The following document is not an official MIT policy statement, but it does reflect IS's policy regarding privacy of student files and email.

Joanne Costello, Fall 1997

==============================================================

Privacy on Campus: IS policy and procedures

Note: This is not an official policy statement. It does, however, reflect current practices within Information Systems.

Information Systems endeavors to provide a secure network and information infrastructure for the MIT Community. Balancing security against privacy is a tricky matter. It has always been IS's policy to err on the side of privacy.

An important aspect of a secure and reliable environment is system logs and other information records. These records permit us to gather statistics on resource usage so that we can do better capacity planning. They also permit us to track down security breaches or "incidents."

We maintain many logs within the Athena/MITnet system. Under some circumstances we will search logs while tracking down a problem reported to Postmaster or through "stopit." In general we only perform such log searches while acting in an official capacity. We *never* use the logs to search for inappropriate behavior or otherwise go on a "fishing" expedition.

"Logging" consists of making and maintaining transactional logs of activities within the system. For example, the mailer maintains a log of completed transactions (as well as a queue of pending mail). The Kerberos logs consist of records of when Kerberos tickets were requested.

Kerberos Logs:

We maintain a record of all uses of our Kerberos authentication system. Typically a request is made to the Kerberos authentication system whenever a user logs in from a workstation, as well as the first time she/he uses a particular network service within that login session. We record all ticket requests that arrive at one of our Kerberos servers. This information is used to generate the "login" graphs and occasionally other usage statistics.
Sometimes we use this information to determine who was logged into a particular workstation at a particular time. We have on occasion been asked to do broad searches by organizations outside of IS, specifically the Campus Police and the Committee on Discipline. In both cases we pushed back on those organizations until we came to an agreement on a "minimal" check.

Kerberos logs are protected against malicious forgery and modification and are viewable only by a limited set of people. Kerberos logs are kept for a period of years.

Mail Logs:

We maintain a record of every mail transaction that goes through the MITnet/Athena mailhub systems. We record who sent a message and to whom. These records are used to track down problems with the mail system; they are saved for only 5 days and are then irretrievably deleted. They are also used to help determine who forged a mail message or how it was accomplished. We do *not* record the content of any mail message. For protection against a crash, we do keep an image of messages, but this file is overwritten each night.

Mail stored in an Athena locker is backed up with the system. Most backups are kept about 6 months. Archival backups are kept longer. While it would be difficult to retrieve a file or mail message, it is possible to do so, and with a court order or subpoena we would have to. If you want to ensure privacy, you should encrypt your files/mail.

Mailer Logs (Mailhub) are protected against forgery and are available only to a limited number of staff people.

Dial-up Server Logs:

Our dialup servers maintain UNIX system accounting records. These records contain information on system commands and who makes use of them. We use these records to help plan our dialup server capacity. These records do *not* include command line arguments to commands or any information about input data or output data from these commands.
Our dialup servers also maintain logs of who makes outgoing network connections and where these connections terminate. We use these records to help identify Athena accounts whose passwords may be in use by Internet crackers to compromise other systems on the Internet.

Workstation Logs:

In addition to centrally maintained logs, each Athena workstation has a log of who made use of it. Similarly, some standard UNIX utilities make log entries on a workstation's local hard disk. Some applications may also maintain logs of who makes use of them; for example, some third-party applications make use of network-based "license servers."

Workstation Login Records:

Each workstation records who logged in (and out). We have occasionally used these records to help track down a violator of MITnet/Athena rules. End users have also used these logs to see who was logged in. The maintenance of these logs is a standard UNIX function provided by all UNIX system software vendors. Some vendors make it possible to disable these logs.

Workstation logs are *not* protected and may be viewed or modified by anyone with physical access to the workstation. Workstation logs are "wrapped," and entries disappear after a few months (how long depends on how busy the workstation is; retention is based on the disk space consumed by the logs).

Mailer Logs (Workstation):

Each workstation maintains a log of mail transactions that originate on that workstation. This is normal behavior of the "sendmail" program. We hardly ever make use of these logs, though we have on occasion. Mailer Logs (Workstation) are not protected in any way. Anyone with access to the workstation may view/modify them.

"Monitoring" is the act of fetching real-time information in order to track down a suspected violation of MIT policy or law. An example of monitoring would be looking at all keystrokes or packets going into a workstation that we suspect is being operated by an Internet cracker.
"Service Monitoring" is similar to monitoring above; however, the purpose of Service Monitoring is to maintain the quality of service on MITnet/Athena. It is not directed at an individual. An example of Service Monitoring is the continuous stream of packets visible in the Network Operations Center (NOC) as they traverse the MITnet backbone. Under certain circumstances we may narrow the range of what is being displayed, but the goal is usually related to tracking down a system problem.

We conduct Service Monitoring all the time. Often while performing service monitoring we will find ourselves viewing some private data (typically a packet's worth). However, we rarely (if ever) know whose data it is. Staff members who engage in service monitoring keep any information learned confidential. In general we see "data" but rarely "information."

"Searching" is the act of reading private files (those protected against reading or clearly marked as private) or mail in an attempt either to correct a system problem or to catch a system cracker. Searching is the most serious act that we may use in order to catch a cracker. In general we have *never* searched the Athena system in a fishing expedition. I have no recollection of our ever having sanctioned a search of a person's files in order to prove wrongdoing of any kind, either. In the future we may need to perform searches; however, these should only be authorized from a senior level of MIT.

Many universities have very different statements about searching. They feel that the resources belong to them and that they have the right to search the system for such things as pirated software, pornography, or cracker software.

Other issues:

Each Athena user has a private "locker" or home directory where they may store files. We consider this space "private," and only under very rare circumstances will we look through files which are protected against reading. In general, permission is required from a senior MIT official.
Occasionally, while performing their system maintenance tasks, MITnet/Athena staff members may inadvertently view private information, either stored in files or in transit across the network. Any information viewed this way is kept in strict confidence.

MIT is always subject to being served with court orders and subpoenas. When served, MIT may have no alternative but to cooperate with the issuing authorities.