, is currently the Director of the FBI.
6 Conclusions
I encourage everyone involved in computer security to read the original 1992 letter because it gives insight into a pivotal time in cyber security, when intrusion detection was actually starting to take off.

@NetSquared_USA  copyright Net Squared, Inc., 2008-2013