Network traffic is
|“||[c]oomputer network communications that are carried over wired or wireless networks between hosts.||”|
Legal considerations of collecting network traffic
Collecting network traffic can pose legal issues. Among these issues is the capture (intentional or incidental) of information with privacy or security implications, such as passwords or the contents of e-mails. This could expose the information to the staff members who are analyzing the collected data or administering the recording systems (e.g., IDS sensors). Organizations should have policies in place regarding the handling of inadvertent disclosures of sensitive information. Another problem with capturing data such as e-mails and text documents is that long-term storage of such information might violate an organization's data retention policy. It is also important to have policies regarding the monitoring of networks and to have warning banners on systems that indicate that activity may be monitored.
Although most network traffic data collection occurs as part of regular operations, it can also occur as part of troubleshooting or incident handling. In the latter case, it is important to follow consistent processes and to document all actions performed. For example, recording all packets sent and received by a particular user should be initiated only after the successful completion of a formal request and approval process. Organizations should have policies that clearly explain what types of monitoring can and cannot be performed without approval, and that describe or reference the procedures that detail the request and approval process.
Another potential legal issue is the preservation of original logs. Many organizations send copies of network traffic logs to centralized devices, as well as use tools that interpret and analyze network traffic. In cases where logs may be needed as evidence, organizations may wish to collect copies of the original log files, the centralized log files, and interpreted log data, in case there are any questions regarding the fidelity of the copying and interpretation processes.
As privacy has become a greater concern to organizations, many have become less willing to share information with each other, including network forensic data. For example, most ISPs now require a court order before providing any information related to suspicious network activity that might have passed through their infrastructure. Although this preserves privacy and reduces the burden on and liability of the ISPs, it also slows down the investigative process. This is particularly challenging when an organization is attempting to trace an ongoing network-based attack to its source, especially if the traffic passes through several ISPs.
- NIST Special Publication 800-86, at C-2.