The Heckencamp ruling seems pretty lame to me.

the university's interest in maintaining the security of
its network provided a compelling government interest in
determining the source of the unauthorized intrusion into sensitive files.

But this isn't what happened. They already determined Heckencamp was the likely source of the intrusion. The further investigation on the part of the administrator was to determine if he had switched to another IP address in the same IP block. The network would have been better protected by simply blocking any administrative access to the mail server from the block of IP's assigned to the dorms. It was noted earlier in the ruling that:

The type of access the user had obtained was restricted to specific system administrators, none of whom would be working from the university's dormitories.

This would have prevented the unauthorized access the university was concerned with and it wouldn't require searching any computers or inconveniencing students, who shouldn't have administrative access to the mail server anyway.

There are also non-intrusive ways to reasonably determine if a computer, having switched IP addresses, is indeed the same computer. Every network interface card is assigned a unique MAC address by the manufacturer. This address is visible to the network and does not change with the IP address. There are, of course, ways to change the MAC address, but it would have been a reasonable first step for the admin to take before breaking into the students computer. There is no indication that the admin tried any non-intrusive methods before breaking into the computer

Since the admin's actions were not protective, but rather investigative and unnecessarily intrusive, I don't think this would be covered under the special needs requirement. My expertise is more on the computer side of this, however, so my legal opinion may be off.

The Barrows ruling looks like it would have gone the same way if the computer wasn't connected to the government network.

Even if Mr. Barrows did possess a subjective expectation of privacy, his failure to take affirmative measures to limit other employees’ access makes that expectation unreasonable.

This was evidenced by its public location, always-on status, lack of password protection, use for work activities, as well as its connection to the network. By the judge's reasoning, the first four facts would be sufficient to prove "his failure to take affirmative measures."

After reading the opinion concerning Heckencamp, I've concluded that Savoy may be some long-lost relative of Barney Fife.

Based on what I can gather on the opinion, they have either IP addresses associated with each room. Savoy blocked (probably from the Mail2 server the device using .117.

Then Savoy "checked the networking hardware", probably via looking at the ARP cache of a routing switch, and noted that the computer that was using the .117 address was now using the .120 address.

What I don't understand is what caused the light-bulb to go off for Savoy as is noted on 3884: "that the Mail2 server ‘security could be compromised at any time’, particularly because "the intruder at this point knows that he's being investigated". If that is a reasonable conclusion and knowing Hekencamp's previous history, what did Savoy go home? Geeesh.

On 3884, Savoy determined that the machine needed to "get off line immediately or as soon as possible". Again, Savoy should have come to that conclusion much earlier in the process, given what they knew.

Given the proper software, of which we don't know that University of Wisconsin has, if the IP address or MAC address of a suspect device is known, it would take all of 2 minutes to find the switch port the device was connected to, and disable the switch port. I say switch port because I am doubting that a residential network would still be using hubs.

So, speaking from a technical and response standpoint, I believe Fife Savoy acted slowly and should acted more proactively than he did, considering what he knew of Heckencamp, and there was in all likelihood an easier way to disconnect the device from the network. I am not condoning what Heckencamp did – but Savoy needs to bone up on how he responds to network incidents.

Wouldn't the court have been better off drawing on O'Connor v. Ortega? Granted, the rule derived from the O'Connor plurality opinion isn't directly on point here, since the Heckenkamp case doesn't involve a government employer search of an employee. But the underlying principle is the same as in the long line of cases stemming from O'Connor: a search is permissible if done for a legitimate administrative purpose by an actor whose governmental status is incidental.

To Eli Rabett:

You may not have an expectation of privacy for traffic that goes across the government network, but the computer itself remains private.

I am disquieted by the claim above that there is /no/ expectation of privacy in /anything/ I send on my school's computer network and that they can rifle through my data through the network at will.

After all, when I am in a dorm, the College is both my landlord and my ISP. Worse, I have no other choice for ISP. By this logic, can my ISP at home rifle through my transmitted and received data so long as they put me on notice that they might do so?

I agree that these are interesting cases, and that Heckencamp in particular brings out the urge in us computer geeks to second-guess a lot of the technical details that the opinion leaves out. (My computer geek credentials: I'm a professor of computer science who among other things teaches networking and operating systems.)

That said, my second-guessing would be rather different than that of several of the other commenters. I would a lot less quick to jump to the conclusion that Savoy was incompetent -- though I also would have liked the court to be less quick to accept his statements at face value. Perhaps Heckencamp's lawyers were not very aggressive in this regard? If so, the court can hardly be blamed for not going into the matter.

Some of the commenters seem to have lost sight of the fact that the events in question took place in 1999, not 2007. Network management was a lot more primitive then. Heck, we still have unmanaged hubs and switches in a lot of our dorms even in 2007, just because it is too expense to replace a whole campus worth of more-or-less-functional equipment and -- we upgrade as opportunties present themselves. Aside from the year, one clear sign that they were not working with today's state of the art equipment was the very fact that Heckencamp was able to change his IP address; nowadays the switch would lock the MAC address down to the assigned IP address. Speaking of the assignment of the IP address -- one of the commenters said something about DHCP. This is toally irrelevant. DHCP is a way to ask what IP address you should be using. Heckencamp could still choose to use a different IP address than what DHCP told him, or for that matter not ask the quesiton in the first place. What is needed is the switch refusing to carry packets with the wrong IP address, which is a seperate matter than the DHCP service. And while Savoy could probably have cut off a whole floor of the dorm, or something like that, I will remind you that doing that at finals time is not a popular choice -- even leaving aside the issue that I bring up in the next paragraph.

Finally, and perhaps most importantly, some comenters seem to make too easy a distinction between protective and investigative purposes. In particular, I would like to emphasize that activities that are in the themselfves investigative can be (and often are) carried out with an ultimate goal of protection, rather than of law enforcement. Real world analogy: consider protecting yourself using a bullet-proof vest vs. protecting yourself by using a flashlight to see your assailant vs. trying to gain evidence for criminal prosecution by using a flashlight. The court, as I understand it, isn't inquiring into whether Savoy used the moral equivalent of a flashlight or not. They are inquiring into whether he was gathering information to protect the systems or gathering evidence for prosecution.

The reason why this is very important is because the adversary Savoy was trying to keep out of the university's sensitive computers wasn't Heckencamp's computer (whether with IP address 117 or 120), but rather Heckencamp himself. The prior commenters seem to think the university server could be protected just by blocking a sufficiently large IP address range. But Heckencamp can take his special knowledge with him and go to a different computer, perhaps one with a quite different IP address, such as in the computer science department. We don't know what that special knowledge was. Root password? Backdoor that he had previously installed? Some exploitable vulnerability in the server software? The commenter who said root access shouldn't have been allowed from dorms seemed to assume that Heckencamp was just logging in as root through the normal front-door way. But maybe that isn't what was going on. Most importantly, I suspect that Savoy at this early point in the investigation didn't know what was going on either. Even if he knew what particular method Heckencamp was using to gain access to this particular server (which he observed), he didn't know what other servers Heckencamp had unauthorized means of accessing, nor what those means were. There was every reason to suppose that such other servers did exist and were at risk. (Remember, Heckencamp had a past record and was known to be breaking into Qualcomm.) In this context, disconnecting one computer by whatever means -- in the closet in the room, by software -- and sending Heckencamp and his knowledge out into the night to find another computer somewhere else -- would have been a very risky thing for Savoy to do. In order to protect against that risk, Savoy needed to neutralize Heckencamp's special knowledge.

Now, one way to do that in princple would be to lock Heckencamp away where he couldn't to any harm. But we fortunately live in a world where lots of due process stands in the way of this approach. (I wouldn't want it to be easy for me to be locked up.) So I gather that the approach Savoy chose.

Instead, he took a very standard computer security approach, which is to try to learn as much as you can about your adversary. If you know which vulnerabilities he is aware of in which of your systems, then you can close up all those vulnerabilities. That way it doesn't matter where he goes and which computer he uses. This explains why Savoy wanted a disk image. That is part of what the other commenters are missing. The protective action didn't just consist of unplugging the network cord. If that were all that Savoy did, they he really would have deserved all the scorn heaped on him by other commenters. (How hard can it be to get another cord and plug the computer back in?) But that was just one quick initial step in a much more intensive investigation, which investigation was motivated (or so the court tells us) by protective considerations rather than law enforcement ones.

Worse, I have no other choice for ISP.

Sprint, Verison, Cingular, etc. would all be happy to provide you with wireless internet connectivity.

I will concede Tomm's point that we need to distinguish what Savoy did when logging on over the network from the later activities such as making a disk image. Tomm can legitimately wonder what the protective function was of the logging in. It surely didn't have a law enforcement purpose though; the question seems to be whether it had a protective purpose or was just brain-dead, lacking in any reasonable purpose at all.

Certainly there are suggestions in the rather muddy court record that Savoy did not behave perfectly. Perhaps if he had it to do over again, after careful reflection, he might do it differently himself. I am reluctant to Monday-morning quarterback him in part because it is perfectly normal for judgment to slip somewhat during a crisis situation, and there is a big gap between less-than-perfect and utterly incompetent. However, I am also unwilling in large part because I doubt I really understand what Savoy actually did. He certainly didn't explain his actions to the court the way he would to a professional peer, and the court certainly has its limitations as a means of conveying what he said to us. Before I jump to a conclusion that would reflect poorly on him, I'd like to be able to ask him to explain just what commands he ran, and why. What is it that he was after that the network log didn't already tell him? The very fact that this is perplexing from the court's version of the story makes me assume there must be something lost in translation, rather than assuming that he was so incompetent as to log into a computer to obtain information he already had from a log.

By the way, speaking of less than perfect performance under pressure, I apologize for how evident my hurried typing is.

Anyhow, back to the fact that the court didn't really delve into Savoy's story in any meaningful way, but rather took it at face value. I turned up an earlier news story that suggests Heckencamp's attorneys may have been rather hamstrung in their ability to give him effective representation. It makes interesting, if sad, reading.

Professor Hailperin, I agree with your comments related to blocking a range of IP addresses. And as you point out, there is a lot that is not known about this matter.

I will call into question Savoy leaving work, going home and then checking on Heckencamp. If someone wants to learn more about their adversary, I would suggest staying on-campus where access to a fuller suite of network monitoring tools probably existed. The actions of Savoy going home do not indicate (to me) that he was very concerned about this matter, especially given Savoy's knowledge of Heckencamp's prior activities.

If the University of Wisconsin did not have switch ports to the dorm room in question in 1999, then disabling a switch port was not an option. But "back in the day", so to speak, there were several other options to restrict the traffic of Heckencamp. MAC based filters implemented at the network core could have been effective. Savoy was able to determine that Heckencamp's PC had switched from using the .117 address to the .120 address, so there was some capability to track what IP address a specific MAC address was bound to.

I'm not condoning the actions of Heckencamp, but do believe that the response by Savoy was confusing. It was finals week and if the situation was a grave as was being indicated, then trying to learn more about the adversary was I believe secondary to ensuring that services remain available for students. Going to Heckencamp's room could have been accomplished earlier in the process, and also saved Savoy a trip home and back.

Of course, much of the response by Savoy could have been stipulated in whatever policies the University had in place at the time concerning network security. Speaking for the college I work at, resource availability has always been the priority. If additional information on a unusual event is needed, it is obtained while keeping in mind that priority if at all possible.