[ntp-legal] Re: Monitoring policy - Was [ntp:hackers] D-Links NTP server vandalism

todd glassey todd.glassey at worldnet.att.net
Wed Apr 12 14:34:28 UTC 2006


John - I am well aware of section 5210 and all of Title 18 Pt1. Ch 19 - of
which 2510 is the Definitions section... and it's not what I am looking for
exactly. There are several sections of law that apply here based in
informed-consent which doesn't exist between you and any of the End-Users of
the service, including as I recall several sections of Law pertaining to the
State of California itself.

Pieces of it fit under several sections of 18 USC - by the way - one of the
best copies of the US Code is Cornell's - as I said, I will be back to you
specifically on this - the collection of client information without a signed
agreement from the clients is illegal as far as I know and that is the
problem. Having an agreement with the creator of the code is somewhat close
to useless unless you assure that they propagate the terms of that deal to
their clients and this is done knowingly.

See also some of the key definitions in 18 USC '1030' - they are useful
here - The problem is that NO NTP Stratum-1 Operator has an agreement with
any of the SW-Only "End-User" Clients, like those that pointed their WINDOWS
Domain Controller or Gateway to a Public Stratum-1 Server, or those that
reset their Workstations directly from the Internet Stratum-1 Server list.

In fact -  I am willing to bet, that NONE of these people have signed any
type of agreement giving you the ability or legal authorization to use their
contact or identity information. Likewise NONE of these people have ever
read the AUP of your site because the client SW that they were saddled with
doesn't allow it. That is not the end-users' fault...  that blame rests with
NTP and the management of this entity apparently.


If any formal agreement exists it would exist between the Service Operators
and those that actually did formally contact them, you might have a claim -
but you cannot bind a third party to a contract that they are not aware
exists. It just doesn't work and ***does*** constitute fraud by wire as far
as I know, a federal crime in the US.

Todd



----- Original Message ----- 
From: "John Pettitt" <jpp at cloudview.com>
To: "todd glassey" <todd.glassey at att.net>
Cc: <ntp-legal at support.ntp.org>
Sent: Tuesday, April 11, 2006 8:54 PM
Subject: Re: Monitoring policy - Was [ntp:hackers] D-Links NTP server
vandalism


> Thread from ntp-hackers
>
> todd glassey wrote:
> > John
> >
> >> Good we've established that - now where does it say that I as a server
> >> operator in California have to advise people that their connection to my
> >> server may be logged and/or that the log data may be published?
> >>
> >
> > Hold on that John I will pull the citation on that - there is legal
> > standing for this. The case itself set the standard which is why log-in
> > banners are legally required to inform people that "all their actions are
> > logged" when they use the computer.
> >
> >
>
> You are looking for 18 USC 5210 which says in part
> > It shall not be unlawful under this chapter for a person not acting
> > under color of law to intercept a wire, oral, or electronic
> > communication where such person is a party to the communication or
> > where one of the parties to the communication has given prior consent
> > to such interception unless such communication is intercepted for the
> > purpose of committing any criminal or tortious act in violation of the
> > Constitution or laws of the United States or of any State.
> Which as far as I see it allows a server operator to intercept ntp
> packets to/from  their server.
>
>
>
> >> Unless I promise them privacy (which I don't) there is no obligation on
> >> my part of provide privacy unless you know of some law I don't.
> >>
> >
> > Yes there is John, since there is no negotiations of the service that you
> > are providing and there is no way that you can tell the End-User you are
> > capturing their data, and because they have no idea you personally even
> > exist, or that they have to ask you about using your server, yes... you do
> > have an obligation IMHO
> >
>
> I don't have to tell them see above
> >
> >> I get that the EU privacy laws may apply to EU servers but I'm not in
> >> the EU (this is the reverse of the old "World != USA" issue - the world
> >> != EU either).
> >>
> >
> > You also aren't dealing with how you notify the people that are using the
> > service as to your capturing their information.
> >
> I don't have to per 18  usc 2510
> > But also why in their right mind would anyone in the EU want to use a
> > California Server? - Maybe parts of Asia but that's it.
> >
> the global pool means I have many Europeans using my server.
> > let's look at the other issue - why would anyone want to depend on a private
> > uncertified server. You carry no liability right? why would I want time from
> > you?  What does it buy me?
> >
> yes but that's a different topic.
>
> John
>


