[ntp-legal] ***SPAM*** Re: Monitoring policy - Problem with Stratum-1 Page...

John Pettitt jpp at cloudview.com
Thu Apr 13 03:59:40 UTC 2006


Todd, for a server to be in that list its owner must have put it there
or asked Dave to put it in the older version - Even if it's there in
error I don't see it as fraud any more than any other directory - the
burden is on the user to find out not a directory provider to provide
all the possible info.   Can you cite *any* case law that supports the
idea that a person publishing a list is responsible for what people do
with it?

I'm just not following your logic.

John


todd glassey wrote:
> By the way John - 3 more goodies here
>
> (1) let me ask a sort of fundamental question, and that is who
> gave ISC or this "NTP Hackers" WG legal authority to speak for the Server
> Operators? It seems to me that per the ISC's "Published Rules of
> Engagement" statement which while written in IETF "you can't blame us, it's
> only a suggestion" style, is
> still a set of use terms and that these would be the governing rules.
>
> http://ntp.isc.org/bin/view/Servers/WebHome#Searching_for_A_Time_Server
>
> Why this is important is that it's my lay opinion that these Rules of
> Engagement would likely set aside any set of AUPs that might exist
> since this is what would be seen and not the AUPs... right? In fact no
> links to any of the AUPs is provided just the Rules of Engagement which
> would form the scope of the contract between the NTP.ISC.ORG Hacker's team
> and the users of those servers which the ISC has no clearance to provide, I
> am sure.
>
> Seriously go to the S1 Page at
> http://ntp.isc.org/bin/view/Servers/StratumOneTimeServers and press any of
> the Access Policy Links - there is no link to the AUP so if I chose a server
> from this list that was that - this list conveyed that it and only it is the
> contract between the End User and the Server operator - and I call that
> Fraud By Wire.
>
> Also notice in those same Engagement Rules there is nothing about the
> Incidental NON-SERVER based NTP clients like the PC based NTP and SNTP
> users of the same systems. What do you do about them? and how is their use
> accounted for in this?
>
> My take as such that this page, while appearing benign, is a problem.  And
> that this is true since this NTP WG has NO legal authority to speak for any
> of the Servers per the Inclusion Process to the List, and that this is
> especially true for the Federal or Governmentally operated or certified
> Servers.
>
> But wait - there is way more too...
>
> (2) There is another problem and that is what legally qualified/competent or
> released anyone to operate a NTP Site and why this list allowed anyone to
> add a system that represented itself as Competent to Peer with a Federally
> Operated Server, which is what this list implies.
>
> Since anyone without specifying their competence or
> operations capabilities or liability, can add a server to this S1/S2 list by
> email alone, I as much am pretty sure that this constitutes some form of
> 'legal agreement to be represented by the ISC.ORG sites content' right -
> Ohhhh No... not! What this means is that there is no agreement that any
> submissions are operated in concert with any standards or certification
> process, meaning that this is a "self-declared" list at best - the problem
> is that by mixing the amateur sites with those certified by the feds leads
> one to believe that all the sites are operated to the same level of
> competence and that statement is a liability to this group and the ISC since
> it obviously isn't true.
>
> Personally - I think ALL of the Federal Time Servers and their 'peering
> partner' systems need to be listed in their own list and all the uncertified
> systems need to be listed apart from the Federal or Governmentally Operated
> Time Servers.
>
> (3) Official S-1 Sites need a legal statement about their use and
> operations.
> To reinforce the problem here, there is a newly emerging issue that some of
> the "S1" systems listed in the EDU Sector were never approved by their
> University's Legal or IT departments. I know this for a fact since the IT
> Managers at four of the Universities
> listed in the Master List are personal friends and we have spoken on this.
>
> Likewise, those Universities' Legal Departments would probably have a
> hissy-fit if they were informed that they were going to be held legally
> accountable as a Public Resource that they as a legally defined entity,
> a University were offering publicly as to the accuracy and availability
> of that time source.
>
> (3a) This problem of the "release to publish the name and authorization to
> use a private Time Resource on the Internet" is further exacerbated by there
> being no formal conveyance of listing based on an Email.
>
> Sending someone (the NTP.ISC.ORG WG in this case) email saying hey List My
> Server is not any exclusive conveyance of IP information such that the
> NTP.ISC.ORG website can rewrite the Server Operator's AUP without there
> being some contract included in that email or referenced by it. The
> reasoning is simply that all parties have to
> be aware of their contractual actions formally. All parties have to be
> authorized to list these services and commit to allowing public access or
> restricted access to those services which most won't have legal authority to
> do based on their contracts with the University Networking AUPs they
> signed.
>
>
> Sorry but I think it's way worse than you think it is, although it's pretty
> easy to correct.
>
>
> Todd
> -----------------------
> Lay-Opinion Disclaimers Apply to the above commentary- the ISC needs
> competent legal advice on these issues I think.
>
> ----- Original Message ----- 
> From: "John Pettitt" <jpp at cloudview.com>
> To: "todd glassey" <todd.glassey at att.net>
> Cc: <ntp-legal at support.ntp.org>
> Sent: Tuesday, April 11, 2006 8:54 PM
> Subject: Re: Monitoring policy - Was [ntp:hackers] D-Links NTP server
> vandalism
>
>
>> Thread from ntp-hackers
>>
>> todd glassey wrote:
>>> John
>>>
>>>> Good we've established that - now where does it say that I as a server
>>>> operator in California have to advise people that their connection to my
>>>> server may be logged and/or that the log data may be published?
>>>>
>>> Hold on to that John I will pull the citation on that - there is legal
>>> standing for this. The case itself set the standard which is why log-in
>>> banners are legally required to inform people that "all their actions are
>>> logged" when they use the computer.
>>>
>> You are looking for 18 USC 5210 which says in part
>>> It shall not be unlawful under this chapter for a person not acting
>>> under color of law to intercept a wire, oral, or electronic
>>> communication where such person is a party to the communication or
>>> where one of the parties to the communication has given prior consent
>>> to such interception unless such communication is intercepted for the
>>> purpose of committing any criminal or tortious act in violation of the
>>> Constitution or laws of the United States or of any State.
>> Which as far as I see it allows a server operator to intercept ntp
>> packets to/from their server.
>>
>>>> Unless I promise them privacy (which I don't) there is no obligation on
>>>> my part to provide privacy unless you know of some law I don't.
>>>>
>>> Yes there is John, since there is no negotiations of the service that you
>>> are providing and there is no way that you can tell the End-User you are
>>> capturing their data, and because they have no idea you personally even
>>> exist, or that they have to ask you about using your server, yes... you do
>>> have an obligation IMHO
>>>
>> I don't have to tell them see above
>>>> I get that the EU privacy laws may apply to EU servers but I'm not in
>>>> the EU (this is the reverse of the old "World != USA" issue - the world
>>>> != EU either).
>>>>
>>> You also aren't dealing with how you notify the people that are using the
>>> service as to your capturing their information.
>>>
>> I don't have to per 18 usc 2510
>>> But also why in their right mind would anyone in the EU want to use a
>>> California Server? - Maybe parts of Asia but that's it.
>>>
>> the global pool means I have many Europeans using my server.
>>> let's look at the other issue - why would anyone want to depend on a private
>>> uncertified server. You carry no liability right? why would I want time from
>>> you?  What does it buy me?
>>>
>> yes but that's a different topic.
>>
>> John


