Saturday, June 07, 2008

New Computer Banner Balances Security, Privacy Considerations

By Donna Miles
American Forces Press Service

June 6, 2008 - A new notice on Defense Department computer screens ensures users understand that their e-mails are subject to monitoring, but also reinforces specific user privacy and confidentiality protections, the department's chief information officer said. The new language represents the first change since 1997 to the "notice and consent" banner that appears each time a user logs onto a Defense Department network or information system.

While clarifying the scope of the Defense Department's authorized monitoring of its networks and information systems, the revised language "absolutely preserves" user privacy and confidentiality guaranteed by law, according to John G. Grimes, assistant secretary of defense for networks and information integration.

"These changes to the banner and user agreement language help clarify the user's understanding of the broad nature of DoD's authorized monitoring practices, while simultaneously reaffirming DoD's commitment to respecting and protecting important private and confidential communications that are guaranteed for its personnel," Grimes said.

Communications between Defense Department users and their attorneys, clergy or psychotherapists are considered "privileged" and protected from monitoring.

"Although DoD has a long history of respecting such privileged relationships, the previous banner language did not expressly identify this protection for the user," Grimes said. "For the first time ever, the DoD banner and user agreement now specifically addresses these important protections."

The new banner notifies users that their systems may be monitored for "penetration testing, COMSEC (communications security) monitoring, network defense, quality control, and employee misconduct, law enforcement and counterintelligence investigations."

It also includes a paragraph clarifying that passwords, access cards, encryption and biometric access controls are used to provide security for the benefit of the government – not to provide personal privacy to employees.

The notice also will appear on government BlackBerry devices and other personal digital assistants and personal electronic devices, although the wording will be shorter than on computers.

Grimes emphasized that monitoring activities covered by the new banner language have been in effect for "a long time," but were not specifically named in the 1997-era banner language.

The new verbiage spells out the policy in light of a U.S. Court of Appeals for the Armed Forces decision. The court ruled that the previous banner warning did not state clearly enough that employees have only limited privacy rights when using government computer systems.

In that case, a servicemember received notice that she was required to undergo a random urinalysis test. She, in turn, e-mailed several other people, discussing her fear that her drug use would be detected and the steps she had taken to avoid detection, officials in Grimes' office explained. Investigators used those e-mails as evidence in a prosecution. The servicemember was convicted and sentenced, but an appellate court set aside the findings and sentence, because the banner did not clearly state that there was no right of privacy in e-mails.

The revised banner will ensure all users of government computer systems understand the limited privacy protections, officials said.

Defense Department officials said monitoring is critical in ensuring government systems aren't compromised by viruses or hackers, and to identify threats as early as possible. "In order to protect DoD information systems, DoD needs to be able to monitor all traffic flowing through and across DoD systems," an official said.
