CSL BULLETIN 
                      March 1993                     

GUIDANCE ON THE LEGALITY OF KEYSTROKE MONITORING 
At the request of the Department of Justice (DoJ), the National
Institute of Standards and Technology (NIST) is providing
information developed by the DoJ regarding the legal liability of
keystroke monitoring.  This bulletin advises federal system
administrators that keystroke monitoring during computer sessions
may be found illegal in certain circumstances and that notice of
such monitoring should be given to users.

What is Keystroke Monitoring?
Keystroke monitoring is a process whereby computer system
administrators view or record both the keystrokes entered by a
computer user and the computer's response during a user-to-
computer session.  Examples of keystroke monitoring would include
viewing characters as they are typed by users, reading users'
electronic mail, and viewing other recorded information typed by
users.  Some forms of routine system maintenance record user
keystrokes; this could constitute keystroke monitoring if the
keystrokes are preserved along with the user identification such
that an administrator can determine the keystrokes entered by
specific users.

Background
The Department of Justice says that keystroke monitoring is being
conducted on some agency systems in an effort to protect them
from intruders who access the systems without authority or in
excess of their assigned authority.  Intruders pose a serious
threat to the integrity of systems, in particular because
intruders can insert backdoors, Trojan horses, or other damaging
code such as computer viruses into the systems and evade
detection for long periods of time.  In these circumstances,
monitoring keystrokes typed by intruders can help administrators
in assessing and repairing any damage caused by intruders.

The guidance from the DoJ is intended to advise system
administrators of an ambiguity in U.S. law that makes it unclear
whether keystroke monitoring is basically the same as an
unauthorized telephone wiretap.  Current laws were written years
before concerns such as keystroke monitoring, system intruders,
or computer viruses became prevalent; consequently the laws do
not directly address the issue of keystroke monitoring.  In
addition, no legal precedent has been set to determine whether
keystroke monitoring is legal.  Therefore, the DoJ advises that
if system administrators are conducting keystroke monitoring or
anticipate the need for such monitoring, even if only for the
purpose of detecting intruders, they should ensure that all
system users, authorized and unauthorized, are notified that such
monitoring may be undertaken.

It is important to note that the DoJ is not authorizing keystroke
monitoring, even implicitly.  If the courts were to determine
that keystroke monitoring is improper, system administrators
could potentially be subject to criminal and civil liabilities. 
The DoJ consequently advises system administrators to protect
themselves by giving notice to users if session keystroke
monitoring is being conducted.  The DoJ further advises
administrators to notify authorized users of monitoring for
routine system maintenance, such as logging activity for purposes
of assessing system integrity, if such activity may in some cases
monitor the keystrokes of authorized users.

Providing Notification of the Keystroke Monitoring Policy
Simply providing written notice of a keystroke monitoring policy
to authorized users is not sufficient.  The DoJ recommends that a
banner notice indicating the keystroke monitoring policy be
placed on all agency systems that will be conducting keystroke
monitoring.  Since it is important that unauthorized as well as
authorized users be given notice, the banner should be boldly
displayed at sign-on to the system, giving all users ample
opportunity to read the banner.

Banner Content
The banner should give clear and unequivocal notice to intruders
that by signing on and using the system, they are expressly
consenting to having their keystrokes monitored or recorded
during their computer session.  The banner should indicate to
authorized users the possibility that they may be monitored
during the course of monitoring the intruder (e.g., if an
intruder is downloading a user's file, keystroke monitoring will
intercept both the intruder's download command and the authorized
user's file).  The banner should also indicate that system
administrators may in some cases monitor authorized users in the
course of routine system maintenance.  Users can elect to
continue use of the system, thus expressly consenting to the
monitoring policy, or to quit the system.

Example Banner
Following is an example banner provided by the DoJ:

      This system is for the use of authorized users only. 
      Individuals using this computer system without
      authority, or in excess of their authority, are subject
      to having all of their activities on this system
      monitored and recorded by system personnel.  In the
      course of monitoring individuals improperly using this
      system, or in the course of system maintenance, the
      activities of authorized users may also be monitored. 
      Anyone using this system expressly consents to such
      monitoring and is advised that if such monitoring
      reveals possible evidence of criminal activity, system
      personnel may provide the evidence of such monitoring
      to law enforcement officials.

Each agency may wish to tailor the banner to its precise needs
before distributing to system administrators.  In addition to
giving notice to users that keystroke monitoring may occur,
system administrators may find it helpful to include a statement
explaining the need for such monitoring, e.g., "To protect the
system from unauthorized use and to ensure that the system is
functioning properly, system administrators monitor this system."

Which Systems Should Display the Banner?
All agency systems that currently monitor keystrokes or that
anticipate the need to monitor keystrokes should display the
banner.  Examples of such systems could include multi-user
systems, information retrieval systems, and bulletin board
systems that can be accessed via networks and telephone lines,
since these systems are especially at risk to intruders.  Other
examples might include more restricted systems and personal
computers that can be accessed only within agencies.  If
keystrokes from one system may be monitored by a different
device, such as a network monitor designed to detect intrusion
attempts, users should still be informed of the monitoring
policy, perhaps by displaying the banner on all systems whose
activity is being monitored by the network device.

Long-Term Monitoring
The DoJ recommends against the long-term monitoring of any
individuals who are using a system without authority or in excess
of their authority.  Once a determination has been made as to
whether and how a system is being abused, the matter should be
reported promptly to law enforcement officials for consideration
as to whether court orders authorizing continued monitoring
should be obtained.

Summary
Due to ambiguities in current laws, it may be illegal to conduct
keystroke monitoring of users, even if only for the purpose of
detecting system intruders.  Therefore, a banner that notifies
users of the keystroke monitoring should be displayed prominently
on each system that may or will be conducting keystroke
monitoring.  Each agency should craft a banner to fulfill its
specific needs, using the guidance presented in this bulletin and
by the DoJ.  At a minimum, however, individuals using a computer
system without authority or in excess of their assigned
authority, or authorized users who are subject to keystroke
monitoring, should be told expressly that by using the system,
they are consenting to such monitoring.

For More Information
For more information regarding the Department of Justice advice
on the legality of keystroke monitoring, please contact the U.S.
Department of Justice, (202) 514-1026.

NIST Guidance
Users and system administrators should eliminate or reduce risks
to their systems from attacks by intruders, computer viruses, and
other related threats.  NIST recommends the following steps:

  o   educating users about malicious software and its risks, how
      to use control measures and procedures to protect
      themselves;

  o   use of existing technical controls to increase security and
      decrease vulnerabilities to unauthorized use;

  o   use of additional tools such as stronger user authentication
      mechanisms (e.g., smartcards) and vulnerability assessment
      tools; and

  o   contingency and incident handling procedures for containing
      and recovering from attacks and other computer security
      incidents.

NIST develops guidance in all of these areas.  For a copy of
Computer Security Publications List 91, contact CSL Publications,
NIST, Technology Building, Room B151, Gaithersburg, MD 20899-
0001, telephone (301) 975-2821, fax (301) 948-1784.

Retrieving Information Electronically
NIST maintains a bulletin board system (BBS) and Internet-
accessible site for computer security information open to the
public at all times.  These resources present information on
computer security publications, CSL Bulletins, alert notices,
information about viruses and anti-virus tools, a security events
calendar, and sources for more information.

To access the BBS, you need a computer with serial communications
capability and a modem.  For modems at 2400 bits per second (BPS)
or less, dial (301) 948-5717.  For 9600 BPS, dial (301) 948-5140. 
Modem settings for all speeds are 8 data bits, no parity, 1 stop
bit.

Internet users with telnet or ftp capability may telnet to the
BBS at cs-bbs.nist.gov (129.6.54.30).  To download files, users
need to use ftp as follows:  ftp to csrc.nist.gov (129.6.54.11),
log in to account anonymous, use your Internet address as the
password, and locate files in directory pub; an index of all
files is available for download.  For users with Internet-
accessible e-mail capability, send e-mail to
docserver@csrc.nist.gov with the following message:  send
filename, where filename is the name of the file you wish to
retrieve.  send index will return an index of available files.